Retrieving Certificate Info from Encrypted E-mails

Sometimes you receive an encrypted e-mail that you can’t open. I don’t know about other clients, but Outlook doesn’t allow you to do much with e-mails that aren’t encrypted for you, and if you’re like me, you want more information. You want to know exactly what went wrong. So, here is a quick way of retrieving the information you need from an Outlook e-mail in order to find out which certificates were used to encrypt the e-mail.  (Note: This method may not always work, but I have found it useful many times in the past.)

Step-by-Step Instructions

1. Save the e-mail to a file. For encrypted e-mails that you can’t open, this means dragging and dropping from the inbox to the desktop. A .msg file will be created.
2. Open the .msg file in Notepad and find the attachment portion of the e-mail. You will be able to distinguish the encrypted attachment from the rest of the file contents by the lack of white space in that section. See the image below for an example.
3. Near the beginning of the attachment, find the three-character sequence €0€. Copy the contents of the .msg file from the zero in that sequence to the end of the file.
4. Paste the text into a new instance of Notepad and save.
5. Next, you will need to open the file in an ASN.1 decoder. I use a tool developed here at Gemini Security Solutions called GUIdumpASN. In the image below, you can see that it presents the file’s contents in a human-readable fashion. I added to the screenshot to make it clear where the certificate issuer and serial number are.

Take Note

There are a couple things to note about this method. First, you might notice some errors when decoding the file you made. When Notepad can’t display a certain character, it will replace it with a space. So, when you copy and paste the binary data, it becomes corrupted in some places. That is also the reason why the hexadecimal number 20 appears so often in serial numbers. In every case I have seen so far, a 20 could be interpreted as 00. Usually, the certificates you are trying to identify have serial numbers that are distinct enough that it doesn’t matter.  Of course, there are better ways to copy the binary data, but that is beyond the scope of this article.  (Hint: The regular expression \x80\x30\x80 matches €0€)

The other thing to note is that issuer and serial number is not the only method for identifying a certificate. If you don’t see anything that looks like them, you probably want to look for the subject-key identifier instead.