Email Security with Digital Certificates (Part 5)

by Nuno Mota [Published on 9 Aug. 2016 / Last Updated on 9 Aug. 2016]

In this article series we have been exploring digital certificates and how they can be used to sign and encrypt email messages. Now that we have all the theory, it is time to get “hands on” and start signing and encrypting our emails.

Using S/MIME

Before we can use S/MIME, we must get and install an individual key/certificate either from our company’s Certificate Authority (CA) or from a public CA. As previously mentioned, separate private keys/certificates can sometimes be used for signature and for encryption, thus allowing escrow of the encryption key without compromising non-repudiation. In this article we will just use a single certificate for both purposes.

Encryption requires having the recipient’s certificate in our certificate “store”. We will soon see how that happens when we receive an email from that user signed with a valid signing certificate.

A typical basic (“class 1”) personal certificate verifies the owner’s identity only insofar as it declares that the sender is the owner of the “From:” email address. As such, it only proves that an email received really did come from the “From:” address given; it does not verify the person’s name or business name, for example. If you want to enable recipients to verify the sender’s identity by carrying the sender’s legal name in the certificate, the sender needs to obtain a “class 2” certificate from a CA that carries out a more in-depth identity verification process.

Depending on the CA’s policy, the certificate and all its contents may be posted publicly for reference and verification, making the name and email address available for everyone to see and possibly search for. At a minimum, all CAs post at least serial numbers and revocation status (without any personal information), which is mandatory to maintain the integrity of the public key infrastructure.

Obtaining a Digital ID

A digital ID, also known as a digital certificate, will enable us to send digitally signed messages using Outlook for example. It will help prove our identity and prevent message tampering in order to protect the authenticity of an email message.

There are several CAs that provide free email certificates. In this example we will use Comodo’s Free Secure Email Certificate:

Image

Start by clicking on Sign Up Now, complete all the required fields in the application form and click Next:

Image

The application should be successful and the details on how to collect our certificate are sent to the email address we specified in the form:

Image

The following screenshot shows the email we receive by Comodo with the instructions on how to collect our certificate:

Image

Once we click on Click & Install Comodo Email Certificate, we should receive the following message:

Image

This means that the certificate was automatically added to the certificate store on our computer. We can check this by using the Certificates MMC (Microsoft Management Console) snap-in:

Image

Using this console, we can create a backup of our certificate by exporting it, as well as check its properties:

Image

We can see that the signature hash algorithm used in this certificate is SHA-256:

Image

We can also see our Public Key, for example. It is also important to keep in mind when our certificate expires (the Valid to field) so we can renew it before that date:

Image

Configuring Outlook with the Digital ID

Now that we have our Digital ID, we need to configure Outlook to use it. In this article we will use Outlook 2016, but the procedure is almost identical for other versions of Outlook.

  1. On the File tab, click Options -> Trust Center -> Trust Center Settings -> Email Security:

Image

  2. Under the Encrypted e-mail section, click Settings:

Image

  3. Under Security Setting Preferences, click New. Outlook should automatically populate all the fields:

Image

When we installed the certificate we saw that the hash algorithm used was SHA-256, so we update the Hash Algorithm value from SHA1 to SHA256 to match it.

This is also where we can specify different certificates to sign emails (Signing Certificate) and to encrypt emails (Encryption Certificate) by clicking on Choose... and selecting a different certificate. In this case I will use the same certificate for both operations.

We can also manually import a certificate by using the Import/Export feature if a certificate was not automatically added to our store:

Image

We then specify which certificate to import and its password, and then click on OK:

Image

The certificate is then imported into our store and is available for Outlook to use.

At this stage, let us leave all the Encrypted e-mail settings blank. This means that emails will not be automatically signed or encrypted:

Image

Digitally Signing Emails

Finally, we have everything in place to start digitally signing our emails. To do so, we start by composing a new email message. Within the email window, we click on the Options tab and select Sign in order to sign this particular email we are sending to Linda:

Image

When Linda receives the email Nuno sent her, she can immediately see that the email has been signed because of the different icon it has:

Image

When opening the email, it states who signed it and a “signed symbol” is displayed to highlight that fact:

Image

If Linda clicks on that signed icon, further details are displayed regarding the signature, including that it is valid and trusted:

Image

By clicking on Details... we get further details regarding the certificate (Digital ID) used to sign this email:

Image

If Linda clicks on Signer: nuno@..., she can get information regarding the signature itself:

Image

Save a Recipient's Digital ID

As already mentioned throughout this article series, in order to send encrypted email messages, the sender must possess the recipient’s digital ID (remember that we encrypt messages with the recipient’s public key). This is why the intended recipient of the encrypted message must first share his or her Digital ID by sending us a signed email. At this stage, Nuno has already sent Linda a signed email, so Linda has everything she needs to send encrypted emails to Nuno.

First, she needs to add Nuno’s Digital ID to her contact list:

  1. Linda starts by opening the message that is digitally signed by Nuno;
  2. She then right-clicks the name of the sender (Nuno) beside his picture, and then clicks Add to Outlook Contacts. If Linda already had an entry for Nuno, she would click Edit Contact:

Image

The certificate is now stored with her contact entry for Nuno and she can send encrypted messages to him. But let’s confirm this is the case by viewing the certificate for Nuno’s contact:

  1. On the Navigation bar, click People.
  2. On the Home tab, click List:

Image

  3. Double-click the person’s name, select the Contact tab, and then click Certificates:

Image

  4. If we now double-click on the listed certificate, we can see its details and properties:

Image

Encrypting Emails

OK, now that we have confirmed we have Nuno’s certificate in our Contact store, we can send him an encrypted email. To do so, we start by composing a new email message. Within the email window, we click on the Options tab and select Encrypt and/or Sign in order to encrypt the email and/or sign it as well:

Image

When Nuno receives the email, the icon indicates that this is an encrypted email:

Image

By opening the email, we can see it has been encrypted and also digitally signed:

Image

As before, by clicking on the lock icon, we can see the details regarding the certificate (Digital ID) used to sign the email. Notice the Encryption Layer section that was not present before, which shows that the email was encrypted using AES-256:

Image

If we click on View Details... we get information regarding the encryption algorithm:

Image

Conclusion

In this article series we explored the basics of cryptography, how digital certificates work and how we can use them to protect email communications by signing and/or encrypting emails in Outlook using S/MIME.

The Author — Nuno Mota


Nuno is an Exchange MVP working as a Senior Microsoft Messaging Consultant for a UK IT Services Provider in London. He specializes in Exchange, Lync, Active Directory and PowerShell.
