SensorNet and Digital Certificates:

Using Secure Email with Microsoft Outlook Express


Retrieving Other People's Digital Certificates
By now, you probably know that in order to send secure (specifically, encrypted) email to an individual involved in SensorNet you will need their public key, which is contained in their digital certificate. How do you get it? At SensorNet, we publish people's certificates in our online directory (LDAP). You can retrieve a certificate from the directory and import it into Outlook Express in a few steps, listed below. Keep in mind that the certificate you fetch decides who will be able to read your encrypted mail, so fetch it over an SSL connection to the directory (port 636, as configured below) and make sure the address in the certificate is the person you mean to write to.
 
 
First, we're going to add the SensorNet directory to Outlook Express as a new directory service. On the top menubar, go to "Tools" and then "Accounts" (see Figure 1).
 
New account
Figure 1.
 
In the new window, click on the "Directory Service" tab on top (see Figure 2).
 
Accounts
Figure 2.
 
Now click on the "Add" button at the top right hand corner of the window. Choose "Directory Service" (See Figure 3).
 
Directory Service
Figure 3.
 
 
You'll now be instructed to enter various bits of information on different screens. On the first screen, type in "ldap.sensornet.gov" for the "Internet directory (LDAP) server" field. Click on "Next" when you are finished (see Figure 4).
 
New LDAP
Figure 4.
 
On the second page, click "Yes" when asked "Do you want to check addresses using this directory service?". Click on "Next" when you are finished (see Figure 5).
 
use LDAP?
Figure 5.
 
You will now be at a window confirming that you have entered all of your information. Click on "Finish" (see Figure 6).
 
Finished
Figure 6.
 
In the window illustrated by Figure 7, you should now see an entry for "ldap.sensornet.gov" under the Directory Service tab.
 
Internet accounts
Figure 7.
 
Now, making sure that the "ldap.sensornet.gov" entry is highlighted, click on the "Properties" button on the right hand side of your window. You should see a window that appears similar to that illustrated by Figure 8.
 
LDAP properties
Figure 8.
 
On this new window, click on the "Advanced" tab. The window should now appear as shown in Figure 9.
 
LDAP advanced properties
Figure 9.
 
For the search base, enter exactly
"dc=sensornet,dc=gov"

Tick the SSL connection checkbox; the port should change from 389 to 636, as shown in Figure 9. (Without SSL, anyone on the network path between you and the directory could substitute a different certificate in the reply, and you would end up encrypting to the wrong key without noticing.) Then click on the "OK" button to continue; the next window you need is illustrated by Figure 10.
 
Now we have to set up Outlook Express to use digital certificates. Go to "Tools | Options" from the top menubar. Select "Security" from the tabs, and then click on the "Advanced" button near the bottom. You should then see a new window illustrated by Figure 10.

In this window, make sure that "168 bits" (Triple DES) is the option selected in the drop-down menu; this is the strength below which Outlook Express warns you before sending an encrypted message, so leave it at the maximum. Also make sure that the checkboxes marked "Always encrypt to myself when sending encrypted mail", "Include my digital ID when sending signed messages", and "Add senders' certificates to my address book" are all checked. The last one is what lets Outlook Express pick up a correspondent's certificate from mail they have digitally signed (see "An alternate method" below). Press "OK" when done.
 
Advanced security settings
Figure 10.

Now we can search for SensorNet users' digital certificates. On the main menubar, click on "Tools | Address Book". In the Address Book window, click on the "Find People" button. You should now see a window that looks like the one illustrated by Figure 11.
 
Find people
Figure 11.
 
Make sure that the SensorNet LDAP directory that you specified above is in the "Look in" drop-down menu. Now, supply either the name or the email address of the recipient to whom you wish to send encrypted email, and click on the "Find Now" button. You'll see the entry (or entries) show up in the lower half of the window. Highlight the desired entry, and then click on the "Properties" button. You'll see another window pop up, which should look like the one illustrated by Figure 12.
 
Contact properties
Figure 12.
 
Click on the "Add to Address Book" button near the top right-hand corner, and then select the "Digital IDs" tab at the top. If you see a listing there for the person you searched for, Outlook Express has their certificate and you can send them encrypted email (see Figure 13). Before you rely on it, open the listing and check that the email address in the certificate is the one you will be sending to and that the certificate has not expired; an expired or mismatched certificate is no use to you. Import certificates for everyone you wish to send encrypted email to by following the same procedure.
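If you would rather script this lookup than click through the dialogs (for example, to fetch a whole team's certificates at once), here is an added example in Python. It is not part of the SensorNet instructions and is not Outlook Express code: it parses the LDIF that the standard ldapsearch tool prints for the same query the dialogs make (server ldap.sensornet.gov, search base dc=sensornet,dc=gov, attribute userCertificate) and turns each certificate into PEM you can inspect with openssl. The directory entries and the certificate bytes in it are constructed placeholders, not real SensorNet data.

```python
"""Extract S/MIME certificates from ldapsearch LDIF output.

Added example for this page (not SensorNet or Outlook Express code).
It reads LDIF (RFC 2849) as printed by `ldapsearch`, handling the two
things that trip up naive scripts: long values folded onto continuation
lines, and binary attributes written as "userCertificate;binary:: <b64>".
The entries below are constructed; PLACEHOLDER_DER stands in for the
DER bytes of a real certificate.
"""
import base64
import ssl

# Constructed stand-in for the DER bytes of a certificate (not a real cert).
PLACEHOLDER_DER = b"constructed placeholder standing in for DER certificate bytes"


def fold(line, width=40):
    """Fold a long LDIF line the way ldapsearch does: continuation lines
    begin with a single space (RFC 2849)."""
    chunks = [line[i:i + width] for i in range(0, len(line), width)]
    return "\n".join([chunks[0]] + [" " + c for c in chunks[1:]])


# Constructed sample of `ldapsearch -LLL ... mail userCertificate` output:
# alice has a published certificate, bob does not.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=sensornet,dc=gov",
    fold("cn: Alice Example, Sensor Operations, constructed directory entry"),
    "mail: alice@sensornet.gov",
    fold("userCertificate;binary:: "
         + base64.b64encode(PLACEHOLDER_DER).decode("ascii")),
    "",
    "dn: uid=bob,ou=people,dc=sensornet,dc=gov",
    "cn: Bob Example",
    "mail: bob@sensornet.gov",
    "",
])


def unfold(text):
    """Join continuation lines back onto the line they belong to."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each {attribute-name: [values]}.
    Names are lower-cased and options such as ';binary' are dropped.
    Base64 values ('::') decode to bytes; plain values stay str."""
    entries, current = [], {}
    for line in unfold(text):
        if not line.strip():            # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # ldapsearch comments
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):        # "attr:: base64"
            value = base64.b64decode(rest[1:].strip())
        else:                           # "attr: text"
            value = rest.strip()
        name = name.split(";", 1)[0].lower()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def certificates_from_ldif(text):
    """Map each mail address to the PEM certificates published for it.
    Entries without a userCertificate (bob above) are simply absent,
    which is the 'no listing under Digital IDs' case from the text."""
    found = {}
    for entry in parse_ldif(text):
        certs = [v for v in entry.get("usercertificate", []) if isinstance(v, bytes)]
        for mail in entry.get("mail", []):
            for der in certs:
                pem = ssl.DER_cert_to_PEM_cert(der)   # wraps DER as PEM; no validation
                found.setdefault(mail.lower(), []).append(pem)
    return found


if __name__ == "__main__":
    for mail, pems in certificates_from_ldif(SAMPLE_LDIF).items():
        print(f"{mail}: {len(pems)} certificate(s)")
        print(pems[0])
```

To produce real input, run the query the dialogs above make, for example `ldapsearch -x -LLL -H ldaps://ldap.sensornet.gov:636 -b 'dc=sensornet,dc=gov' '(mail=alice@sensornet.gov)' mail userCertificate > alice.ldif` (this assumes the directory allows an anonymous bind, which is what the Outlook Express account above does, since it has no credentials). Save the PEM and check it with `openssl x509 -in alice.pem -noout -subject -email -enddate -purpose` before trusting it: the address must be the one you are writing to, the certificate must not be expired, and the purpose list should show it is usable for S/MIME encryption.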

A good reason NOT to use Outlook Express

Note that I imported my own certificate into the Outlook Express Address Book. The ONLY way to do this (that I have found) is to do it from an LDAP server as shown above. This is very non-standard. You can import a certificate file into Outlook Express by using the usual Internet Explorer import process (Tools, Options, Security, Digital IDs) but these certificates will not appear when you try to set the signing certificate for this account. So, after you import your own certificate into the Address Book, go into your mail server properties and select the signing certificate that will be used when you send mail. (Figure 12a)

We highly recommend the Mozilla browser, or its separate components Firefox (browser) and Thunderbird (mail client). It will make your life easier.

 Select the signing certificate for your account
Figure 12a

Certificate properties
Figure 13.
 
Congratulations! The person's digital certificate has been imported to your computer. You can now send this person encrypted email. You can see the certificate by selecting the Tools menu, then Options, and clicking "Digital IDs" on the Security tab, as shown in Figure 14.

Imported certificate
Figure 14

An alternate method...

There is also another way to obtain a person's digital certificate. Anyone who sends you a digitally signed email will have their email address and digital certificate automatically added to your Address Book (this is what the "Add senders' certificates to my address book" option above does). You can verify this by opening your Address Book, highlighting the individual (who, as you can see, has been added automatically), and clicking on Properties. You should see a window similar to that illustrated by Figure 15.
 
Contact Properties
Figure 15.
 
To see that this person has a digital certificate, click on the "Digital IDs" tab of their entry in your Address Book; the resulting window should appear similar to Figure 14. You should see the digital IDs (certificates) associated with this person. This enables you to send them encrypted email (read below for more information). Note that a certificate obtained this way arrives inside the signed message itself, so it is only as trustworthy as the signature check Outlook Express performed on that message when you opened it.



Encrypting Email
Now that you have your recipient's digital certificate in your computer, it's very easy to send an encrypted email. Go to compose an email as you normally would. However, before sending it, on the top toolbar, click on the "Encrypt" icon (you can also do this by selecting "Encrypt" from the "Tools" menubar). You should see a small blue lock appear near the top right-hand corner of the window (see Figure 16). Send your email, and the recipient will then be able to decrypt the email when s/he receives it by entering the passphrase to his/her private key when prompted.
 
Send encrypted mail
Figure 16.
 
Please note that if you do not have the recipient's digital certificate in Outlook Express's database, you cannot send encrypted email to them. If you try, you will see an error message which will notify you that you do not have the recipient's digital certificate. At this point, you may choose to either send the email un-encrypted, or cancel the message altogether. Please read the above section entitled "Retrieving Other People's Digital Certificates" if you wish to send them an encrypted email.
 

Another good reason NOT to use Outlook Express:

If Outlook Express does not yet know which encryption algorithms the recipient supports, you will find when you try to send the above message that an error message appears (Figure 17) telling you that the message is being sent with only 40-bit encryption. Microsoft calls this a feature (http://support.microsoft.com/default.aspx?scid=kb;en-us;262003)!

"This issue is by design following the Secure/Multipurpose Internet Mail Extensions 2 (S/MIME2) specification. There are many e-mail clients that do not support Secure/Multipurpose Internet Mail Extensions 3 (S/MIME3), so the S/MIME2 default (RC2 40-bit) is used for encryption when Outlook Express does not know the capabilities of the recipient." This is of course ancient poppycock, and another example of why Microsoft cannot be relied upon to properly handle PKI. A 40-bit RC2 key can be recovered by brute force with very modest hardware, so a message sent this way is barely protected at all, and the "168 bits" setting you chose above does not prevent it: that setting only makes Outlook Express warn you (Figure 17). The S/MIME v3 specification (RFC 2633) says that a sender which knows nothing about the recipient should use Triple DES, which every S/MIME client is required to support. Outlook Express learns a recipient's supported algorithms from the SMIMECapabilities attribute carried in mail they have digitally signed, so with Outlook Express the practical workaround is to have the person send you one signed message before you encrypt to them. Better yet, do yourself a favor and switch to Mozilla. Mozilla also does not force you to manually import the certificate into the address book. It does it automagically.

Outlook Express cannot use strong encryption
Figure 17
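To make the behaviour behind Figure 17 concrete, here is an added example (my own code, not Outlook Express's or Microsoft's) of how a sender decides which content-encryption algorithm to use. It encodes and decodes the SMIMECapabilities attribute a recipient puts in signed mail (RFC 2633 section 2.5.2: a SEQUENCE OF SEQUENCE { OBJECT IDENTIFIER, optional parameters }) with a deliberately minimal hand-written DER codec, and then applies a policy that never goes below the Triple DES strength of the "168 bits" setting above, even for a recipient it knows nothing about. The capability lists are constructed; the OIDs are the standard ones from RFC 2633 (Triple DES, RC2) and RFC 3565 (AES).

```python
"""Choose an S/MIME content-encryption algorithm from a recipient's
SMIMECapabilities, and show the RC2/40 fallback the text complains about.

Added example for this page; not Outlook Express or Microsoft code.  The
DER encoder/decoder handles only what SMIMECapabilities needs (SEQUENCE,
OBJECT IDENTIFIER, INTEGER).  The capability lists are constructed.
"""

# OID -> (name, effective strength in bits).  RC2's key size travels as an
# INTEGER parameter inside the capability, so it is None here.  Triple DES
# has a 168-bit key (Outlook Express's "168 bits") but only 112 bits of
# effective strength because of the meet-in-the-middle attack.
OIDS = {
    "1.2.840.113549.3.7": ("des-ede3-cbc", 112),
    "1.2.840.113549.3.2": ("rc2-cbc", None),
    "2.16.840.1.101.3.4.1.2": ("aes128-cbc", 128),
    "2.16.840.1.101.3.4.1.42": ("aes256-cbc", 256),
}
NAME_TO_OID = {name: oid for oid, (name, _) in OIDS.items()}

# What a sender uses when it knows nothing about the recipient:
SMIME_V2_DEFAULT = ("rc2-cbc", 40)        # RFC 2311, and Outlook Express
SMIME_V3_DEFAULT = ("des-ede3-cbc", 112)  # RFC 2633: SHOULD use Triple DES


# ---- minimal DER ----------------------------------------------------------
def der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # base 128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def encode_int(value):                   # non-negative integers only
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def parse_tlvs(data):
    """Split a DER blob into (tag, body) pairs; raises on truncation."""
    items, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated DER element")
        items.append((tag, data[i:i + length]))
        i += length
    return items

def decode_oid(body):
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


# ---- SMIMECapabilities ------------------------------------------------------
def encode_capabilities(caps):
    """[(name, int_param_or_None)] -> DER SMIMECapabilities."""
    items = b""
    for name, param in caps:
        body = encode_oid(NAME_TO_OID[name])
        if param is not None:
            body += encode_int(param)
        items += der(0x30, body)
    return der(0x30, items)

def parse_capabilities(blob):
    """DER SMIMECapabilities -> [(name, strength_bits)]; algorithms not in
    OIDS come back as their dotted OID with strength None."""
    (tag, body), = parse_tlvs(blob)
    if tag != 0x30:
        raise ValueError("SMIMECapabilities must be a SEQUENCE")
    caps = []
    for tag, cap in parse_tlvs(body):
        fields = parse_tlvs(cap)
        if tag != 0x30 or not fields or fields[0][0] != 0x06:
            raise ValueError("malformed SMIMECapability")
        oid = decode_oid(fields[0][1])
        name, bits = OIDS.get(oid, (oid, None))
        if bits is None and len(fields) > 1 and fields[1][0] == 0x02:
            bits = int.from_bytes(fields[1][1], "big")   # e.g. rc2-cbc with 40
        caps.append((name, bits))
    return caps

def choose_cipher(caps, min_bits=112):
    """Strongest advertised algorithm that meets the policy floor, or None
    (refuse to send rather than downgrade).  caps=None means the recipient's
    capabilities are unknown; we then apply the S/MIME v3 Triple DES default
    instead of the v2 RC2/40 default that Outlook Express applies."""
    if caps is None:
        caps = [SMIME_V3_DEFAULT]
    usable = [c for c in caps if c[1] is not None and c[1] >= min_bits]
    return max(usable, key=lambda c: c[1]) if usable else None


if __name__ == "__main__":
    # Constructed: what a current mail client advertises in its signed mail.
    advertised = encode_capabilities([("aes256-cbc", None), ("des-ede3-cbc", None), ("rc2-cbc", 40)])
    print("recipient advertises:", parse_capabilities(advertised))
    print("we would use:", choose_cipher(parse_capabilities(advertised)))
    print("unknown recipient, v3 rule:", choose_cipher(None))
    print("unknown recipient, v2/Outlook Express rule:", choose_cipher([SMIME_V2_DEFAULT]))
```

The last two lines of the demonstration are the whole argument of this section: with the v3 rule an unknown recipient still gets Triple DES, while the v2 rule Outlook Express follows produces RC2/40, which the policy refuses to send. In a real client the capability list would be read from the signerInfo of a signed message the recipient sent you, which is why receiving one signed message first changes what Outlook Express does.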



Digitally Signing Email
Digitally signing email is similar to the procedure outlined just above for sending encrypted email. The only difference is that you will have to click on the "Digitally Sign" icon (or choose "Digitally Sign" in "Tools" from the menubar) before sending your email. You should see a small red ribbon appear near the top right-hand corner of the window (see Figure 18).
 
Signed e-mail
Figure 18.
 
When you are ready to send your digitally signed email, you will be prompted to enter the passphrase that protects your private key (see Figure 19). After you enter it, your email will be sent, digitally signed.
 
Outlook passphrase
Figure 19.



Encrypting and Digitally Signing Email
You can send email that is both encrypted and digitally signed as well! To do this, you must make sure that before sending your email, both the "Encrypt" and "Digitally Sign" icons are selected in the toolbar (you can also do this from the "Tools" menu on the menubar). You should see a small blue lock and a small red ribbon appear near the top right-hand corner of the window.
 
You must have already retrieved the recipient's digital certificate onto your computer (please read the above section entitled "Retrieving Other People's Digital Certificates" if you haven't done so), and you will also be prompted for the passphrase that protects your private key (see Figure 19). After you have done so, the email will be sent to the recipient encrypted and digitally signed by you!