Within earlier versions of Exchange Server, Microsoft enabled S/MIME Security using MAPI clients, but did not recognize that Outlook Web Access became more and more interesting for business use. So with Exchange Server 2003, Microsoft implemented this feature with Outlook Web Access too.
Basics of Email encryption and Email signing
The technique of S/MIME relies on complex algorithms that create the appropriate key pair:
- The public key
- The private key
This key pair needs to be available if any encryption or signing is being used. If one is missing, you won’t be able to use the corresponding key anymore.
The public key has to be published, the private key can be compared with your identity card or your driving license, it declares your digital identity.
Email Encryption
When you try to secure email to make sure that no one can read the SMTP packages on its way from sender to recipient you will have to encrypt them.
This feature works the following way:
- The messaging platform looks for the public key of the recipient
- It now encrypts the message using this public key
- The message is now being delivered to the target system
- If the recipient tries to open the message his system will have to own his private key to be able to decrypt the message
Email Signature
When you want to use the digital signature you have to make sure that the recipient can recognize that you yourself wrote this email and not anyone else. In addition, you can be sure that the email has not been changed during its way.
Email Signing works the following way:
- The messaging platform looks for the private key of the sender
- It now hashes the message and then encrypts this fingerprint with this private key
- The message is now being delivered to the target system
- If the recipient tries to open the message his system will have to be able to access the recipient’s public key
- If now hashes the message again, decrypts the fingerprint using the public key
- If the sender’s and recipient’s fingerprint are the same you can be sure that the message was originally sent from the sender and has not been changed in between
Configuring Outlook Web Access 2003 for S/MIME Security
With Exchange Server 2003, Microsoft added the S/MIME feature to Outlook Web Access using a control. It relies on the interaction of the Web browser and the Exchange server to provide full functionality. This functionality differs from Outlook Web Access without the S/MIME control because this control provides a fully functional S/MIME email client. It is designed to integrate seamlessly with Microsoft Internet Explorer 6.x or later. The control itself is a Common Object Model (COM) object that also uses dynamic HTML (DHTML) to support the basic message security services. It controls all access to any certificates required for S/MIME security.
To install Outlook Web Access with the S/MIME control using the download, the users must have administrative privileges to install the control itself on his workstation.
These are the steps in details to install the control:
- Use a computer running Windows 2000 or later with Internet Explorer 6 or later and log on to Outlook Web Access.
- In OWA click Options in the navigation pane.
- Under Email-Security click Download
- Install the control on your local machine.
Figure 1: Download and install the S/MIME Control
After a successful installation, you can now configure the general options for digital signing and signature.
Figure 2: General Settings for Encryption and Signature
To digitally sign an or encrypt any messages from now on in Outlook Web Access you will have use the following two new buttons:
Figure 3: Setting Email security individually
If you want you can configure digital signature and encryption by default, you can find these settings on the options page of Outlook Web Access.
To configure the behaviour of the Outlook Web Access S/MIME Control itself, you should have a look at the Exchange Server Message Security Guide, which can be found at:
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exmessec.mspx
Troubleshooting S/MIME Security
In general there won’t be any deep problems when configuring S/MIME security with Outlook Web Access. S/MIME is a default feature with all well-known messaging platforms and therefore your architecture design will be the problem itself in most times.
If S/MIME does not work properly you should check whether your certificate chain is configured properly and that all certificates are available as needed and that they are being trusted. This can be done by having a close look into the certificate store of each machine in the configuration chain.
If there are still problems, you should check whether your infrastructure is working without any problems not using S/MIME just using unencrypted and unsigned transfers.
Conclusion
As described in the chapters above, you can see that configuring S/MIME security is no real big problem. You just have to configure S/MIME as stated in the step-by-step guide above and should make sure that all certificates are valid.
S/MIME is a good security feature and will grow within the near future due to security risks and other problems. But if you think of virus scanning you should have to rethink your virus scanning infrastructure, because as of today nearly none of the virus scanning engines is able to scan secure email. This is due to the design of email security itself and can only be changed if you are implementing a second key into each package to be able to scan it properly.
For further information regarding this topic please do not hesitate to contact me.
