Email encryption and signing

I looked into this a while back for a customer and found it was a bit of a pain to set up encryption for Exchange 2003 and also saw that Exchange 2007 and 2010 were a lot better at this.

Fast forward a year or two and now we have a few other customers who have a requirement for email encryption and signing rather than just encryption.

This requirement has come as a result of them dealing with the same company and this company has stipulated a method that involves individual certificates being needed for each user that will be emailing them.

Is this a commonplace thing? Individual certificates seems like a pain in the ass but I guess if they absolutely require individual signing then I guess individual certificates are a must?
 
You can get domain email encryption but for individual email encryption I think that each person would need their own certificate.

I had to look into this for CEOs who wanted to email a few secret people internally and externally. I got it working at this level, they all have to share their certificates with each other for emails to be encrypted. You can get personal certs for less than $10 a year, less in bulk I'd imagine.

This was all on 2007/2010 though, I haven't looked into it recently. I suggest that if everyone wants to do it then you might need to look into domain level, if it's just a few people then work it out for individual certs to be sorted.
 
Yeah they've specified some particular certificate issuers we should use so they are compatible etc and the individual certs are $20 a year from there.

Individual certs just seems to be a daft way to do this kind of thing :/ I'm just wondering whether this is the norm for people who want emails signed/encrypted etc.

I've dealt with TLS encryption before between Exchange servers and that made sense to me. Exchange 2007/2010 supports TLS quite nicely now but 2003 was a bit of a pain. Faffing around with individual certs just seems like a crap way to do things lol
 
I don't know the technical aspects of doing this in Exchange, but I think it's important not to consider encryption and digital signatures side by side...they accomplish different tasks and one is not a replacement for the other.

Encryption is really about confidentiality, whereas signing is about Integrity.

Eg if Joe Bloggs wants to email Fred Bloggs...the message may not need to be encrypted, but Fred might want to know that the message hasn't been tampered with, that it has definitely come from Joe and that he can't deny having sent it...then this will need a digital signature.

Depending on the nature of the business then they may be legally required or at least considered best practice.

If you use both then you achieve Integrity and Confidentiality, along with authenticity.
 
I don't know the technical aspects of doing this in Exchange, but I think it's important not to consider encryption and digital signatures side by side...they accomplish different tasks and one is not a replacement for the other.

Encryption is really about confidentiality, whereas signing is about Integrity.

I was about to say this, in my advice above it can be said that the individual encryption method is about confidentiality.

I do not think there is an easier way to do mass confidential encrypted messages between users. I'm quite certain this requires personal certificates.
 
Yeah, the TLS encryption I've set up in the past was really to make sure messages going to external sources were encrypted.

Surely encryption using signed 3rd party certificates for TLS provides a fairly good level of authentication? Servers need to authenticate with each other before they will communicate?

The only thing I'm not sure about is whether Outlook can keep messages secure before they reach the Exchange server :/

Guess I need to do some research! In any case it seems that we will need to follow the instructions/methods they have specified for this case but individual certificates seems like a lolkebab way of making work for yourself :(
 
It could well be a compliance thing. If they are dealing with contracts etc then they may need to be able to legally prove that the sender who sent the message is indeed that person and not an imposter - have a read about non-repudiation.

Also worth clarifying the requirements with the customer as to exactly why they want to use signatures.

I think a good analogy is to compare it to say a software download.

I could log in to a website and download a package from a secure server, over an SSL connection and the package could be encrypted itself, say in a WinRAR archive.

This is the "sending email securely from one server to another and I know nobody will read it on the way" step.

Now - when I receive the package and open it - how do I know it has not been altered?

In the software world this is where we would use the MD5 checksum to verify the integrity of the package. Ie, it is as the developers made it. If the checksum matches then we know no 3rd party has altered its contents. We know it's from them because the hash matches....so this is like the digital signature part.

This is the same as the signature, and shows us that the package is authentic (note I was talking about authenticity as opposed to authentication.)

Apologies if I am over egging the pudding!

Take a look at the "Confidentiality, Integrity, Availability" Information Security model as it will probably become easier to see how the different requirements are made up.

Outlook can use SSL to communicate with Exchange, I think this is on by default in 2007+ but needs to be turned on manually on 2003. Don't quote me on that though!
 
I have been asked to look into and find a quote for a secure email solution. I was always under the impression that email encryption had to be end to end, both recipient and sender have to exchange keys. Software such as PGP comes to mind. Is there an industry standard way of doing this these days? They don't mind spending money and they are on Exchange 2007.

http://office.microsoft.com/en-us/outlook-help/encrypt-e-mail-messages-HP001230536.aspx

Based on this it looks like Exchange 2007 and Outlook 2010 should be able to do it all without any additional software, just requires the purchase of keys and configuration.
 
I used to work in a large financial and we had a couple of ways to handle email encryption.

If it was required between us and a specific company we'd set a TLS link up between us, so effectively our server knows to send anything to their server over an encrypted link.

Otherwise we used PGP email gateway which seemed to work quite nicely so I'd maybe take a look at that. We had it set up so that if you set the email as confidential within Outlook PGP would kick in and encrypt it. Depending on who you were sending it to it would do different things.

If the person you are sending to has PGP themselves and their keys are in the system it just encrypts and sends it to their Outlook. Was quite cool that if someone sent an email in with their key attached the system automatically plucked the key out and stuck it in the store.

If they didn't have PGP it gives them a weblink to a webmail style client where they can retrieve the email.

That's how I remember it working anyway, so don't shoot me if any of that's wrong :p
 
It is just for one user who will send an encrypted email once a month or so. I have just purchased one of these digital ID certificates from Comodo and will configure Outlook to send encrypted emails. Hopefully this is what they were after.

I think that this only supplies one way encryption, it is up to the recipient to organise their own encryption mechanism if they want to reply to the email with an encrypted message.

They do seem very strict on this email encryption. They won't give anyone a certificate unless they send through their passport. Obviously don't want people communicating with encrypted email anonymously. I would assume the E-PKI certificates can be self signed as well. Probably just need to accept it into the cert store on receiving the email.
 
They aren't strict on 'email encryption', they are strict on issuing certificates making sure you are who you say you are.

It's not the encryption part they are bothered about with the ID, it's the signing part as to digitally sign something is a sort of proof it really is from that person.

The checks are to stop me making a cert up in someone else's name/company and sending out signed emails and signing them as them ;)

It's not some conspiracy to track people using encrypted mail.

And yes you can self sign a cert, create your own, but it won't be issued by a so called trusted cert authority so when people check the cert chain it won't necessarily be accepted/trusted.

A single certificate will allow that person to digitally sign their emails, and also for people to then send in encrypted emails. A single cert like this will not allow the user to send encrypted mails. To send an encrypted message to someone this way you need a copy of their certificate (which if they send you a signed message you can get a copy there).

You sign with your private key, you encrypt with someone's public key. You can't encrypt with your public key then send to someone as to decrypt it the private key is needed, and you never give that out to anyone :)

This link has some info on how to do it in Outlook http://www.globalsign.com/support/personal-certificate/per_outlook07.html

Not sure I'd have picked Comodo as an issuer after the problems they've had though, but the cert will still do its job though.

Drop me a message in trust if you wanna ask anything off here :)
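The key directions described in the post above, as an added example that is not part of the original thread: Alice signs with her private key, Bob takes her certificate out of the signed mail, encrypts a reply to it, and only Alice's private key opens that reply. The names, addresses and message are constructed, and throwaway self-signed certificates stand in for CA-issued ones.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): which key each S/MIME step needs.
# Names, addresses and the message are constructed; certs are throwaway self-signed ones.
set -eu
D=$(mktemp -d)

new_id() {       # new_id <name>: private key + self-signed certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1/emailAddress=$1@example.test" \
    -keyout "$D/$1.key" -out "$D/$1.crt" 2>/dev/null
}
sign_as() {      # sign_as <name> <in> <out>: signing uses the sender's PRIVATE key
  openssl smime -sign -in "$2" -signer "$D/$1.crt" -inkey "$D/$1.key" \
    -out "$3" 2>/dev/null
}
verify_keep() {  # verify_keep <signed> <trust-anchor> <cert-out>: check, save signer cert
  openssl smime -verify -in "$1" -CAfile "$2" -signer "$3" \
    -out /dev/null 2>/dev/null
}
encrypt_to() {   # encrypt_to <recipient-cert> <in> <out>: needs only the PUBLIC cert
  openssl smime -encrypt -aes256 -in "$2" -out "$3" "$1" 2>/dev/null
}
decrypt_as() {   # decrypt_as <name> <in> <out>: needs the recipient's PRIVATE key
  openssl smime -decrypt -in "$2" -recip "$D/$1.crt" -inkey "$D/$1.key" \
    -out "$3" 2>/dev/null
}

new_id alice
new_id bob
printf 'Pay invoice 1000\n' > "$D/msg.txt"

# 1. Alice holds only her own cert: she can sign, but cannot yet encrypt to Bob.
sign_as alice "$D/msg.txt" "$D/signed.eml"
# 2. Bob verifies the signature and keeps the signer cert carried in the mail.
#    Self-signed here, so Alice's cert is its own trust anchor; with a
#    CA-issued cert the trust anchor would be the CA's root instead.
verify_keep "$D/signed.eml" "$D/alice.crt" "$D/alice_from_mail.crt"
# 3. Bob encrypts a reply to the certificate he took from Alice's signed mail.
encrypt_to "$D/alice_from_mail.crt" "$D/msg.txt" "$D/reply.p7m"
# 4. Only Alice's private key decrypts it.
decrypt_as alice "$D/reply.p7m" "$D/reply.txt"
echo "alice reads: $(tr -d '\r' < "$D/reply.txt")"
```
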
 
yea, sigh. I have managed to get the certificate into Outlook. But I have since learned that, as you have just said, you can only encrypt messages using this method if the recipient and yourself have already exchanged digital signatures. Which might not be ideal for the client's requirements. Although at least now they can receive encrypted messages and have the option to send encrypted messages after advising the recipient on how to save our certificate from our contact.

I might recommend this PGP gateway.

Looks like I registered the certificate on the incorrect domain. Apparently the account that wants the cert uses a different domain.
 
Aw well it's only a few quid for a cert so no big loss to start again.

The gateway stuff is pretty overkill for 1 person, and maybe have to explain to the person sending the emails that you can't really just set an encryption system up for one person and it work for both sides.

Get each side of the conversation a cert, whack those into Outlook as described in that link and should be ok.

And I personally wouldn't use Comodo, Symantec/Verisign offer a cert they brand as a 'digital id' which is pretty cheap that I think will do the job.

http://www.symantec.com/verisign/digital-id
 