Jason Palmer, CPA, CITP

Cyber Insurance Auditing

You are here: Home / Archives for Email

Securing your Email – Assigning and Using a Digital Certificate for Secure Email in Thunderbird

By 1 Comment

Thunderbird Secure EmailIn order to use a Digital Certificate for Secure Email, you need to install the Certificate in to Thunderbird.  Installing the Certificate is straightforward.  Unfortunately, to use PGP – Public Key and Private Key Encryption in Thunderbird takes a little bit of effort to setup and install.

The steps are clearly defined with Screen Shots at the Thunderbird Documentation Site:

https://support.mozillamessaging.com/en-US/kb/digitally-signing-and-encrypting-messages

In short, Thunderbird uses the PGP (Pretty Good Privacy) Protocol to Encrypt and Digitally Sign email messages implemented through Open Source software.  The two required components are GnuPG: (GNU Privacy Guard): a free software implementation of the commercial version of PGP and the free Enigmail Thunderbird add-on.  (An add-on is small helper application software program that “adds-on” specific functionality.)
To learn more about Public Key and Private Key encryption read my article, “Securing your Email – Understanding Public Key and Private Key Encryption.”

In the documentation referenced above, you download the appropriate version of GnuPG for Windows, Mac, or Linux, the follow the instructions for installing the Enigmail Add-on.

Next, you create your Public Key and Private Key using a Key Generation Wizard.  Then you have the option of setting your configuration to sign all of your outgoing Email with your Digital Signature or on a per message basis.  This operates pretty much the same way in every Email client regardless of vendor.

Digitally signing a messages is as easy as selecting, “Sign Message” from the NEW OpenPGP tab on your Thunderbird Menu Bar.  Same holds true for “Encrypting” a message.

As with all Public Key and Private Key encryption, when you Digitally Sign an email, you must make sure to attach your Public Key with your message. This allows the Recipient to save your Public Key so that they can encrypt an email message to you.  It also allows them to Authenticate an email Digitally Signed by you.

When you receive an email encrypted with your Public Key, you will use your Private Key Passphrase to decrypt the message and read it.  Once both you and your Recipient have each other’s Public Key’s you can start to send and receive Encrypted and Digitally Signed email at will.

The Thunderbird OpenPGP add-on makes Digitally Signing, sending and receiving Encypted Email a breeze.

GnuPG Project Information
http://www.gnupg.org/

Enigmail Information
http://www.enigmail.net

 

Securing your Email – Assigning and Using a Digital Certificate for Secure Email in Outlook

By Leave a Comment

Digital SignatureIn order to use a Digital Certificate for Secure Email, you need to install the Certificate in to your specific version of Outlook and assign it to the correct profile.  This is usually the default profile if you are the only one that uses your copy of Microsoft Outlook.

In most cases, when you retrieve the Digital Certificate for Secure Email, the Internet Explorer Web Browser will automatically store it in the Windows Digital Certificate Store for you.  Most editions of Microsoft Outlook can automatically access the Microsoft Windows Digital Certificate Store.  If for some reason the Digital Certificate for Secure Email does not properly appear visible in a version of Outlook, use the tutorials below to verify the settings.

If you used FireFox to request and retrieve your Digital Certificate for Secure Email, you may need to Export/Backup then Import/Restore the Digital Certificate for Secure Email in to Internet Explorer so that it is visible to Microsoft Windows Digital Certificate Store.

Please visit the following links for excellent tutorials on the process.

Outlook 2003
https://www.globalsign.com/support/personal-certificate/per_outlook03.html

Outlook 2007
https://www.globalsign.com/support/personal-certificate/per_outlook07.html

Outlook 2010
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1348

Outlook Express – Versions 5 and 6
http://www.comodo.com/support/products/email_certs/oe_5_6.php

Microsoft Outlook 98 – 2000
https://www.globalsign.com/support/personal-certificate/per_outlook9800.php

Windows Mobile PDA
https://www.globalsign.com/support/personal-certificate/per_wm_pda.php

In general, to Digitally Sign or Encrypt an email message, when composing the message look under the OPTIONS tab,  – More Options, Security Settings, or Permissions – depending on your version of Outlook. There you will be presented with the option to Digitally Sign and/or Encrypt your message.

