Security

Stacks on Stacks…of Floppy Disks

by

There is an episode of White Collar called Uncontrolled Variables where a company uses 8-inch floppy disks to store and secure sensitive information. The premise is that the 8-inch storage medium and file formats are so old and obsolete that no one would be able to access the contents of the disk. While it makes for an entertaining episode, I wouldn’t use this method to secure my information.

Meanwhile, back in real life, I found stacks of 3½-inch floppy disks sitting in a box untouched for 20 years. The labels had been crossed off and rewritten multiple times over the years. Do I really want what’s on a disk labeled “MS-DOS 6.0 Backup 7 of 16”? I couldn’t trust the labels and I was concerned that the contents may include information that remains sensitive over long periods of time such as personally identifiable information.

No big deal, right? I’ll pop the disks into my computer’s disk drive and start reviewing. Oh — I didn’t put a floppy drive in my machine when I built it. I’ll try the laptop. No floppy drive there either. Hmm… Maybe I’ll use the disks to play dominoes. (If you’re wondering, I tried and I couldn’t get them to stand upright on their own.) Luckily, 3½-inch floppy disk readers are still readily available online and at a reasonable cost. I ordered one of these drives and, when it arrived, I went to work attempting to read the disks.

3½-inch Floppy Disks
3½-inch Floppy Disks

While the initial problem was solved, a new problem emerged. I realized immediately that most files on the disks were 20 to 25 years old (obviously since the disks hadn’t been touched in that long). The second observation was that a surprisingly large number of files could be stored on a single disk with a mere 1.44 megabyte capacity. Through another stroke of luck, most of the files were in a version of the WordPerfect file format readable in Microsoft Word. With other files, I had to look at the binary and do a little research to identify the format. In many cases, these files were also saved without file extensions or the extensions were nonsense. In the end, I was able to find utilities online to read and convert to more current formats. I was also amazed that most of the disks were still readable. Only a few disks had issues where I couldn’t access all of the files.

Given this experience, I certainly wouldn’t use 3½-inch disks as an information security solution proposed in White Collar. It’s still too easily accessed to provide the level of obstacle. Maybe 8-inch disks are better, but I’ll stick with physically secured offline encrypted drives.

Installing Digital Certificates in iOS

by

If you read an earlier post detailing the steps to create self-signed S/MIME certificates using OpenSSL, I left off at the point where the certificate is created and packaged in the PKCS12 format. In order for the certificate to be of any use, you’ll need to install it in an e-mail client. This post details the steps for installing digital certificates in iOS 9 on an iPhone and enabling S/MIME in this iOS Mail app.

Step 1 – Load the .p12 File on the iOS Device

E-mail a copy of the .p12 file to an e-mail address accessible on your iOS device. This isn’t the most secure way of loading it on the phone, but we’ll do it this way for simplicity in this post. Once you receive the e-mail with the attachment, tap the file attachment to begin the installation process.

S/MIME Certificate for iOS Installation
S/MIME Certificate for iOS Installation

Step 2 – Install the Profile

At this point, the device will prompt you to install the profile. Tap Install in the upper right corner. If your device is password protected, you will be prompted to enter your device passcode.

Install Profile on iOS
Install Profile on iOS

Since the digital certificate is self-signed and not signed by a well-known trusted certificate authority, you will receive a warning message that the profile is not signed. Continue by tapping Install in the upper right corner.

Install Profile Warning Message
Install Profile Warning Message

You will again be prompted to install the profile. Tap the Install button at the bottom of the screen.

Prompt to Install Profile
Prompt to Install Profile

You will then be prompted to enter the PKCS12 export/import password created when the .p12 file was assembled. Enter the password and tap Next in the upper right corner of the screen.

Prompt for Certificate Password
Prompt for Certificate Password

The profile and certificate are now installed. Click Done in the upper right corner of the screen.

