Internet E-Mail Encryption S/Mime Standard




Disclaimer: Successfully setting up encryption functions in most e-mail clients is usually not a problematic task. However, it should be noted that, when configuring encryption, unforeseen incompatibilities with other system settings may in some cases lead to errors, possibly crashing the e-mail program. Any attempts to configure the encryption function are therefore undertaken at your own risk. Bayer Business Services cannot assume any liability for this or subsequent damage, or provide any support. In following these instructions to configure your system, you are expressly agreeing to this disclaimer. The use of the encryption certificate is subject to your local legislation, compliance with which is mandatory.

Comprehensible Technology: an Easy to Use Primer

Contact: Bayer Business Services GmbH, ITO ServiceDesk, 51368 Leverkusen / Germany. Phone: your general IT Serviceline. E-mail: ServiceDesk@BayerBBS.com. Internet: www.bayerbbs.com

The solution

E-mail messages transmitted over the Internet are completely open. They are as secure and private as postcards, which can be read by many people along their journey through the postal service. The problem of the Internet: e-mail messages can be intercepted and read. Encryption of e-mail messages provides a solution that protects confidential content against unauthorized access. During the encryption process, the information in the e-mail message is encoded so that it cannot be read by unauthorized persons. Such security aspects are particularly important for internal and external business communications.

However, a distinction must be made here. Internally, encryption functionality is easy to implement thanks to the use of a single e-mail system (Lotus Notes): the sender activates encryption in the delivery options. Externally, things are quite different: the e-mail systems of the people with whom we are communicating are extremely diverse. In order to allow encrypted communication to function in such an environment, Bayer Business Services offers a simple and effective solution based on the S/Mime Internet standard. S/Mime is a protocol supported by a large number of e-mail programs; in other words, as a rule all of the people with whom you wish to communicate externally will have the technical capability of using it. This guide aims to demonstrate how easy it is to use encryption in communication, from the initial configuration to the daily routine. Incredibly easy. Incredibly efficient.

The principle

Obtain the greatest effect at the smallest expense: in a one-off action, a key pair is created for each user. This pair is composed of a private key and a public key. Only these two keys fit together, and both are needed to successfully encrypt e-mails. What they do: the public key allows you to encrypt messages, while the private key is used for decryption. The public key is sent to the person with whom you are communicating. This allows that person to send encrypted messages to the holder of the corresponding private key. The recipient then uses his private key to decrypt the messages so that they can be read. The important aspect is that the private key must never be made known to anyone else. This is because the private key guarantees that the e-mail message can only be decrypted by the person for whom it is intended.

In order to configure encryption on your PC, you simply have to follow a set of easy instructions. Depending on your location, inside or outside the corporate network, these instructions differ. The steps for those inside the corporate network are demonstrated using Lotus Notes version 6.x. If you are using a different version, this functionality must be tested; please contact the ServiceDesk for further information.

Setup of direction external / internal:

Internal communication partner
o I 1: Find out whether your external communication partner is familiar with S/Mime
o I 2: Generate the key pair
o I 3: Send the public key to the external communication partner

External communication partner
o E 1: Integrate the key into the address book
o E 2: Download the Bayer corporate certificate from the Bayer web site and integrate it into the address book

Status: setup of direction external / internal complete. Once you have the internally generated key, the external communication partner can use this to send encrypted e-mail messages to the internal partner, who is able to read them. Now the external communication partner needs to configure the transmission of encrypted e-mail messages in the reverse direction.

Setup of direction internal / external:

Internal communication partner
o I 4: Integrate the key into the address book

External communication partner
o E 3: Generate the key pair, if this has not yet been done
o E 4: Integrate the key pair into the e-mail program
o E 5: Send the public key to the communication partner

Status: setup of direction internal / external complete. Steps I 1 to I 4, to be undertaken by the internal communication partner, are described in the next section. Steps E 1 to E 5, to be undertaken by the external communication partner, are described in the section The external steps.

Steps for the internal communication partner

The Bayer Business Services solution reduces the workload for internal users to the absolute minimum. This is accomplished by the use of the specific communications and e-mail infrastructure set up by Bayer Business Services (described at http://by-securemail.bayer-ag.com). The steps described in this guide are based on Lotus Notes version 6.x or later. The function must be tested for all other versions of Lotus Notes. Contact the IT Serviceline for further information.

