Email Encryption

Discussion in 'iOS 8' started by jmxp69, Sep 24, 2014.

  1. jmxp69 macrumors 6502

    Joined:
    Dec 10, 2008
    #1
    Has anybody noticed the optional email encryption feature in iOS8? They changed sign/encrypt to sign/encrypt by default, then enlarged the lock icon and made it clickable to toggle encryption on or off. Pretty cool huh? Never held hope they'd add this feature because I didn't think enough people used encryption AND cared to have an on/off toggle for it. Really happy little surprise.
     
  2. detlefs macrumors newbie

    Joined:
    Sep 27, 2014
    #2
    I can't get email encryption to work on my iPad. I did extensive testing to find out why this is. To read the details click here.
     
  3. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #3
    S/MIME mail encryption works fine here using a certificate issued by my employer.
     
  4. detlefs, Sep 27, 2014
    Last edited: Sep 27, 2014

    detlefs macrumors newbie

    Joined:
    Sep 27, 2014
    #4
    That is good to know. I wish I would have all the details about your installation.

    BTW, if I use the same iMac Keychain Access generated S/MIME certificate on my iMac and my iPad then I can send encrypted messages between these 2 devices using of course the same email address on both devices.

    But with certificates for 2 email addresses, using one on each device, I can't get it to work. Reading the encrypted messages on the iPad works, but sending doesn't.

    The certificate installation procedure for the above described "one certificate, one email address, on both devices" and "two certificates, two email addresses, one on each device" methods is identical. That's why I believe there is something wrong with the encryption mechanism on the iPad.

    I had the same experience with certificates from Comodo. So, the problem is also not related to self generated, untrusted certificates.
     
  5. jmxp69 thread starter macrumors 6502

    Joined:
    Dec 10, 2008
    #5
    Ok, I'm on my iPad, and it's 5:40am, so I'm going to be brief. I read what you did, but don't understand why you did half the stuff you did.

    1) Import your issued cert to keyring on Mac.
    2) Export .p12 from keyring. Make sure it includes cert and private key. Bottom line, your email cert should be expandable to include a private key. If done correctly. If something goes wrong here, it will default to export .cer only. Stop and make sure you get this right. Mac should ask for a password and save as .p12 by default. Now stop messing with your Mac. It's ready to go. Everything else is handled automagically.
    3) Send email from Mac to yourself with .p12 attached. Sign but do not encrypt.
    4) On iOS device, you should see the signature star in red. Click name, import sig. This step imports the PUBLIC KEY from your cert so you can encrypt back to yourself.
    5) Open .p12 follow prompts to install. This installs your cert and PRIVATE KEY so you can sign and decrypt.
    6) Turn s/mime on, sign yes, encrypt by default whatever.

    Remember:
    PUBLIC KEY lets you encrypt something TO the receiver. You can freely send your public key to anybody.
    PRIVATE KEY allows you to decrypt messages sent encrypted by your PUBLIC KEY.
    CERT signs your messages and provides non-repudiation.

    Share your public key. Do not share your cert or public key.

    I have followed this process on wife and my iPhones/iPads every year for many years. It works. It's also one of the things that brought me back to Apple after playing with android for a while. Apple's native mail.app is just better than any of the options on Android.
     
  6. detlefs macrumors newbie

    Joined:
    Sep 27, 2014
    #6
    Here is another view of the problem:

    Assume an iMac and an iPad on one side both using email address 1. And a PC on the other side using email address 2.
    On the iMac and the iPad the same Keychain Access generated certificate for email address 1 is installed. As I explained in my previous post exchanging encrypted emails between the iMac and the iPad using this shared certificate is working.
    On the PC I installed a S/MIME certificate for email address 2 that was generated on the iMac. Subsequently the keys and the certificate were deleted from the iMac. Then the public key for address 2 was installed on the iMac and the iPad.
    Reading PC encrypted emails on the iMac is working. Reading iMac encrypted emails on the PC is working.
    Reading PC encrypted email on the iPad is not working. I can send encrypted emails to the PC, but the PC cannot read the encrypted email.
     
  7. detlefs, Sep 27, 2014
    Last edited: Sep 27, 2014

    detlefs macrumors newbie

    Joined:
    Sep 27, 2014
    #7
    jmxp69, I read your procedure. Thanks for describing it, but you could have saved that effort. I have done this many times. I don't have a problem exporting and installing p12 and cer files on the iMac and the iPad. BTW, I moved to generating my own S/MIME certificates in Keychain Access because I got tired of having to renew every year. Also among family and friends I don't need 3rd party authorized certificates.

    I also have S/MIME and OpenPGP working on my iMac communicating in encrypted emails with several Macs and PCs for many years. I think I know what I am doing. Yet I can't get my iPad to accept public keys and successfully send an encrypted email. Even though the public keys are installed in iPad/Settings/General/Profiles.

    I don't know where the problem is.
    About why I did all that stuff. I went to this extent to pinpoint the problem by ruling out possible causes.
     
  8. detlefs macrumors newbie

    Joined:
    Sep 27, 2014
    #8
    On the iPad in iOSX there are 2 ways to install public keys.
    1. Receive a cer file by email. Install by double clicking the file. This way the certificate is installed in iPad/Settings/General/Profiles
    2. The received email is signed. One clicks the sender name which is in red with a ?. The certificate opens and can be installed. The certificate is then trusted. However, using this way the certificate is not installed in iPad/Settings/General/Profiles.

    What is the difference between these 2 methods in terms of function?

    Regarding my problem. If I receive a signed email on my iPad I can view the certificate but when I click install nothing happens. The certificate remains untrusted.
     
  9. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #9
    Depends on what's in the .cer file. It can contain public and/or private keys. Email signatures only contain public keys.
     
  10. detlefs macrumors newbie

    Joined:
    Sep 27, 2014
    #10
    Rigby, as far as I know the cer file always contains a public key. Only the p12 contains the key pair.

    But fundamentally there is still something I don't understand. In OSX Keychain Access, if you create a S/MIME key with the Certificate Assistant for one email address there are 3 entries created in Keychain Access. These entries are one private key, one public key and one certificate. If you send a signed email the certificate is sent. People use the words certificate and public keys interchangeably. But if the certificate is the public key, what then is the public key for listed independently of the certificate in Keychain Access? This public key, BTW, can only be exported as a pem file.

    I continued my investigation about how to correctly install public keys in iOS8 and in OSX.

    On the iPad to install an email public key it is enough to view in Mail the certificate of the received signed email by clicking the red marked email sender name and then click Install in the certificate. Apparently the certificate/public key doesn't need to be in the iPad/Settings/General/Profiles to be able to send encrypted emails.

    In OSX it is also enough to install the certificate/public key in Keychain Access if one in Mail clicks the red marked sender name to open the certificate and marks it as trusted. The certificate will then be listed in Keychain Access under Certificates. There will be no additional public key listed under Keys.

    jmxp69, now I also don't understand why I went through so much trouble when it is so easy. However, having said that, while I now have exchanging and using public keys for encryption working between iOS and OSX devices, I still can't get the same to work between iOS and PC. But OSX to PC and vice versa is working. This is my last problem.
     
  11. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #11
    .cer (or .crt) files are either DER or PEM encoded. These formats can be used to encode X.509 certificates (i.e. public key only), but also PKCS12 files, which can contain both public and private keys. The whole thing is quite confusing, since the files can have different content depending on how they were generated.

    I have no experience creating keys using Keychain Access on the Mac, so I can't help there.
     
  12. detlefs macrumors newbie

    Joined:
    Sep 27, 2014
    #12
    That means that a cer file can be encoded in DER or PEM. And it means that also the PKCS12 (p12) file can be encoded in DER or PEM. "These formats" at the beginning of the second sentence in the quote relates to DER and PEM and not to cer. Cer is a file type and not a format. Indirectly, the second sentence in the first half up to the comma says that cer files are public keys. And in the second half of the sentence it says p12 files contain public and private keys.
     
  13. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #13
    No, it's not that easy. There is no real standard for the file extensions, meaning different software can use different extensions. .cer files can contain both DER or PEM encodings (DER is basically a binary version of the ASCII-armored PEM format). Instead of .cer some software uses .crt, or .pem for PEM.
     
  14. detlefs macrumors newbie

    Joined:
    Sep 27, 2014
    #14
    Yes, what you are saying is correct. A cer file or p12 file can contain different encoding. It is similar to video files. An avi can also contain various encoding. Like avi, cer and p12 are containers of various encoding. Various encoding of public keys or public and private keys.

    However, the key question is whether a cer file can contain a private key or always only a public key. In my opinion the cer file never contains a private key.
     
  15. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #15
    Sigh. Take some valid .p12 file, open a shell on Mac OS, and enter the following:

    openssl pkcs12 -in <file>.p12 -out test.cer -nodes; less test.cer

    Enter the password for the PKCS12 file, and you'll see a valid ASCII-armored PEM output with one or more private keys and certificates.

    But if you don't want to believe it, that's fine with me. It's not me who needs to solve a problem with certificates after all.
     
  16. detlefs macrumors newbie

    Joined:
    Sep 27, 2014
    #16
    Again, you are right. The p12 contains certificate, private key and public key. I suspect the Certificate and the public key are essentially the same.

    I have never argued that the p12 doesn't contain the public key.

    Please show me a cer file containing a private key. This is what I am questioning. The file type name "cer" already indicates that it is a certificate. And if you import a cer file into Keychain Access all you get is a certificate.

    About my problem. jmxp69 made me focus on the difference between importing a certificate in iPad Mail versus importing a by email received cer file into iPad/Settings/General/Profiles. Based on this I was able to successfully get the encrypted email exchange between iPad and iMac going. The remaining problem is with the encrypted email exchange between iPad and PC.
     
  17. detlefs macrumors newbie

    Joined:
    Sep 27, 2014
    #17
    I discovered another important thing to know about public keys in iOS8.

    If the certificate for your email connection is expired and you want therefore to install a new certificate you first have to uninstall the old certificate. You cannot install a new certificate while the old one is still in place.

    To do that you need to open an old signed email, open the certificate and uninstall it. Only then is it possible to install the new certificate for this email address.

    This means for one email address only one certificate can be managed by iOS8. This also means that in case you keep your very old emails on your iPad or iPhone, after exchanging the certificate you can no longer read the old encrypted emails for this email address. That is different in OSX. There you can keep the old certificates and you will be able to read the old emails even after installing a new certificate.
     
  18. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #18
    If you entered the command line above, you just generated one. :rolleyes:
     
  19. detlefs macrumors newbie

    Joined:
    Sep 27, 2014
    #19
    Rigby, with your command line you are generating a cer file from a p12 file. Of course you can generate a certificate from a full key pair installation.

    Try this. Create a cer file in Keychain Access or from the command line. Import the cer file into another Mac. Now in the Mac where you imported the cer file try to create a p12 from the imported certificate.

    Think about it, you are giving your certificate to other people when you sign your email. If you can generate a private key from a certificate then you would give away your private key every time you sign your email.

    BTW, some explanation about this issue can be found here.
     
  20. detlefs macrumors newbie

    Joined:
    Sep 27, 2014
    #20
    In my previous post I said:
    Actually signing an email is not the same as generating a cer file and sending it by email. Although I think the cer file and the signed signature contain the same key information, namely the certificate only. So practically it is the same, but in a different container.

    I also gave a link to a website. Click here.

    On this website it says:
    I conclude from the above that a cer file can theoretically contain a private key but that on most platforms the cer file only contains the certificate/public key. From experience I know that cer files generated in OSX Keychain Access and in Windows Certificate Manager only contain the certificate and not the private key. While I have not tried it myself I think that is also true for cer files created at the command line in OSX and Windows.

    This can easily be tested. One just needs to create a cer file in OSX or Windows and import it into another Mac or PC. All you find is a certificate. As far as I know, in OSX and Windows, the private key can only be exported in a p12 file.
     
  21. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #21
    Look, I have no idea how the Keychain Access app handles .cer files. But I often deal with certificates and cryptographic keys as part of my job and I have seen all kinds of different .cer files used by other tools and applications. As I told you before, there is no fixed standard of what can and cannot go into such a file. I just showed you that the file format is absolutely capable of containing both private and public keys.

    When private keys are exported to files, it is common practice to encrypt them (but I disabled this using the -nodes option in the example above to keep it simple); in encrypted form, it is safe to send them by mail.

    As to your S/MIME problem, my guess is that it is almost certainly a problem with the certificates that you generate. Perhaps the self-signing is not correct, or you are missing a private or public key somewhere which would prevent you from sending or receiving encrypted mails.
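The .p12 versus .cer debate above (posts #15 through #21) and jmxp69's export procedure in post #5 can be reproduced end to end with openssl. This is an added example, not code from the thread: it assumes openssl is on PATH, and the email address, file names and password are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. A certificate-only export (.cer) carries
# no private key, while "pkcs12 -nodes" writes the private key into a file
# that merely happens to be named .cer. Assumes openssl on PATH; the address,
# file names and password below are constructed.
set -e
WORK=$(mktemp -d)
PASS='constructed-example-password'

# 1. Self-signed S/MIME key pair and certificate for a constructed address.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj '/CN=alice@example.test/emailAddress=alice@example.test' \
  -keyout "$WORK/alice.key" -out "$WORK/alice.crt" 2>/dev/null

# 2. Password-protected PKCS#12 bundle: the .p12 export (cert + private key).
openssl pkcs12 -export -in "$WORK/alice.crt" -inkey "$WORK/alice.key" \
  -passout "pass:$PASS" -out "$WORK/alice.p12"

# 3. Certificate-only DER file: the .cer export, safe to hand to anyone.
openssl x509 -in "$WORK/alice.crt" -outform DER -out "$WORK/alice.cer"

# 4. Rigby's command from post #15: unencrypted dump of the .p12 named *.cer.
openssl pkcs12 -in "$WORK/alice.p12" -passin "pass:$PASS" -nodes \
  -out "$WORK/dump.cer"

# Number of PEM private-key blocks in a file (0 for a DER-encoded cert).
count_private_keys() {
  grep -a -c -e '-----BEGIN .*PRIVATE KEY-----' "$1" || true
}

# True if the file parses as an X.509 certificate, DER or PEM encoded.
is_certificate() {
  openssl x509 -in "$1" -inform DER -noout 2>/dev/null ||
    openssl x509 -in "$1" -inform PEM -noout 2>/dev/null
}

# Sign with the private key, then verify using only the certificate: a signed
# mail carries the certificate, which is all a recipient needs to verify it.
sign_and_verify() {
  printf 'Subject: test\n\nhello\n' > "$WORK/msg.txt"
  openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -out "$WORK/msg.signed"
  openssl smime -verify -in "$WORK/msg.signed" -CAfile "$WORK/alice.crt" \
    -out /dev/null 2>/dev/null
}

# Encrypt TO alice using only the .cer, decrypt with the private key.
encrypt_and_decrypt() {
  openssl x509 -in "$WORK/alice.cer" -inform DER -out "$WORK/alice_pub.pem"
  openssl smime -encrypt -aes256 -in "$WORK/msg.txt" -out "$WORK/msg.enc" \
    "$WORK/alice_pub.pem"
  openssl smime -decrypt -in "$WORK/msg.enc" -recip "$WORK/alice.crt" \
    -inkey "$WORK/alice.key"
}

echo "private keys in alice.cer: $(count_private_keys "$WORK/alice.cer")"  # 0
echo "private keys in dump.cer:  $(count_private_keys "$WORK/dump.cer")"   # 1
sign_and_verify && echo "signature verifies with the certificate alone"
encrypt_and_decrypt | grep -q hello && echo "encrypted with .cer, decrypted with key"
```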
     
  22. detlefs, Sep 29, 2014
    Last edited: Sep 29, 2014

    detlefs macrumors newbie

    Joined:
    Sep 27, 2014
    #22
    Rigby, I acknowledge that you know a lot more about this issue than I do. Especially about key and certificate handling at the command line and about what information these files can contain. I don't use the command line for dealing with keys and certificates and I don't know the intricate details of the encryption software either. I only use user interfaces like Keychain Access and the Windows Certificate Manager.

    In Keychain Access if you click on a private key or its corresponding certificate you have two export options. You can export into cer or p12. If you export into p12 you get the certificate and the private key. To get this file you have to specify a password. In other words, the p12 will be encrypted for safety. The cer file is created without the need for a password and only contains the certificate. Rigby, you can believe me. I checked and double checked in Keychain Access and the Windows Certificate Manager. The user interfaces keep it simple for novices like me.

    I have created 3 S/MIME key pairs (certificate, private key) on my 2 iMacs in Keychain Access. One of the three I transferred to a Windows PC (p12 file). Each of the 3 S/MIME is for a different email address. I then exported on each computer the certificate/public key (cer files) and manually transferred them to the other computers with a USB stick. That worked without a problem. I can send signatures and send and read encrypted emails without problem. Perfect! I now know that I don't need to manually transfer the certificate. Sending a signed email is enough to transfer the certificate/public key. Important with this method is that one opens the certificates and marks them as trusted. You need to do that for the S/MIME key pairs and the imported certificates.

    What I had problems with was with iOS/iPad. I just couldn't get sending of encrypted emails working. The mistake that I was making is that I imported the cer file into Profiles (iPad/Settings/General/Profiles). That seems to be the iOS equivalent of OSX Keychain Access. This is the place where the email S/MIME key pairs (certificate/private key) are installed. But importing the certificate/public key to this location is not how one is supposed to install the certificate/public key to be able to use it for email encryption. One needs to install the public key by clicking on the red marked name of the sender in the email in Mail. The certificate then opens and one has the option to install it. It is then installed without appearing in the Profiles DB. I didn't know this procedure. I learned that from jmxp69. Now I can send signed and encrypted emails between iOS devices and iOS and OSX devices using the certificates that I created myself. Great!

    However, what is still not working is the encrypted email exchange between the Windows PC and the iPad. At the moment I don't know what the problem is. But I have some ideas what it might be. I don't have a chance to work on this until the next weekend. Anyway, if I figure it out I will post it in this thread.

    Currently I tend to believe that the problem is with the iOS because the encrypted email exchange between OSX and Windows with my Certificates is working.

    What I can rule out is definitely that there is a problem with the certificates. If I had a problem with the certificates I wouldn't be able to send any signed and encrypted emails. But it is possible that the PC certificate/public key installed on the iPad got somehow screwed up.
     
  23. detlefs macrumors newbie

    Joined:
    Sep 27, 2014
    #23
    I finally figured out why the iPad was unable to decrypt emails from Windows Live Mail while OS X had no problems decrypting the same email.

    I posted the details here.
     
