Preparing the Keychain
This step is optional, but I recommend that you follow it. Indeed, although most users use the Keychain without even thinking about it, this application has some features that can greatly enhance the security of your data.
A Keychain is, in fact, an encrypted file that contains sensitive information like passwords, secure notes, and yes, private keys.
When you log in, Mac OS X's default behavior is to "unlock" the keychain. In other words, it decrypts the file.
When a Mac OS X application needs a password, it automatically asks the Keychain for it. If the keychain is unlocked, Mac OS X will look at the access authorizations for the password.
If it is set to "Allow all applications to access this item," it will give the password to the application silently. Or, if you have it set to "Confirm before allowing access," it will ask for your permission first.
This is a very secure system, since you can set the access authorizations yourself -- Mac OS X pre-sets them for you if you don't want to deal with this.
However, since private keys are so important, we want to keep them in a "locked keychain" (encrypted file) that we will only unlock on demand.
Sure, we could change the Mac OS X default behavior and not unlock Keychain automatically at login, but this is not convenient for our less secure passwords such as Safari auto-fills and mail accounts. For them, having the Keychain unlock itself automatically and setting access authorizations on a password-by-password basis should be enough. However, you be the judge.
Therefore, we are going to create an additional keychain where we are only going to store our certificates. In order to do so, open the "Keychain access" utility, located in the "Utilities" folder.
Then use the "File" menu to create a new Keychain. Give it a good name and click on create. The next step is to create a good keychain password. Again, this password is as important as your Thawte account password but should not be the same. You should also be able to learn it by heart since you will have to type it to use your certificates.
Here's a tip: use the Keychain Access "View" menu to select "Show status in Menu Bar." This will be handy later on.
Now that the Keychain is created, minimize the "Keychain Access" window and go back to Mozilla.
The Transfer Process
To transfer the certificate, you will first need to access the certificates manager.
In order to do so, use the "Mozilla Firebird" menu to open the "Preferences" sheet. Then click on "Advanced" and use the disclosure box located next to the "Certificates" item if needed. Finally, click on "Manage Certificates."
The window that appears will show you all your key pairs. Select the one you want to export and click on "Backup." This will tell Mozilla to package the pair into an (encrypted) file and to save a copy of it somewhere where you can access it directly.
Give the backup file a name and save it onto the Desktop. Then pick a password for it. The password can be weaker than the others -- but not too weak, of course. You do not need to write it down, but simply to remember it for 2 minutes.
Once the file is on your desktop, you can quit Mozilla. Now double-click on the file as if you wanted to open it. This will launch (or unminimize) Keychain Access and it will ask where you want to import it.
Select the Keychain that you just created and click on "OK." The Keychain will now contain your private key and the associated certificates.
Certificates contain no secrets and are made public when you send a signed mail. There is therefore no need to protect them better than what we have done.
Your private key, however, is very important. To protect it even better, we are going to restrict access to it. To do so, click on it once and select "Access control" in the bottom half of the window.
In the panel that appear, deselect "Allow all applications" and pick "Confirm before allowing access." Now, Mac OS X will prompt you for confirmation before allowing an application to access the private key, even when the Keychain is unlocked.
The most paranoid of us (in the positive sense of the term) will want to check the "Ask for keychain password" box. When this option is selected, Mac OS X will ask you for the keychain password before allowing access to the private key even when the keychain is unlocked.
There is one minor drawback that you should be aware of. With this method, when you want to send a signed mail, Mail will begin the signing process, ask for your permission before fetching the certificate, and sending the mail. If you, for any reason, deny access to the certificate, the recipient would receive a mail with a message that states that the signature wasn't verified successfully, leading him to think that the mail has been tampered with.
Finally, drag the backup file created by Mozilla to the Trash and use the "Finder" menu to "secure empty" it. If you want, you can remove the certificate from Mozilla's certificate manager -- since you do not want to keep unneeded copies of such sensitive files on your hard drive.
You can now safely quit the Keychain Access application.
Before sending signed mails, use the "Keychain" menu to unlock the keychain that contains your private key and certificates, although you can also do that on-the-fly while sending the mails. When you are done, use the menu again to lock the Keychain, greatly enhancing the security of your keys.
Now that we have gone through this lengthy process, we can go back to the typical Apple way of doing things.
It's now time to fire up Mail and to click on the "New" button to create a blank mail. Mail will automatically detect that you are the proud owner of a certificate and display a button on the top right of the mail-composing window.
If you have multiple accounts in Mail, you will need to use the "Account" pop-up menu to select the account that the certificate is associated with before being able to see the button.
The mail-composing process does not change at all. Just make sure that the button is clicked (it is filled with a dark gray color) and contains a checkmark in a black badge). This means that the message will be signed when you send it.
If you not want to sign a message, click on the button. The color lightens and the badge contains a small cross.
You can send signed message to everyone. Mail will send the message along with the necessary elements for the other computer to check your signature -- your public key.
Receiving Signed Messages
You receive signed messages like any other ones. The only difference lies in the last header of the message, displayed at the top of the window. You will see a header containing the small "Signed" badge, indicating that this is indeed a signed message.
If the message does not contain the public key or has been modified by a malicious user, a big yellow band will appear at the top of the message window, stating that Mail was unable to verify the message signature. This is usually a bad sign and should ring warning bells immediately.
As soon as you receive a signed message, Mail will import the sender's certificate into your login keychain.
Sending Encrypted Messages
Remember, to send an encrypted message, Mail needs to know the recipient's public key so that he can then decrypt it with his private key. Therefore, you can only send encrypted messages to people whose public keys you already have in your Keychain.
The easiest way to obtain someone's public key and immediately send this person encrypted messages is to ask her to send you a signed message. Upon arrival, Mail will store the certificate in the keychain and allow you to encrypt messages that you send to this person.
The process is exactly the same as when signing messages. However, this time you need to pay attention to a second button: the one with a padlock icon on it.
The padlock can be unlocked (the message won't be encrypted) or locked (the message will be encrypted).
You can send an encrypted message without signing it. However, this is not really a good thing to do since the message you are sending is probably important, and adding an authenticity check to it greatly improves the security of the transfer.
Receiving an Encrypted Message
In typical Apple fashion, receiving an encrypted message is completely transparent. When you open the message, you will immediately be able to see its contents, and this leads some users to think that the process failed.
However, the security header will state that it has been encrypted during the transfer.
Although obtaining a certificate is not the most straightforward thing in the world, it's easy enough to do, as is installing the certificates you obtain.
Apple's implementation of S/MIME support in Mail allows every user, whether they are experienced or are using a Mac for the first time, to protect the mail they are sending by encrypting them. And that's a very good thing. Indeed, using certificates will greatly increase the security of mail communications by reducing (not eliminating) the risk of impersonation, and preventing mails from being tampered with.
Talk to people about mail certificates and signing and try to use this method as often as possible. The security and comfort it provides are great and, since it can be integrated into your everyday workflow without any difficulty, it can only be an improvement. Encourage them to get certificates and to use them too.
However, you should not forget that signing a mail is like signing a piece of paper. Sure, someone can falsify your signature like someone can steal your private key, but in most countries, you are held responsible for what you sign. A signed mail comes with legal consequences and you should take every single step you can to protect your private key. For example, do not use them on shared computers. Keys are not something to play with, but they definitely are something to use when you are serious about the integrity of your written communications.
FJ de Kermadec is an author, stylist and entrepreneur in Paris, France.
Return to the Mac DevCenter