June 9, 2011, 2:06 p.m.
posted by gelassen
S/MIME capabilities are built into most popular e-mail programs because it is a standard for signing and encrypting e-mail. S/MIME uses Digital Certificates for both signing and encrypting. Your Digital Certificate is a “container” for your public key to accomplish these tasks. The private key portion of the Digital Certificate is encrypted and kept on a different system. Exactly where this private key is stored depends on whether you are using a public service — such as RSA, Verisign, or Thawte. If your company has their own, self-contained PKI system, it’s likely that the private key is kept on one of those servers.
Just as an FYI: Thawte’s Digital Certificates for personal use are free, while the other companies charge a fee. Each certificate is good for one year and must be renewed annually.
Believe it or not, it’s easier to set up S/MIME with MS Outlook Express than it is with the full-featured e-mail program, Outlook. Perhaps that’s because Outlook Express is closely linked to the MS Internet Explorer Web browser, and Web browsers are already set up to store Digital Certificates. In the examples below I’ve used Outlook Express 6.0 on Windows XP Pro. Your screens and dialog boxes may look slightly different than those shown here, but you can always use your e-mail program’s Help feature to find version-specific information.
Setting up S/MIME in a corporate environment is very different from setting it up yourself on your own computer. However, I like to give you the feel of things so you can get a good sense of what is going on. If you don’t want to set up S/MIME in Outlook Express at this time, you can skip this section and come back to it later.
I’ll warn you in advance — this setup involves many steps, so give yourself plenty of time. It’s not something you can start, leave for a while, and then come back to later. You have to do it all in one go, or not at all. Give yourself at least 45 minutes to complete the tasks. You’ll also have to have a buddy go through the same thing so you can exchange encrypted e-mails. Or, if you have more than one e-mail account, you can set it up so that each account has its own Digital Certificate and you can send test messages to yourself via the various accounts.
Ready? Set? Go!
First of all, I’ll need you to open Outlook Express — not plain old vanilla Outlook, but Outlook Express. Figure shows the different icons for the two programs:
With Outlook Express open, choose Tools>Options. When you have the Options window open, click the tab that says Security. Your window should look similar to the one in Figure.
Please make sure that all the radio buttons in your window match the example above. When you have all those set, click the Advanced button. There are a few more settings to change before you go on to get your Digital Certificate. In the Advanced Security Settings dialog box, I want you to check the same boxes as are shown in Figure.
After you click OK in the Advanced Security Settings dialog box, you’ll be back to the Security tab in the Options window. Notice that there is one button on the page that says Get Digital ID. This opens your Web browser (if it isn’t already running) and directs you to a Microsoft Web site that gives you a number of different companies from which you can obtain a digital ID. It’s an accepted practice for most companies to charge for digital IDs, but I’m going to recommend that you go to a company called Thawte — their Digital Certificates for personal use are free!
Waaaaaay down at the bottom of the Microsoft Web page is a link for Thawte. Click that, and it will take you to the page at Thawte for applying for a personal Digital Certificate. If you have trouble with the link, try typing this URL instead: www.thawte.com/html/COMMUNITY/personal/index.html. When you get to that page, go again waaaaaay down to the bottom of the page. In the last paragraph on the Thawte page, you should see a small, Act Now hyperlink. (Obviously they didn’t want to appear to be obnoxious.) Click that link and it will take you to the beginning of the registration process. It should open up a smaller window that looks like Figure.
Now the next bit takes a while to complete. As you navigate through the various pages of registration information, the site will be asking you for personal information; some of it very sensitive, like Social Security Number, Driver’s License Number, or Passport Number. Now Thawte doesn’t verify that any of these numbers you enter are correct at this point, but do make sure you are using some sort of valid information. Note: Since companies who issue Digital Certificates use personal information to verify who you are, they also have an obligation to protect all this personal information. Their reputations depend upon the fact that they are very careful with your data to make sure it doesn’t fall into the wrong hands. That’s why these companies are also referred to as Trusted Third Parties.
This certificate is for experimenting with anyway, and I don’t expect you to hang onto it forever. But, you are applying for a valid Digital Certificate and you will be able to use it with other programs that have the capability of handling them. Remember to enter a real e-mail address, too! Thawte will be sending messages to you and, if you’ve used a bogus e-mail address, you’ll never get through the registration process.
As you continue answering the questions for your certificate, you’ll eventually be asked for your passphrase. Think about this beforehand and pick something reasonable and not something like “12345678.” Then, just to be safe, create a TXT file, type in that passphrase, and store that file on a floppy disk. Put it away for safekeeping. That way, if you ever forget your passphrase, you’ll know where to go to find it. Again, don’t name the file something obvious, like “passphrase.txt,” and don’t hide the disk in an obvious location. But, enough of the reminders for now.
Thawte has the ability to recover your key if you lose it. It does this by asking you a series of questions to identify yourself. You’ll be given the opportunity to choose your questions and answers during the process of requesting your certificate. Be sure to write down your questions and answers so that you can refer back to them, but hide them in a secure location or store them in another text file on a floppy.
At this point you’ll have to pause and wait for Thawte to send you an e-mail to confirm your e-mail address. (You’ll be getting another one from them later on.) After you get that e-mail, follow their directions and copy and paste the information where they tell you to on the corresponding Web page. Thawte will come back immediately with confirmation of your e-mail address.
Next in the series of questions, you’ll be asked about some settings again. You can accept the default if you want, but I suggest that you set the security level to High (the default is Medium). If you set the security to High, you’ll be asked for a password to protect your certificate. Don’t let that confuse you. Do not use the same password or passphrase you gave earlier; use something different. What they are asking for now is a password to provide some sort of access control to your certificate.
Warning: In order to properly protect your certificates, set the security to High when applying for a Digital Certificate and set your Web browser’s security setting to High, too. Use a different password to protect your certificates than the one you used when you created your certificate request.
You’re almost done now! The Thawte Web page will create a key for you and will send you another e-mail to congratulate you and tell you about their trust authority process. But, because I’m just doing this for fun, you don’t want to hear about that now! You want to know how the dickens you get your certificate. The certificate is not in Thawte’s e-mail and there’s no direction in the e-mail on where to go or how to get your certificate! There’s not even any clear instruction on the Thawte Web site. (That was very naughty of them!) Well, one of the reasons you bought this book is because I’m going to tell you what to do next!
You have to give Thawte about 20-30 minutes to process your request for your certificate. After that time has passed, go to www.thawte.com/cgi/personal/cert/status.exe. If it asks for a UserID and password, use the e-mail address you used to register your certificate as your UserID, and use the password/passphrase you used to create the certificate as your password.
You should be at the personal certificates page now. On the left side of the screen you will need to choose View Certificate Status, which will pull up the certificate you’ve applied for. If you haven’t waited long enough, the status will be pending. If the certificate has been approved, the status will be issued. Your screen should resemble Figure.
Again, Thawte doesn’t tell you what to do next, but I am here to save the day! See where it says “Type” on the Web page and underneath that it says “MSIE”? Click the MSIE link, and it takes you to another Web page. At the very bottom of this Web page is a short paragraph that says “Fetch and Install Certificate.” Figure shows you what I mean.
After you click the little button with the doggie, your certificate will be installed into Internet Explorer and Outlook Express. Now you’ll be ready to go back to Outlook Express to finish up what you started.
Now that you have your certificate and it’s been automatically installed on your system, you won’t have much to worry about after you finish configuring Outlook Express.
You’ll need to go back to the Tools>Options>Security tab (it may still be open, just as you left it before getting your certificate). There’s a button that says Digital IDs. Click that button and you go to another screen that shows your current certificates (digital IDs). You should see Thawte Freemail Member — Personal Freemail RSA 2000.8.30. (If you don’t see it, you should go back to the Thawte site and try Fetch and Install again.)
Then, on the right side of the window, you’ll see a button that says Advanced. Click on that. As with all the other clicking you’ve done, you’ll see yet another window open. (You probably only have half a zillion windows open by the time you’re finished with this operation!) This window has all kinds of options. Make sure that you check every single one of the options, as in Figure.
After you have checked all the boxes, click OK, and you’re ready to send an encrypted message, a signed message, or a message that is both signed and encrypted. Remember:
Signing a message proves you’re the person who sent it.
Encrypting a message scrambles it so others can’t read it.
Signing and encrypting a message proves that you’re the person who sent it and scrambles it, too.
To send an encrypted message, you have to be sure that the other person (the recipient) has a certificate, too. Outlook Express automatically searches the public Digital Certificate servers to see if one exists for your recipient. (It searches by e-mail address.) If there is no certificate for your friend, the message will not encrypt. (If you decide to send a message to yourself using another e-mail address, you’ll have to go through the application/registration process for the other e-mail address to get another Digital Certificate.)
So, here you go.
Compose a new message in Outlook Express and address it to a friend who has a Digital Certificate. When you are finished creating the message, but before you send it, choose Tools>Encrypt Using S/MIME (see Figure). After you have done that, you will see a small blue lock appear on the far right side of the message window, by the To: box. Then go ahead and click Send. Outlook Express will ask for your password only if you set the security setting to High when you created your certificate. (That password is the second one you gave, not the first one you gave to create the certificate. If you left the security setting at Medium, you will not be asked for a password.)
Tip: When composing an e-mail that you intend to encrypt, pay special attention to the Subject line. You wouldn’t want to accidentally give everyone a clue to your secret message by entering something like “New Product Specifications and Pricing” in the subject heading! That’s because everything in an e-mail is encrypted except the subject line.
Now your friend has received a super-secret message from you. If anyone other than your friend tries to open it, it will look roughly like this:
3QTn+zHWb7OKr7ihbxBHXcQgdbt+0R02T+nYKlyjV40ARKKYhuPDAnW188ulTzYa A28n4eldE82f57kRQHwGtmusfuMpHZJJ8ARYZf/Ba5SmHr2yr6Ycu4bkDjj5e4QU P6I3KBd0zXeRm666BxrJZ2M0ibUDkpEM5gfgZxOzFcQ6uqotpVKNEzjWiIG4zVdk NfzjH1gKwZdQnzpHvn0gZGD+mxtjRdXZgP1VR9iizGqb1xeJ0RRMQKUHNHuiI0MV JOus5ZfMJCxyKNmMjcJoTUhcwuGMiIf3holg8AkstYFykEeOZV9Zhz54YOCH3FTB
Of course this is just a pretend example. Most encrypted messages will have page upon page of text that looks like a chicken has played with a typewriter. However, when your friend gets the e-mail, he may note that there is a little blue lock attached to the sender’s name (that’s you!). When he clicks on it to open it, he may be faced with the dialog box shown in Figure.
After he clicks Continue, the message automatically decrypts and he will be able to read it. Now you can both play with signed and encrypted e-mails and attachments.
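As an added illustration (not part of the original post) of the signed/encrypted distinction and of the Tip about the Subject line, the snippet below parses an S/MIME message the way a mail relay sees it, using only Python's standard library: it reports whether the body is encrypted, signed only, or neither, and lists the headers that stay readable either way. The sample message is constructed here; its body reuses the post's pretend ciphertext and the addresses are made up.

```python
"""Inspect an S/MIME message as it travels: what is protected, what is not."""
from email import message_from_bytes
from email.policy import default

# Constructed sample (not a real capture): an enveloped-data message with the
# post's pretend ciphertext as its body. Every header line is readable in transit.
SAMPLE_ENCRYPTED = b"""From: bigdog@example.com
To: friend@example.com
Subject: New Product Specifications and Pricing
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

3QTn+zHWb7OKr7ihbxBHXcQgdbt+0R02T+nYKlyjV40ARKKYhuPDAnW188ulTzYa
A28n4eldE82f57kRQHwGtmusfuMpHZJJ8ARYZf/Ba5SmHr2yr6Ycu4bkDjj5e4QU
"""

# Constructed sample of a clear-signed message: the body is still plain text.
SAMPLE_SIGNED = b"""From: bigdog@example.com
To: friend@example.com
Subject: lunch?
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"

--b1
Content-Type: text/plain

Meet at noon.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

MIIB
--b1--
"""


def smime_protection(raw):
    """Return 'encrypted', 'signed-only' or 'none' for a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=default)
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime":
        # enveloped-data = encrypted; signed-data = opaque signature, still readable
        kind = msg.get_param("smime-type", "")
        return "encrypted" if kind == "enveloped-data" else "signed-only"
    if ctype == "multipart/signed":
        return "signed-only"
    return "none"


def cleartext_exposure(raw):
    """Headers any relay can read, whether or not the body is encrypted."""
    msg = message_from_bytes(raw, policy=default)
    return {h: str(msg[h]) for h in ("From", "To", "Subject") if msg[h] is not None}
```

Run `cleartext_exposure(SAMPLE_ENCRYPTED)` to see that the revealing Subject from the Tip survives encryption untouched.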
You’ll have to admit that after you got the Digital Certificates all set up, it was not difficult to send encrypted emails. However, if you were in a corporate environment, the IT department would be in charge of all this work. It’s a lot of overhead on their end, but that makes it so much easier for everyone in the long run.
Ugh! You knew I’d bring you back to the ugly present at some point, didn’t you? Well, I have to take care of some housekeeping before I can go on to the next subject. That housekeeping involves backing up copies of your Digital Certificates. That way if you start using a different computer, or your hard drive dies, you can use your old certificates and you don’t need to go through the arduous process of applying for new certificates.
The two most common problems that users experience with e-mail encryption are:
They forget their passphrase.
They lose their personal keys.
No matter how experienced. No matter how intelligent. No matter if they have been trained on encryption software or not. People always make the same two mistakes! Don’t count yourself in those numbers!
Here’s how to back up your Digital Certificate. Whether you realize it or not, the Digital Certificate you’ve received actually contains two keys: your private key and your public key. You’re going to be backing them both up, but to separate floppy disks. The reason you’ll be keeping them separate is so no one can steal them and effectively steal your online identity. To save these two different keys, you’ll navigate through a series of windows and questions and you’ll do this separately for each key. First you’ll save your public key and your certificate and then you’ll do essentially the same task to save your private key and the certificate. If it seems confusing, just take your time. We’re just experimenting here, so nothing is really critical at this point.
In Outlook Express, choose Tools>Options and then click the Security tab. Click on the button that says Digital IDs. Your Digital Certificate information appears in the next window.
Select your Digital Certificate by clicking on it. (If you accidentally click on it twice and open another window, just click Cancel to get out of that window.) After you have selected the certificate, notice that the Export button becomes operable. Click Export, which starts the Certificate Export Wizard. Click Next to get started.
The first thing the wizard asks you is if you are going to export the private key. At this point you’re exporting the public key, so click the radio button next to No, Do Not Export the Private Key. What you will be “exporting” (actually just a fancy name for “saving somewhere else”) this time is your Digital Certificate and its public key.
You’ll notice in the next window that certificates can be exported in a number of different formats. For this exercise, accept the default, which is DER encoded binary X.509 (.cer). The other formats are sometimes required by different types of systems, but you don’t need to worry about that now.
Click Next, and the wizard asks you for a file name. Be sure to give the path to the floppy disk (or whatever external media you are using) and name the file something like “bigdogs_pubcert.cer.” (You can use the Browse button if you need to navigate to a special drive and/or folder.) Normally you would make the name something a little more obtuse, but we’re just experimenting at this point. After you have your path and name all set, click Next again.
The next screen indicates that you are exporting your certificate information. Click Finish, and you’re done with the first part.
To save your private key, you need to go through the same steps as above, except that you choose Yes, Export the Private Key when you get to the Certificate Export Wizard. You will be asked for a password to protect your key, which is the password you used when you set the security settings to High. Enter that password, and continue with the Wizard until it asks you where to file it and what to name the file. Save the file as you did before, but use a different file name.
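The export steps above produce two different kinds of file: the "No, Do Not Export the Private Key" path gives a DER-encoded X.509 certificate (.cer), while the "Yes, Export the Private Key" path on Windows gives a password-protected PKCS#12 bundle (.pfx). Because the post insists the two go on separate disks, here is an added check (my code, not from the post or from Microsoft) that classifies such a file from its outer DER structure alone, so you can confirm a "public" disk holds no private-key bundle. The sample files are constructed stand-ins with the right outer shape, not real certificates; filenames are hypothetical.

```python
"""Classify exported certificate backups: public X.509 cert vs PKCS#12 key bundle."""
import base64
import re


def _read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _pem_to_der(data):
    """Accept PEM as well as raw DER; Base-64 export is also offered by the wizard."""
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END ", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def classify_export(data):
    der = _pem_to_der(data)
    if not der or der[0] != 0x30:           # both formats are an outer SEQUENCE
        return "not-der"
    _, outer, _ = _read_tlv(der)
    first_tag, first_val, _ = _read_tlv(outer)
    if first_tag == 0x02 and first_val == b"\x03":
        return "pkcs12-private-key-bundle"  # PFX ::= SEQUENCE { version INTEGER 3, ... }
    if first_tag == 0x30:
        return "x509-certificate"           # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    return "unknown"


def private_key_files(files):
    """Given {filename: bytes} for one backup disk, list the private-key bundles.
    On the disk meant for the public certificate this should come back empty."""
    return sorted(n for n, d in files.items()
                  if classify_export(d) == "pkcs12-private-key-bundle")


def _der(tag, content):
    """Tiny DER encoder used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed stand-ins (not real certificates): only the outer shape is faithful.
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0x02, b"\x02")) + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_PFX = _der(0x30, _der(0x02, b"\x03") + _der(0x30, b"") + _der(0x30, b""))
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT)
                   + b"-----END CERTIFICATE-----\n")
```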
You can also back up copies of the Digital Certificates used by your friends. They are stored in the Address Book, along with all the other information you have on your friends. If you double-click on a person’s name, you will pull up the Properties for that contact. There are a number of tabs in that window and the last one says Digital IDs. When you click on that tab, you’ll be able to see the Digital Certificate associated with that e-mail address. From that window you can export the digital ID just as you did your own.
’Nuff said! Play around with it now and have fun. Until you’re comfortable with what you’re doing, only send files and data that are replaceable. You don’t want to send someone the only copy of a file you have and then have the program play funny games with you! In any case, enjoy sending your secret messages.