You can help prevent impersonation and tampering when sending e-mail messages in Microsoft Office Outlook 2003 by using cryptographic features such as S/MIME digital signatures (digital signature: An application of an algorithm to the message data used to prove to the recipient that the message is from the sender (not an imposter) and that the message has not been altered. Includes the sender's certificate (with the public key).) and encryption (encryption: The process of encoding data to prevent unauthorized access. An encrypted message is unreadable to all but the recipient, who has a public key that will decrypt it because the key matches the private key that the sender used to encrypt it.). You obtain certificates for digital signing and encryption from a certificate authority (certificate authority (CA): An entity, similar to a notary public, that issues digital certificates, keeps track of who is assigned to a certificate, signs certificates to verify their validity, and tracks which certificates are revoked or expired.). Digitally signing a message applies the sender's certificate (certificate: A digital means of proving your identity. When you send a digitally signed message you are sending your certificate and public key. Certificates are issued by a certification authority, and like a driver's license, can expire or be revoked.) and public key (public key: The key a sender gives to a recipient so that the recipient can verify the sender's signature and confirm that the message was not altered. Recipients also use the public key to encrypt (lock) e-mail messages to the sender.) to the message. Certificates are also used when encrypting a message.
Learning more about cryptography and cryptographic certificates can help you understand how digital signing and encryption work together in Outlook 2003 to help provide more secure e-mail messaging.
Using cryptography for more secure communications
Cryptography is a set of standards and protocols for encoding data and messages, so that they can be stored and transmitted more securely. The following introduces the basic terminology of cryptography and explains some of the common methods used.
Cryptography helps you to have more secure communications, even when the transmission medium (for example, the Internet) is untrustworthy. You can also use it to encrypt your sensitive files, so that an intruder is less likely to understand them. Cryptography can be used to help ensure data integrity as well as to maintain secrecy. Cryptography helps to verify the origin of data and messages, by using digital signatures and certificates. When you use cryptographic methods, the cryptographic keys must remain secret. The algorithms, key sizes, and file formats can be made public without compromising security.
The two fundamental operations of cryptography are encryption and decryption (decrypt: The process of converting cipher (scrambled) text back into plain, readable text. Recipients decrypt (unlock) the e-mail messages sent to them using their private key.). Encryption involves scrambling the data in such a way that it should be infeasible to deduce the original information, unless you have access to the appropriate key. Decryption is the reverse process: scrambled data is turned into the original text by using a key.
In order to encrypt and decrypt, you need an encryption algorithm and a key. Many encryption algorithms exist, including Data Encryption Standard (DES), Rivest/Shamir/Adleman (RSA) encryption, RC2, and RC5. A key is used in conjunction with the algorithm to convert the plain text (readable by people) into cipher text (scrambled, unreadable by people).
DES, RC2, and RC5 are known as symmetric key technology because the key used to encrypt the data is the same one used to decrypt it. Hence, the key must be a shared secret between the party encrypting the data and the party decrypting it. You can use public key technology to pass the key securely to the other party.
RSA is known as public key, or asymmetric, technology, because two keys are used: a public and a private key (private key: The secret key kept on the sender's computer that the sender uses to digitally sign messages to recipients and to decrypt (unlock) messages from recipients. Private keys should be password protected.). The keys are mathematically related, but you cannot figure out one without knowing the other. The private key is kept private — only the party generating the key pair should have access to it. The public key can be freely shared over an insecure medium such as the Internet. With public key systems, there is no shared secret between the two parties. If the public key is used to encrypt the data, then only the private key can decrypt it. Similarly, if the private key is used to encrypt the data, then only the public key can decrypt it.
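The division of labour described above, as an added PowerShell example that is not part of the original article: a one-time symmetric key encrypts the message, the recipient's public key carries that key, and the sender's private key signs. AES stands in for the symmetric algorithms the article lists, RSACng makes the example Windows-only, and the message text and variable names are constructed.

```powershell
# Added illustration; the message and both parties are constructed.
$senderKeys    = New-Object System.Security.Cryptography.RSACng 2048   # sender's key pair
$recipientKeys = New-Object System.Security.Cryptography.RSACng 2048   # recipient's key pair

# Public halves only: this is the part that travels inside a certificate.
$senderPublic = New-Object System.Security.Cryptography.RSACng
$senderPublic.ImportParameters($senderKeys.ExportParameters($false))
$recipientPublic = New-Object System.Security.Cryptography.RSACng
$recipientPublic.ImportParameters($recipientKeys.ExportParameters($false))

$sha256  = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$oaep    = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
$pkcs1   = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$message = [Text.Encoding]::UTF8.GetBytes('Constructed sample message: quarterly figures attached.')

# Sender: sign with own private key, encrypt with a fresh symmetric key,
# then wrap that symmetric key with the recipient's public key.
$signature  = $senderKeys.SignData($message, $sha256, $pkcs1)
$aes        = [System.Security.Cryptography.Aes]::Create()   # random key and IV
$cipherText = $aes.CreateEncryptor().TransformFinalBlock($message, 0, $message.Length)
$wrappedKey = $recipientPublic.Encrypt($aes.Key, $oaep)

# Recipient: unwrap the symmetric key with own private key, decrypt,
# then verify the signature with the sender's public key.
$aesIn     = [System.Security.Cryptography.Aes]::Create()
$aesIn.Key = $recipientKeys.Decrypt($wrappedKey, $oaep)
$aesIn.IV  = $aes.IV                                         # the IV is not secret
$plain     = $aesIn.CreateDecryptor().TransformFinalBlock($cipherText, 0, $cipherText.Length)
$signatureValid = $senderPublic.VerifyData($plain, $signature, $sha256, $pkcs1)

# Flip one bit of the message: the same signature must no longer verify.
$tampered    = $plain.Clone()
$tampered[0] = $tampered[0] -bxor 1
$tamperedValid = $senderPublic.VerifyData($tampered, $signature, $sha256, $pkcs1)

# Holding only the recipient's public key is not enough to unwrap the key.
try   { $null = $recipientPublic.Decrypt($wrappedKey, $oaep); $publicKeyUnwraps = $true }
catch { $publicKeyUnwraps = $false }

[pscustomobject]@{
    Decrypted        = [Text.Encoding]::UTF8.GetString($plain)
    SignatureValid   = $signatureValid
    TamperedValid    = $tamperedValid
    PublicKeyUnwraps = $publicKeyUnwraps
}
```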
Using certificates for cryptographic e-mail messaging in Outlook
Outlook 2003 uses certificates in cryptographic e-mail messaging to help provide more secure communications. To use cryptography when you send and receive e-mail messages, you first obtain a Digital ID (digital ID: Contains a private key that stays on the sender's computer and a certificate (with a public key). The certificate is sent with digitally signed messages. Recipients save the certificate and use the public key to encrypt messages to the sender.) from a certificate authority (CA). A Digital ID contains a private key that is stored on the sender's computer and a certificate (with a public key). Your certificate is sent when you digitally sign messages to help authenticate you to the recipient. You also use a certificate in Outlook when you encrypt messages.
Certificates are validated by means of a certificate hierarchy. The root certificate authority (root authority: The certification authority (CA) at the top of a certification hierarchy (known as a "chain of trust") with several other certificate authorities; each verifying the authenticity of the next CA. The root CA has a self-signed certificate.) is at the top of a certification hierarchy (certification hierarchy: A structure whereby one certificate authority verifies another certification authority's certificates by digitally signing them. This establishes a "chain of trust" that increases confidence that a certificate is authentic.) and is the most trusted CA. The root CA has a self-signed certificate, so it is important to obtain certificates only from certificate authorities that are known and trusted.
You can learn more about the characteristics of a certificate (one of your certificates or a certificate that is attached to an e-mail message you have received). For example, you can:
To view information about a certificate used to encrypt or digitally sign an e-mail message that was sent to you, open the message and click the cryptographic button on the far right in the header, for example, Encrypted or Signed. For messages that are signed, or encrypted and signed, in the next dialog box (for example, the Digital Signature: Valid dialog box), click Details.
In the Message Security Properties dialog box, you see the properties of the message, including the security layers. You can click a security layer to see a description of that layer.
You can also view additional information about the certificate or make changes to a security layer. For example, you may want to find why Outlook has determined that a certificate for an e-mail message is invalid (invalid: Refers to a certificate with a status that Outlook has checked against a certificate authority's database and found to not be legitimate or not current. The certificate might also be expired or revoked.) or not trusted. In some scenarios, you can also take steps to correct the status of the certificate. For example, you can choose to trust the CA that issued the certificate, if that is why a digital signature certificate is not trusted.
To make changes to the trust (trust: Indicates whether you trust the individual or group to whom the certificate is issued. The default setting is Inherit Trust from Issuer, which means that the certificate is trusted because the issuer, usually a certificate authority, is trusted.) status of the certificate, click the signature layer or encryption layer, and then click Edit Trust. To see additional information about the encryption of a message or the digital signature on a message, click the signature or encryption layer, and then click View Details. Finally, to trust all messages signed by the certificate authority, click the signature layer, and then click Trust Certificate Authority.
Note: The buttons are inactive when the Subject layer is selected.
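One way to see the certificate hierarchy and the reason a certificate is reported as invalid or not trusted, as an added PowerShell example (not Outlook's own code). Get-CertificateChainReport and New-ConstructedCertificate are hypothetical helper names, the two sample certificates are constructed in memory, and CertificateRequest requires .NET Framework 4.7.2 or later.

```powershell
# Added example. Hypothetical helper, not an Outlook or Windows cmdlet:
# builds the chain of trust for one certificate and lists each element.
function Get-CertificateChainReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [ValidateSet('NoCheck', 'Online', 'Offline')]
        [string]$RevocationMode = 'Online'
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $trusted = $chain.Build($Certificate)          # $false if any element fails a check
    for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
        $element = $chain.ChainElements[$i]        # index 0 is the leaf, the last is the root
        $cert    = $element.Certificate
        [pscustomobject]@{
            Depth        = $i
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfIssued   = ($cert.Subject -eq $cert.Issuer)
            NotAfter     = $cert.NotAfter
            Problems     = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
            ChainTrusted = $trusted
        }
    }
}

# Constructed sample input: a self-signed certificate that exists only in memory
# and is valid for the 30 days ending at $NotAfter. Nothing is added to a store.
function New-ConstructedCertificate {
    param([string]$Subject, [DateTimeOffset]$NotAfter)
    $key = New-Object System.Security.Cryptography.RSACng 2048
    $request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        $Subject, $key,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $request.CreateSelfSigned($NotAfter.AddDays(-30), $NotAfter)
}

$now     = [DateTimeOffset]::UtcNow
$current = New-ConstructedCertificate 'CN=constructed-current.example.test' $now.AddDays(29)
$expired = New-ConstructedCertificate 'CN=constructed-expired.example.test' $now.AddDays(-30)
$current, $expired | ForEach-Object { Get-CertificateChainReport $_ -RevocationMode NoCheck } |
    Format-List Subject, SelfIssued, NotAfter, Problems, ChainTrusted
```

The Problems column carries X509ChainStatusFlags values such as NotTimeValid, Revoked and UntrustedRoot, which correspond to the expired, revoked and not-trusted states described above. To inspect a real certificate, pass one from the Cert:\CurrentUser\My store and leave revocation checking at Online.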