The internal steps

o I 1: Find out whether your external communication partner is familiar with S/Mime
At first, it is important to find out whether the external communication partner uses S/Mime, and what system is being used (in terms of operating system and e-mail program). If the external communication partner already has a key pair or already uses S/Mime encryption (this information can best be obtained from the external communication partner's system administrator), then nothing further needs to be done. However, if the external communication partner is not aware of S/Mime, this guide should be provided. It can be ordered from http://by-securemail.bayer-ag.com. The external communication partner should also contact his ServiceDesk.

o I 2: Generate the key pair
You now have to check whether your own e-mail program is configured to use the Mime format. In Lotus Notes, this is done by clicking on [File] [Preferences] [Location Preferences] and selecting the [Mail] tab. If the Mime format is not selected, please configure it and close the dialog box by clicking on [Save and Close]. To generate the key pair, the person who needs the certificate must send a signed, unencrypted e-mail with the subject Get Certificate to the e-mail address Internet-Mail-Certificate@BAYERNOTES. It is not possible for your administrative assistant to request a certificate on your behalf. The message can be signed via [Delivery Options] and clicking on Sign.

The CA_Engine will answer the sender with a response e-mail within one day. The subject of this message will be S/Mime Internet Mail Certificate. The e-mail message will contain a button marked [Import Internet Certificate], which imports the certificate into Lotus Notes. Note: if you use several computers for your work, e.g. a desktop and a laptop, the Mime format must be configured separately on each computer. The same applies to importing the certificate in Lotus Notes via the [Import Internet Certificate] button. In other words, both steps need to be done once on each computer you use.

o I 3: Send the public key to the external communication partner
In order to provide your public key to your external communication partner, you simply have to send them a signed, unencrypted e-mail message. Mails are signed by activating the corresponding box in the [Delivery Options].

o I 4: Integrate the key into the address book
The first time a signed e-mail is received from an external communication partner, the system will require you to cross-certify this signature. A window appears in which you click on [Cross certify]. The status bar then shows an information message beginning Signed by. The certificate is imported by clicking on [Tools] [Add Sender to Address Book]. When you do this, ensure that the [Include X.509 Certificates] option is selected. If the contact is already listed in the address book, a corresponding message will be displayed. You then need to select [Update] to import the certificate.

This is the final step of the configuration process. In your daily work, you can use encryption when communicating with external partners in the same way as you do when communicating with internal partners. Before sending your message, select the [Encrypt] option in the [Delivery Options]. If you experience difficulties in this process, or if an error message appears, you can contact your IT Serviceline.

Steps for the external communication partner

E-mail programs and systems vary greatly. With this solution, Bayer Business Services supports the following systems:
o Microsoft Outlook (XP and 2003 for Windows / Entourage for Mac)
o Mozilla 1.7.2 / Netscape 7.1 for Windows, Linux, Mac
o Lotus Notes (Version 6.x for Windows, Linux, Mac)
o K-Mail 3.3.0 for Linux
o Apple Mail for Mac OS X from version 10.3

The next section provides a general overview of the steps that external communication partners must perform to set up S/Mime e-mail encryption. Screenshots of the supported systems can be found in the Appendix.

The external steps

o E 1: Integrate the key into the address book
As described in step I 4, it is necessary to import the public key into the user's own e-mail program address book. As a result, the address book record contains the public key for the communication partner in addition to name and address.

o E 2: Download the Bayer corporate certificate from the Bayer web site and integrate it
The so-called corporate certificate should also be imported, in order to avoid having to confirm that the communication partner is trustworthy each time a new message is received. The certification authority of the internal communication partner is Bayer Business Services. The certificate, which consists of a long string of characters, can be downloaded from the web site http://pki.bayer.info and imported automatically into e-mail programs.

o E 3: Generate the key pair
If no key pair exists yet, i.e. e-mail encryption is not currently in use, it must first be created. If the external communication partner has access to a certification authority (through the employer, for example), this is used to generate the key. The external communication partner's system administrator will be able to furnish more information. In other cases, the key pair can be obtained via the Internet from one of the trustworthy companies that offer certification authority services. Selection of recommended providers:
http://www.thawte.com/secure-email/personal-email-certificates/index.html
https://www.verisign.de/products-services/security-services/pki/pki-security/email-digital-id/index.html
These providers have step-by-step instructions for creating the key pair, so no further information is given here. Generation of the key pair does not depend on the e-mail client and operating system being used. Note: as with step I 2, this step only needs to be completed once!

o E 4: Integrate the key pair into the e-mail program
The generated key pair has to be imported into the e-mail program. This step is vital in ensuring that encrypted e-mail messages can be read. The following section demonstrates how this is done in various e-mail programs.

o E 5: Send the public key to the internal communication partner
The public key is sent to the internal communication partner simply by sending a signed, unencrypted e-mail message.

