Overview of certificates and cryptographic e-mail messaging in Outlook

You can help prevent impersonation and tampering of e-mail messages in Microsoft Office Outlook 2007 by using cryptographic features such as S/MIME (S/MIME: Secure Multipurpose Internet Mail Extensions (S/MIME) is a specification for secure e-mail messages that uses the X.509 format for digital certificates and uses various encryption algorithms such as 3DES.), digital signatures (digital signature: An application of an algorithm to the message data used to prove to the recipient that the message is from the sender (not an imposter) and that the message has not been altered. Includes the sender's certificate (with the public key).), and encryption (encryption: The process of encoding data to prevent unauthorized access. An encrypted message is unreadable to all but the recipient, who has a public key that will decrypt it because the key matches the private key that the sender used to encrypt it.).

The following introduces the basic terminology of cryptography and explains some of the common methods used.


Using cryptography for more secure communications

Cryptography is a set of standards and protocols for encoding data and messages, so that they can be stored and transmitted more securely. Even when the transmission medium (for example, the Internet) is untrustworthy, you can use cryptography to encrypt your sensitive files — so that an intruder is less likely to understand them — and ensure data integrity as well as maintain secrecy.

You can verify the origin of encrypted data and messages by using digital signatures and certificates. When you use cryptographic methods, the cryptographic keys must remain secret. However, the algorithms, key sizes, and file formats can be made public without compromising security.

The two fundamental operations of cryptography are encryption and decryption. Encryption involves scrambling the data in such a way that it is impossible to deduce the original information. In decryption, the scrambled data is turned back into the original text by using a cryptographic key.

To encrypt and decrypt, you need an encryption algorithm and a key. Many encryption algorithms exist, including Data Encryption Standard (DES), Rivest/Shamir/Adleman (RSA) encryption, RC2, and RC5. In each of these options, a key is used in conjunction with the algorithm to convert the plaintext (readable by people) into cipher text (scrambled and unreadable by people).

DES, RC2, and RC5 are known as symmetric key technologies, or secret key cryptographies, because the key used to encrypt the data is used to decrypt it as well. Hence, the key must be a shared secret between the party encrypting the data and the party decrypting it.

RSA is known as public key cryptography, or asymmetric cryptography, because it uses two keys: a public key (public key: The key a sender gives to a recipient so that the recipient can verify the sender's signature and confirm that the message was not altered. Recipients also use the public key to encrypt (lock) e-mail messages to the sender.) and a private key (private key: The secret key kept on the sender's computer that the sender uses to digitally sign messages to recipients and to decrypt (unlock) messages from recipients. Private keys should be password protected.). The keys are mathematically related, but you cannot figure out one without knowing the other. The private key is kept private — only the party generating the key pair should have access to it. The public key can be freely shared over an insecure medium such as the Internet. With public key systems, there is no shared secret between the two parties. If the public key is used to encrypt the data, then only the private key can decrypt it. Similarly, if the private key is used to encrypt the data, then only the public key can decrypt it.


Using certificates for cryptographic e-mail messaging in Outlook

Outlook uses certificates in cryptographic e-mail messaging to help provide more secure communications. To use cryptography when you send and receive e-mail messages, you must first obtain a digital ID (digital ID: Contains a private key that stays on the sender's computer and a certificate (with a public key). The certificate is sent with digitally signed messages. Recipients save the certificate and use the public key to encrypt messages to the sender.) from a certificate authority (certificate authority (CA): An entity, similar to a notary public, that issues digital certificates, keeps track of who is assigned to a certificate, signs certificates to verify their validity, and tracks which certificates are revoked or expired.) (CA). Digitally signing a message applies the sender's certificate and public key to the message. Your certificate is sent with the message to help authenticate you to the recipient. You also use a certificate in Outlook when you encrypt messages.

Certificates are validated by means of a certificate hierarchy. The root certificate authority (root authority: The certification authority (CA) at the top of a certification hierarchy (known as a "chain of trust") with several other certificate authorities; each verifying the authenticity of the next CA. The root CA has a self-signed certificate.) is at the top of a certification hierarchy (certification hierarchy: A structure whereby one certificate authority verifies another certification authority's certificates by digitally signing them. This establishes a "chain of trust" that increases confidence that a certificate is authentic.) and is the most trusted CA. The root CA has a self-signed certificate, so it is important to obtain certificates only from certificate authorities that are known and trusted.
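The signing and validation flow described in the two paragraphs above, reproduced with the OpenSSL command-line tool instead of Outlook. This is an added example, not part of the original article; the CA names, the address alice@example.test, the message text, and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. All names, addresses and the message text are constructed.
# Requires the openssl command-line tool.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Create a self-signed root CA certificate. $1 = file prefix, $2 = common name.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# Issue a digital ID: a private key that stays with the sender, plus a
# certificate (holding the public key) signed by the root CA "root".
# -nodes leaves the demo key unencrypted; a real key should be protected.
issue_digital_id() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=Alice Example/emailAddress=alice@example.test" \
    -keyout "$work/alice.key" -out "$work/alice.csr" 2>/dev/null &&
  openssl x509 -req -in "$work/alice.csr" -days 1 \
    -CA "$work/root.crt" -CAkey "$work/root.key" -CAcreateserial \
    -out "$work/alice.crt" 2>/dev/null
}

# Sign with the private key; the certificate travels inside the message.
sign_message() {
  printf 'Please pay invoice 100.\n' > "$work/msg.txt"
  openssl smime -sign -text -in "$work/msg.txt" \
    -signer "$work/alice.crt" -inkey "$work/alice.key" \
    -out "$work/signed.eml" 2>/dev/null
}

# Succeeds only if the content is unaltered AND the signer's certificate
# chains to the trusted root. $1 = message file, $2 = trusted root cert.
verify_message() {
  openssl smime -verify -text -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

make_root_ca root  "Example Root CA"
make_root_ca other "Unrelated Root CA"
issue_digital_id
sign_message
# Simulate alteration in transit by changing the signed text.
sed 's/invoice 100/invoice 900/' "$work/signed.eml" > "$work/tampered.eml"

verify_message "$work/signed.eml"   "$work/root.crt"  && echo "signed, trusted root: valid"
verify_message "$work/tampered.eml" "$work/root.crt"  || echo "altered content: invalid"
verify_message "$work/signed.eml"   "$work/other.crt" || echo "unrelated root: not trusted"
```

The last two checks correspond to the two statuses the article distinguishes later: a signature that is invalid, and a certificate that is not trusted because its issuing CA is not in the recipient's trusted set.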

You can learn more about the characteristics of one of your own certificates or a certificate that is attached to an e-mail message that you received. For example, you can:

To view information about a certificate that has been used to encrypt or digitally sign an e-mail message that was sent to you, open the message and click the cryptographic button on the far right in the header, for example, the Encrypted button or the Signed button. For messages that are signed, or encrypted and signed, in the next dialog box, for example, the Digital Signature: Valid dialog box, click Details.

In the Message Security Properties dialog box, you see the properties of the message, including the security layers. You can click a security layer to see a description of that layer.

You can also view additional information about the certificate or make changes to a security layer. For example, you may want to find out why Outlook has determined that a certificate for an e-mail message is invalid (invalid: Refers to a certificate with a status that Outlook has checked against a certificate authority's database and found to not be legitimate or not current. The certificate might also be expired or revoked.) or not trusted. In some scenarios, you can also take steps to correct the status of the certificate. For example, you can choose to trust the CA that issued the certificate, if that is why a digital signature certificate is not trusted. You can also do the following:

Note: The buttons are inactive when the Subject layer is selected.


Applies to:
Outlook 2007