REMEMBER:  Before you can encrypt a message to a Recipient, you must have that Recipients PUBLIC key.  To exchange your key with a potential recipient, send him or her any email message that is Digitally Signed.  This message will include your PUBLIC key and for future Authentication, allow the Recipient to store your key in his or her contact list. Then, the Recipient should reply back to you with his or her Public key.  Once you have your intended Recipients Public Key, you can encrypt your email communications on a selective basis and vice-versa.
To learn more about Public Key and Private Key encryption read my article, “Securing your Email – Understanding Public Key and Private Key Encryption.”

Securing your Email – Understanding Public Key and Private Key Encryption

By 2 Comments

Public Key InfrastructureWith Public Key Encryption, also known as asymmetric key encryption, two different keys, a Private Key and Public key are used simultaneously to both Digitally Sign and Authenticate an email message and/or encrypt it.

The Private Key and Public Key are a mathematically related unique pair of really long random that are 100% mated to each other.  The Private and Public Keys are created by using the information from your “Personal or Business Digital Certificate for Secure Email” and a “Key Generation Utility.”  The Certificate authenticates your email address and optionally your identity.  (See my article, “Securing your Email – Digital Certificate for Secure Email” for information on obtaining one.)  Note:  The Key Generation Utility is usually included as part of the Email Client Software or Web Mail Browser Plug-In.  It may not be necessary to explicitly create the key pair as it may automatic.

So, how does Public and Private Key Encryption work?  For starters, recall that the Private Key and Public key are a related pair – they work together.  Important Safety Tip:  As the names imply, the Private Key must remain private and its’ “pass phrase” (the password to use the key) must remain “private” and ONLY known to you personally.  The Public Key is widely distributed to everyone you want to communicate with so that the recipients can either Authenticate a message from you as genuine, decrypt an encrypted message you send them, or they can encrypt a message that only you can decode with your Private Key.  The Public Key can also be placed on a “Trusted Public Key Server” (think phone directory for everyone’s Public Key) so that others can look up your Public Key to encrypt messages to be sent that only you can decrypt with your Private Key.

NOTE:  For purposes of this discussion we need to assume that regardless of if you are using a Class 1 (Email Address Validated) or Class 2 (Email Address and Identity Validated) Digital Certificate for Secure Email, that YOU are the one and only person associated with your email account and that the Pass Phrase to your Private Key is known ONLY to you.  With a basic Class 1 Digital Certificate for Secure Email, ANYONE who has access to your email account and who may have requested a Digital Certificate for Secure Email without your knowledge could masquerade as you for purposes of sending Digitally Signed and Encrypted Email.

If I want to Digitally Sign an email message so that a recipient will have a high degree of assurance that I was the actual sender of the message, similar to when I have a paper document Notarized, I use my Private Key along with my Public key to tell my Email Client to “Digitally Sign” the message.  I then attach my Public Key with the message as I send it to the recipient.  The Recipients’ Email Client uses the attaché Public Key to process my Digital Signature and verify that the Digital Signature is Authentic and Genuine.  (Recall when I have a paper document Notarized, a licensed independent third party Authenticates my signature by reviewing other Identity documents.  This is similar to what a Certificate Authority would do when issuing a Class 2 Digital Certificate for Secure Email.)

You may be wondering, “How is this any different than if I just sent a regular message since I included the Public Key, the part required for the recipient to authenticate the message?”  The answer is that when I Digitally Signed the message with my Private Key, I had to enter in my super-secret, ultra-secure “pass phrase” known only to me.  The Private Key and Public Key are a mated pair that must be used together to be of any value.  Since only my Public Key can be used to authenticate a message that I personally, Digitally Sign, the message has to be authentic and sent by me.  Assuming that the Recipient uses either the Public Key that I sent along with the message or retrieves my Public Key from a Trusted Public Key Server, the message can be authenticated as legitimately Digitally Signed by me.