In day-to-day use, sending encrypted e-mails is easy, for internal and external communication partners alike. Simply click on the Encrypt button before sending.

Appendix: Microsoft Outlook

o E 1: Integrate the key into the address book
When you answer a signed e-mail message, the key is automatically imported into your address book. You can check the result by clicking on [Tools] [Internet Options] in Internet Explorer. In this dialog box, click on [Content] and open the certificate store by clicking on [Certificates]. All imported certificates are stored here. If the certificate is not in the certificate store, you can perform this step manually. Simply right-click on the e-mail address of the sender, and select [Add to Contacts].

o E 2: Download the Bayer corporate certificate from the Bayer web site and import it
This step was not necessary during testing. However, you may find that the untrusted sender message appears. If this happens, download the corporate certificate from http://pki.bayer.info. Double-clicking on the certificate will import it automatically into Internet Explorer. If this does not work, the certificate can be imported manually via Internet Explorer [Tools] [Internet Options] by clicking on [Certificates], selecting the [Intermediate Certification Authorities] tab and then [Import]. The certificate can then be imported by locating it in the folder to which it was saved when it was downloaded.

o E 3: Generate the key pair
See the general description of step E 3 in the section The external steps.

o E 4: Integrate the key pair into the e-mail program
If the provider is Thawte, the certificate is installed in your e-mail program simply by clicking on [Install your Certificate]. You then just have to answer the subsequent questions by clicking [Yes] to complete the import process. To check that the certificate has been imported correctly, follow the steps described in E 1 to view the [Internet Options] from the [Tools] menu of Internet Explorer. In this dialog box, click on [Content], open the certificate store by clicking on [Certificates] and navigate to the [Personal] tab. All your personal certificates are stored here. The certificate must now be imported into Outlook so that it can be used. This is done by clicking on [Tools] [Options] and selecting [Security] [Settings] in Outlook.

Various settings must then be entered in the dialog box, which is empty at first. The name, the cryptography format S/Mime and the certificate have to be entered for both digital signature and encryption purposes. Click on [ok] to confirm the data and complete this step.

o E 5: Send the public key
The public key is sent to your communication partner simply by sending a signed, unencrypted e-mail message. Once you have clicked on [Send], confirm the subsequent message by clicking on [ok].

Appendix: Netscape / Mozilla

o E 1: Integrate the key into the address book
The key is imported automatically into the address book simply by responding to a signed e-mail message. You can check that it has been imported successfully by clicking on [Edit] [Preferences]. Information on certificates is shown under [Privacy & Security] in this window. Open this information by clicking on [Certificates]. To open the Certificate Manager, simply click on [Manage Certificates]. All imported certificates are stored here.

If the certificate is not stored in the Certificate Manager, you can perform this step manually. Simply right-click on the e-mail address of the sender, and select [Add to Address Book].

o E 2: Download the Bayer corporate certificate from the Bayer web site and integrate it
This step was not necessary during testing. However, you may find that the untrusted sender message appears. If this happens, download the corporate certificate from http://pki.bayer.info. The certificate is imported by selecting [Import] in the Certificate Manager. Accessing the Certificate Manager is described in step E 1.

o E 3: Generate the key pair
See the general description of step E 3 in the section The external steps.

o E 4: Integrate the key pair into the e-mail program
If the provider is Thawte, the certificate is installed in your e-mail program simply by clicking on [Install your Certificate]. When this is done you must enter the master password that was assigned in step E 3. This completes the import process. To check that the certificate has been imported correctly, follow the steps described in E 1. The link between the e-mail account and the certificate now has to be checked via the menu [Edit] [Mail & Newsgroup Account Settings].

