Cryptography is an essential element of every security professional's toolkit. We recently covered the basics of cryptography and now turn our attention to the practical implementation of cryptography to secure electronic mail. In this tip, we examine the use of cryptography to provide confidentiality and non-repudiation using the most common email client, Microsoft Outlook.
Obtaining and installing a certificate
Email encryption schemes use asymmetric cryptography to provide a scalable approach for secure email with any user around the world. Of course, it would be very difficult to manually exchange public keys securely with everyone you email. That's where digital certificates come into play. You obtain a digital certificate from a trusted certificate authority (CA), and the CA provides other users with a degree of assurance of the certificate owner's identity.
Many CAs provide digital certificates to individual email users and offer step-by-step instructions for installing the certificate for use in Microsoft Outlook and other email clients. Here are a few sources you may wish to consider for digital certificates:
These certificates are typically available for around $20 per user, per year. If you have a large number of email users, it's possible to set up your own certificate authority, but this is generally not practical for a small-to-medium sized business.
Creating a digital signature
Once you've installed your certificate, you're ready to get started applying cryptography to your email communications! You now have the ability to apply digital signatures to all of your messages, providing recipients with the assurance that you are the legitimate sender of the message and that it was not forged.
Applying digital signatures to your messages is quite simple. Once you've installed a digital certificate from one of the CAs listed above (or another CA), using the instructions provided with the certificate, simply click the digital signature icon in the new message window of Microsoft Outlook, as shown below:
When you click this message, Outlook will create a unique message digest based upon the contents of your message and then sign that message digest with your private key to create the digital signature. Recipients then generate their own copy of the message digest from the message contents and decrypt your digital signature using your public key. If the two versions of the message digest (the one decrypted from your digital signature and the one generated by the recipient) match, the digital signature must have been created by someone possessing the sender's private key: you.
Encrypting emails in Outlook
Digital signatures allow you to prove the originator of a message, but they do not provide confidentiality: that's where message encryption comes into play. In order to exchange encrypted email with someone, you must have access to their public key. The easiest way to do this is to ask the individual to send you a digitally signed message. Outlook will then extract the public key from the signed message, and you may then use it to exchange encrypted email.
Encrypting emails in Outlook is just as easy as digitally signing them. Simply click the encryption icon in the new message window, as shown below:
When you use the encryption option, Outlook uses the recipient's public key to encrypt the message. When the recipient receives the message, his or her copy of Outlook uses the corresponding private key to decrypt the message and display the plaintext to the recipient.
Confused about how public and private keys work? The good news is that Outlook hides all of these details from end users. You simply need to set up digital certificates, click the appropriate icons and Outlook will handle all of the heavy lifting. For more background on the technology, read my previous tip: Encryption 101.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.