Ask Us About... Security, October 2000

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

by Joel Scambray

Continuing with our theme from last column on secure communications, we'll be talking about secure e-mail in its various forms in this column.

Encrypted E-Mail: The Working Person's VPN

Q: I'm worried that sensitive data in e-mail messages is visible in transit over the network. What can I do to prevent prying eyes from reading my mail?

A: Traditionally, there have been two ways to secure e-mail: Pretty Good Privacy (PGP) and Secure Multipart Internet Mail Extensions (S/MIME). Both are based on public key cryptography, where users each possess two keys, a public key for encrypting, and a private key for decrypting (and signing) messages. Because PGP evolved from a free distribution (and remains free for noncommercial use), it tends to be a little more popular and widespread in my experience, but many large organizations rely on S/MIME. Fortunately, the two systems cohabitate nicely within Microsoft Outlook®, and I use both extensively, depending on whom I am communicating with and their personal or organizational preference.

PGP: tried and true

Implementing PGP is as simple as installing the package, but be aware of the frills. The commercial PGP packages include more than just a secure e-mail tool. There is also PGPDisk, which can encrypt files transparently for users, and the newest commercial version (7.0) also comes with VPN, intrusion detection (IDS), and personal firewall modules. I won't talk about these other features much here, but will focus on the e-mail security strengths of PGP. Be aware that the VPN client and personal firewall features install network-level drivers that may conflict with others you may load. Deselect these using the custom install if desired. One last thing—PGPDisk prevents Windows 2000 from going into Standby or Hibernate mode unless you upgrade to version 6.5.8 or later.

Once installed, PGP will walk you through the process of creating a public/private key pair. Because of recent research that suggests 512-bit keys are feasibly attacked by an extremely resourceful adversary (the research used 35.7 CPU-years across over 280 computers), most experts recommend using at least a 768-bit key. I personally use 2048 (and know of a few people who use 4096). The greater the key length, the slower the performance of encryption, but I haven't noticed much of a problem using 2048, and my 4096 friends don't complain either.

The keys are stored in files called pubring.pkr for public keys and secring.skr for the private key(s). BACK THESE UP to a secure location! Although you can replace keys by simply generating new ones, you will need to send out the new public key to everyone you communicate with securely, and you will no longer be able to decrypt messages that are encrypted with the old public key. Since the private key is used to "sign" your e-mail messages, it should be treated as a unique aspect of your online identity. Additionally, the pubring file contains all of the public keys you may have collected over the years from correspondents, so it can be strenuous to re-create. You may also consider key recovery issues if you are implementing PGP for a company that may want to retrieve data encrypted by an employee after they have moved on. Key recovery involves creating a back door key that can unlock the file, to be kept by a recovery agent (typically the IT administrator). To guard the departed employee's privacy a bit more, it is also possible to divide up a recovery key among several different people so that a certain baseline number of parties must unite their key material to unlock the encrypted data. Thus, more than one person must agree that the data is important enough to decrypt, which prevents arbitrary access to confidential data by rogue recovery agents.
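The threshold recovery scheme just described, as an added illustration that is not part of the column or of any PGP product: a (k, n) split of a recovery key using Shamir secret sharing over a prime field, so that any k of the n recovery agents can recombine the key and fewer than k learn nothing about it. The field prime, the sample key and the function names are my own choices.

```python
# Added example, not from the column: (k, n) threshold sharing of a recovery
# key with Shamir secret sharing over GF(p). Any k of the n agents' shares
# recombine the key; fewer than k reveal nothing about it.
import secrets

# 2**521 - 1 is a Mersenne prime, large enough to hold a 256-bit key as one secret.
PRIME = 2**521 - 1

def _eval_poly(coeffs, x):
    """Evaluate the polynomial (coefficients low to high) at x modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret, k, n):
    """Return n (x, y) shares of an integer secret; any k of them reconstruct it."""
    if not 1 <= k <= n or not 0 <= secret < PRIME:
        raise ValueError("need 1 <= k <= n and 0 <= secret < PRIME")
    # The constant term is the secret; the other k-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def split_key(key, k, n):
    """Split a recovery key (bytes) among n agents with threshold k."""
    return split_secret(int.from_bytes(key, "big"), k, n)

def recover_key(shares, key_len):
    """Recombine at least k shares back into the key bytes."""
    return recover_secret(shares).to_bytes(key_len, "big")

# Constructed sample: a 128-bit key split 3-of-5 (placeholder, not a real key).
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
if __name__ == "__main__":
    shares = split_key(SAMPLE_KEY, 3, 5)
    assert recover_key([shares[0], shares[2], shares[4]], 16) == SAMPLE_KEY
    print("3 of 5 agents recovered the key")
```

Each agent keeps only their own (x, y) share; two agents pooling shares get a line through two points of a quadratic, which says nothing about the constant term.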

Next you need to obtain public keys from your correspondents. Under the Server menu in PGP, there is a Search function that allows you to search for PGP keys in public directories by several parameters, including UserID and key fingerprint (a uniquely identifying string of numbers and characters used to authenticate the public key). This is a really handy way of finding someone's public key without actually e-mailing them and asking for it (which works pretty well, too). In addition, MIT and NAI maintain PGP key databases that can be searched by key fingerprint. For example, my PGP key can be found here in the MIT database. Tip: keys can be copied and pasted right into the PGPKeys GUI.
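As an added example (not from the column, and not the PGP product's own code), here is how a version-4 OpenPGP key fingerprint is derived from the public key packet and checked against a fingerprint received out of band, which is the check that lets you trust a key found in a public directory; the RSA values are tiny constructed placeholders, not a real key.

```python
# Added example, not from the column: derive an OpenPGP v4 fingerprint from a
# public key packet body and compare it with one obtained out of band.
import hashlib
import hmac

def mpi(value):
    """Encode an integer as an OpenPGP multi-precision integer (bit length + bytes)."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return value.bit_length().to_bytes(2, "big") + body

def rsa_v4_key_body(n, e, created):
    """Body of a version-4 RSA public key packet: version, time, algorithm 1, n, e."""
    return bytes([4]) + created.to_bytes(4, "big") + bytes([1]) + mpi(n) + mpi(e)

def fingerprint_v4(key_body):
    """SHA-1 over 0x99, a two-octet packet length, and the key packet body."""
    prefix = b"\x99" + len(key_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + key_body).hexdigest().upper()

def key_id(fingerprint_hex):
    """The 64-bit key ID is the low-order eight octets of the v4 fingerprint."""
    return fingerprint_hex[-16:]

def fingerprints_match(expected, computed):
    """Compare two fingerprints ignoring spacing and case, in constant time."""
    norm = lambda s: s.replace(" ", "").upper()
    return hmac.compare_digest(norm(expected), norm(computed))

# Constructed placeholders (not a real key): a tiny modulus and e = 65537.
SAMPLE_BODY = rsa_v4_key_body(0xD2F1A7B9C4E3, 65537, 0x39E00000)
if __name__ == "__main__":
    fp = fingerprint_v4(SAMPLE_BODY)
    print("fingerprint:", " ".join(fp[i:i + 4] for i in range(0, 40, 4)))
    print("key ID:", key_id(fp))
```

Compare the fingerprint read to you over the phone (or printed on a business card) with the computed one; a match on the short key ID alone is not sufficient.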

Once an appropriate public key has been obtained for your intended recipient, use it to encrypt an e-mail message to them. The PGP installer puts a menu and an icon in Outlook that enables one-click encryption of the message body and attachments—it's the little yellow envelope with lock icon that appears at the top (or just look under the PGP menu). Only the recipient can decrypt the message with his or her corresponding private key. You may also encrypt with your own public key as well, so that you can decrypt your own copy of the sent message later if you need to.

Implementing S/MIME

S/MIME is a bit more complex under the covers, but fortunately there is a wizard built into Outlook that assists the process. (See the Microsoft Knowledge Base article 195477 for an overview of S/MIME usage, which I will paraphrase and amplify with my own experience here.) Under Tools/Options/Security, click "Get a Digital ID", and it will take you to a Web site that will enable you to select a digital ID provider. A digital ID, or digital certificate, is a special form of a public key used for encrypting e-mail that contains some additional information about you (name, e-mail address, and so on) and is signed by a certification authority to vouch for its authenticity. In order for anyone to send you S/MIME messages, or for you to sign your own, you'll need to obtain one. I recently bought a Class 1 Digital ID from online certificate authority VeriSign Inc. for $14.95 per year to use for secure e-mail.

I'll use VeriSign's enrollment process as an example, since I am familiar with it. The wizard walks you through the process of purchasing, generating, downloading, and installing your new digital ID. It's pretty straightforward; just remember to apply High security to the certificate store (the place where your digital ID is stored, typically the Registry) and to require a password every time you access the private key.

Once the certificate is installed, you are ready to start sending and receiving S/MIME-encrypted mail. Of course, you must obtain an S/MIME certificate from your intended recipient first. Typically, you can send messages that are simply signed with your certificate (not encrypted), and the recipient can save your certificate as part of your contact information in his or her Outlook address book. To do this, create a new message, click the Options button, and then select the two radio buttons under "Security" in the upper right. If your recipient doesn't yet have your certificate, select only the "Add digital signature" button. Once the recipient receives your message, he or she can open it, right-click your name in the "From" field, and select "Add to Contacts." On the Certificates tab for your new Outlook Contact object, the recipient should see your certificate. Now he or she can send you an encrypted message using the e-mail address stored with your new Outlook Contact object, and repeat the procedure of adding their own digital signature to the message so that you obtain their certificate in turn.

A couple of tips: for corporate Microsoft Exchange users, you may see a message similar to the following when you attempt to send signed or encrypted mail:

"This message cannot be secured using the selected Security Setting. Your e-mail address may not match the e-mail address on the certificate, or some other problem exists with the certificate. Do you want to proceed with this message without security?"

Contact your Exchange administrator, and tell them to add an appropriate SMTP address that matches the e-mail account you used to sign up for your ID to your Exchange mailbox. VeriSign's technical support told me that my ID would need to be replaced when I asked them about this problem. My experience indicates that simply adding the appropriate SMTP address solves the problem without the tremendous hassle of revoking your certificate and generating a new one.

As with PGP, I highly recommend backing up S/MIME certificates. Go under Tools/Options/Security; click "Import/Export", then "Export your digital ID to a file", then "Select"; and then specify a file name and password to protect the file. You have a choice of two file types; the Internet Security format (.pfx) is usually sufficient (unless you need to integrate with Exchange). Store the PFX file in a safe and secure place, as recommended for the PGP key rings. For example, I export both my PGP key rings and S/MIME certificates to a floppy disk and then store the disk in a fire-resistant combination safe. You can also use the Windows 2000 Professional Users and Passwords Control Panel (Advanced/Certificates) to manage certificates installed on a system.

If you want to copy your S/MIME certificate to another computer, the PFX format makes it easy. Copy the PFX file to the other system; right-click on it; and select Install PFX. Then walk through the Certificate Import Wizard, making sure to select Strong Encryption and High Security and to specify a password. Then start Outlook; go under Tools/Options/Security/Settings/Security Settings Preferences, and type a name in the Security Settings Name field (call it S/MIME). Then under Certificates and Algorithms/Signing Certificate/Choose, select the digital ID you just imported. Don't get frustrated if you botch the import process the first time around. I've occasionally received this error when attempting to send S/MIME-signed or encrypted mail following a certificate import:

"Can't open this item. Your Digital ID name cannot be found by the underlying security system."

This is typically an indication of a failed import. Try exporting the certificate and deleting it from the system (there is a radio button to specify deletion during the export process), and then run through the steps above to import it again. (You DO NOT need to revoke your certificate and obtain a new one, as noted previously.) You can also go to Tools/Options/Security and use the "Import/Export" function within Outlook to import your PFX file.

Out of space again?

Whew! That took longer than I thought. But it's worth it. With the increasingly mobile and distributed workforce made possible by the Internet, secure e-mail is one of the most powerful collaboration tools around. Next month, we'll get to some of the things that ended up on the cutting room floor this time.

Joel Scambray is a Principal of Foundstone. He is co-author of Hacking Exposed: Network Security Secrets & Solutions, from Osborne-McGraw Hill.

Send your Security questions to the Ask Us About Security mailbox. If your question is selected, you will see your answer in a forthcoming column.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.