When you connect to a website, your browser sets up a direct connection, called a channel, between your machine and the web server. Because the channel is a direct link, it's relatively easy to implement security: all you have to do is secure the channel, which is what security protocols such as Private Communication Technology (PCT) and Secure Sockets Layer (SSL) do. However, email security is entirely different and much more difficult to set up. The problem is that email messages don't have a direct link to a Simple Mail Transfer Protocol (SMTP) server. Instead, they must usually "hop" from server to server until the final destination is reached. Combine this with the open and well-documented email standards used on the Internet, and you end up with three email security issues:

Privacy: Because messages often pass through other systems and can even end up on a remote system's hard disk, it isn't that difficult for someone with the requisite know-how and access to the remote system to read a message.

Tampering: Because a user can read a message passing through a remote server, it comes as no surprise that he or she can also change the message text.

Authenticity: With the Internet email standards an open book, it isn't difficult for a savvy user to forge or spoof an email address.

To solve these issues, the Internet's gurus came up with the idea of encryption. When you encrypt a message, a complex mathematical formula scrambles the message content to make it unreadable. In particular, a key value is incorporated into the encryption formula. To unscramble the message, the recipient feeds the key into the decryption formula. This single-key encryption works, but its major drawback is that the sender and the recipient must both have the same key. Public-key encryption overcomes that limitation by using two related keys: a public key and a private key.
The public key is available to everyone, either by sending it to them directly or by offering it in an online key database. The private key is secret and is stored on the user's computer. Here's how public-key cryptography solves the issues discussed earlier:

Solving the privacy issue: When you send a message, you obtain the recipient's public key and use it to encrypt the message. The encrypted message can now be decrypted only with the recipient's private key, thus assuring privacy.

Solving the tampering issue: An encrypted message can still be tampered with, but only randomly, because the content of the message can't be seen. This thwarts the most important skill used by tamperers: making the tampered message look legitimate.

Solving the authenticity issue: When you send a message, you use your private key to digitally sign the message. The recipient can then use your public key to examine the digital signature and ensure that the message came from you.

If there's a problem with public-key encryption, it is that the recipient of a message must obtain the sender's public key from an online database. (The sender can't just send the public key, because the recipient would have no way to prove that the key came from the sender.) Therefore, to make all this more convenient, a digital ID is used. This is a digital certificate that states that the sender's public key has been authenticated by a trusted certifying authority. The sender can then include his or her public key in any outgoing messages.

Setting Up an Email Account with a Digital ID

To send secure messages using Outlook, you first have to obtain a digital ID. Here are the steps to follow:

1. In Outlook, select Tools, Options to display the Options dialog box.
2. Select the Security tab.
3. Click Get a Digital ID. Internet Explorer loads and takes you to the Office Digital ID page on the Web.
4. Click a link to the certifying authority (such as VeriSign) that you want to use.
5. Follow the authority's instructions for obtaining a digital ID. (Note that digital IDs are not free; they typically cost about $20 (U.S.) per year. However, some authorities enable you to set up a trial digital ID.)

Backing Up Your Digital ID

You should make a backup copy of your digital ID for safekeeping. Open Internet Explorer and select Tools, Internet Options. Display the Content tab and click Certificates to see a list of your installed certificates (be sure to use the Personal tab). Click your digital ID and then click Export.
Obtaining Another Person's Public Key

Before you can send an encrypted message to another person, you must obtain his or her public key. How you do this depends on whether you have a digitally signed message from that person. If you do have a digitally signed message, follow these steps to store the sender's public key:

1. Open the digitally signed message.
2. Right-click the sender's name or address in the From line.
3. Click Add to Outlook Contacts. Outlook adds the sender to your Contacts list and includes the sender's digital ID in the Certificates tab, as shown in Figure 15.12.
4. Click Save and Close. If you already have the sender in your Contacts folder, the Duplicate Contact Detected dialog box appears.
5. Activate the Update New Information from This Contact to the Existing One option and click OK.

Figure 15.12. When you receive a digitally signed message, add the sender to your Contacts to store his or her digital ID (and public key).

If you don't have a digitally signed message from the person you want to work with, you have to visit a certifying authority's website and find the person's digital ID. For example, you can go to the VeriSign site (directory.verisign.com) to search for a digital ID and then download it to your computer. After that, follow these steps:

1. Open the Contacts folder.
2. Open the person's contact info or create a new contact.
3. Enter one or more email addresses and fill in the other data as necessary.
4. Display the Certificates tab.
5. Click the Import button to display the Locate Certificate dialog box.
6. Find and select the downloaded digital ID file and then click Open.
7. Click Save and Close.

Sending a Secure Message

After your digital ID is installed, you can start sending out secure email messages. You have two options: you can digitally sign the message, and you can encrypt it. Follow these steps to secure your message using one or both options:

1. Start a new email message.
2. Click the Options toolbar button to display the Message Options dialog box.
3. Click Security Settings to display the Security Properties dialog box, shown in Figure 15.13.
4. To digitally sign the message with your private key, activate the Add Digital Signature to This Message check box. Outlook enables the following check boxes:
   Send This Message as Clear Text Signed: Activate this check box if your recipient doesn't have Secure Multipurpose Internet Mail Extensions (S/MIME), which is a specification for secure email messages.
   Request S/MIME Receipt for This Message: Activate this check box to request an S/MIME receipt, which tells you when (and if) your message was "cryptographically verified."
5. To encrypt the message with the recipient's public key, activate the Encrypt Message Contents and Attachments check box.
6. Click OK to return to the Message Options dialog box.
7. Click Close.

Figure 15.13. Use the Security Properties dialog box to set the message security options.

Faster Message Security

If you use Word as your email editor, you can apply default message security more quickly by using a couple of toolbar buttons. Click the Digitally Sign button to add your digital signature to the message; click the Encrypt Message button to encrypt the message.
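As an added illustration, not part of the original chapter, of what the sign and encrypt options do and of the privacy, tampering and authenticity properties described at the start of this section, the following Go program models a signed and encrypted message with RSA. It assumes constructed keys for a sender and a recipient and simplifies real S/MIME, which signs the body before enveloping it and encrypts the body with a symmetric content key rather than applying RSA to the body directly.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SecureMessage models a message sent with both Outlook options enabled.
type SecureMessage struct {
	Ciphertext []byte
	Signature  []byte
}

// Send encrypts with the recipient's public key, then signs with the sender's private key.
func Send(body []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (SecureMessage, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, body, nil)
	if err != nil {
		return SecureMessage{}, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SecureMessage{}, err
	}
	return SecureMessage{Ciphertext: ct, Signature: sig}, nil
}

// Receive verifies with the sender's public key, then decrypts with the recipient's
// private key: tampered or forged mail fails the first check, a wrong reader the second.
func Receive(m SecureMessage, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(m.Ciphertext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], m.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed (tampered or forged): %w", err)
	}
	body, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, m.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed (not the intended recipient): %w", err)
	}
	return body, nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed sender key
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // constructed recipient key
	m, _ := Send([]byte("Lunch at noon? Alice"), alice, &bob.PublicKey)
	fmt.Println(Receive(m, bob, &alice.PublicKey))
}
```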
Automating Message Security

You can tell Outlook to digitally sign and/or encrypt all your outgoing messages. Select Tools, Options, and display the Security tab. To encrypt all your messages, activate the Encrypt Contents and Attachments for All Outgoing Messages check box. To sign all your messages, activate the Add Digital Signature to Outgoing Messages check box.

From Here

For other Outlook tricks, see Chapter 5, "Getting the Most Out of Outlook."
To learn the basics of VBA, see Chapter 11, "Maximizing Office with VBA Macros."
To see other Outlook VBA code, see the section titled "Outlook Macros" in Chapter 12.
For more on Office security, see Chapter 14, "Securing Office 2003."
To learn how to apply a password to your Outlook data files, see the section titled "Assigning a Password to Your Outlook Personal Folders" in Chapter 14.
To learn how to work with the Registry Editor and the Windows Registry, see Appendix A, "Working with the Windows Registry."