Profile and Certificate Installation is Complete
Profile and Certificate Installation is Complete

Step 3 – Enabling S/MIME in iOS Mail

Now that you have the digital certificate loaded and a profile created, you may begin using it in iOS Mail.

  1. Open the Settings app
  2. Tap Mail, Contacts, Calendars
  3. Tap on an existing account name under the Accounts section
  4. Tap Account
  5. Tap Advanced
  6. Enable S/MIME
  7. Additional options for Sign and Encrypt by Default will be displayed
  8. Tap Sign
  9. Enable Sign and select the certificate installed in Step 2 if it isn’t automatically selected
  10. Return to the Advanced screen
  11. Tap Encrypt by Default
  12. Enable Encrypt by Default and select the certificate installed in Step 2 if it isn’t automatically selected
  13. Exit the Settings app
Enabling S/MIME Sign and Encrypt
Enabling S/MIME Sign and Encrypt

S/MIME is now enabled and ready to use your personal digital certificate the next time e-mail is sent from this account. Recall that S/MIME uses Public Key Encryption so you won’t be able to send an encrypted e-mail to someone until you have that individual’s public key installed.

Create Self-Signed S/MIME Certificates

by

What if you need to send an e-mail containing sensitive information? Do you send anything and everything through e-mail without concern for prying eyes? Recent news stories about e-mail account hacks and interceptions by third-parties make me even more hesitant and unwilling to send anything of importance through standard plain-text e-mail. If you’ve ever been through the process of buying a home, the amount of sensitive information that is transferred between the various parties is astounding and, from my experience, it is primarily done through plain-text e-mail (gasp). So, what can you do?

While this post doesn’t address the larger systemic issues around private information transfer, it does provide a basic method for public key encryption and signing of MIME data (e-mail) using the S/MIME (Secure/Multipurpose Internet Mail Extensions) standard. Most well-known e-mail clients support S/MIME and this post provides instructions for creating your own certificate authority (CA) to create self-signed S/MIME certificates.

UPDATED: Please see the the guide for installing S/MIME certificates on iOS devices. It will guide you through the steps to add your self-signed certificates to the iOS Mail app for S/MIME.

UPDATED (October 2019): I updated the steps to use AES256 instead of DES3 for the encryption cipher. I tested the steps on a Windows 10 64-bit machine using the Win64OpenSSL-1_1_1d distribution from Win32/Win64 OpenSSL Installer for Windows – Shining Light Productions.

UPDATED (April 2020): I received a few notes that some steps are no longer working. I have updated the post to incorporate changes due to more recent builds of OpenSSL. I tested the revised steps using Win64 OpenSSL v1.1.0L Light.

A (Very) Brief Primer on Public Key Encryption

Prepare to be confused!

Since certificates are based on public key encryption, please keep in mind that you will need to have the public key of the intended e-mail recipient in order to encrypt the e-mail. Conversely, if someone wants to send you an encrypted e-mail, that person needs your public key. As an example, if I want to send an e-mail to Bob, I will need Bob’s public key to encrypt the e-mail. When Bob receives the encrypted e-mail, Bob’s e-mail client uses his personal private key to decrypt the e-mail. If Bob wants to send me an e-mail, he will need my public key to encrypt the e-mail. This post steps through the creation of your own personal public/private key pair. The public key is what an e-mail sender will need to encrypt an e-mail sent to you. Your private key is kept only by you since that is used to decrypt any e-mails encrypted using your public key. If your private key is obtained by anyone else, then that person would be able to decrypt and read your e-mails.

Is There an Easier Way?

Yes. You can obtain a basic certificate for free from a number of companies such as Comodo.

Where’s the fun in that? By creating your own certificate, you do not rely on an external party and you get to learn a little bit more along the way.

You’ve made it this far, so let’s get started.

