SMIME signature and encryption details

Hello,

I have been testing CipherMail for a short while now and I am interested to see
whether my emails (inbound and outbound) are signed and encrypted in an EDI-compliant way.
Currently I am only able to see through the logs whether the email is
signed/decrypted/encrypted correctly.
But I am not able to see whether this was EDI compliant.

Is there any way to be sure that compliance is met?

Kind regards,
Tom

Hello Martijn,

Thank you for your detailed answer.
Yes, I mean EDI(a)energy, and I must have overlooked the log details showing that the
padding is included in the message.
This can be parsed easily, which is enough in my opinion.

Thank you for your help.

Kind regards,
Tom


On Mon, 15 June 2020 at 14:51, Martijn Brinkers <martijn(a)ciphermail.com> wrote:

> I am testing ciphermail now for a short while and I am interested to see
> if my emails (inbound and outbound) are EDI compliant signed and
> encrypted.
> Currently I am only able to see if the email is
> signed/decrypted/encrypted correctly through the logs.
> But I am not able to see if this was EDI compliant.
>
> Is there any way to be sure that the compliance is given?

With EDI compliant you mean EDI(a)energy compliant? So, RSASSA-PSS
algorithm for signing and RSAES-OAEP for encryption?

The following line is logged when the email is signed:

INFO Message was S/MIME signed. Signing algorithm:
SHA256WithRSAAndMGF1; Sign mode: clear; MailID:
b91b9438-1fde-4da0-bce7-f1033b88aa93; Recipients: [test(a)example.com]
(mitm.application.djigzo.james.mailets.SMIMESign) [Spool Thread #2]

The "Signing algorithm" tells you which algorithm was used for signing,
which in this case is SHA256WithRSAAndMGF1 (i.e. RSA-PSS).

The following line is logged when the email is encrypted:

INFO Message was S/MIME encrypted. Encryption algorithm: AES128; Key
size: 128; Encryption Scheme: RSAES-OAEP-SHA256; MailID:
b91b9438-1fde-4da0-bce7-f1033b88aa93; Recipients: [test(a)example.com]
(mitm.application.djigzo.james.mailets.SMIMEEncrypt) [Spool Thread #2]

The "Encryption Scheme" tells you which padding algorithm is used. In
this case RSAES-OAEP-SHA256 is used.

For received email, the headers of the email should contain the relevant
info after decryption. This is, however, a bit harder to analyze:

X-Djigzo-Info-Encryption-Recipient-0-0: EMAILADDRESS=ca(a)example.com, CN=MITM Test CA, L=Amsterdam, ST=NH, C=NL/115FCD741088707366E9727452C9770//1.2.840.113549.1.1.7/OAEP Parameters

The X-Djigzo-Info-Encryption-Recipient- parameters are formed as follows:

ISSUER/SERIAL-NUMBER/SUBJECT-KEY-IDENTIFIER/KEY-ENCRYPTION-ALGORITHM-OID/ALGORITHM-PARAMS

From the above example

ISSUER: ca(a)example.com, CN=MITM Test CA, L=Amsterdam, ST=NH, C=NL

SERIAL-NUMBER: 115FCD741088707366E9727452C9770

SUBJECT-KEY-IDENTIFIER: <not set>

KEY-ENCRYPTION-ALGORITHM-OID: 1.2.840.113549.1.1.7 (which is the OID for
RSAES-OAEP)

ALGORITHM-PARAMS: OAEP Parameters (meaning that there are additional
parameters for OAEP)

For decrypted email you can have multiple headers, one for each
recipient the email was encrypted for. It can be that some recipients
support RSAES-OAEP whereas others do not.

The headers for signing are added in a similar way:

X-Djigzo-Info-Signer-ID-0-1: EMAILADDRESS=ca(a)example.com, CN=MITM Test CA, L=Amsterdam, ST=NH, C=NL/115FD1392A8FF07AA727558FA50B262//1.2.840.113549.1.1.10

The X-Djigzo-Info-Signer-ID- parameters are formed as follows:

ISSUER/SERIAL-NUMBER/SUBJECT-KEY-IDENTIFIER/SIGNING-ALGORITHM-OID

ISSUER: ca(a)example.com, CN=MITM Test CA, L=Amsterdam, ST=NH, C=NL

SERIAL-NUMBER: 115FD1392A8FF07AA727558FA50B262

SUBJECT-KEY-IDENTIFIER: <not set>

SIGNING-ALGORITHM-OID: 1.2.840.113549.1.1.10 (which is the OID for
RSASSA-PSS)

Email which is encrypted with a different padding algorithm or signing
algorithm uses different OIDs.

Hope this helps.

Kind regards,

Martijn Brinkers

--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF encryption and secure webmail pull.

W: https://www.ciphermail.com/
E: info(a)ciphermail.com
T: +31 20 290 0088
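As an added check (example code written for this page, not CipherMail's own code), the log lines and the X-Djigzo-Info-* headers Martijn describes can be parsed with a small script: it grades each SMIMESign/SMIMEEncrypt log line by its algorithm name, unfolds each X-Djigzo-Info-Encryption-Recipient-* and X-Djigzo-Info-Signer-ID-* header, splits it into ISSUER/SERIAL/SKI/OID[/PARAMS] and compares the OID with RSAES-OAEP (1.2.840.113549.1.1.7) and RSASSA-PSS (1.2.840.113549.1.1.10). The sample log lines and the sample message are constructed from the examples in the thread (with the archive's "(a)" written as "@"); the second recipient entry with OID 1.2.840.113549.1.1.1 (rsaEncryption, i.e. PKCS#1 v1.5 key transport) and the "SHA256WithRSA" log line are hypothetical inputs added to show a failing check, and the tolerance for a recipient entry without a trailing PARAMS field is the script's assumption, not something the thread states.

```python
"""Added example, not CipherMail code: grade CipherMail log lines and
X-Djigzo-Info-* headers against the EDI@energy algorithms (RSASSA-PSS for
signing, RSAES-OAEP for key transport). Sample inputs are constructed."""
import re
from email import message_from_string

OID_RSAES_OAEP = "1.2.840.113549.1.1.7"    # RSAES-OAEP
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"   # RSASSA-PSS

# Names CipherMail writes to the SMIMESign/SMIMEEncrypt log lines in the thread.
COMPLIANT_SIGN_ALGS = {"SHA256WithRSAAndMGF1"}   # RSA-PSS, SHA-256 with MGF1
COMPLIANT_ENC_SCHEMES = {"RSAES-OAEP-SHA256"}

SIGN_LOG_RE = re.compile(r"S/MIME signed\. Signing algorithm: (?P<alg>[^;]+);"
                         r".*?MailID: (?P<mailid>[^;]+);")
ENC_LOG_RE = re.compile(r"S/MIME encrypted\..*?Encryption Scheme: (?P<alg>[^;]+);"
                        r".*?MailID: (?P<mailid>[^;]+);")
OID_RE = re.compile(r"\d+(\.\d+)+")


def check_log_line(line):
    """Verdict for one SMIMESign/SMIMEEncrypt log line; None for other lines."""
    m = SIGN_LOG_RE.search(line)
    if m:
        return {"mailid": m["mailid"], "kind": "signed", "algorithm": m["alg"],
                "compliant": m["alg"] in COMPLIANT_SIGN_ALGS}
    m = ENC_LOG_RE.search(line)
    if m:
        return {"mailid": m["mailid"], "kind": "encrypted", "algorithm": m["alg"],
                "compliant": m["alg"] in COMPLIANT_ENC_SCHEMES}
    return None


def parse_info_header(name, value):
    """Split an unfolded X-Djigzo-Info-Encryption-Recipient-* value
    (ISSUER/SERIAL/SKI/OID/PARAMS) or X-Djigzo-Info-Signer-ID-* value
    (ISSUER/SERIAL/SKI/OID) into its fields and judge the OID.
    Fields are split from the right so a '/' inside the issuer DN stays in the
    issuer; a recipient entry without a PARAMS field is tolerated (assumption,
    the thread only shows the OAEP case). The OID field is sanity-checked so a
    misaligned split raises instead of silently passing."""
    lname = name.lower()
    if lname.startswith("x-djigzo-info-encryption-recipient-"):
        parts = value.rsplit("/", 4)
        if len(parts) == 4:          # no PARAMS field present
            parts.append("")
        kind, wanted = "encrypted", OID_RSAES_OAEP
    elif lname.startswith("x-djigzo-info-signer-id-"):
        parts = value.rsplit("/", 3) + [""]
        kind, wanted = "signed", OID_RSASSA_PSS
    else:
        return None
    if len(parts) != 5 or not OID_RE.fullmatch(parts[3]):
        raise ValueError(f"unexpected field layout in {name}: {value!r}")
    issuer, serial, ski, oid, params = parts
    return {"header": name, "kind": kind, "issuer": issuer.strip(),
            "serial": serial, "ski": ski or None, "oid": oid,
            "params": params, "compliant": oid == wanted}


def check_message(raw):
    """One verdict per X-Djigzo-Info-* header of a decrypted message.
    CipherMail folds long values over several lines, so unfold them first."""
    msg = message_from_string(raw)
    verdicts = []
    for name, value in msg.items():
        unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
        verdict = parse_info_header(name, unfolded)
        if verdict is not None:
            verdicts.append(verdict)
    return verdicts


def all_compliant(verdicts):
    """True only if every signer and recipient entry carries the wanted OID."""
    return bool(verdicts) and all(v["compliant"] for v in verdicts)


# Constructed sample log lines: the two from the thread plus a hypothetical
# non-PSS signing line (the "SHA256WithRSA" name is assumed) to show a failure.
SAMPLE_LOG = [
    "INFO Message was S/MIME signed. Signing algorithm: SHA256WithRSAAndMGF1; "
    "Sign mode: clear; MailID: b91b9438-1fde-4da0-bce7-f1033b88aa93; "
    "Recipients: [test@example.com] (mitm.application.djigzo.james.mailets.SMIMESign)",
    "INFO Message was S/MIME encrypted. Encryption algorithm: AES128; Key size: 128; "
    "Encryption Scheme: RSAES-OAEP-SHA256; MailID: b91b9438-1fde-4da0-bce7-f1033b88aa93; "
    "Recipients: [test@example.com] (mitm.application.djigzo.james.mailets.SMIMEEncrypt)",
    "INFO Message was S/MIME signed. Signing algorithm: SHA256WithRSA; Sign mode: clear; "
    "MailID: 00000000-0000-4000-8000-000000000001; Recipients: [other@example.com]",
]

# Constructed decrypted message: the recipient and signer headers from the
# thread, folded as in the archive, plus a hypothetical second recipient entry
# (made-up serial) whose key transport OID is rsaEncryption, not OAEP.
SAMPLE_MESSAGE = """\
From: test@example.com
To: tom@example.com
Subject: EDI test
X-Djigzo-Info-Encryption-Recipient-0-0: EMAILADDRESS=ca@example.com,
 CN=MITM
 Test CA, L=Amsterdam, ST=NH,
 C=NL/115FCD741088707366E9727452C9770//1.2.840.113549.1.1.7/OAEP Parameters
X-Djigzo-Info-Encryption-Recipient-0-1: EMAILADDRESS=ca@example.com, CN=MITM Test CA,
 L=Amsterdam, ST=NH, C=NL/0123456789ABCDEF//1.2.840.113549.1.1.1/
X-Djigzo-Info-Signer-ID-0-1: EMAILADDRESS=ca@example.com, CN=MITM Test CA,
 L=Amsterdam, ST=NH,
 C=NL/115FD1392A8FF07AA727558FA50B262//1.2.840.113549.1.1.10

(body)
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        v = check_log_line(line)
        print(f"{v['mailid']} {v['kind']:9} {v['algorithm']:22} "
              f"{'OK' if v['compliant'] else 'NOT EDI@energy'}")
    verdicts = check_message(SAMPLE_MESSAGE)
    for v in verdicts:
        print(f"{v['header']}: {v['kind']} oid={v['oid']} serial={v['serial']} "
              f"{'OK' if v['compliant'] else 'NOT EDI@energy'}")
    print("message compliant:", all_compliant(verdicts))
```

The log check covers outbound mail (what the gateway did), the header check covers inbound mail (what the sender did); a message only passes when every recipient entry and every signer entry carries the expected OID, which matters because, as noted above, one message can be encrypted to several recipients with different key transport schemes. The names of non-PSS or non-OAEP algorithms as CipherMail logs them are not shown in the thread, so the script treats anything other than the two known-good names as non-compliant rather than trying to enumerate the bad ones.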