In this screen, the certificate for digital signature and encryption should be linked automatically. This has happened if the fields to the left of the [Select] buttons are filled in, as in the following screenshot. If these fields are empty, click on [Select] (once for the digital signature, once for encryption) to link the certificate with the e-mail account. This completes the import of the certificate into the e-mail program.

o E 5: Send the public key to the internal communication partner
The public key is sent to your communication partner simply by sending a signed, unencrypted e-mail message. Once you have clicked on [Send], you must enter the master password. The master password must be re-entered each time the program is restarted, when you first send a signed or encrypted e-mail message.

Appendix: Lotus Notes

o E 1: Integrate the key into the address book
The first time a signed e-mail is received from an external communication partner, the system will require you to cross-certify this signature. A window appears in which you click on [Cross certify]. The status bar then shows an information message beginning Signed by. The certificate is imported by clicking on [Tools] [Add Sender to Address Book]. When you do this, ensure that the [Include X.509 Certificates] option is selected on the [Advanced] tab. If the contact already appears in the address book, select [Update] when the corresponding message appears, to import the certificate.

o E 2: Download the Bayer corporate certificate from the Bayer web site and integrate it
This step was not necessary during testing. If it is necessary, the certificate can be imported into the Domino server. To do this, please contact your Domino administrator or ServiceDesk.

o E 3 and E 4: Generate the key pair and integrate it into Lotus Notes
The certificate is generated as in step E 3 of the general section, and can be exported from the Internet Explorer certificate store by clicking on [Tools] [Internet Options] in Internet Explorer.

In this dialog box, click on the [Content] tab and open the certificate store by clicking on [Certificates]. All imported certificates are stored here. Start the export process by selecting the [Personal] tab and clicking on the [Export] button. The wizard guides you through the export process. Please include the private key in the export and configure the export file format as follows:

Select a password to protect the file, and check the file name and folder. Complete the export wizard. You can now import the certificate into Lotus Notes by clicking [File] [Security] [User Security]. Enter your password, and select [Your Identity] followed by [Your Certificates]. Then click on [Get Certificates] and choose [Import Internet Certificates]. Select the file that contains the exported certificate, and then select [PKCS 12 encoded]. To import the certificate, enter the password you chose when you exported it and click on [Accept All].

Once the certificate has been imported successfully, close the window by clicking on [ok]. You must now verify the e-mail format setting by clicking on [File] [Preferences] [Location Preferences] and selecting the [Mail] tab. If the Mime format is not selected, please configure it and close the dialog box by clicking on [Save and Close].

o E 5: Send the public key to the internal communication partner
The public key is sent to the internal communication partner by sending a signed, unencrypted e-mail message. The e-mail message can be signed by selecting the security option [Sign] in the [Delivery Options].

Appendix: K-Mail

People who use the K-Mail e-mail program must implement encryption using two programs. Certificates and keys are managed by the certificate management program Kleopatra, which links into the K-Mail address book.

o E 1: Integrate the key into the address book
The first time a signed e-mail is received from an external communication partner, the system will inform you that there is insufficient information concerning this sender, or that the sender has been classified as untrustworthy. Right-click on the e-mail address and select the option [Add to Address Book] to add this e-mail address to your address book. Then click on [Details] to display the certificate in the Kleopatra certificate management program. By right-clicking and selecting [Validate], the relationship to the partner changes from untrusted to trusted. The identity of the sender can be determined by double-clicking to access the detailed information.

In the address book, the S/Mime protocol must be selected in the [Encryption Settings] section of the detailed information for the entry, and the certificate linked to the address book entry. Click on [Edit] to open the address book, from which you select the entry for the user whose certificate you wish to use. After you have made this selection, confirm by clicking [ok] and exit the other windows.

o E 2: Download the Bayer corporate certificate from the Bayer web site and import it
Save the certificate to the hard disk and, after starting the KDE certificate management program Kleopatra, import the certificate by clicking on [File] [Import Certificates]. Select the certificate file in the window shown, and click [Open]. The next window then shows whether the import was successful.

