Jason Palmer, CPA, CITP


Securing your Email – Understanding Public Key and Private Key Encryption

August 24, 2012 By Jason Palmer 2 Comments

With Public Key Encryption, also known as asymmetric key encryption, two different but related keys, a Private Key and a Public Key, are used together to Digitally Sign and Authenticate an email message and/or to encrypt it.  One key of the pair performs an operation (signing, or decrypting) and only its mate can check or undo it (verifying the signature, or encrypting in the first place).

The Private Key and Public Key are a mathematically related, unique pair of very long random numbers that are 100% mated to each other.  The pair is created by a “Key Generation Utility”; the Public Key half is then submitted to the Certificate Authority, which binds it to your email address (and optionally your identity) in your “Personal or Business Digital Certificate for Secure Email.”  The Private Key never leaves your computer.  (See my article, “Securing your Email – Digital Certificate for Secure Email” for information on obtaining one.)  Note:  The Key Generation Utility is usually built into the Email Client Software, the web browser, or a Web Mail Browser Plug-In, so it may not be necessary to explicitly create the key pair; it often happens automatically when you request the Certificate.

So, how does Public and Private Key Encryption work?  For starters, recall that the Private Key and Public Key are a related pair; they work together.  Important Safety Tip:  As the names imply, the Private Key must remain private, and its “pass phrase” (the password that unlocks the key) must be known ONLY to you personally.  The Public Key is distributed to everyone you want to communicate with so that the recipients can either Authenticate a message from you as genuine or encrypt a message that only you can decode with your Private Key.  (Nothing a recipient does with your Public Key lets them decrypt mail: your Public Key verifies your signatures and encrypts messages to you; only your Private Key decrypts.)  The Public Key can also be placed on a “Trusted Public Key Server” (think of a phone directory for everyone’s Public Key) so that others can look up your Public Key to encrypt messages that only you can decrypt with your Private Key.

NOTE:  For purposes of this discussion we need to assume that, regardless of whether you are using a Class 1 (Email Address Validated) or Class 2 (Email Address and Identity Validated) Digital Certificate for Secure Email, YOU are the one and only person with access to your email account and that the Pass Phrase to your Private Key is known ONLY to you.  With a basic Class 1 Digital Certificate for Secure Email, ANYONE who has access to your email account could request a Digital Certificate for Secure Email without your knowledge (the Certificate Authority only checks that the requester can read mail at that address) and could then masquerade as you for purposes of sending Digitally Signed and Encrypted Email.

If I want to Digitally Sign an email message so that a recipient will have a high degree of assurance that I was the actual sender, similar to having a paper document Notarized, I tell my Email Client to “Digitally Sign” the message; it does so with my Private Key, after I enter the pass phrase that unlocks it.  My Digital Certificate, which contains my Public Key, is attached to the message as it is sent.  The Recipient’s Email Client uses the attached Public Key to check my Digital Signature and verify that it is Authentic and Genuine, and it also checks that the attached Certificate was issued by a Certificate Authority it trusts.  (Recall that when I have a paper document Notarized, a licensed independent third party Authenticates my signature by reviewing other Identity documents.  This is similar to what a Certificate Authority does when issuing a Class 2 Digital Certificate for Secure Email.)

You may be wondering, “How is this any different from a regular message, since I included the Public Key, the part required for the recipient to authenticate the message?”  The answer is that the Digital Signature could only have been produced with my Private Key, which required my super-secret, ultra-secure “pass phrase” known only to me.  The Private Key and Public Key are a mated pair: a signature made with the Private Key verifies only with its matching Public Key, and nobody can produce such a signature without the Private Key.  Anyone could attach some Public Key to a message; what ties that key to me is the Certificate wrapped around it, which a trusted Certificate Authority issued for my email address.  So as long as the Recipient’s Email Client checks the Certificate against a Certificate Authority it trusts, whether it uses the copy I sent along with the message or retrieves my Public Key from a Trusted Public Key Server, the message can be authenticated as legitimately Digitally Signed by me.

Technical Note:  The Email Clients are performing a large amount of mathematics in the background.  The message is first run through a cryptographic hash function, which produces a short, fixed-length “fingerprint” of the full content; it is this fingerprint that my Private Key actually signs.  The body text of a Digitally Signed message is not encrypted and could be altered in transit.  If it is, the recipient’s Email Client will hash the altered text, find that the fingerprint no longer matches the one inside the Digital Signature, and report the signature as invalid or the message as altered from its original content.  A signed message that has been tampered with does not show as “Authentic.”

To Encrypt a message requires one extra step:  before I can send a recipient an encrypted message, I need to have their Public Key (normally from a Digitally Signed message they sent me earlier, or from a Trusted Public Key Server).  My Email Client software uses the Recipient’s Public Key to encrypt the message.  Then the Recipient’s Email Client uses the Recipient’s Private Key to decrypt it.  My own keys play no part in this step.

Taking it one step further, if I use my Private Key and the Recipient’s Public Key together, I can both Digitally Sign the message and Encrypt it.  The Recipient can then Authenticate that I actually sent the message with my Public Key and Decrypt it with the Recipient’s Private Key, so only the Recipient can read it.  (The usual order is to sign first and then encrypt, so that the signature travels protected inside the encrypted envelope.)

The best way to get started in using Digital Signatures and encrypting email, when appropriate, is to obtain a Digital Certificate for Secure Email and then send a Digitally Signed message to the people you want to be able to communicate with securely.  (See my article, “Securing your Email – Digital Certificate for Secure Email” for information on obtaining one.)  Since your Public Key is automatically included in your Digitally Signed Message, the Recipient’s Email Client will automatically store it so that it can be used to verify the signature on future messages from you or to encrypt messages the Recipient sends to you.
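The steps described above, from signing through sign-and-encrypt, run end to end with the openssl command line as an added example.  This is not code from the original article or from any certificate vendor: the two self-signed certificates it generates stand in for CA-issued Digital Certificates for Secure Email, and the names, addresses and sample message are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original article: the sign / verify /
# encrypt / decrypt steps described above, driven with the openssl command line
# (S/MIME, the format Outlook, Thunderbird and Notes use for signed mail).
# Assumptions: the self-signed certificates generated here stand in for
# CA-issued Digital Certificates for Secure Email; "alice", "bob", their
# addresses and the sample message are all constructed for the demo.
set -u
WORK="${SMIME_WORK:-$(mktemp -d)}"

# Key pair plus certificate for one person. The email address goes into the
# Subject Alternative Name and the certificate is marked for e-mail protection,
# as a CA-issued S/MIME certificate would be.
make_identity() {    # make_identity <name> <email>
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1/emailAddress=$2" \
        -addext "subjectAltName=email:$2" \
        -addext "extendedKeyUsage=emailProtection" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Sign: only the signer's PRIVATE key is used. The signer's certificate (which
# carries the public key) is attached so the recipient can verify at once.
sign_message() {     # sign_message <signer> <plaintext-file> <out-file>
    openssl smime -sign -text -in "$2" -out "$3" \
        -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" 2>/dev/null
}

# Verify: checks the signature with the attached public key AND that the
# attached certificate chains to an issuer in the trust store (-CAfile).
verify_message() {   # verify_message <signed-file> <trusted-cert> <out-file>
    openssl smime -verify -text -in "$1" -CAfile "$2" -out "$3" >/dev/null 2>&1
}

# Encrypt: uses only the RECIPIENT's certificate (public key).
encrypt_message() {  # encrypt_message <recipient> <in-file> <out-file> [-text]
    openssl smime -encrypt -aes256 ${4:-} -in "$2" -out "$3" "$WORK/$1.crt" 2>/dev/null
}

# Decrypt: only the recipient's PRIVATE key can open the message.
decrypt_message() {  # decrypt_message <recipient> <in-file> <out-file> [-text]
    openssl smime -decrypt ${4:-} -in "$2" -out "$3" \
        -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" >/dev/null 2>&1
}

# Compare two text files ignoring the CRLF line endings S/MIME canonicalizes to.
same_text() {        # same_text <file-a> <file-b>
    [ "$(tr -d '\r' < "$1")" = "$(tr -d '\r' < "$2")" ]
}

# Walk through every case in the text; returns 0 only if all expectations hold.
run_demo() {
    make_identity alice alice@example.com || return 1
    make_identity bob   bob@example.com   || return 1
    printf 'Wire 100 dollars to account 42 today.\n' > "$WORK/plain.txt"  # constructed

    # 1. Alice signs; the message verifies when her certificate is trusted ...
    sign_message alice "$WORK/plain.txt" "$WORK/signed.eml" || return 1
    verify_message "$WORK/signed.eml" "$WORK/alice.crt" "$WORK/v1.txt" || return 1
    same_text "$WORK/plain.txt" "$WORK/v1.txt" || return 1
    # ... but NOT against a trust store that does not contain her issuer.
    verify_message "$WORK/signed.eml" "$WORK/bob.crt" "$WORK/v2.txt" && return 1

    # 2. Altering the clear-text body changes its hash; the signature fails.
    sed 's/100 dollars/900 dollars/' "$WORK/signed.eml" > "$WORK/tampered.eml"
    verify_message "$WORK/tampered.eml" "$WORK/alice.crt" "$WORK/v3.txt" && return 1

    # 3. Encrypted to Bob: Bob's private key opens it, Alice's does not.
    encrypt_message bob "$WORK/plain.txt" "$WORK/enc.eml" -text || return 1
    decrypt_message bob   "$WORK/enc.eml" "$WORK/d1.txt" -text || return 1
    same_text "$WORK/plain.txt" "$WORK/d1.txt" || return 1
    decrypt_message alice "$WORK/enc.eml" "$WORK/d2.txt" -text && return 1

    # 4. Sign, then encrypt: Alice's private key signed, Bob's public key seals
    #    the signed MIME message (no -text: it already has MIME headers). Bob
    #    decrypts with his private key, then verifies with Alice's certificate.
    encrypt_message bob "$WORK/signed.eml" "$WORK/both.eml" || return 1
    decrypt_message bob "$WORK/both.eml" "$WORK/inner.eml" || return 1
    verify_message "$WORK/inner.eml" "$WORK/alice.crt" "$WORK/v4.txt" || return 1
    same_text "$WORK/plain.txt" "$WORK/v4.txt"
}

run_demo && echo "all S/MIME checks passed"
```

Run it as-is in a scratch directory.  Cases 1 and 2 are the two halves of the Technical Note: a signature from an untrusted certificate is rejected even though the mathematics checks out, and a single altered word in the clear-text body makes the signature fail.  Most email clients additionally compare the email address inside the signing certificate with the message's From: address; this script does not, so keep that check in mind when reading its results.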

Note:  If you are not using Microsoft Outlook or Lotus Notes, you will need an “Add-on” application for your email client or web browser.  Options will be discussed in a future article.

Filed Under: Security, Tech in Plain English Tagged With: Authenticated Email, Certificate Authority, Class 1 Certificate, Class 2 Certificate, Digital Signature, Email, Email Client Software, Encryption, Key Pair, Private Key, Private Key Encryption, Public Key, Public Key and Private Key Encryption, Public Key Encryption, Public Key Infrastructure, Public Key Servers, Secure Email

Securing your Email – Digital Certificate for Secure Email

August 23, 2012 By Jason Palmer Leave a Comment

A Digital Certificate for Secure Email enables you to digitally sign your email and authenticate that the message was actually sent from your email account.  Optionally, you can also encrypt the email message to secure it against unauthorized viewing.  (Encryption of email will be discussed in a future article.)

A Digital Certificate for Secure Email is issued by one of the well-known Certificate Authorities, the same group of companies that issue SSL (Secure Sockets Layer) Certificates that encrypt web browser communications.  (The “lock” in your browser when connected over HTTPS:// )

A Class 1 Certificate requires only that you enter your First Name, Last Name, Email Address and a pass-phrase, which protects the Certificate from unauthorized use and lets you revoke it if the Certificate is compromised or lost.  The only Authentication performed is that the email address submitted is valid and that you have access to that email account to retrieve the Certificate.  It is important to note that the Certificate is ONLY validating control of the email address.  Anyone who has access to the specific email account can request a Certificate and can most likely use it to authenticate a message sent from that specific email account.  This is critical to understand if you share your email account with others.

For many non-business users, a Class 1 Certificate is adequate and available at no cost from Comodo, a Certificate Authority.  (There are a few other free providers but none as quick or as easy to use as Comodo.)   Most people have an email account that they do not share and that is properly secured with a strong password.  (Well, at least they have an email account they do not share.  Not everyone follows good password creation guidelines.)  The point is that if you send an email message to jason@palmer.net, confidence is high that I am the only one sending and receiving mail from that account.  In fact, the entire point of using a Digital Certificate for Secure Email is that you as the recipient could immediately tell whether the message was sent from the real jason@palmer.net email account (most likely me with a Class 1 Certificate, and definitely me with a Class 2 Certificate) or whether it was spoofed.  (There are other ways of detecting a spoofed email, specifically by reviewing the Full Headers of the message and spotting inconsistencies in the email addresses and servers.)

For added assurance, you may want to consider a Class 2 Certificate, whereby you need to provide the Certificate Authority with proof of identity, such as a Government issued ID (Driver’s License, Passport, Passport Card, Birth Certificate, or similar).  A Class 2 Certificate validates both the email address and that you are its owner and a real person.  Email signed with a Class 2 Certificate is similar to sending over a notarized document.  An independent third party has verified your identity, so when you use the Certificate a certain level of assurance can be assumed by the recipient that you are the actual, legitimate sender of the message.

Class 2 Digital Certificates for Secure Email come in two flavors:  “Personal”, that specifically identify you as an individual and “Business”, that specifically identify you and that you are a legitimate employee of a specific company.

You may be wondering, “Wow, this sounds great!  Why isn’t everyone using a Digital Certificate for Secure Email on every message?”  The answer is that it is a little cumbersome to set up and use.  First, both you and everyone you want to send and receive mail from need to obtain his or her own Digital Certificate for Secure Email.  Next, you need to configure your email client to work with the Digital Certificate for Secure Email.  This is relatively straightforward in Microsoft Outlook, Mozilla Thunderbird, or Lotus Notes.  It is not quite as easy for Web Mail users of Gmail, AOL, Hotmail, Yahoo, and similar services, as it requires a plug-in or extension installed in the web browser.  (A plug-in or extension is a specialized helper application that enables additional features and capabilities in your web browser.)

If the recipient’s email client is properly configured to understand a Digitally Signed email message, when you send a Digitally Signed Message the recipient will see a notation on the email that the message was Digitally Signed.  However, if the recipient’s email client is not set up properly, the recipient will see an additional attachment to your message, typically named smime.p7s, that is meaningless to them and contains the Digital Signature information.  This can become very annoying to your recipients, as every message you send them would carry that attachment.

Securing your email all starts with either a Class 1 or Class 2 Digital Certificate for Secure Email.  At least visit Comodo below and start with a FREE Class 1 Digital Certificate for Secure Email, and then tell all of your friends to do the same.  A Class 1 Digital Certificate for Secure Email takes only minutes to request and install; they are valid for one year and are available free of charge.

Stay tuned and read my future articles on how to implement Secure Email Communication for transmission of sensitive and confidential information over the wild Internet through Email.

Important Technical Note:  Make sure that you use the same computer and web browser to request and to retrieve the Digital Certificate for Secure Email.  The reason is that the key pair is generated inside that browser when you submit the request, and the Private Key never leaves it; the Certificate Authority returns only the signed Certificate, which the browser then pairs with the Private Key it kept.  You will also need to make sure that Java is enabled and that your web browser accepts Cookies to complete the process successfully.  The Certificate is actually being created and added to your web browser’s certificate store, and then you have to export it, together with its Private Key (usually as a password-protected .p12 or .pfx file), for your specific email client.  Microsoft Internet Explorer and Microsoft Outlook do not require this step as they both use the same Certificate Store in Windows.  Firefox with the Thunderbird email client, or Lotus Notes, might require some additional steps to configure properly.  Instructions are provided by both the Certificate Authority and your Email Client Vendor.
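What a Digital Certificate for Secure Email actually asserts, and the export step in the Technical Note above, as an added example rather than code from this article or from any Certificate Authority.  It assumes a self-signed certificate generated locally in place of the one the browser obtained from the CA; the address and the export password are constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: what to check in a
# Secure Email certificate before relying on it, and how to package the
# private key with its certificate as a PKCS#12 (.p12/.pfx) file, the form in
# which it is exported from a browser's certificate store and imported into
# an email client. Assumptions: a self-signed certificate generated here
# stands in for the CA-issued one; the address and password are constructed.
set -u
WORK="${SMIME_WORK:-$(mktemp -d)}"

# Stand-in for the key pair and certificate the browser created (constructed).
make_cert() {        # make_cert <email>
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo User/emailAddress=$1" \
        -addext "subjectAltName=email:$1" \
        -addext "extendedKeyUsage=emailProtection" \
        -keyout "$WORK/me.key" -out "$WORK/me.crt" >/dev/null 2>&1
}

# The address the certificate binds. A Class 1 certificate validates nothing
# else, so this is the one field a recipient's client really compares.
cert_email() {       # cert_email <cert.pem>  -> prints the address
    openssl x509 -in "$1" -noout -email | head -n 1
}

# Did the issuer mark the certificate for e-mail use? OpenSSL prints
# "S/MIME signing : Yes" when Extended Key Usage / Key Usage allow it.
cert_smime_ok() {    # cert_smime_ok <cert.pem>
    openssl x509 -in "$1" -noout -purpose | grep -q '^S/MIME signing : Yes'
}

# Still valid for at least <days> more days? (Class 1 certificates are issued
# for one year; an expired one makes every signature show as invalid.)
cert_valid_for_days() {  # cert_valid_for_days <cert.pem> <days>
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Bundle private key + certificate into a password-protected PKCS#12 file.
export_p12() {       # export_p12 <key.pem> <cert.pem> <out.p12> <password>
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
        -name "Secure Email" -passout "pass:$4" 2>/dev/null
}

# Confirm the bundle opens with the password and carries both halves: a .p12
# holding the certificate but no private key cannot sign or decrypt anything.
p12_has_key_and_cert() {  # p12_has_key_and_cert <file.p12> <password>
    dump=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null) || return 1
    printf '%s\n' "$dump" | grep -q 'PRIVATE KEY' &&
    printf '%s\n' "$dump" | grep -q 'BEGIN CERTIFICATE'
}

# Returns 0 only when every check holds.
run_demo() {
    make_cert demo@example.com || return 1
    [ "$(cert_email "$WORK/me.crt")" = "demo@example.com" ] || return 1
    cert_smime_ok "$WORK/me.crt" || return 1
    cert_valid_for_days "$WORK/me.crt" 30 || return 1
    export_p12 "$WORK/me.key" "$WORK/me.crt" "$WORK/me.p12" "correct horse" || return 1
    p12_has_key_and_cert "$WORK/me.p12" "correct horse" || return 1
    # Wrong password: the bundle must not open.
    p12_has_key_and_cert "$WORK/me.p12" "wrong" && return 1
    return 0
}

run_demo && echo "certificate checks passed; bundle written to $WORK/me.p12"
```

The password on the .p12 file is what protects the Private Key while the bundle sits on disk or in a backup; it plays the same role as the pass phrase described in the article.  OpenSSL 3 writes PKCS#12 files with AES-based encryption by default, and some older email clients only import the legacy RC2/3DES variant, which `openssl pkcs12 -export -legacy` produces on OpenSSL 3.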

Digital Certificate for Secure Email Authority Vendors:

Free Class 1

Comodo – FREE AND RECOMMENDED CHOICE
http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

Symantec TrustCenter – FREE (Not as fast or easy as Comodo.)
https://www.trustcenter.de/RetailStore/cid/CustomerData!input.action

StartSSL – Free but cumbersome to apply for and install
https://www.startssl.com/?app=1

CACert – Free and very cumbersome to apply for and install
https://www.cacert.org/

Paid Class 1 and 2 Personal and Business
NOTE:  There is no reason to pay for a Class 1 Certificate.  Use the Free options above.

Comodo – Business Class 2 Certificates – Value Priced Leader
http://www.enterprisessl.com/ssl-certificate-products/addsupport/secure-email-certificates.html

*Prices and Features vary widely with Vendors listed below – Read Carefully before purchasing.

GlobalSign – Personal and Business Class 1 and 2
https://www.globalsign.com/personalsign/comparison.html

IdenTrust – Personal and Business Class 2
http://www.identrust.com/certificates/trustid.html

Symantec TrustCenter – Personal Class 2
http://www.trustcenter.de/en/products/tc_personal_id.htm

Symantec TrustCenter – Business Class 2
http://www.trustcenter.de/en/products/tc_business_id.htm

Symantec/Verisign – Personal Class 1
http://www.symantec.com/verisign/digital-id

Filed Under: Security, Tech in Plain English Tagged With: Cacert.org, Certificate Validation, Certificates Authority, Class 1, Class 1 Certificate, Class 1 Digital Certificate, Class 2 Certificate, Class 2 Digital Certificate, Comodo Group, Cryptographic Protocols, Digital Certificates, Digital Signature, Email, Email Encryption, Ibm Lotus Notes, Key Management, Secure Email, smime, Ssl Secure Socket Layer
