CIPHERMAIL EMAIL ENCRYPTION
Ciphermail Gateway PDF
Encryption Setup Guide
April 4, 2016, Rev: 5454
Copyright © 2008-2016, ciphermail.com.
Contents
1 Introduction
2 Portal
3 PDF encryption setup
3.1 Option 1: Static password
3.1.1 Enable PDF encryption
3.1.2 Set a static PDF password
3.1.3 Edit PDF encryption template
3.2 Option 2: Generate and send back to sender
3.2.1 Enable PDF encryption
3.2.2 Enable Generate password to originator
3.2.3 Set password validity interval
3.2.4 Set password Generated length
3.2.5 Edit PDF encryption template
3.3 Option 3: Send password by SMS
3.3.1 Enable PDF encryption
3.3.2 Allow SMS
3.3.3 Set recipient's mobile number
3.3.4 Set password validity interval
3.3.5 Set password Generated length
3.3.6 Edit PDF encryption template
3.4 Option 4: One Time Password (OTP)
3.4.1 Enable PDF encryption
3.4.2 Enable OTP
3.4.3 Enable Auto create client secret
3.4.4 Enable Auto invite
3.4.5 Set password Generated length
3.4.6 Edit PDF encryption template
3.5 Example OTP encryption
3.5.1 Message received in Gmail
3.5.2 Portal signup
3.5.3 Portal login
3.5.4 Generate OTP
3.5.5 Open PDF
4 Enable PDF reply
4.1 Reply allowed
4.2 Reply URL
4.3 Reply sender
5 Final
A Setup SMS gateway
A.1 Clickatell transport
B Allow access to portal
B.1 Open the firewall
B.2 Protect login page
1 Introduction
Although S/MIME and PGP encryption are among the most secure ways to encrypt email, the problem with S/MIME and PGP is that they require the recipient to use an S/MIME or PGP capable email client [1] and the recipient must have a certificate and a private key. Although installing a certificate and a private key is not hard, even less so when using the gateway's built-in CA functionality, it may still be too cumbersome for some recipients, especially when only a few secure email messages need to be exchanged over a longer period.
As an alternative to S/MIME and PGP encryption, PDF encryption can be used. The PDF standard allows a PDF to be encrypted with a password [2]. Files can be added to the PDF and are encrypted as well. Because most recipients already have a PDF reader installed, they do not need to install or configure any software.
When the gateway PDF encrypts a message, it converts the complete email message, including all attachments, to a PDF. The PDF is then password encrypted and attached to a new message (which is based on a template). This message does not contain any information other than a general note that the message contains an encrypted PDF. This guide will explain in detail how to set up PDF encryption for the Ciphermail gateway.
Note: This guide assumes that the Ciphermail gateway has already been
installed and configured for sending and receiving email. For a more detailed
guide on setting up and managing a Ciphermail gateway see the Ciphermail
Administration Guide.
2 Portal
The Ciphermail gateway contains a built-in portal which can be used by external recipients to reply to a PDF and to retrieve one time passwords (OTP). To support PDF reply and OTP, some portal settings should be specified. The global portal settings can be opened by selecting Settings portal (see figure 1).
The portal settings will be briefly explained:
Password: The password is used by the external user to login to the portal. If no password is set for the user, the user cannot login to the portal.
Note: It's strongly advised not to set the portal password for the global settings. Every external user should have a personalized password.
Min. password strength: If the user sets or changes the portal password, the password should have a minimal strength. The password strength is estimated using the algorithm from NIST Special Publication 800-63. Before the new
[1] Most email clients however support S/MIME out of the box.
[2] The PDF is encrypted with AES128 with a key based on the password.
Figure 1: Portal settings
password is accepted, additional checks on the password strength are done. A new portal password is only accepted if the password:
- is not based on your email address
- does not contain a QWERTY keyboard sequence of more than 5 characters
- does not contain more than 5 duplicate characters in a row
- is of sufficient strength in bits
Note: The administrator is free to set any portal password for a user, i.e., there is no check on the strength of the password if it is set from the Web GUI.
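The four acceptance rules above, implemented as a stand-alone checker. This is an added example written for this guide and is not the gateway's own code; the guide names NIST SP 800-63 but not its parameters, so the entropy estimate uses the appendix A scheme of that publication, and the 30 bit minimum and the "contains a part of the email address" interpretation of the first rule are assumptions.

```python
# Portal password rules as listed in the guide (section 2). Thresholds the
# guide does not state (MIN_BITS, the email-substring rule) are assumptions.
MAX_KEYBOARD_SEQUENCE = 5   # guide: no QWERTY sequence of more than 5 characters
MAX_REPEAT_RUN = 5          # guide: no more than 5 duplicate characters in a row
MIN_BITS = 30.0             # assumption: required estimated strength in bits

QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def nist_entropy_bits(password: str) -> float:
    """Estimate user-chosen password entropy with the NIST SP 800-63 appendix A
    scheme: 4 bits for the first character, 2 bits each for characters 2-8,
    1.5 bits each for characters 9-20, 1 bit each beyond that, plus a 6 bit
    bonus when both upper case and non-alphabetic characters are present.
    The dictionary-check bonus of the same appendix is omitted (assumption)."""
    bits = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    has_upper = any(c.isupper() for c in password)
    has_non_alpha = any(not c.isalpha() for c in password)
    if has_upper and has_non_alpha:
        bits += 6.0
    return bits


def based_on_email(password: str, email: str) -> bool:
    """Assumption: 'based on the email address' means the password contains the
    local part, or a domain label of at least four characters (case-insensitive)."""
    pw = password.lower()
    local, _, domain = email.lower().partition("@")
    candidates = [local] + [label for label in domain.split(".") if len(label) >= 4]
    return any(len(c) >= 3 and c in pw for c in candidates)


def has_keyboard_sequence(password: str, max_len: int = MAX_KEYBOARD_SEQUENCE) -> bool:
    """True if any run of max_len + 1 characters walks along a QWERTY row,
    in either direction."""
    pw = password.lower()
    window = max_len + 1
    rows = QWERTY_ROWS + tuple(r[::-1] for r in QWERTY_ROWS)
    return any(
        any(pw[i:i + window] in row for row in rows)
        for i in range(len(pw) - window + 1)
    )


def has_repeated_run(password: str, max_run: int = MAX_REPEAT_RUN) -> bool:
    """True if the same character occurs more than max_run times in a row."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > max_run:
            return True
    return False


def check_portal_password(password: str, email: str) -> list:
    """Return the rules the password violates; an empty list means accepted."""
    failures = []
    if based_on_email(password, email):
        failures.append("based on email address")
    if has_keyboard_sequence(password):
        failures.append("keyboard sequence")
    if has_repeated_run(password):
        failures.append("repeated characters")
    if nist_entropy_bits(password) < MIN_BITS:
        failures.append("too weak")
    return failures
```

Note that the length-based estimate rates "qwerty123" at only 19.5 bits, so the keyboard-sequence rule and the strength rule reject it independently.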
Enabled: If set, the user can login to the portal using the email address of the user as the login name and the portal password for the user. If not set, the user cannot login.
Note: the enabled setting is only used to specify whether the user can login.
If not set, users can still reply to a PDF since replying to a PDF does not require
the user to login.
Auto invite: If the Auto invite setting is set and a one time password encrypted PDF is sent to the user, the user is "invited" to select a new password.
Base URL: To access the portal functionality, external users need to connect to the portal. The URLs to which external users need to connect are written to the emails and encrypted PDFs (for example the reply link in the PDF). To make sure the URLs are externally accessible, the gateway has to know what the correct external URL of the portal is [3]. The Base URL is not directly used, but is used as the base for the following URLs: PDF reply URL and OTP URL. The Base URL can only be set for the global settings.
[3] In most typical setups, the gateway's internal IP address is different from the external IP address (NAT).
Example: In most setups, the base URL should look similar to*:
https://www.example.com/web/portal
* Replace www.example.com with the domain name or IP address of the real server.
3 PDF encryption setup
This section explains how to configure PDF encryption. The gateway supports
four different password modes:
1. The PDF can be encrypted using a pre-defined static password.
2. The PDF can be encrypted using a randomly generated password. The password will be sent back by email to the sender of the message.
3. The PDF can be encrypted using a randomly generated password. The password will be sent by SMS Text to the recipient.
4. The PDF can be encrypted using a One Time Password (OTP) algorithm.
The different password modes will be separately explained.
3.1 Option 1: Static password
This section will explain how to configure PDF encryption with static passwords.
To enable static password mode, the following steps are required:
1. Enable PDF encryption.
2. Set a static PDF password.
3. Edit PDF encryption template.
3.1.1 Enable PDF encryption
To make sure that PDF encryption is allowed, the following settings should be
specified:
Encrypt Mode: should be set to Allow.
PDF enabled: should be selected.
These settings can be set for the global settings, for a domain or for a specific
user.
Note: The default settings of Encrypt Mode and PDF enabled are set to allow
encryption.
Figure 2: Password preferences
3.1.2 Set a static PDF password
A new user object for the external recipient should be added. A new user can
be added by clicking Add user on the left hand side menu. Once the external
user has been added, the static PDF password can be specified on the settings
page (see figure 2).
Note: the external recipient must be an external user, i.e., the Locality setting should be set to External. If not, the message will not be encrypted [4].
3.1.3 Edit PDF encryption template
The encrypted PDF will be attached to a standard message which is based on a template. The standard template can be modified to contain specific information about the company sending the message. The PDF template can be modified by selecting the global settings and then selecting templates. On the template page, multiple templates can be selected. The template for the static password mode is Encrypted PDF (see figure 3).
3.2 Option 2: Generate and send back to sender
With this mode, a PDF password will be automatically generated and sent back
to the sender of the message by email.
To enable send back to sender mode, the following steps are required:
1. Enable PDF encryption.
2. Enable Generate password to originator
3. Set password Validity interval
4. Set password Generated length
5. Edit PDF encryption template.
[4] Every user by default is an external user unless the Locality has been set to Internal for the user, for the domain or for the global settings.
Figure 3: Templates
3.2.1 Enable PDF encryption
To make sure that PDF encryption is allowed, the following settings should be
specified:
Encrypt Mode: should be set to Allow.
PDF enabled: should be selected.
These settings can be set for the global settings, for a domain or for a specific
user.
Note: The default settings of Encrypt Mode and PDF enabled are set to allow
encryption.
3.2.2 Enable Generate password to originator
To enable automatic password generation and to make the gateway send the generated passwords back to the sender by email, the PDF option Generate password to originator should be selected. The generated passwords will be sent back to the sender by email (see figure 4 for an example message). If an email is sent to multiple recipients, a new password will be generated for each recipient.
To make it possible for a recipient to determine which password belongs to which message, a unique password id will be generated for every new encrypted email. The message with the encrypted PDF will also contain the unique password id.
Figure 4: PDF passwords
Note: The message containing the newly generated passwords, which is sent
back to the sender, is based on the Password notification template (see figure
3).
3.2.3 Set password validity interval
By default, a new password will be generated for every new message. The
time (in minutes) a generated password will be valid can be set by changing
the value of password Validity interval (see figure 2). If a password is still valid,
a new password will not be generated and the existing password and password
id will be used.
3.2.4 Set password Generated length
The length of the randomly generated password is by default 16 bytes (128
bits). The length of the generated password can be set using the advanced
password setting Generated length.
Note: make sure the generated password is long enough to make it harder to
“guess” the password.
3.2.5 Edit PDF encryption template
The encrypted PDF will be attached to a standard message which is based on a template. The standard template can be modified to contain specific information about the company sending the message. The PDF template can be modified by selecting the global settings and then selecting templates. On the template page, multiple templates can be selected. The template for the send back to sender mode is Encrypted PDF (see figure 3).
Figure 5: PDF encryption with SMS
3.3 Option 3: Send password by SMS
In this mode, a PDF password will be automatically generated and the password will be sent by SMS Text to the recipient's mobile number. This mode requires that the SMS gateway is correctly set up (see Appendix A on how to set up the SMS gateway).
To enable SMS mode, the following steps are required:
1. Enable PDF encryption.
2. Allow SMS.
3. Set recipient's mobile number.
4. Set password Validity interval
5. Set password Generated length
6. Edit PDF encryption template.
3.3.1 Enable PDF encryption
To make sure that PDF encryption is allowed, the following settings should be
specified:
Encrypt Mode: should be set to Allow.
PDF enabled: should be selected.
These settings can be set for the global settings, for a domain or for a specific
user.
Figure 6: SMS settings
Note: The default settings of Encrypt Mode and PDF enabled are set to allow
encryption.
3.3.2 Allow SMS
By default, senders are not allowed to send SMS Text messages. To allow the sender to send SMS Text messages, the Send SMS property should be selected (see figure 6). The Send SMS setting can be set for the global settings, for a domain or for a specific user.
3.3.3 Set recipient's mobile number
The generated password will be sent by SMS Text to the recipient. The gateway therefore has to know which phone number to use. A user object for the recipient should be added and the Phone number setting should be set (see figure 6). The telephone number should be in international format (i.e., it should start with a country code).
Note: instead of explicitly setting the mobile number of the recipient, the sender can also add the phone number to the subject line of the email. See the Ciphermail Administration Guide for more information on how to set up the gateway to allow the mobile number to be specified on the subject line of the email.
3.3.4 Set password validity interval
By default, a new password will be generated for every new message. The
time (in minutes) a generated password will be valid can be set by changing
the value of password Validity interval (see figure 2). If a password is still valid,
a new password will not be generated and the existing password and password
id will be used.
3.3.5 Set password Generated length
The length of the randomly generated password is by default 16 bytes (128
bits). The length of the generated password can be set using the advanced
password setting Generated length.
Note: make sure the generated password is long enough to make it harder to
“guess” the password.
3.3.6 Edit PDF encryption template
The encrypted PDF will be attached to a standard message which is based on a template. The standard template can be modified to contain specific information about the company sending the message. The PDF template can be modified by selecting the global settings and then selecting templates. On the template page, multiple templates can be selected. The template for the password by SMS mode is Encrypted PDF via SMS (see figure 3).
3.4 Option 4: One Time Password (OTP)
With the one time password mode, a password will be generated using a "One Time Password" (OTP) algorithm. The generated passwords will be based on the Client Secret of the recipient and the Password ID of the email. Because the Password ID of the email will always be different for every PDF, the generated password will be different for every PDF.
To enable OTP mode, the following steps are required:
1. Enable PDF encryption.
2. Enable OTP.
3. Enable Auto create client secret.
4. Enable Auto invite.
5. Set password Generated length
6. Edit PDF encryption template.
3.4.1 Enable PDF encryption
To make sure that PDF encryption is allowed, the following settings should be
specified:
Encrypt Mode: should be set to Allow.
PDF enabled: should be selected.
These settings can be set for the global settings, for a domain or for a specific
user.
Note: The default settings of Encrypt Mode and PDF enabled are set to allow
encryption.
3.4.2 Enable OTP
OTP should be enabled by selecting the PDF OTP enabled setting.
3.4.3 Enable Auto create client secret
The Client secret of a recipient is used for generating a One Time Password. Every recipient therefore requires a Client secret. The gateway will automatically generate a random client secret for a recipient if the setting Auto create client secret is checked and the recipient does not yet have a client secret.
3.4.4 Enable Auto invite
A recipient needs to login to the portal to generate the one time password of the PDF [5]. The recipient therefore requires a portal password. If the Auto invite option is enabled and there is not yet a portal password for the recipient, an invite link will be added to the email. After clicking the invite link, the recipient can choose a portal password for the portal account. Alternatively, the portal password can be set by the gateway administrator.
3.4.5 Set password Generated length
The length of the randomly generated password is by default 16 bytes (128
bits). The length of the generated password can be set using the advanced
password setting Generated length.
Note: make sure the generated password is long enough to make it harder
to “guess” the password. In the OTP mode, the password will be generated by
the portal. The password can be copied and pasted into the PDF password
dialog. The password can therefore be longer than with the other modes since
the recipient does not have to enter the password manually.
3.4.6 Edit PDF encryption template
The encrypted PDF will be attached to a standard message which is based on a template. The standard template can be modified to contain specific information about the company sending the message. The PDF template can be modified by selecting the global settings and then selecting templates. On the template page, multiple templates can be selected. The template for the OTP mode is Encrypted PDF OTP, or Encrypted PDF OTP invite if the recipient is invited (see figure 3).
3.5 Example OTP encryption
The following section will give a brief overview of the steps an end-user will
need to take to read a PDF encrypted message which was encrypted with an
OTP.
The following steps will be shown:
1. Message received in Gmail
[5] Alternatively, using the client secret, the one time password can be generated locally (i.e., client side) using Javascript or some other client application.
2. Portal signup
3. Portal login
4. Generate OTP
5. Open PDF.
3.5.1 Message received in Gmail
A PDF encrypted message in Gmail looks like a normal email message with an attached PDF document (see figure 7). The email contains some text explaining what the required steps are to open the encrypted email.
3.5.2 Portal signup
Clicking the link in the email opens the portal signup page on which the recipient needs to choose a password (see figure 8). The portal signup only has to be done the first time. Once the recipient has selected a password, the recipient can login with the selected password.
3.5.3 Portal login
After the password has been selected, the recipient has to login with the new
password (see figure 9).
3.5.4 Generate OTP
After logging in, the page on which the One Time Password (OTP) can be generated will be opened. The password ID from the email has already been filled in (see figure 10) [6]. Clicking the Generate password button will generate the One Time Password for the PDF (see figure 11).
3.5.5 Open PDF
The generated password can be copied and pasted into the PDF reader password dialog. The PDF will be opened. Message attachments are added to the PDF and can be opened from the attachment pane at the bottom of the PDF (see figure 12).
[6] The password ID is taken from the link. If the password ID is not filled in, it can be copied and pasted from the email.
Figure 7: OTP email in Gmail
Figure 8: Portal signup
Figure 9: Portal login
Figure 10: Generate OTP
Figure 11: OTP generated
Figure 12: Decrypted PDF
4 Enable PDF reply
A recipient of an encrypted PDF can reply to the encrypted PDF message by clicking the Reply link embedded in the PDF. The browser will connect via a secure https connection to the on-line reply portal running on the gateway (see figure 13). On the reply portal page, the user can create the reply message and add attachments. The reply will be sent via the Ciphermail gateway back to the sender of the PDF encrypted message. By default the PDF reply functionality is not enabled.
To enable the PDF reply functionality, the following steps should be taken:
1. Select Reply allowed.
2. Set the Reply URL.
3. Set the Reply sender.
4.1 Reply allowed
The reply link will only be added when the Reply allowed setting is selected
(under the advanced settings). The Reply allowed setting can be set for the
global settings, for a domain or for a specific user.
4.2 Reply URL
The Reply URL specifies which URL should be used for the reply link. The
Reply URL should be set to the external IP address (or domain name) on which
the gateway can be accessed.
Note: If the base URL has been set up correctly (see section 2), the Reply URL is automatically configured. You only need to set the Reply URL explicitly if the PDF reply page should be accessed on a different URL than the base URL.
Figure 13: PDF reply
4.3 Reply sender
The Reply sender should be set to an email address that will be used as the sender of the PDF reply (for example user reply@example.com). For more information on why the real email address of the replier is not used, see the Ciphermail Administration Guide. The Reply sender should be set to a real email address which is capable of receiving email. In most cases it's best to set the reply sender for the global preferences.
5 Final
For a discussion about the pros and cons of the different PDF password modes
and a discussion of other security related issues regarding PDF encryption, see
the PDF section of the Frequently Asked Questions (FAQ).
A Setup SMS gateway
Ciphermail contains an SMS gateway which is used for sending generated passwords via SMS Text messages. The SMS gateway can use different SMS transports for the delivery of SMS Text messages [7]. The default SMS transport is set to Clickatell (see http://www.clickatell.com for more information). SMS Text messages are sent via a secure HTTPS connection to Clickatell. When an SMS Text message is sent, it is queued for delivery until the message has been delivered with the active SMS transport (see figure 14). To test the SMS gateway, an SMS Text message can be manually added with Add SMS.
[7] Currently only Clickatell and Gnokii (direct connection to Nokia phones) are supported.
Figure 14: SMS gateway
A.1 Clickatell transport
The default SMS transport is the Clickatell transport. This transport forwards all the SMS Text messages to an external SMS gateway (using a secure HTTPS connection). A Clickatell account should be available and configured before any SMS Text messages can be sent. See http://www.clickatell.com for more information about the sign-up process.
During the Clickatell sign up process, an HTTP connection should be added [8] (leave the Callback parameters empty). The connection has an associated API ID which is required by the Clickatell transport. Open the Clickatell transport configuration page by opening the SMS page and clicking the Clickatell settings left-hand side sub-menu (see figure 15). The first three settings, API id, User and Password, are mandatory. The From parameter can be set to the sender of the SMS Text message (i.e., set to the telephone number of the sender), but only after the telephone number has been approved by Clickatell.
Clickatell uses pre-paid message credits. To check how many credits are
left (and for testing the login credentials), click update balance.
Note: The new transport settings are only used after the changes have been
applied. Before clicking Update balance, make sure all changes are applied.
B Allow access to portal
B.1 Open the firewall
If the gateway is protected by a firewall, the firewall should be opened to accept incoming connections to the gateway on the https port [9].
B.2 Protect login page
In the default setup, the Web admin login page and the PDF reply page can
be accessed on the same (https) port. To prevent unauthorized users from
opening the gateway Web admin login page, it is advised to only allow access
to the Web admin page from certain approved IP addresses.
[8] See the Clickatell HTTP API Specification v.2.x.x document for more information.
[9] If the gateway uses a different port than the default https port, for example 8443, the firewall should be opened for the alternative port.
Figure 15: Clickatell settings
Figure 16: IP filter
The gateway contains an IP filter which can be used to block access to the Web admin pages from unauthorized IP addresses. To authorize IP addresses, open the Ciphermail Virtual Appliance console and select config IP Filter... On the IP filter dialog, a comma separated list of IP ranges can be specified which will be authorized to access the Web admin login page (see figure 16).
Example: to allow access to the Web admin login page from the range 192.168.178.* and from the IP 123.45.67.89, use the following IP filter: 192.168.178.0/24, 123.45.67.89.
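The same allow-list semantics as the IP filter dialog, shown as an added example (not the appliance's own filter code): the comma separated list from the example above is parsed into networks, an entry whose host bits do not match its prefix is rejected instead of being widened, and any address not covered by an entry is denied.

```python
import ipaddress

# The example filter from the guide; a bare address counts as a single host.
EXAMPLE_FILTER = "192.168.178.0/24, 123.45.67.89"


def parse_ip_filter(spec: str) -> list:
    """Parse the comma separated IP ranges entered in the IP filter dialog.
    strict=True makes ipaddress reject entries such as 192.168.178.1/24, so a
    mistyped prefix cannot silently authorize a wider range than intended."""
    networks = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            networks.append(ipaddress.ip_network(item, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid IP filter entry {item!r}: {exc}") from None
    return networks


def is_valid_filter(spec: str) -> bool:
    """True if every entry in the filter parses as an address or a clean CIDR range."""
    try:
        parse_ip_filter(spec)
    except ValueError:
        return False
    return True


def is_authorized(client_ip: str, spec: str) -> bool:
    """Deny by default: the client is allowed only if it falls inside one of the
    listed ranges. A mismatched IP version (v4 address vs v6 range) never matches."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_ip_filter(spec))
```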
Note: for users not using the Ciphermail Virtual Appliance, or for other ways
to protect the Web admin login page against unauthorized access, see the
Ciphermail Installation Guide.