The certificate is then displayed in the Kleopatra certificate store.

o E 3: Generate the key pair
See the general description of step E 3 in the section The external steps. In this step, the certificate is stored in a local file using the browser (Opera, Konqueror or Netscape/Mozilla). This file should be imported into Kleopatra as described in step E 2.

o E 4: Integrate the key pair into the e-mail program
Display the identities wizard by selecting the [Configure K-Mail] option in the [Settings] menu. Select the current identity in the window shown, and click [Edit]. In the dialog that is then displayed, select the [Cryptography] tab and click on [Change] in the line for the S/Mime encryption certificate. The encryption certificate is imported into the e-mail program from the window that opens.

o E 5: Send a signed e-mail to the internal communication partner to provide them with your public key
The public key is sent to the internal communication partner by sending a signed, unencrypted e-mail message. The e-mail message can be signed by selecting the security option [Sign].

Appendix: Apple Mail

o E 1: Integrate the key into the address book
Importing the public key of a communication partner and the Bayer corporate certificate is performed automatically in Mac OS X when opening a received, signed e-mail message. You can see that an e-mail message has been signed by the [Signed] flag that shows as an icon in the message header under [Security]. When first adding a key, you may receive a message that the e-mail signature could not be verified (see figure below). In this case click on [Show Details] and then on [ok] to confirm that you wish to trust the Bayer corporate certificate in the future. When you reopen the message it should appear as signed, as above. In Mac OS X, certificates and public keys are not stored in the system address book, but in the user's keychain. To check that a certificate has been imported correctly, open the [Keychain] system program from the [Programs] [Utilities] folder. You can also use the Apple address book to check for which e-mail addresses of an entry you have stored a public key. The [Signed] icon appears next to each e-mail address in the address book for which there is a certificate.

o E 2: Download the Bayer corporate certificate from the Bayer web site and import it
This step is usually not required in Mac OS X, since the corporate certificate is loaded automatically using the information in the communication partner's public key and added to your keychain. This can be checked in the [Keychain] program, found under [Programs] [Utilities], by clicking on [Category] on the left and then [Certificates]. The Bayer corporate certificate should now be displayed as a root certification authority (Secure Mail CA) alongside others, together with all certificates belonging to your communication partners. If the corporate certificate is missing, it can be downloaded from http://pki.bayer.info and the file added to the list of certificates in the keychain via drag-and-drop.

o E 3: Generate the key pair
See the general description of step E 3 in the section The external steps.

o E 4: Integrate the key pair into the e-mail program
Users of Mac OS X version 10.4 or later (Tiger) can continue with point b).
a) Under older versions (Mac OS X 10.3) you may find that downloading certificates with Safari fails. In this case, try repeating the action with another web browser (e.g. Firefox) and then export the downloaded certificate using the corresponding function (e.g. Firefox [Settings]). Click on [Advanced] and then, under [Certificates], on [Manage Certificates]. You can select the appropriate certificate and click on [Backup] to export it to your desktop.

Select the option [PKCS 12 file] as the export format, and enter the desired passwords. You must now enter the Firefox master password, which is defined the first time you use one of the security functions in Firefox, and then you have to create a password for the export file to prevent unauthorized use. Please continue at point a/b).
b) Users of Mac OS X 10.4 or later (Tiger) should use Safari to request and download a certificate where possible, since other browsers, such as Firefox, only save downloaded certificates to their own certificate management program, and not to the keychain. Sometimes downloading a certificate causes a warning to be displayed that a program is being downloaded (e.g. in the case of Thawte this is a file called [deliver.exe]). Confirm this warning by clicking on [Load].
a/b) Double-click on the received certificate file from b) or the exported file from Firefox in a). Normally the system program [Keychain] opens and imports the new certificate automatically. If you exported from Firefox, for example, you will have to enter the password for the export file. The certificate should then be stored along with your e-mail address or your name in the keychain. If this has not worked, open [Keychain] manually (from [Programs] [Utilities]) and drag the received certificate file into the list of certificates.

o E 5: Send the public key
When steps E 1 to E 4 have been completed successfully, two new buttons are displayed at the top right of the header section of new messages. The button with the [Signed] icon (check or cross in a cogwheel) determines whether the mail should be digitally signed using the public key, while the other button (open or closed padlock) determines whether the mail should also be encrypted. The public key is sent to your communication partner by answering his signed e-mail message (from step E 1) or by writing a new e-mail message and activating the [Signed] button (see image). You should not activate encryption the first time you send a signed message to a recipient, since the recipient will not be able to decrypt the message without first receiving your public key (i.e. the signature). Once this is done, new e-mail messages can easily be encrypted by activating the padlock icon.