Step 1 – Install OpenSSL

We will use OpenSSL to create a certificate authority which will then sign the certificate that we create. The latest OpenSSL toolkit is found at the OpenSSL site. If a binary distribution is needed, e.g. pre-compiled installation files for Microsoft Windows, those can be found on the OpenSSL binaries page.

Once you’ve found the appropriate distribution for your operating system, please proceed with the installation instructions provided with that distribution.

I am using a Windows distribution so portions of this post may be specific to that operating system. Please also note that I have installed OpenSSL in the c:\openssl\ directory.

Step 2 – Create an OpenSSL Configuration File

Now that OpenSSL is installed, a configuration file is needed. If openssl.exe is executed at this point without the configuration file in place, the message WARNING: can’t open config file: /usr/local/ssl/openssl.cnf may be received.

NOTE: This step may no longer be necessary. In April 2020, I tested these steps using a newer build of OpenSSL and the basic configuration file in this build already incorporates the required extensions. If the basic configuration file has these extensions and you also include this smime.cnf, then you’ll get an error in Step 7.

Create a new file named smime.cnf containing the following configuration. The contents of the file follow the x509 certificate extension configuration format. For more information about the format and content, please review x509 v3 configuration page. The [req] and [req_distinguished_name] sections are generally part of any standard OpenSSL configuration file. Some distributions include a default configuration file that includes some version of these sections. I included them specifically in this configuration file because I was receiving an error message stating unable to find ‘distinguished_name’ in config and this resolved the error. The [smime] section is the important section for this exercise because it sets the appropriate extensions for an S/MIME certificate.

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[smime]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = email:copy
extendedKeyUsage = emailProtection

Next, we will need to set the OPENSSL_CONF environment variable to reference the new configuration file. Setting this environment variable will eliminate the warning message mentioned earlier. This part is Windows specific. Recall that I have installed OpenSSL in the c:\openssl\ directory, named the configuration file smime.cnf, and saved it in the c:\openssl\ directory.

Open a command prompt window and be sure to Run as administrator if you are on Windows. Execute the following command:

set OPENSSL_CONF=c:\openssl\smime.cnf

When openssl.exe is executed, there is no warning message and the OpenSSL> prompt is displayed. Type exit and you’ll be returned to the c:\openssl\> prompt.

Step 3 – Generate an RSA Private Key for the Certificate Authority

In this post, we are creating a new certificate authority to sign personal certificates. Execute the following command to generate the RSA private key for the new certificate authority:

openssl genrsa -aes256 -out ca.key 4096

The options specify to use the aes256 encryption cipher and output the results to a file named ca.key with a size of 4096 bits. Please be aware that the corresponding public key is derived from this private key. No extra step or command is required to generate the public key.

The following message will be displayed. Follow the prompts to create a pass phrase for this key. Remember this pass phrase for subsequent steps.

Generating RSA private key, 4096 bit long modulus
.....................................................................................................................................................................................................................................++++
.................................................................................++++
e is 65537 (0x010001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

Step 4 – Create Self-Signed Certificate for the Certificate Authority

Execute the following command to generate the new self-signed certificate for the certificate authority:

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

The -x509 option outputs a self-signed certificate instead of a certificate request. The -days 3650 option specifies that the generated certificate is certified for 10 years (ignoring leap years). The -key option specifies the private key to use. We will use the private key (ca.key) that was created in Step 3 and output the self-signed certificate to a file named ca.crt.

Follow the displayed prompts. You will need to use the pass phrase from Step 3. I have left most fields blank by simply entering a . character. I have provided example entries below between the brackets following the prompts. Please change the values to meet your own particular needs. Do not include the brackets in your entries.

Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:[.]
State or Province Name (full name) [Some-State]:[.]
Locality Name (eg, city) []:[.]
Organization Name (eg, company) [Internet Widgits Pty Ltd]:[TEST COMPANY]
Organizational Unit Name (eg, section) []:[.]
Common Name (e.g. server FQDN or YOUR name) []:[TEST COMPANY CERTIFICATE AUTHORITY]
Email Address []:[.]