Technical Note:  The Email Clients are performing a massive amount of mathematical calculations in the background creating hash totals and checksums which are shorter strings of numbers that represent the original extremely long numbers to expose tampering.  It is possible that the body text which is not encrypted in a Digitally Signed Message could be altered in transit.  The message would still correctly show the Digital Signature as “Authentic” however the “math” would also show that the message had been altered from its’ original content.

To Encrypt a message requires one extra step:  Before I can send a recipient an encrypted message, I need to know their Public Key.  My Email Client software will use the Recipients’ Public Key to encrypt the message.  Then, the Recipients’ Email Client will use the Recipients’ Private Key to decrypt the message.

Taking it one step further, if I use my Private Key and the Recipients Public Key at the same time, I can both Digitally Sign the message and Encrypt it so that the Recipient can Authenticate that I actually sent the message with my Public Key and Decrypt the message with the Recipients Private Key so only the Recipient can read it.

The best way to get started in using Digital Signatures and encrypting email, when appropriate, is to obtain a Digital Certificate for Secure Email and then send a Digitally Signed message to people you want to be able to communicate with securely.  (See my article, “Securing your Email – Digital Certificate for Secure Email” for information on obtaining one.)  Since your Public Key is automatically included in your Digitally Signed Message, the Recipients’ Email Client will automatically store it so that it can be used to either decrypt messages sent by you or encrypt messages that are sent to you from the Recipient.

Note:  If you are not using Microsoft Outlook or Lotus Notes, you will need an “Add-on” application for your email client or web browser.  Options will be discussed in a future article.

Securing your Email – Digital Certificate for Secure Email

By Leave a Comment

HTTPS SSL Computer CubeA Digital Certificate for Secure Email enables you to digitally sign your email and authenticate that the message was actually sent from your email account.  Optionally, you can also encrypt the email message to secure it against unauthorized viewing.  (Encryption of email will be discussed in a future article.)

A Digital Certificate for Secure Email is issued by one of the well-known Certificate Authorities, the same group of companies that issue SSL (Secure Socket Layer) Certificates that encrypt web browser communications.  (The “lock” in your browser when connected over HTTPS:// )

A Class 1 Certificate requires only that you enter your First Name, Last Name, Email Address and a pass-phrase which secures the Certificate itself from unauthorized use or for revocation if the Certificate is compromised or lost.  The only Authentication performed is that the email address submitted is valid and that you have access to that email account to retrieve the Certificate.  It is important to note that the Certificate is ONLY validating the existence of the email address.  Anyone who has access to the specific email account can request a Certificate and can most likely use it to authenticate a message sent from that specific email account.  This is critical to understand if you share your email account with others.

For many non-business users, a Class 1 Certificate is adequate and available at no cost from a Comodo, a Certificate Authority Provider.  (There are a few other free providers but none as quick or as easy to use as Comodo.)   Most people have an email account that they do not share and that is properly secured with a strong password.  (Well at least they have an email account they do not share.  Not everyone follows good password creation guidelines.)  The point being that if you send an email message to jason@palmer.net  confidence is high that I am the only one sending and receiving mail from that account.  In fact, the entire point of using a Digital Certificate for Secure Email is that you as the recipient could immediately tell if the message was sent from the real jason@palmer.net email account (most likely me if a Class 1 Certificate and definitely me if a Class 2 Certificate) or if it was spoofed.  (There are other ways of determining a Spoofed email, specifically by reviewing the Full Headers of the Message and spotting inconsistencies in the email addresses and Servers.)

