Secure Email with Verisign Digital ID
- With a digital certificate, we can sign and encrypt email for authentication and confidentiality.
- Verisign provides a 60-day trial of their Digital IDs for Secure Email. The paid version is $19.95 per year with $1000 protection against economic loss caused by corruption, loss, or misuse of your Digital ID.
- Here are the four steps for requesting and setting up a digital certificate:
- Step 1. Click "Buy Now" at http://www.verisign.com/products-services/security-services/pki/pki-application/email-digital-id/page_dev004002.html for the trial edition.
  - Select the specific browser (IE or Netscape) to generate the certificate request.
  - Fill in the enrollment form information for the digital ID.
  - Choose the 60-day trial instead of paying with a credit card.
  - Select "check this box to protect your private key".
  - Choose and hit "accept" to accept the subscriber agreement and privacy policy.
  - Accept to allow the private key and certificate request program to run.
  - Confirm the email address.
  - Confirm to run the private key/certificate generation script.
  - When prompted with "Creating a new RSA exchange key", select OK.
  - The certificate request is then sent to https://digitalid.verisign.com/cgi-bin/sophia.exe.
- Step 2. An email with a PIN number will be sent to your mailbox.
- Step 3. Pick up the signed certificate at the Verisign site using the PIN number.
- Step 4. The web page shows the subject fields of the digital ID; click the "Install" button to install the certificate in the browser.
- Note that to encrypt email we need the public key, i.e. the certificate, of the receiver. We can ask the receiver to send us a signed email (plain text with a signed hash and the certificate attached, but without encryption).
- First send me a signed email with your certificate attached by setting the proper options in your Outlook as follows:
  - Select the Tools | Options menu and the "Security" tab; the following dialog window appears:
    - Check "Add digital signature to outgoing messages".
    - Check "Send clear text signed message when sending signed messages".
    - Uncheck "Encrypt contents and attachments for outgoing messages".
  - Hit "Settings..." and the "Change Security Settings" dialog window appears:
    - If you have multiple digital certificates, use the "Choose..." button to the right of the "Signing Certificate" section to choose the Verisign digital ID. Same for the Encryption Certificate.
    - Note that the default Hash Algorithm is SHA1 and the Encryption Algorithm is 3DES. I did not see an AES choice here.
    - Leave the "Send these certificates with signed messages" option checked. We need to provide the receiver with the public key through the attached certificate.
  - Hit OK to close both dialog windows.
- Email me a simple message with the subject "CS691: Here is my signed email". In the main body, identify who you are.
- I will reply with a signed email carrying my digital certificate.
- You should see the following email with the digital ID ribbon symbol in Outlook. Click the ribbon symbol; Outlook will show the details of the message's security properties.
- Now that you have my public key, set your Outlook to send me an encrypted message:
  - Select the Tools | Options menu, select the "Security" tab, and check the "Encrypt contents and attachments for outgoing messages" option.
- Reply to my signed email with an encrypted email. Note that the received encrypted email will have a lock symbol similar to the following:
- If you read the email using the CS Unix webmail program, you will see the following: the mail body is sent as an attachment in .p7m format, and it is encrypted. Our squirrel webmail does not seem to support the signed/encrypted email feature. You need to use other tools to decrypt the received email.
- Read Don Davis' paper "Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML" to understand the surreptitious forwarding attack against the simple sign-and-encrypt scheme and how it can be repaired: http://www.comms.scitech.susx.ac.uk/fft/crypto/sign_encrypt7.pdf
- Note that AIM 5.2 and above support encrypted instant messaging using a Verisign digital ID.
- Note that besides asking a receiver to send a signed email with their certificate, you can also search for their certificate on the Verisign site: https://digitalid.verisign.com/services/client/index.html and download it as a .p7c file.
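Added example, not part of the original page: the same sign-then-encrypt exchange done with openssl's smime subcommand, so that the .p7m attachment and .p7c certificate files mentioned above can be handled outside Outlook, together with the check against the surreptitious forwarding attack described in the Davis paper. Self-signed certificates stand in for Verisign-issued Digital IDs, trust is placed directly in the sender's certificate instead of a CA chain, and the names and addresses (alice, bob, charlie at example.invalid) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the page's own material): S/MIME sign-then-encrypt with
# openssl, plus the recipient check that defeats surreptitious forwarding.
# Self-signed certificates stand in for CA-issued Digital IDs; all names are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Key pair and self-signed certificate for one user (stand-in for a Verisign Digital ID).
mkid() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1/emailAddress=$1@example.invalid" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Sender side: clear-sign (multipart/signed with the certificate included, like
# Outlook's "send clear text signed message" option), then encrypt to the recipient.
# The intended recipient is written INSIDE the signed text: that is Davis' repair,
# because the outer envelope headers are not covered by the signature.
send() { # $1 sender  $2 recipient  $3 message body file  $4 output .p7m
  { printf 'To: %s@example.invalid\n\n' "$2"; cat "$3"; } > "$1.to.$2.txt"
  openssl smime -sign -text -in "$1.to.$2.txt" \
    -signer "$1.crt" -inkey "$1.key" -out "$1.to.$2.signed"
  openssl smime -encrypt -aes256 -in "$1.to.$2.signed" -out "$4" "$2.crt"
}

# Receiver side: decrypt the .p7m, verify the signature against the trusted signer
# certificate, save the signer's certificate, and succeed only if the signed text
# names ME as the recipient (a valid signature alone is not enough).
receive() { # $1 me  $2 .p7m file  $3 trusted signer certificate
  openssl smime -decrypt -in "$2" -recip "$1.crt" -inkey "$1.key" -out "$1.inner"
  openssl smime -verify -text -in "$1.inner" -CAfile "$3" \
    -signer "$1.signer.crt" -out "$1.plain" 2>/dev/null
  grep -q "^To: $1@example.invalid" "$1.plain"
}

# Common name of a signer, read from the certificate saved by receive().
signer_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *\([^,/]*\).*/\1/'; }

# Pull the sender's certificate out of a clear-signed message, the way the page
# suggests obtaining a correspondent's public key. A .p7c downloaded from the
# directory is read the same way: openssl pkcs7 -inform DER -in file.p7c -print_certs
extract_cert() { openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs -out "$2"; }

mkid alice; mkid bob; mkid charlie
printf 'Here is my signed email.\n' > body.txt

# Legitimate delivery: Alice -> Bob.
send alice bob body.txt to_bob.p7m
receive bob to_bob.p7m alice.crt && echo "bob: accepted mail signed by $(signer_cn bob.signer.crt)"

# Surreptitious forwarding: Bob re-encrypts Alice's still-signed text to Charlie.
openssl smime -encrypt -aes256 -in bob.inner -out to_charlie.p7m charlie.crt
if receive charlie to_charlie.p7m alice.crt; then
  echo "charlie: accepted (should not happen)"
else
  echo "charlie: signature by $(signer_cn charlie.signer.crt) verifies, but the signed text is addressed to someone else; rejected"
fi
```

Charlie's verification of Alice's signature succeeds, which is exactly the problem Davis describes; only the recipient line carried inside the signed text exposes the forwarding. In Outlook the equivalent habit is to name the intended recipient in the signed body, since the To: header of the message is outside the signature.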