Using eToken for Securing E-mails Using Outlook and Outlook Express
Lesson 15
April 2004
eToken Certification Course

Securing Email Using Certificates
Unprotected emails can be easily read and/or altered.
Digital signatures:
  Allow verification of the sender's identity.
  Provide proof that the message has not been changed after being signed.
Encryption protects the content of messages: only the authorized recipient can decrypt the message.
Solution Overview
Using eToken with Microsoft Outlook:
  Request and download a digital certificate
  Digitally sign an email message
  Encrypt and decrypt an email message

System Requirements
  Windows 95/98/ME/NT/2000/XP
  Internet Explorer 5.0 and above
  Netscape 4.6 and above
  eToken R2 or PRO
  Install eToken PKI Client
  Install user certificate on the eToken
Downloading a Certificate from Entrust Web Site
A demo certificate can be enrolled from a public site:
  Launch Internet Explorer.
  Go to http://www.entrust.com/freecerts
  Under Web Certificates, click on SSL Web Certificates.
  Select Web Browser Certificate.

Downloading a Certificate from Entrust Web Site
On the enrollment page insert the required information.
Read the license agreement; if accepted, click Proceed to step 2.
Downloading a Certificate from Entrust Web Site
Review the DN information and click Proceed to Step 3.

Downloading a Certificate from Entrust Web Site
In the CSP section, choose the eToken Base Cryptographic Provider.
Click Retrieve Your Certificate.
Downloading a Certificate from Entrust Web Site
Note: To install the digital certificate on the eToken, make sure you do the following:
  Select eToken Base Cryptographic Provider.
  Insert the eToken into the computer.
  Enter the eToken password when prompted during the download of the Digital ID.
If you want to download the Digital ID to the computer's hard drive instead, select the default Microsoft Base Cryptographic Provider.

Downloading a Certificate from Entrust Web Site
The eToken logon dialog box will appear. Enter the eToken password in order to generate the RSA key pair on the eToken.
Downloading a Certificate from Entrust Web Site
Congratulations, the certificate is stored on your eToken!

Downloading a Certificate from Entrust Web Site
Open the eToken Properties tool. Select Advanced, and view the Certificates & Keys tab.
All the certificates stored on the eToken are displayed:
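The eToken Properties tool answers one question that matters for this lesson: did the private key end up on the token, or on the hard drive under the Microsoft Base Cryptographic Provider? The same check can be made against the Windows certificate store. The script below is an added example, not part of the course material or of the eToken PKI Client; it assumes Windows PowerShell 5.1 and a legacy-CSP token client such as the one the course installs. The EKU OID 1.3.6.1.5.5.7.3.4 is the standard id-kp-emailProtection (Secure Email) value that e-mail clients look for when offering certificates; the provider name string is the one the course shows in the CSP selection step.

```powershell
# Added example (not from the eToken course): list the current user's
# certificates that are usable for secure e-mail and report which CSP
# holds each private key, so a key left on disk is easy to spot.
$SecureEmailEku = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection (standard OID)
$TokenProvider  = 'eToken Base Cryptographic Provider'   # name shown in the course's CSP step

function Get-SecureEmailKeyLocation {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | Where-Object {
        # Member enumeration (.ObjectId over the EKU list) needs PowerShell 3 or later.
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $SecureEmailEku)
    } | ForEach-Object {
        $cert     = $_
        $provider = 'unknown (CNG key or container not accessible)'
        $hardware = $null
        try {
            # Legacy CSP keys expose CspKeyContainerInfo; CNG keys throw here.
            # Some smart-card CSPs prompt for the token password when the
            # container is opened, even though no signing takes place.
            $key = $cert.PrivateKey
            if ($key -and $key.CspKeyContainerInfo) {
                $provider = $key.CspKeyContainerInfo.ProviderName
                $hardware = $key.CspKeyContainerInfo.HardwareDevice
            }
        } catch [System.Security.Cryptography.CryptographicException] { }

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            Provider    = $provider
            OnHardware  = $hardware
            OnThisToken = ($provider -eq $TokenProvider)
        }
    }
}

$inventory = Get-SecureEmailKeyLocation
$inventory | Format-Table -AutoSize
$onDisk = $inventory | Where-Object { -not $_.OnHardware -and $_.Provider -ne 'unknown (CNG key or container not accessible)' }
if ($onDisk) {
    Write-Warning "Secure-email keys held by a software CSP (not on a token): $($onDisk.Thumbprint -join ', ')"
}
```

A row whose Provider is the Microsoft Base Cryptographic Provider corresponds to the hard-drive enrollment path the course warns about; a row with OnThisToken true is what the Certificates & Keys tab in eToken Properties would list.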
Using eToken to Sign Emails with Microsoft Outlook

Signing an Email Message
1. Open Microsoft Outlook.
2. Click on New.
3. Scroll down to New Mail Message.
Signing an Email Message
4. Click the [Options] button.
5. The following window appears:
6. Click on Security Settings.

Signing an Email Message
7. Check Add digital signature to this message.
8. Click on Change Settings.
Signing an Email Message
9. To choose the signing certificate, click on Choose.

Signing an Email Message
10. Select the certificate used for signing emails.
11. Click OK.
Signing an Email Message
The eToken logon dialog box appears. The sender must log on to the eToken in order to sign the message using his private key.

Signing an Email Message
12. Click Send.
The signed email is sent along with the signature and the sender's public key (certificate). The recipient can then add the sender to his contact list, which saves the sender's public key. That public key can later be used to reply with encrypted messages.
Using eToken to Sign and Encrypt Email Messages

Signing and Encrypting Emails
1. Open Outlook Express.
2. Click on New.
3. Scroll down to Mail Message.
Signing and Encrypting Emails
4. Click the Options button.
5. Click on Security Settings.
6. Click on Security Settings.

Signing and Encrypting Emails
7. Check Encrypt message contents and attachments.
8. Click on Change Settings.
Signing and Encrypting Emails
9. Click on Choose next to Encryption Certificate.

Encrypting Emails
10. Select the certificate for encrypting emails.
11. Click OK.
Encrypting Emails
12. The message is encrypted using the recipient's public key, which was previously received and stored as part of his contact details.
13. Click Send.
Only the recipient can decrypt this message, by using his corresponding private key.

Encrypting Emails
The recipient uses his private key, stored on his eToken, to decrypt the message.
The recipient uses the sender's public key to verify the signature.
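The two sections above (signing with the sender's private key on the token, then encrypting to the recipient's public key, and the reverse on receipt) are the S/MIME operations Outlook performs behind the Security Settings dialog. The script below is an added example, not course material and not Outlook's or the eToken client's own code; it performs the same four steps directly with the .NET CMS (PKCS #7) classes so the roles of each key are visible. It assumes Windows PowerShell 5.1 and two certificates in the current user's store; the two thumbprint values are placeholders, and the recipient's private key is assumed to be reachable only on the receiving side. The AES-256-CBC OID 2.16.840.1.101.3.4.1.42 is the standard value, chosen here because the .NET default content cipher for EnvelopedCms is 3DES.

```powershell
# Added example (not from the eToken course): sign-then-encrypt a message and
# decrypt-then-verify it, the way Outlook does when both boxes are checked.
Add-Type -AssemblyName System.Security
$SenderThumbprint    = 'SENDER_THUMBPRINT_PLACEHOLDER'     # placeholder
$RecipientThumbprint = 'RECIPIENT_THUMBPRINT_PLACEHOLDER'  # placeholder

function Get-CertByThumbprint([string]$Thumbprint) {
    $c = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $c) { throw "Certificate $Thumbprint not found in CurrentUser\My" }
    $c
}

# Sender side: sign with the sender's private key (the eToken logon dialog
# appears here), then encrypt the signed blob for the recipient's public key.
function Protect-Message([byte[]]$Plain, $SenderCert, $RecipientCert) {
    $signedContent = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$Plain)
    $signed = New-Object System.Security.Cryptography.Pkcs.SignedCms -ArgumentList $signedContent, $false
    $signer = New-Object System.Security.Cryptography.Pkcs.CmsSigner -ArgumentList $SenderCert
    $signed.ComputeSignature($signer)           # private key use: token password prompt
    $signedBytes = $signed.Encode()

    # Only the recipient's public key is needed to encrypt; no secret of theirs is touched.
    $aes256 = New-Object System.Security.Cryptography.Pkcs.AlgorithmIdentifier -ArgumentList (
        New-Object System.Security.Cryptography.Oid '2.16.840.1.101.3.4.1.42')
    $envContent = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$signedBytes)
    $envelope = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms -ArgumentList $envContent, $aes256
    $recipient = New-Object System.Security.Cryptography.Pkcs.CmsRecipient -ArgumentList $RecipientCert
    $envelope.Encrypt($recipient)
    $envelope.Encode()
}

# Recipient side: Decrypt() looks in CurrentUser\My for a matching private
# key, so a key held on an eToken triggers the token password prompt. Then
# the inner signature is checked against the sender's certificate and chain.
function Unprotect-Message([byte[]]$Cipher) {
    $envelope = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
    $envelope.Decode($Cipher)
    $envelope.Decrypt()

    $signed = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $signed.Decode($envelope.ContentInfo.Content)
    # $false = verify the signature AND validate the signer's certificate chain;
    # a tampered body or an untrusted sender certificate throws here.
    $signed.CheckSignature($false)

    [pscustomobject]@{
        Text   = [System.Text.Encoding]::UTF8.GetString($signed.ContentInfo.Content)
        Signer = $signed.SignerInfos[0].Certificate.Subject
    }
}

$sender    = Get-CertByThumbprint $SenderThumbprint
$recipient = Get-CertByThumbprint $RecipientThumbprint
$blob   = Protect-Message ([System.Text.Encoding]::UTF8.GetBytes('Constructed sample message body.')) $sender $recipient
$result = Unprotect-Message $blob
$result
```

Run end to end on one machine that holds both private keys, the script prompts for the token password twice: once for ComputeSignature (sender's key) and once for Decrypt (recipient's key). That is exactly the pair of eToken logon dialogs the slides show, and it is why the recipient's certificate must already be saved in the sender's contacts before the message can be encrypted at all.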
Using eToken for Secure Emails in Microsoft Outlook Express

Selecting the Certificate in Outlook Express
Before you can use the certificate to secure your email in Outlook Express, you must select it, as described below.
To select the certificate in Outlook Express:
1. In Outlook Express, select Tools, then Accounts.
2. Double-click on the account associated with the certificate, and click the Security tab.
3. The Security Options window is displayed, as shown:
Selecting the Certificate in Outlook Express
4. In the Signing Certificate area, click Select.
5. The available certificates are displayed, as shown in the following example:
6. Select the certificate and click OK. The certificate is displayed for the Signing Certificate.
7. Repeat steps 4 to 5 for Encrypting preferences.
8. Click OK and then Close. The selected certificate will be used for signing, encrypting and decrypting your email.
Signing an Email Message
The sender logs on to the eToken to sign the message using his private key.

A Digitally Signed Message
When a digitally signed mail is received, the indication for the signature is marked as described below:
Verifying the Signature
When the signing icon is double-clicked, it is possible to verify the sender's certificate.

Saving the Sender's Public Key for Encrypting Messages
It is essential to save the sender's public key, so that encryption can be enabled. Saving the public key is done by adding the sender to the address book.
Saving the Sender's Certificate
The sender's certificate is saved once the sender is added to the address book.

Decrypting an Email Message
The receiver uses his private key on his eToken to decrypt the message. When you try to open an encrypted message, you are asked to enter the eToken password:
The Decrypted Mail Message
When an encrypted mail is received, the indication for the encryption is marked as described below:

Outlook Web Access
Using SSL v3 and eToken for Web Access to Exchange Server 2000
Using SSL v3 and eToken for Web Access to Exchange Server 2000
Microsoft Outlook Web Access (OWA) for Microsoft Exchange Server provides users with access to e-mail, personal calendar and group applications on Microsoft Exchange Server through a Web browser.
System Requirements:
  Windows 2000 Server with Service Pack 1 or higher
  Microsoft Exchange Server 2000
  Active Directory
  Internet Explorer 5.0 and above
  Netscape 4.6 and above
  eToken R2 or PRO
  Install eToken PKI Client
  Enroll personal certificates for the users

Outlook Web Access Basic Steps
1. Configuring SSL on the web server.
2. Installing NNTP services.
3. Installing Microsoft Exchange Server 2000.
4. Creating Exchange inboxes for the domain users.
5. SSL authentication to the Exchange mailbox.
Creating Inbox for New Users in the Domain
From Exchange Server, create a mailbox for the user.

How to Enable Windows Directory Service Mapper
Open Internet Services Manager.
Right-click on the server name.
Select Properties.
Select Edit in the Master Properties field.
How to Enable Windows Directory Service Mapper
Click the Directory Security tab.
Select Enable the Windows directory service mapper in the Secure communications field.

Client Certificate Mapping
In Internet Information Services, open the Exchange web site properties.
Select the Directory Security tab and click Edit in the Secure communications field.
SSL Configuration and Client Certificate Mapping
Check Require secure channel (SSL).
Select Require client certificates.
Check Enable client certificate mapping.

SSL Authentication to Microsoft Exchange Server 2000: Client Side
1. Open Internet Explorer.
2. Insert the eToken.
3. Enter the URL: https://server name/exchange
4. Select the user's certificate. Click OK.
SSL Authentication to Microsoft Exchange Server 2000
5. Enter the eToken password.

Access to Inbox is Granted
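The three server-side settings the course clicks through in the IIS 5 Directory Security dialogs (require SSL, require client certificates, Windows directory service mapper) are what turn the eToken certificate into the login credential; if any one of them is missing, the inbox is reachable with a password alone. The script below is an added example, not part of the course and not a Microsoft tool; it audits those settings on a modern IIS 7 or later host with the WebAdministration module, where the directory service mapper is called Active Directory Client Certificate Authentication. The site name "Default Web Site" and the application path "exchange" are assumptions taken from the URL on the client-side slide; adjust them for the server being checked.

```powershell
# Added example (not from the eToken course): verify on IIS 7+ that the OWA
# virtual directory requires SSL plus a client certificate, and that the
# server-wide Active Directory certificate mapper is enabled.
Import-Module WebAdministration

function Test-OwaClientCertConfig {
    param(
        [string]$SiteName = 'Default Web Site',   # assumption
        [string]$AppPath  = 'exchange'            # from the course URL https://server name/exchange
    )
    $location = "$SiteName/$AppPath"

    # sslFlags is a flags attribute; its text form looks like
    # "Ssl, SslNegotiateCert, SslRequireCert". Some module versions return
    # the bare value, others an attribute object with a .Value property.
    $flags = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $location -Filter 'system.webServer/security/access' -Name 'sslFlags'
    if ($flags -and $flags.PSObject.Properties['Value']) { $flags = $flags.Value }
    $flagList = "$flags" -split ',\s*'

    # The AD mapper (IIS 5: "Windows directory service mapper") is a
    # server-level setting in IIS 7+, so it is read without -Location.
    $adMapper = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' `
        -Name 'enabled'
    if ($adMapper -and $adMapper.PSObject.Properties['Value']) { $adMapper = $adMapper.Value }

    [pscustomobject]@{
        Location           = $location
        RequiresSsl        = ($flagList -contains 'Ssl')
        RequiresClientCert = ($flagList -contains 'SslRequireCert')
        AdCertMapping      = [bool]$adMapper
    }
}

$result = Test-OwaClientCertConfig
$result
if (-not ($result.RequiresSsl -and $result.RequiresClientCert -and $result.AdCertMapping)) {
    Write-Warning 'At least one of the three settings is not in place; OWA may accept sessions that are not tied to a mapped client certificate.'
}
```

RequiresClientCert true with AdCertMapping false is the combination worth watching for: the browser is forced to present the eToken certificate, but nothing maps it to the mailbox owner's domain account, so the certificate is not actually what authorizes access to the inbox.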