Solved

PKI email encryption

Posted on 2013-05-15
531 Views
Last Modified: 2014-04-19
Running Windows 2003 Domain.  Exchange 2003 and Outlook 2003.  Outlook is accessed via a Windows 2003 Terminal Server. Budget is not allowing an upgrade of our servers.  

One of our clients is requiring that our emails with them are encrypted with PKI.  We have a Barracuda appliance to filter for spam/viruses, but, per our client, the Barracuda email encryption service is not acceptable to send encrypted emails.  

I can create a user certificate from our local domain Certificate Authority and then import the cert into Outlook.  I tried sending an email to a gmail account, but Outlook balked since I didn't have the recipient's certificate.  

My questions:
To send an email, will the end user (client) have to send me a certificate and how would I import that so I can send encrypted email?
Is what I did, able to satisfy my client's request for PKI?
Is there a better way to do this? I have +/- 15 users that will have to send encrypted emails.
Question by:supprteng
2 Comments
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 39174610
For any PKI to work you have to exchange keys first, and that exchange does not need to be encrypted in any way. However, there is S/MIME email which Outlook supports natively (see below), and there is PGP email. PGP will require 3rd party software, but S/MIME won't other than creating some signatures/keys. You do not have to purchase certs to use S/MIME as long as the person you're exchanging with understands that your certs are self-signed.

The two types are not compatible, you need to know if they use PGP/GPG or S/MIME.

http://office.microsoft.com/en-us/outlook-help/get-a-digital-id-HP010355070.aspx?CTT=5&origin=HP010356428
http://office.microsoft.com/en-us/outlook-help/encrypt-e-mail-messages-HP001230536.aspx?CTT=5&origin=HP010355070

http://www.gpg4o.de/en/product/productinfo-gpg4o.html
-rich
LVL 31

Accepted Solution

by:Paranormastic
Paranormastic earned 250 total points
ID: 39230497
Email Encryption requires that you have the public key as that is the encryption key.  Only the recipient should have the private key that is the decryption key.  A certificate will normally include a public key with it.  Without having the key/certificate exchange occur prior to sending an encrypted email then it cannot work using public key cryptography.

There are a few ways to handle the key exchange for encryption:
1. Within the same AD you can select the checkbox on the certificate template to publish to AD.
2. Send an email and include the exported certificate as an attachment.  This exported cert should never include the private key.  You should get a .cer, .crt, or .p7c file (.p7c would have the user cert & all CA cert(s) included).  Note that many email filters will block cert files so you probably need to zip them first.  This method could be done admin-to-admin to send all of your company's certs to each other at one time & then you could deploy them via GPO to your users.  This isn't great if there are a lot of users, but for a couple of small companies it is usually okay.
3. Send a signed email - this will usually send the encryption keys, too, but if it doesn't then there is a checkbox in your email security settings for doing that.  This is a preferred method as it is signed also, reducing the chance of a spoofed email sending you encryption keys.  Note that if you send it to gmail there will be a .p7s file that would be used for the signature.
4. There are also "keyring" (or "keychain") providers out there where you could populate a copy of your encryption certificate & both sides could look to the keyring repository to acquire the certs as needed. I don't know of any services out there offhand, but there are a few that exist.  These normally need a client software component so it can figure out where to go look for an approved key.

You could also use another form of cryptography that uses synchronous keys, however this is generally not advisable.  Basically you could wrap a document up (e.g. zip it or Word document protection) & encrypt it using a secret password that is known to both companies.  While this would technically be valid if using something like AES for the encryption method, it would be subject to the strength of the password against an offline attack to be of any value - this would mean having a difficult to crack password over 20 characters long that needs to be entered correctly every time you send a message.  That password would either need to be shared with everyone at both companies to make it easier to use (and more vulnerable to attack) or to have a password mesh that is difficult to manage and enforce (userA to userB has one password, A to C has another, B to C a third, etc.) which obviously becomes quickly impractical to manage.  Technically, you still need to handle the secret key exchange at some point, but it could be encrypted first & relayed later but still must be done before the receiving party could read it.
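As an added example (not code from the thread or any of its posters), the S/MIME exchange the accepted answer describes, carried out with the OpenSSL command line on constructed identities at example.com: each side creates a self-signed cert, the exported .cer is checked to contain no private key (method 2), encryption fails until the recipient's cert is present, and a signed message (method 3) is shown to carry the signer's cert. The function names and the `openssl` invocations are this example's own assumptions, not anything Outlook does internally.

```shell
#!/bin/sh
# Added example, not from the thread: self-signed S/MIME certificates with OpenSSL,
# showing that encryption needs the recipient's PUBLIC certificate, that an
# exported .cer carries no private key, and that a signed mail delivers that cert.
set -e
WORK=$(mktemp -d)

make_identity() {   # $1 = name, $2 = email (constructed sample identities)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1/emailAddress=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Method 2: export the DER .cer you would attach. Returns 0 only if it holds no private key.
export_public_cert() {   # $1 = name
  openssl x509 -in "$WORK/$1.crt" -outform DER -out "$WORK/$1.cer"
  ! openssl pkey -in "$WORK/$1.cer" -inform DER -noout >/dev/null 2>&1
}

# Encrypt to a recipient: needs their .cer; fails (as Outlook balked) when it is missing.
encrypt_to() {   # $1 = recipient name, $2 = plaintext file, $3 = output .p7m
  openssl x509 -in "$WORK/$1.cer" -inform DER -out "$WORK/$1.pub.pem" 2>/dev/null &&
  openssl smime -encrypt -binary -aes256 -in "$2" -out "$3" "$WORK/$1.pub.pem"
}

decrypt_as() {   # $1 = recipient name, $2 = .p7m file; only the private-key holder can do this
  openssl smime -decrypt -in "$2" -recip "$WORK/$1.crt" -inkey "$WORK/$1.key"
}

# Method 3: a signed mail embeds the signer's certificate; the receiver extracts it.
sign_as() {   # $1 = signer name, $2 = plaintext file, $3 = output signed message
  openssl smime -sign -in "$2" -out "$3" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key"
}
cert_subject_from_signed() {   # $1 = signed message; prints the embedded cert's subject
  openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs | sed -n 's/^subject=//p'
}

demo() {
  make_identity alice alice@example.com
  make_identity bob bob@example.com
  export_public_cert bob                            # Bob hands Alice bob.cer (public only)
  printf 'Quarterly figures attached.\n' > "$WORK/msg.txt"
  encrypt_to bob "$WORK/msg.txt" "$WORK/msg.p7m"    # Alice encrypts with Bob's cert
  decrypt_as bob "$WORK/msg.p7m"                    # Bob decrypts with his private key
}
demo
```

Run it on any machine with the `openssl` binary; the certificates are self-signed, so the other company must be told to trust them explicitly, exactly as the first answer notes.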
