Lock IT Down: Protect your Outlook users' e-mail with digital IDs

Train your users to use digital IDs to protect confidential e-mails

Your users are sending confidential information across the Internet via e-mail. If the thought of a hacker intercepting those messages disturbs you, you can train your users to use digital IDs to protect those confidential e-mails.

A digital ID is the electronic equivalent of a driver’s license or passport. Users' digital IDs prove their identities in online communications via a Web browser or e-mail. While the inner workings of the digital ID are complex, once a user acquires a digital ID, working with it is a straightforward procedure.

To get you started, I'll investigate digital IDs and explain how they work. I'll show you how to sign up for and install a digital ID in Outlook Express. After reading this Daily Drill Down, you’ll be ready to show your users how to use the digital ID to send and receive digitally signed and encrypted e-mail messages.

The components of a digital ID
A digital ID consists of two components that you can use separately or together:
  • Digital signature: The digital signature component of a digital ID is used for authentication. A message that has been signed with a digital signature proves that the message is in fact from the stated sender and verifies that the message hasn’t been altered or tampered with while en route.
  • Encryption: The encryption component is designed to scramble the contents of a message. The contents are scrambled so that the message is indecipherable as it travels across the Internet but automatically unscrambled once it reaches its intended recipient.

Behind the scenes
To perform its duties, a digital ID relies on a pair of electronic keys: a private key and a public key. The sender uses one key, and the recipient uses the other. The owner of a digital ID uses the private key and shares the public key with people he or she wishes to securely communicate with.

The public key is used to encrypt messages, and the private key is used to decrypt messages. A message encrypted with a person's public key can be decrypted only with that same person's private key. For the digital signature, the roles are reversed: the sender signs with the private key, and the recipient checks the signature with the sender's public key. To see how these two keys work, let’s look at an example.

Suppose Richard wants to securely communicate with Jane. He creates a new message and uses his digital ID to apply a digital signature to the message. When he does so, his public key is automatically attached to the message.

When Jane receives the message, the digital signature assures her that the message is indeed from Richard. By virtue of receiving this digitally signed message, Jane now has access to Richard’s public key, which she can now use to send encrypted messages to Richard. When Jane sends an encrypted message to Richard, he’ll use his private key to decrypt the message.

If Jane wants to receive encrypted messages from Richard, she must have her own digital ID. She’ll send Richard a digitally signed message, which contains her public key. Then, Richard can use Jane’s public key to send her encrypted messages.
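The Richard and Jane exchange above, worked through in code. This is an added example, not part of the original article or of any Outlook Express component: it uses unpadded textbook RSA with two constructed keys built from the Mersenne primes 2^127-1 and 2^521-1 so that the arithmetic is verifiable without a key generator, and it stands in for the 2048-bit keys, padding and X.509 certificates that a real digital ID uses.

```python
import hashlib
from math import gcd

# Constructed toy key material (assumption, not real digital ID values):
# p and q are known Mersenne primes, chosen only so the RSA math is exact.
P = 2**127 - 1
Q = 2**521 - 1

def make_keypair(p=P, q=Q, e=65537):
    """Return (public_key, private_key), each as an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)

def _to_int(data: bytes) -> int:
    return int.from_bytes(data, "big")

def _to_bytes(value: int) -> bytes:
    # Note: a message starting with a zero byte would lose that byte here.
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

def sign(message: bytes, private_key) -> int:
    """Digital signature component: the sender signs a hash with the private key."""
    d, n = private_key
    return pow(_to_int(hashlib.sha256(message).digest()), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """The recipient checks the signature with the sender's public key; any change to the message fails."""
    e, n = public_key
    return pow(signature, e, n) == _to_int(hashlib.sha256(message).digest())

def encrypt(message: bytes, public_key) -> int:
    """Encryption component: scramble the message with the recipient's public key."""
    e, n = public_key
    m = _to_int(message)
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the matching private key can unscramble the message."""
    d, n = private_key
    return _to_bytes(pow(ciphertext, d, n))

def exchange():
    """Richard signs a message (his public key travels with it); Jane verifies it and encrypts a reply to him."""
    richard_pub, richard_priv = make_keypair()
    msg = b"Hi Jane, this message carries my digital ID."
    sig = sign(msg, richard_priv)
    # Jane receives (msg, sig, richard_pub) and now holds Richard's public key.
    signed_ok = verify(msg, sig, richard_pub)
    tampered_ok = verify(msg + b"!", sig, richard_pub)
    reply = b"Thanks Richard, contract attached."
    reply_ok = decrypt(encrypt(reply, richard_pub), richard_priv) == reply
    return signed_ok, tampered_ok, reply_ok
```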

Obtaining a digital ID
Let’s take a look at how you go about obtaining a digital ID for a user from within a popular e-mail program such as Outlook Express. To get started, select Tools | Options. In the Options dialog box, select the Security tab and click the Get Digital ID button in the Secure Mail section. Internet Explorer will open and take you to the Where To Get Your Digital ID page on the Microsoft Office Assistance Center Web site. Here, you’ll find links to four certification authorities (CAs) that issue digital IDs: VeriSign, GlobalSign, British Telecommunications, and Thawte Certification. Since VeriSign is Microsoft’s preferred CA (and the cost and volume leader), I’ll show you how to obtain a digital ID from VeriSign and then use it as an example throughout the rest of this article.

Keep in mind that while the procedure for signing up and receiving a digital ID from another CA will be different, using it in Outlook Express will basically be the same.

When you click the VeriSign link, you’ll be taken to the Digital ID Center page on VeriSign’s Web site. You’ll have a choice of purchasing a one-year digital ID account or signing up for a 60-day free trial. Either way, you’ll then begin a four-step enrollment procedure.

On the Step 1 page, you’ll be prompted to complete the form with the requested information, which includes your user’s name and e-mail address. As you’re filling in the form, go with the default cryptographic service, Microsoft Enhanced Cryptographic Provider v1.0. You should also consider choosing the Additional Security For Your Digital ID check box. This additional security is designed to help users protect their private keys by requiring a confirmation each time they use their digital ID. Three levels of security are available: The High setting will require users to enter a password each time they use the digital ID. The Medium setting will simply display a confirmation dialog box every time they use the digital ID. The Low setting doesn’t display any confirmation when users employ the digital ID.

If you leave the Additional Security For Your Digital ID check box blank, the Low setting is selected by default. If you select the check box, users will have the opportunity to choose either the High or Medium setting a little later in the enrollment procedure.

Once you complete the form, you’ll be prompted to confirm the users' e-mail address. If you selected the Additional Security check box, you’ll see the Creating A New RSA Exchange Key dialog box, shown in Figure A. Click the Set Security Level button to set the security level, as shown in Figure B. If you left the Additional Security check box blank, you’ll immediately be taken to the next page in the enrollment form.

Figure A
If you choose additional security for the digital ID, you'll be prompted to select a security level.

Figure B
While the Medium security level setting is the default when the Additional Security box is checked, you may want to use the High setting to password-protect the use of the digital ID.

Once you complete the security level configuration, you’ll see the Digital ID Services Step 2 page, which will inform you that, within the hour, users will receive an e-mail message from the VeriSign Digital ID Center with instructions for installing their digital ID.

Installing the digital ID in Outlook Express
When your user receives a message from the VeriSign Digital ID Center, he or she will see that it’s an HTML-based e-mail message with a prompt to click the Continue button to proceed with the digital ID installation. However, I’ve discovered that clicking the button yields an error page.

The alternative is to have users scroll to the bottom of the page, where they’ll find their PIN number and a link to the Step 3 page. They can highlight and copy their PIN number to the clipboard and then click the link.

Once users arrive at the Step 3 page, they’ll paste their PIN number in the appropriate text box and click the Submit button. They’ll then see the Step 4 page, where they’ll be informed that their digital ID has been created and prompted to click the Install button.

Next, users will see a page that contains instructions for associating their digital ID with their e-mail account. Unfortunately, these instructions are a bit outdated, so if they’re using Outlook Express 5.x or 6.0, they’ll need to disregard them and use the following instructions.

Your users will begin by selecting Accounts from the Tools menu and then clicking the Mail tab in the Accounts dialog box. Next, have them double-click their e-mail account to open the Properties dialog box and select the Security tab, as shown in Figure C.

Figure C
Your users will associate their digital IDs to their e-mail account from the Security tab of their e-mail account's Properties dialog box.

At this point, your users will actually be setting up the two digital ID components I mentioned earlier—the digital signature and the encryption routine—by clicking the respective Select buttons. When they do so, they’ll see the Select Default Account Digital ID dialog box, as shown in Figure D. To continue, have them select their newly installed digital ID and click OK.

Figure D
While selecting a digital ID, your users can click the View Certificate button to see the contents of their digital ID.

After they select both Digital ID components, have your users click OK to close their e-mail account Properties dialog box and then close the Account dialog box.

Sending messages with a digital ID
Once your users finish associating their digital ID with their e-mail account, they’re ready to begin using their digital ID. As I mentioned earlier, if they want to establish a secure communication channel between themselves and a colleague, both need to obtain a digital ID and swap public keys.

To begin the procedure, users will create an e-mail message to a colleague, as usual. Then, before they send the message, they’ll click the Digitally Sign Message icon on the toolbar or select the Digitally Sign command from the Tools menu. When they do, they’ll see the digital signature icon appear adjacent to the From field, as shown in Figure E.

Figure E
If you chose to use additional security with users' digital IDs, they will see the appropriate confirmation dialog box when they click the Send button.

Receiving messages signed with a digital ID
When users receive messages that have been signed with a Digital ID, they’ll see the digital signature icon on the e-mail icon in their Inbox. When they open the message, they’ll initially see a Help screen in the e-mail message body informing them that they have received a digitally signed message. They’ll have to click the Continue button to read the contents of the message.

By virtue of receiving a digitally signed message, users will have access to the sender’s public key, which they can then use to send encrypted messages back to the sender. The users will first have to save the public key to the sender’s entry in the users' Address Book. Have them open the digitally signed message and click the digital signature icon. When they see the This Is A Digitally Signed Message dialog box, they’ll click the View Certificates button. Then, in the View Certificates dialog box, shown in Figure F, they’ll click the Add To Address Book button. They’ll then see a confirmation message that the digital ID was added to the users' Address Book.

Figure F
Before they can use a public key to send encrypted messages, users need to add the digital ID to their Address Books.

Sending encrypted messages with a digital ID
Once a user has added the colleague’s public key to his or her Address Book, he or she can send encrypted messages to the colleague. To do so, have them create the message and address it to their colleague as they normally would. Then, users either click the Encrypt Message icon on the toolbar or select the Encrypt command from the Tools menu. When they do, they’ll see the encryption icon, a blue padlock, appear adjacent to the From field in the e-mail message.

In addition to encrypting the message, they can also digitally sign the message by clicking the Digitally Sign Message icon on the toolbar or selecting the Digitally Sign command from the Tools menu.

Receiving encrypted messages
Once a user has sent someone his or her public key, the person who received it can use the key to send the user an encrypted message. When the encrypted message arrives, the user will see the encryption icon on the e-mail icon in the Inbox. When the user opens the message, he or she will either see the message or will be prompted to confirm the use of his or her digital ID, depending on what level of security was used for the digital ID. If the user has a colleague's public key, he or she can send an encrypted reply simply by clicking the Reply To Sender button.

With Internet security concerns on the rise, you may want to consider having your users employ a digital ID to protect their confidential e-mail as it travels across the Internet. Digital IDs provide a secure, two-way communication channel between trusted parties and use encryption to diminish security risks.


Greg Shultz is a freelance Technical Writer. Previously, he has worked as a Documentation Specialist in the software industry, a Technical Support Specialist in the educational industry, and a Technical Journalist in the computer publishing industry.
