In a nutshell
s/mail is a program that protects emails from these threats. It provides email encryption and digital signatures, assuring the highest security level that is available on the market.
Other ways to gain email security, like gateway-based encryption or built-in crypto functions of mail clients, exist, but they are only good enough for low- or medium-level security. For instance, if an email is encrypted at the gateway, everyone having access to the email on its way from the client to the gateway can read it, which is normally not the intention of the author. Built-in protection functions are usually not designed (and not evaluated) to meet high security needs.
s/mail is available as a plugin for Microsoft Outlook and IBM Notes. Convenience for both users and administrators has been an important design goal in the development process of s/mail. User interaction is kept to a minimum; encryption and signing are performed automatically.
The user-interface is seamlessly integrated into the respective email client. Flexible group policies allow for easy administration and preconfiguration.
Frequently asked questions
In spite of the World Wide Web, email is still the most popular internet application. As secret information is exchanged by email, it is crucial to observe security requirements. An email can be secured in two ways, which can be combined: by encryption and by digital signature. Encryption is used to ensure confidentiality, while digital signatures assure non-repudiation. The most common way to encrypt and sign emails is based on the S/MIME standard and digital certificates, which are provided by a Public Key Infrastructure (PKI).
Emails can be secured at two locations: either on the client, where the email is written, or on a gateway. The gateway approach is the simpler one, because only one component is necessary for a whole network. For low and medium security requirements it is sufficient to operate a gateway.
However, an email protection gateway provides neither end-to-end security nor personal digital signatures. For enterprises requiring a high security level, client-based email protection is therefore a must. In theory, the native crypto functionality provided by the popular email clients can be used for this purpose, but usually these tools don’t have the security evaluations required by organizations with high security needs. Instead, evaluated add-ons (plug-ins) have to be used.
s/mail is used (among others) by the following customers:
- Armed Forces: Apart from the German Armed Forces several military organizations
in other countries use s/mail.
- German defense corporation: As a supplier of the German Armed Forces this corporation
- IT company: An international IT company, which is active in the military sector, uses
s/mail for their communication with the German Armed Forces.
- Windows Vista, Windows 8 / 8.1 or Windows 10
- IBM Notes or Microsoft Outlook
- Smart card reader or USB port
s/mail has a modular architecture
The architecture of s/mail is strictly modular. During development much effort was spent on flexible core components, which minimize platform dependencies. In s/mail’s architecture, these core components take center stage. They implement all cryptographic functions including encryption and digital signatures, decryption and signature verification. The core components also handle certificate verification including chain building. Both certificate revocation lists (via LDAP or HTTP) and OCSP are supported.
s/mail uses its own certificate database, which follows the CDSA architectural guidelines (invented by Intel). The core components access private keys, e.g. on a smart card. They also include cryptographic libraries that are responsible for creating emails according to the S/MIME standard. In addition, a MIME library is included in the core components to compute the unencrypted body of an email.
Besides the core components, s/mail also includes a platform-specific part. This component is responsible for handling the communication between the email client and the core components. It accepts the email to be S/MIME encoded and passes it to the core components. In the other direction, it passes the S/MIME email to the email client, which sends the now S/MIME-encoded email out.
s/mail is one of the most powerful and secure client-based email encryption solutions on the market. As a plugin for Microsoft Outlook or IBM Notes it integrates seamlessly into the respective email client.
As the only solution of its kind, s/mail has permission from the German authorities for “VS – Nur für den Dienstgebrauch”, NATO Restricted, and EU Restricted data.
s/mail includes administration via group policies. Administrators can determine which functionality and options are available to users. An administrator can even define which level of security a user has to meet.
Standardized Cryptography
s/mail uses standardized symmetric and asymmetric cryptography, including key exchange and digital signatures based on digital certificates. The certificates used are usually provided by a Public Key Infrastructure. s/mail follows well-known standards, for instance S/MIME, X.509, and PKCS#11.
Smart Card Support
s/mail includes powerful smart card support. Digital certificates on a card chip are automatically detected and registered. Upon removal of the smart card, automatic deregistration is possible. Smart cards are utilized either natively or through the PKCS#11 interface. After an initial configuration through Windows GPO, no user interaction is required.
Digital Signatures
s/mail supports digital signatures created by a smart card. The validity of such signatures and the corresponding certificates is validated according to the PKIX standard and certificate status information provided by LDAP, HTTP or OCSP.
As s/mail is a plugin, users have to adjust only to minimal changes in their work with emails. Most of the cryptographic processes are computed without user interaction. In some cases users have to provide the PIN of their smart card.
s/mail supports a powerful message recovery, handles even unusual digital certificate variants, and offers many other
- Permission for “VS – Nur für den Dienstgebrauch”, NATO Restricted, and EU Restricted data
- OCSP Support
- Smart Cards (PKCS#11)
- ECC Support
- Management Tool
- Group Mailboxes
- Configurable CRL Management
- Flexible Group Policies
- PKI Support
- Message Recovery
The German Armed Forces (Bundeswehr) is the biggest IBM Notes user in Germany and also uses Microsoft Outlook. It goes without saying that encryption is essential for such an organization. As the native encryption function of IBM Notes neither had an appropriate security evaluation nor provided the range of functionality required by the Bundeswehr, it could not be used. It turned out that s/mail was the only suitable alternative. s/mail is client-based, available for IBM Notes, provides high security, and has a number of practical features. In a process of several years, the Bundeswehr evaluated s/mail. As a consequence, cryptovision implemented several additional features and made some changes in the software, which made s/mail an even more powerful solution. s/mail was evaluated for national military use by the German authorities (meanwhile it even has “VS – Nur für den Dienstgebrauch”, NATO Restricted and EU Restricted permission). There is no other crypto product with such a certification on the market. In 2007 the Bundeswehr purchased an enterprise license of s/mail.