Solved

Encrypted Email

Posted on 2006-06-13
993 Views
Last Modified: 2012-05-05
Could someone please explain a little bit about encrypted email. Before I explain, I am NOT looking for code; I just need a bit of technical description about how this might work.

I have written a web application that sends an email to a specific client (can be 1 of 15). I need to change it to encrypt the email, so the email is encrypted and stays encrypted until it is received by the client.

I have purchased a Secure Certificate. Am I right in thinking that the certificate must also be added to each office's Outlook? Can the same certificate be used in all 15 offices to decrypt?



Question by:Kevin Robinson
12 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1000 total points
ID: 16892996
Yes they must, if Outlook is being used. There are standards like PGP that use a public and private key for email signing; this can be hard to implement since both parties have to share a public key with one another, and each generate their own private keys as well. To ease this pain, people typically only sign the emails...
http://office.microsoft.com/en-ca/assistance/HP010461711033.aspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/ncrypte.mspx
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3MsgSecGuide/3e281cc6-52ef-4f81-8f15-2e431ded7610.mspx?mfr=true

Signed emails are basically a hash of the text and headers in the email converted into a one-way hash that is created against the sender's private key, that can be checked against the sender's public key to show the message has its integrity intact. Here is a pic of such a hash http://www.haltabuse.org/pgp/win/graphics/signedemail.jpg
-rich
0
 
LVL 5

Assisted Solution

by:kevinf40
kevinf40 earned 1000 total points
ID: 16893130
To answer the second part of your question - yes the same cert can be used.

How you configure it will depend on your requirements.

The easiest option will be for the application to encrypt the data using its private keys and for all the clients to have copies of its public key to decrypt the message - in a public environment this would only provide authentication (e.g. prove that the message originated from the application), not security, as the public key is by definition available to many people. But in your environment, as long as the public key was only distributed to the 15 clients and no one else, this would likely suffice.

For a more secure solution you would distribute the public key of the server to all clients, and they would also have their own key pair. The server would then have the public key of each client stored locally, and encrypt the message with the relevant client's public key, then sign it with its private key (or vice-versa, e.g. sign then encrypt, depending on your preference). The client would then confirm the signature with the server's public key, and decrypt the message with its private key.

This option is considerably more complex, and it looks like the first option would work for your needs.

cheers

Kevin
0
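A worked illustration of the two answers above (Rich's description of a signed email as a hash signed with the sender's private key, and Kevin's second option of encrypting to the client's public key and signing with the server's private key), added here as an example; it is not code from the thread, from Outlook or from any Microsoft product. It is Go using only the standard library. The key pairs, the sample body and the function names Seal/Open are constructed for the example. Because RSA cannot encrypt a long body directly, the body is encrypted with a fresh AES-256-GCM content key and only that key is wrapped with the recipient's RSA public key, which is the same shape S/MIME uses.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample body, not a message from the original thread.
const sampleBody = "Invoice 4711 attached. Please confirm receipt."

// NewKeyPair generates an RSA-2048 key pair; the private half stays with its
// owner and only the public half is handed to the other side.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign hashes the body with SHA-256 and signs the digest with the sender's
// private key (RSA PKCS#1 v1.5, as S/MIME commonly does).
func Sign(senderPriv *rsa.PrivateKey, body []byte) ([]byte, error) {
	digest := sha256.Sum256(body)
	return rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest and checks the signature with the sender's
// public key; any change to body or signature makes it return false.
func Verify(senderPub *rsa.PublicKey, body, sig []byte) bool {
	digest := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig) == nil
}

// Envelope is the sign-then-encrypt result.
type Envelope struct {
	WrappedKey []byte // AES content key encrypted with RSA-OAEP to the recipient
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over signature || body
}

// Seal signs with the sender's private key, then encrypts for one recipient.
func Seal(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, body []byte) (*Envelope, error) {
	sig, err := Sign(senderPriv, body)
	if err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, sig...), body...)
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Open unwraps the content key with the recipient's private key, decrypts,
// then checks the sender's signature. Any failure is an error, so the caller
// never sees a body that was not both addressed to them and authentic.
func Open(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("not encrypted for this private key")
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext was modified")
	}
	sigLen := senderPub.Size() // signature length equals the RSA modulus size
	if len(plain) < sigLen {
		return nil, errors.New("truncated message")
	}
	sig, body := plain[:sigLen], plain[sigLen:]
	if !Verify(senderPub, body, sig) {
		return nil, errors.New("signature does not match sender")
	}
	return body, nil
}

func main() {
	server, _ := NewKeyPair() // the web application's key pair
	office, _ := NewKeyPair() // one of the 15 offices
	env, _ := Seal(server, &office.PublicKey, []byte(sampleBody))
	body, err := Open(office, &server.PublicKey, env)
	fmt.Printf("recovered: %q err=%v\n", body, err)
}
```

Each office needs its own key pair for this option, and the server keeps only the offices' public keys; with a single shared certificate (the first option) every office holds the same private key, so nothing distinguishes one office from another.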
 
LVL 3

Author Comment

by:Kevin Robinson
ID: 16893152
Could you explain something else

I have a certificate (.cer file).  What then is a pfx.file?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16893439
pfx and cer

A *.pfx certificate contains the public/private key and a *.cer only contains the public key, so *.pfx is able to sign and encrypt email, but *.cer is used to encrypt email only. *.pfx and *.cer can be exported by "Control Panel"->"Internet Options"->"Content"->"Certificates". If importing the private key is chosen, the *.pfx will be generated; otherwise a *.cer will be generated.

-rich
0
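To make the .pfx vs .cer distinction concrete, here is an added Go example (standard library only; not code from the thread, from Outlook or from the Windows certificate wizard). It generates the key pair first, issues a self-signed certificate over the public half, writes that out in the DER and PEM forms a .cer holds, and shows that what comes back out of the .cer is a public key only: enough to encrypt to that office, not enough to decrypt. The e-mail address and function names are assumptions for the example, and the private key is exported as plain PKCS#8 PEM because the Go standard library cannot write a password-protected PKCS#12 (.pfx) file.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MakeSelfSignedCert generates the key pair first and only then issues a
// certificate over the public half; the private key is never derived from
// the certificate. It returns the private key and the DER-encoded
// certificate, which is what a binary .cer file contains.
func MakeSelfSignedCert(email string) (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1), // constructed; a CA would assign this
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, der, nil
}

// ExportCer wraps the DER certificate in PEM, the other common .cer form.
func ExportCer(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// ExportPrivateKey writes the private half as PKCS#8 PEM. A .pfx bundles this
// with the certificate inside password-protected PKCS#12; the unwrapped form
// stands in for it here.
func ExportPrivateKey(priv *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// PublicKeyFromCer parses a .cer (PEM or DER) and returns the only key
// material it holds: the RSA public key.
func PublicKeyFromCer(cer []byte) (*rsa.PublicKey, error) {
	der := cer
	if blk, _ := pem.Decode(cer); blk != nil {
		der = blk.Bytes
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA key")
	}
	return pub, nil
}

// EncryptToCer is all a sender holding just the recipient's .cer can do:
// encrypt (RSA-OAEP) so that only the matching private key can read it.
func EncryptToCer(cer, msg []byte) ([]byte, error) {
	pub, err := PublicKeyFromCer(cer)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt needs the private half from the key store (.pfx); a .cer alone
// cannot do this.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

func main() {
	priv, der, err := MakeSelfSignedCert("office1@example.test")
	if err != nil {
		panic(err)
	}
	cer := ExportCer(der)
	pub, _ := PublicKeyFromCer(cer)
	fmt.Printf("cert public key matches private key: %v\n", priv.PublicKey.Equal(pub))
	ct, _ := EncryptToCer(cer, []byte("only office1 can read this"))
	pt, _ := Decrypt(priv, ct)
	fmt.Printf("decrypted with private key: %q\n", pt)
}
```

The order matters for the later question in this thread about making a key pair "from the certificate": the pair exists before the certificate does, and the certificate only certifies the public half, so a .cer can be handed to anyone while the matching private key stays in the owner's store.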
 
LVL 3

Author Comment

by:Kevin Robinson
ID: 16894859
Do I create a pfx file from the cer file?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16895000
You can, the cert (cer) is typically all that needs to be exchanged, your private key needs to stay private, you only need to share the public cert for emails to be exchanged and checked for authenticity. http://support.microsoft.com/?kbid=179380 http://support.microsoft.com/kb/168726/EN-US/
http://www.microsoft.com/technet/security/topics/cryptographyetc/certs.mspx#ECHAC

You can see why folks typically use the PGP/GPG style of signing (the image I linked to earlier) where a hash is present at the bottom of the message.
http://www.gnupg.org/(en)/documentation/howtos.html
-rich
0
 
LVL 3

Author Comment

by:Kevin Robinson
ID: 16900659
I sent a support question to the company that I bought the certificate from. I explained my situation and they said that I do not need to do anything else. Because my certificate is installed on the site, the emails that are sent out are already encrypted. But is this not just SSL?


Support Quote.
==========
"You don't need any different SSL certificates for this. Since you have installed the SSL certificate on your Email server, which in turn sends the Emails through your secured webpage, the outgoing Emails should be sent secured."


I got this from another site
=====================
VERY IMPORTANT: SSL encryption is only in effect when the email is in transit between the server and the desktop client.

When your mail is sitting on the email server it is not encrypted: once the message gets to the server over an SSL link, it sits in the mail queues on the server in clear text

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16901265
The last bit is true enough, nothing to worry about there, the email has to be plain-text sometime...
You can open an email sent from your software and look at its properties to see whether it was sent encrypted. You could also use a sniffer like Ethereal or Wireshark to see if you can see the contents of the body of the email.
-rich
0
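Following on from the quoted warning that SSL only protects the hop and Rich's suggestion to look at the message properties, here is an added Go example (standard library only; not from the thread, Outlook or Exchange) that performs that check on a message pulled from the mail store: it reads the MIME Content-Type, classifies the message as plaintext, signed-only or S/MIME encrypted (the enveloped-data media type from the S/MIME specification), and returns whatever text is readable without any key. The three sample messages are constructed for the example, with placeholder strings where a real CMS blob would sit.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"strings"
)

// Protection describes what a stored message's MIME headers reveal about
// S/MIME handling. TLS on the SMTP hop leaves these headers untouched.
type Protection string

const (
	Plaintext Protection = "plaintext"
	Signed    Protection = "signed-only"
	Encrypted Protection = "encrypted"
)

// Constructed sample messages, not captured from any real system.
const samplePlain = "From: app@example.test\r\n" +
	"To: office1@example.test\r\n" +
	"Subject: Report\r\n" +
	"Content-Type: text/plain; charset=utf-8\r\n" +
	"\r\n" +
	"Quarterly figures attached.\r\n"

const sampleSigned = "From: app@example.test\r\n" +
	"To: office1@example.test\r\n" +
	"Subject: Report\r\n" +
	"Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha-256; boundary=\"b1\"\r\n" +
	"\r\n" +
	"--b1\r\n" +
	"Content-Type: text/plain; charset=utf-8\r\n" +
	"\r\n" +
	"Quarterly figures attached.\r\n" +
	"--b1\r\n" +
	"Content-Type: application/pkcs7-signature; name=\"smime.p7s\"\r\n" +
	"Content-Transfer-Encoding: base64\r\n" +
	"\r\n" +
	"PLACEHOLDER-SIGNATURE-BLOB\r\n" +
	"--b1--\r\n"

const sampleEncrypted = "From: app@example.test\r\n" +
	"To: office1@example.test\r\n" +
	"Subject: Report\r\n" +
	"Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=\"smime.p7m\"\r\n" +
	"Content-Transfer-Encoding: base64\r\n" +
	"\r\n" +
	"PLACEHOLDER-ENVELOPED-BLOB\r\n"

// Classify reports how the message is protected, judged from Content-Type alone.
func Classify(raw string) (Protection, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", err
	}
	ct := msg.Header.Get("Content-Type")
	if ct == "" {
		return Plaintext, nil // no Content-Type means text/plain
	}
	mediaType, params, err := mime.ParseMediaType(ct) // lowercases type and param names
	if err != nil {
		return "", err
	}
	switch mediaType {
	case "application/pkcs7-mime", "application/x-pkcs7-mime":
		if params["smime-type"] == "enveloped-data" {
			return Encrypted, nil
		}
		return Signed, nil // opaque-signed: wrapped in CMS but not confidential
	case "multipart/signed":
		return Signed, nil
	}
	return Plaintext, nil
}

// ReadableBody returns the text anyone with access to the mail store can read
// without a key: the whole body for plaintext, the first part for clear-signed
// mail, and nothing for enveloped-data.
func ReadableBody(raw string) (string, error) {
	kind, err := Classify(raw)
	if err != nil {
		return "", err
	}
	msg, _ := mail.ReadMessage(strings.NewReader(raw)) // already parsed once above
	switch kind {
	case Encrypted:
		return "", nil
	case Signed:
		_, params, _ := mime.ParseMediaType(msg.Header.Get("Content-Type"))
		boundary, ok := params["boundary"]
		if !ok {
			return "", nil // opaque-signed CMS: text sits inside the blob, not extracted here
		}
		part, err := multipart.NewReader(msg.Body, boundary).NextPart()
		if err != nil {
			return "", err
		}
		b, err := io.ReadAll(part)
		return strings.TrimSpace(string(b)), err
	}
	b, err := io.ReadAll(msg.Body)
	return strings.TrimSpace(string(b)), err
}

func main() {
	for name, raw := range map[string]string{"plain": samplePlain, "signed": sampleSigned, "encrypted": sampleEncrypted} {
		kind, _ := Classify(raw)
		body, _ := ReadableBody(raw)
		fmt.Printf("%-9s -> %-11s readable body: %q\n", name, kind, body)
	}
}
```

Run against messages exported from the application's sent items or the server's queue: if the classifier reports plaintext, the certificate on the web site is doing nothing for the mail itself, whatever the hop used.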
 
LVL 5

Expert Comment

by:kevinf40
ID: 16901943
With regards to the mail on the server, the use of sensible ACLs (along with all the other standard security practices such as managing physical access to the server etc.) on all Exchange-related directories will prevent unauthorised access to the mails.

cheers

Kevin
0
 
LVL 3

Author Comment

by:Kevin Robinson
ID: 16910080
How exactly do I create a public private key pair from the certificate?
0
