Sending and Receiving E-mail Securely
E-mail programs offer two kinds of security: signatures and encryption. Both depend on certificates that serve as electronic identity keys. The security system that Microsoft provides with Outlook Express, S/MIME, uses certificates issued by third parties, such as VeriSign and Thawte. Another popular security system, Pretty Good Privacy (or PGP), lets each user generate his or her own keys (Eudora can work with PGP keys). Both are forms of public-key cryptography. Each certificate consists of a public key (or digital ID), a private key, and a digital signature. You keep your private key and digital signature secret, while you provide your public key to anyone with whom you exchange secure mail, either directly or via a generally available key server.
Signatures allow you to add to your mail a signature block, generated with your private key, that verifies the author is indeed you, and that the message was not modified in transit. Anyone who wants to validate your signature can check it by using your public key. The signature is added as an extra block at the end of the message, without modifying the other contents, so that the recipient can read your message, whether he or she validates your signature or not.
Encryption scrambles a message so that only the recipient can decode it. A message encrypted with someone's public key can be decrypted only with that person's private key. You encrypt a message with the recipient's public key, and the recipient uses his or her private key to decode it. Anyone else looking at the message would see only unreadable gibberish. It's possible both to digitally sign and encrypt the same message, so that only the designated recipient can decode the message and the designated recipient can then verify that the message is really from you.
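An added example (not from the book) of the sign-then-encrypt flow just described, written in Go with only the standard library's RSA: the sender signs with her private key and encrypts with the recipient's digital ID, and the recipient decrypts with his private key and checks the signature with the sender's digital ID. It assumes two correspondents with freshly generated keys and, for brevity, encrypts the message body directly with RSA-OAEP; S/MIME encrypts the body with a symmetric session key and wraps only that key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sealed is a signed-then-encrypted message. RSA-OAEP limits the body to a few
// hundred bytes; real S/MIME wraps a symmetric session key instead (omitted here).
type Sealed struct{ Ciphertext, Signature []byte }

// NewKey makes a key pair: the private half stays secret, the public half is the digital ID.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// SignAndEncrypt signs msg with the sender's private key, then encrypts it
// with the recipient's digital ID (public key).
func SignAndEncrypt(sender *rsa.PrivateKey, recipient *rsa.PublicKey, msg []byte) (*Sealed, error) {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, h[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{Ciphertext: ct, Signature: sig}, nil
}

// DecryptAndVerify decrypts with the recipient's private key, then checks the
// signature with the sender's digital ID; a modified body or signature fails.
func DecryptAndVerify(recipient *rsa.PrivateKey, sender *rsa.PublicKey, s *Sealed) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, s.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, h[:], s.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	return msg, nil
}
```

Anyone other than the recipient gets a decryption error before the signature is even examined, and checking the signature against the wrong digital ID fails just as a tampered message does.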
Mail security depends on a key ring. On your key ring, you need your own private key and digital signature and the public key of everyone with whom you plan to exchange secure mail. Outlook Express keeps your private key and digital signature as one of the properties of your Mail account and keeps other people's public keys in the Address Book.
Outlook Express and other Microsoft e-mail programs provide a certificate-based system (called S/MIME) for signing and encrypting mail. Signed mail uses your own certificate to prove to the recipient that the author of the message is you and that the message arrived without tampering (these are the same type of certificates described in the preceding sections for authenticating material you download from the Web). Encrypted mail uses the recipient's certificate to protect the message's contents so that only the intended recipient can read the messages. A single message can be both signed and encrypted.
note For more information about encryption and signature, see RSA Data Security's Web site at http://www.rsasecurity.com and Network Associates' Pretty Good Privacy Web site at http://www.pgp.com. These sites describe how to use encryption with various e-mail programs.
Getting a Certificate
The only source of certificates is a certificate authority, and for a certificate to be useful, the authority has to be one that is widely accepted. The best known certificate authority is VeriSign, at http://www.verisign.com, which also owns Thawte, at http://www.thawte.com. It provides a variety of certificates at various prices, usually including a free two-month trial of a personal certificate suitable for signing e-mail. The certificate authority's Web site walks you through the process of getting a certificate. Details vary, but generally the steps include the following:
* You enter basic information, including your e-mail address, into a form on the authority's Web site.
* Your Web browser automatically downloads your private key, part of the security information from the authority.
* The authority e-mails a confirmation code to the address you give. This ensures that the address you provide is really yours.
* You run Outlook Express and receive the message. It contains the URL of a page that will finish the registration and a unique code to identify yourself when you get there. Use the Windows cut-and-paste tool to copy the code from your mail program to the browser window, rather than trying to retype it.
* The authority generates the public key that matches your private key and downloads it as well.
note This process of obtaining a certificate only verifies your e-mail address, not any other aspect of your identity. VeriSign offers more secure certificates with more careful identity checks, but the vast majority of certificates in use are the simplest kind.
Sending Signed Mail
Once you have a certificate, sending signed mail is simple. While you're composing a message in Outlook Express, click the Digitally Sign Message button (the one with the little orange seal) to tell Outlook Express to sign the message as it's sent. Signed messages appear with the orange seal in the list of messages.
Sending Encrypted Mail
Sending encrypted mail is only slightly harder than sending signed mail. The difference is that before you can send encrypted mail to someone, you have to have that recipient's digital ID (public key) in your Windows Address Book. Once you have the digital ID, create the message as usual in Outlook Express and click the Encrypt Message button (the envelope with the little blue lock) before sending the message. There are three common ways to obtain someone's digital ID: from a signed message he or she sent, from an online directory, or from a file obtained elsewhere, such as a Web-based lookup system.
Getting a Digital ID from Incoming Mail
Any time someone sends you a digitally signed message, you can get that person's digital ID from the message and add it to your Address Book. (Note that the digital ID is the equivalent of the sender's public key; the corresponding private key is not disclosed.) Open the message, select File | Properties and click the Security tab; you see the View Certificates dialog box. Assuming that the signature is valid, click Add To Address Book. The Address Book opens, creating a new entry for your correspondent (if one does not already exist). Click the Digital IDs tab and observe that a digital ID is listed; then click OK to update the Address Book.
[figure] Getting a digital ID from a mail message
Getting a Digital ID Through LDAP Search
If you know that your correspondent has a digital ID and you know which certificate authority issued it, you can look it up in that authority's directory.
In Outlook Express, open the Address Book and click the Find button to open the search window. In the Look In box, select the directory to search, which is most likely VeriSign for personal digital IDs. Enter the person's name or e-mail address and click Find Now.
[figure] Searching the VeriSign directory to find a digital ID
The directory returns a list of entries that match your request. Double-click any entry in the list to see the details, which are arranged like an address book entry, to be sure it's the person you want. If it is, click Add To Address Book to turn it into an Address Book entry, edit as desired (adding more personal info, usually) and click OK to update the Address Book.
Getting a Digital ID from a File
Digital IDs can be stored in certificate files, usually with the extension .cer. Someone can mail you a third party's ID as a file, or you might download the file from a Web-based search system.
To add the digital ID to your Address Book, open the Address Book and create an entry for the person, including his or her e-mail address. (The e-mail address has to match the one to which the certificate is assigned.) Then click the Address Book's Digital IDs tab, shown in Figure 31-8. Click the Import button and select the file containing the ID. The Address Book reads the digital ID and adds it to the Address Book entry.
[figure] Importing or exporting a digital ID
If you want to store someone's digital ID in a file to transfer it to another computer or send it to a third person, open the Address Book entry for that person, click the Digital IDs tab, click Export, and specify the file to create.
caution Don't try to export your own digital ID this way; bugs in Windows keep it from working. Remember, you can send anyone your digital ID by sending a signed e-mail message.
Receiving Encrypted or Signed Mail
Outlook Express automatically handles incoming encrypted or signed mail. Signed messages have a little orange seal at the right end of the Security line of the message headers; encrypted messages have a little blue lock. When you open the message, Outlook Express automatically validates the signature or decrypts the message. The first time it does so, it displays a special window in place of the actual message, telling you what it did. Scroll down and click Continue to see the actual message. If you'd rather not see this special window again, check the box above the Continue button.