For added assurance, you may want to consider a Class 2 Certificate whereby you need to provide the Certificate Authority with proof of identity, such as a Government issued ID (Driver’s License, Passport, Passport Card, Birth Certificate, or similar).  A Class 2 Certificate validates both the email address and that you are its’ owner and a real person.  Email signed with a Class 2 Certificate is similar sending over a notarized document.  An independent third party has verified your identity so when you use the Certificate a certain level assurance can be assumed by the recipient that you are the actual, legitimate sender of the message.

Class 2 Digital Certificates for Secure Email come in two flavors:  “Personal”, that specifically identify you as an individual and “Business”, that specifically identify you and that you are a legitimate employee of a specific company.

You may be wondering, “Wow, this sounds great!  Why isn’t everyone using a Digital Certificate for Secure Email on every message?”  The answer would be because it is a little cumbersome to setup and use.  First both you and everyone you want to send and receive mail from need to obtain his or her own Digital Certificate for Secure Email.  Next, you need to configure your email client to work with the Digital Certificate for Secure Email.  This is relatively straightforward in Microsoft Outlook, Mozilla Thunderbird, or Lotus Notes.  Not quite as easy for Web Mail Users of Gmail, AOL, Hotmail, Yahoo, and similar services as it requires a plug-in or extension installed in the web browser. (A plug-in or extension is a specialized helper application that enables additional features and capabilities in your web browser.)

If the recipients’ email client is properly configured to understand a Digitally Signed email message, when you send a Digitally Signed Message, the recipient will see a notation on the email that the message was Digitally Signed.  However, if the recipients email client is not setup properly, the recipient will see an additional text attachment to your message that is meaningless and contains the Digital Signature Information.  This can become very annoying to your recipients as every message would you send them would have an attachment.

Securing your email all starts with either a Class 1 or Class 2 Digital Certificate for Secure Email.  At least visit Comodo below and start with a FREE Class 1 Digital Certificate for Secure Email, and then tell all of your friends to do the same.  A Class 1 Digital Certificate for Secure Email takes only minutes to request and install, they are valid for one year, and are available free of charge

Stay tuned and read my future articles on how to implement Secure Email Communication for transmission of sensitive and confidential information over the wild Internet through Email.

Important Technical Note:  Make sure that you use the same computer and web browser to request and access the retrieval of Digital Certificate for Secure Email.  You will also need to make sure that Java is enabled and that your web browser accepts Cookies to complete the process successfully.  The Certificate is actually being created and added to your web browser’s certificate store, and then you have to export it for your specific email client.  Microsoft Internet Explorer and Microsoft Outlook do not require this step as they both can access the same Certificate Store in Windows.  Firefox and the Thunderbird Email client or Lotus Notes might require some additional steps to configure properly.  Instructions are provided by both the Certificate Authority and your Email Client Vendor.

Digital Certificate for Secure Email Authority Vendors:

Free Class 1

Comodo – FREE AND RECOMMENDED CHOICE
http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

Symantec TrustCenter – FREE (Not as fast or easy as Comodo.)
https://www.trustcenter.de/RetailStore/cid/CustomerData!input.action

StartSSL – Free but cumbersome to apply for and install
https://www.startssl.com/?app=1

CACert – Free and very cumbersome to apply for and install
https://www.cacert.org/

Paid Class 1 and 2 Personal and Business
NOTE:  There is no reason to pay for a Class 1 Certificate.  Use the Free options above.

Comodo – Business Class 2 Certificates – Value Priced Leader
http://www.enterprisessl.com/ssl-certificate-products/addsupport/secure-email-certificates.html

*Prices and Features vary widely with Vendors listed below – Read Carefully before purchasing.

GlobalSign – Personal and Business Class 1 and 2
https://www.globalsign.com/personalsign/comparison.html

IdenTrust – Personal and Business Class 2
http://www.identrust.com/certificates/trustid.html

Symantec TrustCenter – Personal Class 2
http://www.trustcenter.de/en/products/tc_personal_id.htm

Symantec TrustCenter – Business Class 2
http://www.trustcenter.de/en/products/tc_business_id.htm

Symantec/Verisign – Personal Class 1
http://www.symantec.com/verisign/digital-id