Hack 28. Send and Receive S/MIME Encrypted Emails
By default, you won't be able to view any S/MIME messages on your BlackBerry. Here's how to set up your device to be able to view them.
While all communication between your device and your server is encrypted, the emails that you compose and receive end up as plain text when they're ultimately sent across the public parts of the Internet. S/MIME solves this problem by providing a way to send signed and encrypted emails across the Internet. S/MIME ensures that, in emails that are digitally signed, the sender is who she says she is, and the content wasn't altered in transit. Encrypted emails are encrypted using the recipient's public key, guaranteeing that the content can be decrypted only with the recipient's private key.
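To show what those two guarantees amount to in practice, here is an added example (not from the book, and not RIM's software) that exercises them with the openssl command line: Alice signs, Bob is the recipient, and the self-signed test certificates and the message body are all constructed locally. It assumes only that openssl is installed.

```shell
#!/bin/sh
# Added example, not from the book: S/MIME encryption to the recipient's public key
# and signature verification, using openssl. Assumes openssl is on the PATH.
# Alice is the sender, Bob the recipient; both certificates are self-signed
# test certificates generated here, standing in for ones published by a PKI.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

mkcert() {  # $1 = name, $2 = email: private key plus self-signed cert (test only)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1/emailAddress=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
mkcert alice alice@example.test
mkcert bob bob@example.test
printf 'The quarterly figures are attached.\n' > msg.txt   # constructed message body

# Encrypt to Bob's certificate: the content can only be opened with Bob's private key.
openssl smime -encrypt -aes256 -in msg.txt -out enc.p7m bob.crt

# Try to decrypt with a given private key / certificate pair; prints ok or fail.
decrypt_with() {  # $1 = private key, $2 = matching certificate
  openssl smime -decrypt -in enc.p7m -inkey "$1" -recip "$2" -out dec.txt 2>/dev/null \
    && grep -q 'quarterly figures' dec.txt && echo ok || echo fail
}

# Clear-sign as Alice (multipart/signed: body stays readable, signature is a separate part).
openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key -out signed.eml
# Simulate alteration in transit: change one word of the signed body.
sed 's/quarterly/annual/' signed.eml > tampered.eml

# Verify a signed message against a trust anchor; prints ok or fail.
verify_signed() {  # $1 = message file, $2 = trusted certificate
  openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null && echo ok || echo fail
}

echo "decrypt with Bob's key:        $(decrypt_with bob.key bob.crt)"         # ok
echo "decrypt with Alice's key:      $(decrypt_with alice.key alice.crt)"     # fail
echo "verify intact, trust Alice:    $(verify_signed signed.eml alice.crt)"   # ok
echo "verify tampered, trust Alice:  $(verify_signed tampered.eml alice.crt)" # fail
echo "verify intact, trust only Bob: $(verify_signed signed.eml bob.crt)"     # fail
```

The last check is the one the LDAP certificate lookup later in this hack feeds: the signature only proves who sent the message if the signer's certificate chains to something you already trust.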
By default, the BlackBerry can't read emails sent using S/MIME. However, if you're using a BlackBerry Enterprise Server, there is an additional software package you can purchase from RIM that allows you to send and receive S/MIME encrypted emails. You can even wirelessly retrieve the digital certificates of users to whom you'd like to send encrypted email via an LDAP server.
2.8.1. Install the BlackBerry S/MIME Support Pack
When you originally installed your BlackBerry Desktop Manager, there was an optional component called Certificate Synchronization that you may or may not have installed. If you did not, you'll need to go through Add/Remove Programs in Control Panel and modify the BlackBerry Desktop Manager installation to ensure that the option is selected (see Figure 2-11).
Figure 2-11. The Certificate Synchronization custom option
After you have installed the Certificate Synchronization option, you'll have another icon in Desktop Manager (see Figure 2-12), where you'll configure various options related to S/MIME. You'll also need to go through Application Loader to load the updated S/MIME libraries on your device. This will add a couple items into your device Options and set up your mail program with the ability to send messages using S/MIME.
Figure 2-12. The Certificate Sync icon in BlackBerry Desktop Manager
You'll need to purchase another software package directly from your RIM representative called the BlackBerry S/MIME Support Package. This is a separate installation that you need to run on your computer. It will install the libraries on your BlackBerry that allow you to send and receive S/MIME email messages.
2.8.2. BES Configuration
The BlackBerry Enterprise Server that your device is homed on will have to have S/MIME enabled as well. In the BlackBerry MMC, ensure that the "Support S/MIME encrypted messages on this server" option is checked, as shown in Figure 2-13.
Figure 2-13. Enabling S/MIME on your BlackBerry Enterprise Server
2.8.3. Import Your Personal Certificates to Your Device
Once you have loaded the software and made sure your BlackBerry environment is set up for S/MIME, you will need to load your certificates into your device's key store. Bring up the certificate synchronization tool by double-clicking the Certificate Sync icon in Desktop Manager.
First off, you'll need to add your private key to the BlackBerry key store. Click the Import Certificate button (see Figure 2-14), browse for your private key certificate, and select it. It will be imported into the key store and then synchronized with your device.
Figure 2-14. Importing a private key
2.8.4. Import Other People's Certificates over USB
To send encrypted email to other people, you need to encrypt the contents with their public key. This encryption takes place on your BlackBerry, so you will have to get those users' public keys onto your device.
There are a couple of ways to do this:
The first option is certainly the easiest, if it's available to you. Most Public Key Infrastructure (PKI) deployments have LDAP interfaces for accessing other users' public keys. This provides a convenient way to send encrypted email to someone with whom you haven't explicitly exchanged keys. Making users' certificates available via LDAP alleviates the key exchange problem that plagued PKI in its infancy.
To import a certificate that is stored on an LDAP server, you will need to define the settings describing the LDAP connection. Click Options in the Certificate Sync tool and go to the LDAP Servers tab. Click the Add button to add a new LDAP server.
Enter a descriptive name for the Friendly Name field in the dialog box, as shown in Figure 2-15. The Base Query defines the search base, which will be different for each domain that the LDAP server is able to search.
If your certificates are stored in an Active Directory domain, then, by default, you will have to set the Authentication Type to Simple and use your Windows domain credentials to bind to the LDAP server.
Figure 2-15. Defining the LDAP connection properties
Once you've defined an LDAP connection, click OK to return to the Certificate Sync tool. Go to the Other People's Certificates tab to import other certificates to sync with your BlackBerry. You can then use the Find in LDAP button to search for certificates stored in the LDAP server you specified. When you find a certificate you would like to have available on your BlackBerry, select the entry from the search results and click the Mark for addition button, as shown in Figure 2-16.
Figure 2-16. Adding another user's certificate using LDAP
Once you've added the certificates you'd like to have available on your BlackBerry, click the Synchronize button to load the certificates onto your BlackBerry's key store through the USB cable. Your key store on your device is secured by a password that is defined when you use the Certificate Sync tool (shown in Figure 2-17) the first time. When you synchronize your certificates in Desktop Manager, you will be prompted for this password. This is different from the password for unlocking your device (which you should have set!), which you are also prompted for when you synchronize. The first time you do this, it can be confusing to determine which password you're being prompted for. Read carefully to ensure you are entering the correct one.
Figure 2-17. Setting your new key store password
2.8.5. Import Certificates via LDAP Wirelessly
You can also do certificate queries and lookups wirelessly from your device. To enable this functionality, your BES administrator will need to set up some LDAP settings similar to what you set up in your client. The configuration screen is shown in Figure 2-18. When these settings are changed, the MDS service will need to be restarted.
Figure 2-18. MDS LDAP settings for wireless certificate lookups
Once your BlackBerry Enterprise Server is set up with the proper LDAP settings, you'll be able to retrieve the certificates for a user with whom you haven't already exchanged keys. When you are composing a message, choose the type of message you'd like to send; if there isn't a certificate for the recipient on your device, the device will automatically do a wireless lookup and try to retrieve the recipient's public key.
Once your server is configured, you can perform wireless certificate searches from your device (see Figure 2-19). You can add certificates as you compose a message on your device or you can import certificates into your device using the Certificates program in Options.
Figure 2-19. Searching for a certificate from your device (image courtesy of Research In Motion, Limited)