Encryption

How to use standards based X.509 certificated to encrypt e-mail – (at no upfront cost)

This topic is a how to.
Please keep it as clear and simple as possible. Avoid speculative discussions as well as a deep dive into underlying mechanisms or related technologies.

It is often asked what it takes to send and receive encrypted and/or digitally sign e-mails. The difference being that a digitally signed e-mail can still be in the clear unless a deliberate action is taken to encrypt the message. This document will explain how to accomplish sending encrypted e-mail and/ or digitally sign messages using standards based X.509 certificates issued by commercially recognized Certificate Authorities (CA).

Many Certificate Authority sources these days issue personal certificates for non-commercial use. Commercial certificates are also available through the same sources for a nominal fee for commercial usage (This is the way to go in you are planning an organized roll out of the technology to your organization). For most UCLA employees who have a requirement for encrypting e-mail it is possible to do it relatively easily and without any additional cost using the instructions in this document. The only drawbacks, if can be characterized as such, are that the user will be responsible for safeguarding, backing up and renewing the certificate. Tasks that are not be hard to learn but something that need to be understood if you are to take on encrypting e-mail on your own.

The instructions in this document have been written for Outlook 2007 considering that Outlook is currently one of the most popular e-mail clients used on campus.

Before we jump into the technical instructions, a word or two might be beneficial as a general background. First, this procedure is not the only way to encrypt e-mail. There are commercial applications that can be purchased to accomplish the same objective, although they all cost some money. Second, encrypting mail implies that both the sender and the receiver have taken the steps required to send and receive encrypted e-mail. For example, using the instructions listed here, both the sender and the receiver will have to obtain X.509 certificates from a CA authority and install on their computers. Each user will be responsible for keeping his/her private key safe and have a backup of the PKI keys just in case. (I will discuss how to do this later in the document). Third, for sender to send encrypted e-mail to another party, the recipient, the sender must have the public key of the recipient. You can always ask your intended party to send you his/her Public Key. This key is not a secret and data encrypted using it can be decrypted only by whoever that has the private key. That is why it is so important to keep your private key safe and don’t share it with anyone. Fortunately, in Outlook these tasks have been made very easy and I will go over them shortly.

For more information on PKI and related technologies check out the Wiki Pages at: http://en.wikipedia.org/wiki/Public_key_infrastructure

Steps Needed to Encrypt E-mail in Outlook 2007

First, you need to get a digital certificate from a Certificate Authority for encrypting mail.

-Go to Comodo’s web site at: http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html . The e-mail certificate was free to download and install at the time of writing this document.

-Or, you can get a free Internet ID from TrustCenter http://www.trustcenter.de/en/products/tc_internet_id.htm

This company has been acquired by PGP and at the time of writing this document there were some problems with getting a free e-mail cert from the site. However, earlier I had no problem downloading a free cert from their site.

Follow the Instructions on the web to install your Certificate. You will receive an e-mail to confirm the registration. Meanwhile, do not attempt to install any updates for your system especially for your browser. Complete the installation instructions until the cert is installed in your certificate store.

-View your certificate.

- Under your certificate store manager, view the certs you just installed. For example, in Windows use the MMC and the add-on for Certificates to view the cert. (If you don’t know what MMC is, check out MS TechNet http://technet.microsoft.com/en-us/library/bb742442.aspx .)

-Backup your Certificate.

-After using the MMC to view the certificate, right mouse-click the certificate you want to back up, choose All Tasks and Export. Follow the Wizard to save your certificate. include your private key.

Note: Keep your Private Key some place safe. For example, save it to an encrypted USB key and leave a copy at home. You can have more than one copy as long as you can keep track. If you use a USB key protect it with an access password. If you don’t have an encrypted USB, use a CD-R and put the CD in your safe. However, you want to do this. Just make sure you have a backup of your certificate.

-Let your other party know that, he/she also needs to do the steps above.

Once you have completed the steps above use Outlook to do the rest. Before others can send you encrypted email, you need to send them your Public Key, the public part of your digital certificate.

Exchange your Public Keys by exchanging a Singed e-mail with the other party. You can send your digital signature to multiple people if you know you have to exchange encrypted e- mail with them (they all need to follow the same steps described above to get setup and send you their Public Key.)

-To send your digital Signature to the other party:

- compose a new mail, in the < To: > field put the e-mail address of your party and click on the Sign icon on the Quick Access Toolbar.

Once your party receives your signed e-mail, he/she needs to save it in his/her contact under the Outlook Contacts. If the user is already in the Contacts list, choose to update the information already stored. This will add your Party’s Public key to his/her Contacts in Outlook.

-Right Mouse Click on the <From :> e-mail address and select “Add to Outlook Contacts”.

Ask your party to send you a signed e-mail and add that to your Contacts in Outlook.

Armed with the recipient’s Public key, you are ready to send an encrypted e-mail to your party and vice versa. To do this in Outlook:

-Compose a New Mail, and In the <To :> field of the new message box.

- Pick the user whose Public key information you just saved in your Contacts.

- Click on the “Encrypt” icon and Send.

Note: If you attempt to send mail to a party whose public key is not available in your Contacts (because you have not imported his/her Public key into your Contacts), Outlook cannot encrypt the e-mail and will warn you that: “the following recipients had missing or invalid certificates, or conflicting or unsupported encryption capabilities”

Most probably, you have not requested the recipient’s Public key yet. Just ask that person to send you a signed e-mail and save the public key as explained above in your Contacts.

In a nutshell the steps listed above are all you need to send and receive encrypted and /or signed e-mails using Outlook.