FAQ FOR S/MIME
1. What is S/MIME?
2. What is a digital certificate?
3. What is an encrypted email?
4. Is it mandatory to use this service?
5. What do I need to do to start using the S/MIME service?
6. Is it mandatory to have the digital certificate issued from NICCA?
7. Is it mandatory for the sender and receiver to have a NIC email id?
8. Required hardware and software to support S/MIME on the client machine
9. How to send digitally signed and encrypted mail using Mozilla Thunderbird
10. How to send a digitally signed email?
11. How to send a digitally signed and encrypted email?
12. How to decrypt the message
13. How to export a public certificate from your DSC?
14. How to upload a public certificate to the NIC repository?
15. How to install Java?
16. Why am I getting a popup while saving a draft?
17. Why am I getting a popup while doing a spell check?
18. I can digitally sign the mail but cannot encrypt it?
19. I can encrypt the mail but cannot digitally sign it?
20. Which Class of certificate to apply for? (Refer Point No. 2 of NIC CA Form)

1. What is S/MIME?
Secure/Multipurpose Internet Mail Extensions (S/MIME) provides a consistent way for email users to send and receive secure MIME data, using digital signatures for authentication, message integrity and non-repudiation, and encryption for privacy and data security.

2. What is a digital certificate?
Digital Certificates are the electronic counterparts to driver licenses, passports and membership cards. You can present a Digital Certificate electronically to prove your identity or your right to access information or services online.
Digital Certificates bind an identity to a pair of electronic keys that can be used to encrypt and sign digital information. A Digital Certificate makes it possible to verify someone's claim that they have the right to use a given key, helping to prevent people from using phony keys to impersonate other users. Used in conjunction with encryption, Digital Certificates provide a more complete security solution, assuring the identity of all parties involved in a transaction.
A Digital Certificate is issued by a Certification Authority (CA) and signed with the CA's private key.

3. What is an encrypted email?
Ans: Encrypted mail protects the privacy of the message by converting it from plain, readable text into cipher (scrambled) text. Only the recipient who has the private key that matches the public key you used to encrypt the message can decipher the message. Encrypting a mail is a separate process from digitally signing a message.

4. Is it mandatory to use this service?
No, it is not mandatory to use this service. This service is provided by NIC for users who want to digitally encrypt and sign their messages for security. Digitally encrypted mails can only be decrypted by the sender or receiver using their digital certificate.

5. What do I need to do to start using the S/MIME service?
You need to have a digital certificate provided by the NIC Certificate Authority, which can be stored in a USB token or directly in your browser. The DSC form is available on http://nicca.nic.in.
While requesting the DSC, please ensure that the email address that you mention in the form is the address that you wish to bind with your DSC, e.g. <userid>@nic.in.
Also ensure that you request a DSC that contains both the digital certificate and the encryption certificate (refer point no. 3 in the form; select (tick mark) both the options, i.e. Individual (signing) and Encryption).
Contact Person (NIC CA): Mr. Sumeet Jethra (Ph. 011-24305032, email: sumeet@nic.in)

Messaging Services, NIC

6. Is it mandatory to have the digital certificate issued from NICCA?
No, it is not mandatory to get the certificate issued from NICCA, although we recommend use of a DSC from NICCA. If you wish to use this service over the web interface, i.e. http://mail.gov.in, you can also take this certificate from any authority who is under CCA India 2011. If you wish to use this service over a POP/IMAP client like Thunderbird, then a DSC from any other CA will also work.

7. Is it mandatory for the sender and receiver to have a NIC email id?
Yes, the sender and receiver both need to have a NIC email id if you wish to use this service over the web interface.

8. Required hardware and software to support S/MIME on the client machine
Operating system: Microsoft Windows XP or Vista or later
Browser: Microsoft Internet Explorer, Version 7 or later
Software: Java Runtime Environment (JRE) 6 Update 7 or later
Private-public keys with certificates: One or more private-public key pair with certificates. Certificates are required and they must be in standard X.509 v3 format. Obtain keys and certificates from a CA for each Convergence user who will use the S/MIME features. The keys and their certificates are stored on the client machine or on a smart card. The public keys and certificates are also stored in the NIC repository.
Smart card software (only required when keys and certificates are stored on smart cards): ActivIdentity ActiveClient, Version 6.2, or Litronic NetSign 215 Reader CAC Compliant
Smart card reader: Any model of smart card reading device complying with ISO 7816 supported by the client machine and smart card software.
Type of Certificate: Class II

9. How to send digitally signed and encrypted mail using Mozilla Thunderbird
a) In Thunderbird, select from the menu "Tools" > "Options" > "Advanced".
b) Click the "Certificates" tab > "Security Devices". A new window will open which displays the Security Devices.
c) Click the "Load" button to load a new PKCS#11 Module. Type a name for the PKCS#11 Module or keep the default (New PKCS#11 Module) and click "Browse".
d) Select the file "aetpkss1.dll" in the c:\Windows\System32 folder and click "Open", then "OK".
e) When asked whether you want to install this security module, confirm with "OK".
f) You will receive a message that the security module was installed.
g) The security module will now be displayed in the list.
h) Click "OK" to leave the Security Device Manager.
i) Once the email account is configured.
Go to Tools > Account Settings > Security. Refer figure 9.1.

Figure 9.1
Click on "Select" under "Digital Signing". Refer figure 9.1.

Figure 9.2
After clicking on "Select" it will ask for your Digital Token Password. Enter the password and click on "OK". Refer figure 9.2.

Figure 9.3
Click on the "OK" button to select your signing certificate. Refer figure 9.3.

Figure 9.4
An alert message will prompt, as shown in figure 9.4. Click on "No".

Figure 9.5
Click on the "Select" button under Encryption. Refer figure 9.5.

Figure 9.6
Click on the "OK" button to select your signing certificate. Refer figure 9.6.

Figure 9.7
Click on "Digital sign message" if you want to sign every message, and click on the "Required" button if you want to encrypt every message. Finally click on "OK" to accept those settings.

Figure 9.8
Click on Security > Encrypt This Message (if you wish to send an encrypted message). Refer figure 9.8. Digital signature will be automatically highlighted. Now click on "Send" to send your message.

Figure 9.9
If you have your token inserted in your computer, you will be able to open the encrypted email by clicking on it as shown in figure 9.9. The very first time you access it, it will ask for the token password.

10. How to send a digitally signed email?
Go to https://mail.gov.in (advanced view).
Note: Prior to sending digitally signed/secure email, all steps mentioned in Annexure "A" need to be completed.

Figure 10.1
Login with your User ID and Password. Refer Fig. 10.1.
After logging in you will receive a popup window as below. (This window will appear the very first time you access this site.)

Figure 10.2
Select the check box and click on "Run". Refer Fig. 10.2.
Figure 10.3
At this point you are logged in to the mail.gov.in interface. This will be your secure webmail interface. Refer Fig. 10.3.

Figure 10.4
Click on "Write". Refer Fig. 10.4.

Figure 10.5
Fill in the "To" address, "Subject" and "From". Click the "Security" tab and check "Digitally Sign". Then click on "Send". Refer Fig. 10.5.

Figure 10.6
After clicking on "Send" it will ask for the token password. Fill in the token password in the popup window and click on "Accept". Refer Fig. 10.6.

Figure 10.7
Verifying a digitally signed email: the figure below illustrates the procedure to verify a digitally signed email. Double click on the email which is signed and click on the "Sign logo". Refer Fig. 10.7.

Note: DIGITALLY SIGNED MAIL
1) You can send a signed message to anyone on the internet.
2) If you want to verify the digital signature sent by you or any user, you need to have your digital signature (Smart Token) with you.

11. How to send a digitally signed and encrypted email?
Go to https://mail.gov.in

Figure 11.1
Login with your User ID and Password. Refer Fig. 11.1.
After logging in you will receive a popup window as below. (This window will appear the very first time you access the mail.gov.in site.)

Figure 11.2
Select the check box and click on "Run". Refer Fig. 11.2. The "Always trust content from the publisher" option needs to be selected only once. You will not be prompted for this screen again.

Figure 11.3
At this point you are logged in to the mail.gov.in interface. This will be your secure webmail interface. Refer Fig. 11.3.

Figure 11.4
Go to the "Options" tab. Refer Fig. 11.4.
Figure 11.5
Click on Mail > Local Account > Security. Select your certificate from the drop-down box and check "Encrypt All mails During Send" (if you want to encrypt all messages you send), then click on "Save". Refer Fig. 11.5.

Composing an encrypted message

Figure 11.6
Click on "Write" to compose a new message. Refer Fig. 11.6.
Check whether you want to encrypt and sign or only sign the message. Write the email address in the "To" field. Write the subject and type the message in the compose window, then click on "Send". It will ask you for the token password in a popup window.

Figure 11.7
At this point you have sent a signed and encrypted message. Write the token password in the popup window and click on "Accept". Refer Fig. 11.7.

12. How to decrypt the message
Click on the encrypted message to open it. It will ask you for the "Token Password" in the POPUP window, if. Refer Fig. 2.8. If you have already verified your token password in the current login session, it will not ask for the token password.

Figure 12.1

Figure 12.2
The screenshot below is after verification of the token password. Now you can see the encrypted message. Refer Fig. 12.2.

13. How to export a public certificate from your DSC?
Insert your USB token/smart card in your computer.

Figure 13.1
Go to Start > Programs > SafeSign Standard > Token Administration utility. Refer Figure 13.1.

Figure 13.2
Double click on the token highlighted above. (Ensure the token status is "operational" before double clicking.)

Figure 13.3
There will be 2 certificates (private and public) as shown in Figure 13.3. Double click on the certificates one by one. Refer figure 13.3.

Figure 13.4
Your encryption certificate will have "Encipher secret keys".
Refer Figure 13.4. Now click on "Save to file". Refer figure 13.4.

Figure 13.5
Write a filename and click on "Save". Refer figure 13.5.

Figure 13.6
Right click on the file > Open with WordPad. Refer figure 13.6.

14. How to upload a public certificate to the NIC repository?

Figure 14.1
Login to https://msgapp.nic.in/cert/ and upload your encryption certificate here. Refer fig. 14.1.

Figure 14.2
Browse for your certificate file and click on "Submit". If everything is OK you will receive the following message. Refer fig. 14.3.

Figure 14.3

15. How to install Java?
If you are trying to access https://mail.gov.in from browsers other than IE (i.e. Firefox, Chrome, Safari, etc.), you will receive the following message in a popup:
"The server supports encryption and signing of messages, but these features are currently only available with Internet Explorer 7 and above"
The above message appears because this service is currently supported on IE only. After clicking "OK" you will be forwarded to your mailbox.

Internet Explorer users (IE 7 and above)
The very first time you access https://mail.gov.in, it will ask for Java installation, if you are connected to the internet. If you don't have internet access on your PC, you have to download Java version 6 from http://java.com. Click "Yes" to proceed.

Figure 15.1
Click on "Install" to proceed with the Java installation. Refer Figure 15.1. Java installation will proceed with the following screen. Refer Figure 15.2.

Figure 15.2

Figure 15.3
Click "Close" to finish the Java installation. Refer Fig. 15.3.

Figure 15.4
Check the "Always trust content from this publisher" radio button and click on "Run". Refer Figure 15.15.
Figure 15.5
You will be forwarded to your INBOX now. Refer figure 15.5.

16. Why am I getting a popup while saving a draft?
Ans: This warning message will pop up if you have not inserted your token in the PC while saving a draft. If you don't want to encrypt your draft, click on the "Save anyway" button. Your draft will be saved unencrypted.

Figure 16.1

17. Why am I getting a popup while doing a spell check?
Ans: To be spell-checked, the message must be sent without encryption to the mail server. The spell checker can only work on plain text. As our servers use Secure Socket Layer (SSL) transmission, the message is protected as it is sent. However, during spell-checking, it is still exposed in plain text inside the mail server.

Figure 17.1

18. I can digitally sign the mail but cannot encrypt it?
Ans: Ensure that you have an encryption certificate along with the signing certificate in your DSC. How to ensure <insert>

19. I can encrypt the mail but cannot digitally sign it?
Ans: Ensure that you have a signing certificate along with the encryption certificate in your DSC. How to ensure (refer point no 17 above)

20. Which Class of certificate to apply for? (Refer Point No. 2 of NIC CA Form)
Ans: Class II
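
Questions 18 and 19 ask you to make sure the DSC holds both a signing and an encryption certificate, question 13 exports them to files, and question 5 binds them to your email address. The shell functions below are an added example, not part of the NIC FAQ: they check exported certificates with the openssl command line. They assume PEM files, a signing certificate that carries the digitalSignature key usage and an encryption certificate that carries keyEncipherment; the function names and the sample address are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not NIC code): check exported DSC certificates with openssl.

# cert_roles FILE -> "sign", "encrypt", "sign encrypt" or "none"
cert_roles() {
    local ku roles=""
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2   # not a readable PEM certificate
    # The line after "X509v3 Key Usage" in the text dump lists the usages.
    ku=$(openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Key Usage/{n;p;}')
    case "$ku" in *"Digital Signature"*) roles="sign" ;; esac
    case "$ku" in *"Key Encipherment"*) roles="${roles:+$roles }encrypt" ;; esac
    echo "${roles:-none}"
}

# cert_has_email FILE ADDRESS -> success if ADDRESS is bound into the certificate
cert_has_email() {
    openssl x509 -in "$1" -noout -email 2>/dev/null | grep -qixF "$2"
}

# dsc_check ADDRESS FILE... -> "ok", or the first problem found
dsc_check() {
    local addr="$1" have="" f r
    shift
    for f in "$@"; do
        r=$(cert_roles "$f") || { echo "unreadable: $f"; return 2; }
        cert_has_email "$f" "$addr" || { echo "email mismatch: $f"; return 1; }
        have="$have $r"
    done
    case "$have" in *sign*) ;; *) echo "missing signing certificate"; return 1 ;; esac
    case "$have" in *encrypt*) ;; *) echo "missing encryption certificate"; return 1 ;; esac
    echo "ok"
}

# Constructed sample input: throwaway self-signed certificate (hypothetical helper).
# make_sample OUT KEYUSAGE EMAIL
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" -days 1 \
        -subj "/CN=Sample User" -addext "keyUsage=critical,$2" \
        -addext "subjectAltName=email:$3" 2>/dev/null
}
```

Calling dsc_check with your address and the files saved in question 13 prints "ok" only when both roles are present and every certificate is bound to that address.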