Email encryption - S/MIME protocol

  • Release version: Xanadu
  • Updated August 1, 2024

    Summary of Email encryption - S/MIME protocol

    Secure/Multipurpose Internet Mail Extensions (S/MIME) is an end-to-end encryption protocol designed to send digitally signed and encrypted emails. It ensures data confidentiality, authenticity, and integrity, protecting email communication between senders and recipients.


    ServiceNow administrators with appropriate privileges can enable and configure S/MIME to secure outbound and inbound emails within the platform.

    Key Features

    • Digital Signatures and Verification: S/MIME uses digital signatures to verify the sender’s identity, confirming that the message is unaltered and genuinely from the stated sender.
    • Message Encryption and Decryption: Email content is encrypted so only authorized recipients with the correct private key can decrypt and read the message, ensuring confidentiality and data integrity.
    • Public Key Cryptography: S/MIME employs asymmetric cryptography with key pairs (private and public keys). Each user has a private key kept secret and shares a public key with correspondents. Public keys are exchanged via digital certificates.
    • Digital Certificates: These certificates, issued by a Certification Authority (CA), validate the public keys and provide identity information. They are time-limited and essential for secure key exchange.
    • ServiceNow Integration:
      • Outbound emails: The sender’s private key signs emails; recipients verify with the sender’s public key. For encryption, the sender uses recipients’ public keys.
      • Inbound emails: The sender signs with their private key; ServiceNow verifies with the sender’s public key. Incoming encrypted emails are decrypted with the ServiceNow instance’s private key.

    Practical Considerations for ServiceNow Customers

    • S/MIME requires all participants (senders and recipients) to have S/MIME enabled and exchange public keys through digital certificates.
    • ServiceNow does not provide S/MIME certificates; customers must obtain certificates from third-party providers.
    • Activation of S/MIME in ServiceNow is done via the com.glide.email.smime plugin, which requires admin role.
    • Understanding of digital signatures, encryption/decryption, and key management is essential to leverage full S/MIME capabilities.

    Expected Outcomes

    By enabling S/MIME in ServiceNow, customers enhance the security of their email communications through verified sender identities and encrypted message content. This reduces risks of impersonation, tampering, and unauthorized access, meeting enterprise security and compliance requirements for email confidentiality and integrity.

    Secure/Multipurpose Internet Mail Extensions (S/MIME) is an end-to-end encryption protocol for sending digitally signed and encrypted emails that supports data confidentiality, authenticity, and integrity.

    Introduction to S/MIME

    An administrator with the required privileges can enable and configure S/MIME. Using the full capabilities of S/MIME requires an understanding of the following:
    • Digital signatures and signature verification
    • Message encryption and decryption
    • Public key
    • Digital certificates

    Digital signatures and verification

    With a digital signature, S/MIME verifies the identity of the sender of the email. This verification ensures the following:
    • Message in the email is the exact message sent by the sender.
    • Message is received from the right sender and not someone pretending to be the sender.

    Message encryption and decryption

    S/MIME uses encryption to protect the content of the email, which ensures that only the intended receiver can decrypt the content. Encryption transforms the content into ciphertext that cannot be read or understood until it is decrypted. Message encryption helps with the two key security factors of confidentiality and data integrity.

    Public key

    S/MIME uses key pairs and asymmetric cryptography. The private key in a key pair belongs only to its owner and is never shared, so any use of that private key is attributable to its owner.

    Public key cryptography ensures secure communication between the sender and the receiver. Both have a key pair, with one key being private and the other public.

    Public keys are shared between the sender and the receiver. A public key is paired to exactly one private key, so a valid signature or a successful decryption identifies that paired private key and no other. A public key can be used by multiple recipients.

    A key pair can be used to
    • Sign and verify a signature
    • Encrypt and decrypt the content of an email

    S/MIME digital signatures and encryption require each sender and recipient to have S/MIME enabled. They also need to send or exchange public keys through digital certificates to identify each other.

    For more information about key management and the cryptographic module, see Key Management Framework Reference.

    Digital certificates

    Digital certificates help in delivering the public key in the key pair. A digital certificate is a digital credential that provides information about the identity, validity, and any other required information. Digital certificates are issued by a certification authority (CA) and are valid for only a specific period of time.
    Note:
    ServiceNow® does not provide S/MIME certificates for ServiceNow mail infrastructure users. Users should get their S/MIME certificates issued by third-party S/MIME certificate solution providers.

    S/MIME outbound emails

    Signing outbound mails

    The ServiceNow AI Platform uses the private key of the sender (the instance email account) to sign outbound mail, and the receiver uses the sender's public key to verify the signature.

    Encrypting outbound mails

    The ServiceNow AI Platform uses public keys of the recipients to encrypt the emails and every recipient uses their private key to decrypt the email.

    S/MIME for inbound email

    Signature verification for inbound mails

    The sender uses a private key to sign the email and the ServiceNow AI Platform uses the public key of the sender to verify the signature.

    Decrypting inbound mails

    The sender uses the instance's public key to encrypt the email and the ServiceNow AI Platform uses the instance's private key to decrypt the email.
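The four operations described in the outbound and inbound sections above, run end to end with openssl cms as an added example (not ServiceNow's code or configuration). It assumes openssl is installed; two self-signed certificates with placeholder identities stand in for the instance and a recipient, where a real deployment would use CA-issued S/MIME certificates.

```shell
#!/bin/sh
# Added example (not ServiceNow's code): sign, verify, encrypt and decrypt an
# email body with openssl cms, the way the page describes S/MIME mail flow.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed identities: one key pair and self-signed certificate per party.
# Placeholder names; production certificates come from a CA.
for party in instance recipient; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$party@example.com" -addext "extendedKeyUsage=emailProtection" \
    -keyout "$party.key" -out "$party.crt" 2>/dev/null
done

# Constructed notification body.
printf 'Status of your incident changed to Resolved.\n' > body.txt

# Outbound signing: the instance's private key signs; its cert travels along.
sign_outbound() {
  openssl cms -sign -in body.txt -signer instance.crt -inkey instance.key -out signed.eml
}

# Inbound verification: the receiver checks the signature with the sender's
# public key. -CAfile trusts the self-signed cert directly; real deployments
# trust the issuing CA chain instead.
verify_signature() {
  openssl cms -verify -in "$1" -CAfile instance.crt -out verified.txt 2>/dev/null
}

# Integrity: changing one word of the signed text must make verification fail.
tampered_is_rejected() {
  sed 's/Resolved/Closed/' signed.eml > tampered.eml
  if verify_signature tampered.eml; then return 1; else return 0; fi
}

# Outbound encryption: only the recipient's public key (certificate) is needed.
encrypt_outbound() {
  openssl cms -encrypt -binary -aes256 -in body.txt -out encrypted.eml recipient.crt
}

# Inbound decryption: only the matching private key recovers the body.
decrypt_inbound() {
  openssl cms -decrypt -in encrypted.eml -recip recipient.crt -inkey recipient.key -out decrypted.txt
}

sign_outbound && verify_signature signed.eml && echo "signature verified"
tampered_is_rejected && echo "tampered copy rejected"
encrypt_outbound && decrypt_inbound && cmp -s body.txt decrypted.txt && echo "round trip ok"
```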