The certificate authority has been created. Now, we will begin creating the personal certificate for a particular e-mail address.

Step 5 – Generate an RSA Private Key for the Personal E-Mail Certificate

Similar to Step 3, we will need to create a new private key. This private key is for your personal certificate instead of the certificate authority. Again, please be aware that the corresponding public key is derived from this private key. No extra step or command is required to generate the public key.

Execute the following command:

openssl genrsa -aes256 -out smime_test_user.key 4096

When prompted, enter a pass phrase that is different from the one used in the certificate authority private key.

Generating RSA private key, 4096 bit long modulus
............++++
.............................++++
e is 65537 (0x010001)
Enter pass phrase for smime_test_user.key:
Verifying - Enter pass phrase for smime_test_user.key:

Step 6 – Create the Certificate Signing Request

Now that we have a personal private key, we will need to create a certificate signing request. This command looks similar to Step 4 where we created a self-signed certificate for the certificate authority. In this step, however, the options are slightly different because we are creating a certificate signing request instead of a self-signed certificate. We are creating a certificate signing request because we will use the certificate authority to sign the certificate.

Execute the following command:

openssl req -new -key smime_test_user.key -out smime_test_user.csr

When prompted, enter the pass phrase used to create the private key in Step 5. Again, I have left most fields blank by simply entering a . character. I have provided example entries below between the brackets following the prompts. The example uses a fake person named Test User with an e-mail address of test_user@dalesandro.net. As always, please change the values to meet your own particular needs. Do not include the brackets in your entries.

Please note that the Common Name used in this step should be different from the one used in Step 4. I also didn’t set a challenge password or company name in the final two entries.

Enter pass phrase for smime_test_user.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:[.]
State or Province Name (full name) [Some-State]:[.]
Locality Name (eg, city) []:[.]
Organization Name (eg, company) [Internet Widgits Pty Ltd]:[TEST COMPANY]
Organizational Unit Name (eg, section) []:[.]
Common Name (e.g. server FQDN or YOUR name) []:[Test User]
Email Address []:[test_user@dalesandro.net]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 7 – Sign the Certificate Using the Certificate Authority

At this point, we are finally creating the personal self-signed certificate. We will use the configuration file we created in Step 2 to set the necessary extensions and we will use the certificate authority to sign the new personal certificate.

Execute the following command:

openssl x509 -req -days 3650 -in smime_test_user.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime_test_user.crt -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout -extfile smime.cnf -extensions smime

NOTE: As mentioned in Step 2, if the build already has a proper configuration file then the smime.cnf file created in Step 2 is unnecessary and the last two parameters should be excluded from the command, i.e. remove “-extfile smime.cnf -extensions smime”.

When prompted, enter the pass phrase for the certificate authority private key from Step 3.

Signature ok
subject=O = TEST COMPANY, CN = Test User, emailAddress = test_user@dalesandro.net
Getting CA Private Key
Enter pass phrase for ca.key:

Step 8 – Package the Certificate into the PKCS12 Format

After all of that work, I imagine you’ll want to use your new self-signed digital certificate to send e-mail. Many e-mail clients will need the certificate packaged in a standard format. This step bundles the necessary files into the PKCS12 format.

Execute the following command:

openssl pkcs12 -export -in smime_test_user.crt -inkey smime_test_user.key -out smime_test_user.p12

When prompted, enter the pass phrase associated with your personal private key created in Step 5. You will also create another pass phrase which will be used to import the P12 file into an e-mail client.

Enter pass phrase for smime_test_user.key:
Enter Export Password:
Verifying - Enter Export Password:

Closing Thoughts

You now have your very own self-signed S/MIME certificate which can be used to send signed e-mails. This also allows others to send you encrypted e-mails by using your public key. Once your recipients provide you with their public keys, then you’ll be able to send encrypted e-mails to them as well.