Using Digital Signatures and Encryption


Secure/Multipurpose Internet Mail Extensions (S/MIME) is used to digitally sign and encrypt messages. Digital signatures provide authentication, nonrepudiation, and data integrity; encryption keeps message contents confidential.

NOTE

S/MIME for Outlook 2003 and OWA can work with either an organization's own PKI (for example, Windows Server 2003 Certificate Services) or an outsourced Public Key Infrastructure (PKI) solution. The following sections on S/MIME assume that a PKI is in place. For information on implementing PKI for Exchange Server 2003, refer to Chapter 12, "Server-Level Security."


Simplified Fundamentals of Using Digital Signatures and Encryption

Digital signatures and encryption are the fundamental components of S/MIME. S/MIME is in turn a small subset of PKI, which reaches into many different security facets; for instance, PKI also supports smart cards, SSL, user certificates, and much more. For the purposes of this chapter, it is important to understand S/MIME and how it can be used to secure the messaging environment.

X.509 is a digital certificate standard that defines the format of the certificate used by S/MIME. The certificate identifies the certificate's owner and includes the owner's public key. X.509 is the most widely used digital certificate format and has therefore become the industry standard. PKI products, such as the Certificate Services included in Windows Server 2003, generate X.509 digital certificates for use with S/MIME-capable clients.

The Signing Process

When a user chooses to sign a message, a checksum is generated from the message and added to it. This checksum, encrypted using the user's private signing key, is the digital signature (also known as a digital ID). The user then sends the recipient a message that includes three items: the message in plain text, the sender's X.509 digital certificate, and the digital signature.

The recipient's client then checks the Certificate Revocation List (CRL) to see whether the sender's certificate is on the list. If it is on the CRL, the recipient is warned that the sender's certificate has been revoked. If it is not, the digital signature is decrypted with the sender's public signing key; remember that the digital certificate included with the message carries this public signing key. The recipient's client then generates a checksum from the plain text message and compares it to the decrypted digital signature. If the checksums match, the recipient knows the sender is the one who sent the message. If they do not match, the recipient is warned that the message has been tampered with.

The Encryption Process

When a user chooses to encrypt a message, the client generates a random bulk encryption key that is used to encrypt the contents of the message. The sender then uses the recipient's public encryption key to encrypt the bulk encryption key; the result is referred to as a lockbox. If there are multiple recipients for the message, an individual lockbox is created for each recipient using his or her own public encryption key. The contents of each lockbox (the bulk encryption key) are the same, however. This saves the client the overhead of encrypting the message multiple times and still ensures that the message contents stay secure.

For this process to work, the sender must have a copy of the recipient's digital certificate. The certificate can be retrieved from either the Global Address List (GAL) or the sender's Contact list. The digital certificate contains the recipient's public encryption key, which is used to create the lockbox for the bulk encryption key.

When the recipient receives the message, he or she uses his or her private encryption key to decrypt the lockbox that contains the bulk encryption key used to encrypt the message contents. The bulk encryption key is then used to decrypt the message.
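The two processes just described, signing and verifying on one side and bulk-key encryption with one lockbox per recipient on the other, as an added Go example that is not code from the book, from Outlook or from Exchange. It assumes modern stand-ins for the 2003-era algorithms (SHA-256 with RSA PKCS#1 v1.5 signatures, AES-256-GCM as the bulk cipher, RSA-OAEP for the lockboxes) and uses a hash of the public key as the identity that a CRL entry or a lockbox is keyed on, in place of a real X.509 certificate and serial number, so there is no certificate or CMS parsing here. The names NewKey, Sign, Verify, Encrypt, Decrypt, Fingerprint and EncryptedMessage are the example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must panics on setup failures that cannot happen with well-formed inputs (key sizes, CSPRNG).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewKey makes an RSA key pair; in practice the public half travels in the user's X.509 certificate.
func NewKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// randomBytes draws n bytes from the OS CSPRNG (bulk keys and nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// Fingerprint stands in for the certificate identity that a CRL entry or a lockbox is keyed on
// (assumption: a hash of the public modulus rather than a real certificate serial number).
func Fingerprint(pub *rsa.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub.N.Bytes())) }

// Sign computes the checksum (SHA-256) of the message and encrypts it with the private signing key.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify follows the recipient's order: consult the CRL first, then recompute the checksum and compare.
func Verify(pub *rsa.PublicKey, msg, sig []byte, revoked map[string]bool) error {
	if revoked[Fingerprint(pub)] {
		return errors.New("sender's certificate has been revoked")
	}
	digest := sha256.Sum256(msg)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("message has been tampered with")
	}
	return nil
}

// EncryptedMessage: one ciphertext plus one lockbox per recipient, every lockbox holding the same bulk key.
type EncryptedMessage struct {
	Nonce, Ciphertext []byte
	Lockboxes         map[string][]byte // recipient fingerprint -> bulk key wrapped with that recipient's public key
}

// newAEAD sets up AES-256-GCM, a modern stand-in for the 3DES/RC2 bulk ciphers of 2003-era clients.
func newAEAD(bulk []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(bulk)))) }

// Encrypt encrypts the body once under a random bulk key and wraps that key (RSA-OAEP) per recipient.
func Encrypt(msg []byte, recipients []*rsa.PublicKey) (EncryptedMessage, error) {
	bulk := randomBytes(32)
	aead := newAEAD(bulk)
	nonce := randomBytes(aead.NonceSize())
	em := EncryptedMessage{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, msg, nil), Lockboxes: map[string][]byte{}}
	for _, pub := range recipients {
		box, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, bulk, nil)
		if err != nil {
			return EncryptedMessage{}, err
		}
		em.Lockboxes[Fingerprint(pub)] = box
	}
	return em, nil
}

// Decrypt opens the recipient's own lockbox with the private encryption key, then decrypts the body.
func Decrypt(em EncryptedMessage, priv *rsa.PrivateKey) ([]byte, error) {
	box, ok := em.Lockboxes[Fingerprint(&priv.PublicKey)]
	if !ok {
		return nil, errors.New("no lockbox for this recipient")
	}
	bulk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, box, nil)
	if err != nil {
		return nil, err
	}
	return newAEAD(bulk).Open(nil, em.Nonce, em.Ciphertext, nil)
}

func main() {
	alice, bob := NewKey(), NewKey()
	msg := []byte("Board minutes attached") // constructed sample message
	sig, _ := Sign(alice, msg)
	em, _ := Encrypt(msg, []*rsa.PublicKey{&bob.PublicKey})
	pt, _ := Decrypt(em, bob)
	fmt.Printf("signature valid: %v; bob reads %q\n", Verify(&alice.PublicKey, msg, sig, nil) == nil, pt)
}
```

Verify consults the revoked set before it touches the signature, mirroring the CRL check the text puts first, and Decrypt fails for anyone who has no lockbox, which is what keeps a message addressed to two recipients unreadable to a third party even though the body was encrypted only once.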

Configuring Outlook 2003 for Secure Messaging

To configure Outlook 2003 clients for secure messaging, do the following:

  1. In Outlook 2003, click Tools, Options and select the Security tab.

  2. Obtain a secure email certificate if one does not already exist by either choosing the Get a Digital ID option (to obtain the certificate from a third party) or by using the Certificates snap-in (certmgr.msc) to request one from the organization's PKI.

  3. Select Options from the Tools menu and then click on the Security tab.

  4. On the Security tab, click Settings to display the default security settings, as shown in Figure 11.10. Ensure that the Security Setting Preferences reflect the S/MIME settings.

    Figure 11.10. Verifying Outlook 2003 S/MIME settings.

  5. Click OK.

  6. Check Encrypt contents and attachments for outgoing messages and Add digital signature to outgoing messages.

  7. Click OK when done.

Configuring OWA for Secure Messaging

Earlier versions of Outlook supported digital signatures and encryption, but OWA did not. The Exchange Server 2003 version of OWA now supports these S/MIME features by using an S/MIME ActiveX control.

Users can download the S/MIME ActiveX control from Exchange Server 2003 by clicking on the Download button under the E-mail Security section on the OWA Options page. Two windows prompt the user to accept or decline the installation and execution of the S/MIME ActiveX control, as illustrated in Figure 11.11. Simply selecting Yes to both of these prompts allows the user to enable S/MIME.

Figure 11.11. Accepting S/MIME certificates.

To configure default S/MIME settings for OWA, do the following:

  1. Scroll down to the E-mail Security section on the OWA Options page.

  2. Check Encrypt contents and attachments for outgoing messages and Add a digital signature to outgoing messages.

If these options are left unchecked, the OWA user can still use S/MIME on a per-message basis.

Sending Secure Messages

To configure S/MIME on a per-message basis in Outlook 2003, do the following:

  1. Create a new message and then click the Options button within the message window.

  2. Click the Security Settings button to display the Security Properties window.

  3. Check either email security setting (Encrypt message contents and attachments or Add a digital signature to this message).

  4. In the Security Settings section, select the appropriate S/MIME configuration and then click OK.

  5. Click Close when done.

To configure S/MIME on a per-message basis in OWA, do the following:

  1. Create a new message and then click the Options button within the message window.

  2. Check either email security setting (Encrypt message contents and attachments or Add a digital signature to this message), as shown in Figure 11.12.

    Figure 11.12. Using S/MIME for an individual message.

  3. Click Close when done.

TIP

The easiest way to enable secure messaging with users outside of the Exchange 2000 organization is to send the user a digitally signed message. Outlook 2000 and later sends a copy of the sender's certificate with any signed message by default. The recipient of the signed message can then add the sender and certificate to the Contacts folder. When users receive an encrypted message, they need to enter their security password to decrypt the message.




Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
Year: 2003
Pages: 393
Authors: Rand Morimoto
