COMP3371 Practical Session 4 – The PKI & Secure Email
The purpose of this session is to demonstrate how you can actually try out the PKI (Public Key Infrastructure) and Verisign’s role in supporting it. You will then be able to download and install software from the Verisign website that will associate a digital ID with your email address.
You can then use the digital certificate to encrypt your email messages and send a “freebie” digital ID to assist with decryption, when using email client software such as Outlook Express or Mozilla Thunderbird.
You can then make your private key available to selected email addresses, so that other people can read your email and send secure email back to you. The ID will only be valid for a short time period, so you are recommended to use it as much as possible before it expires.
Advantages of a digital certificate (or digital ID – essentially the same thing!) include:
· Guaranteeing your identity to a remote computer
· Ensure email came from sender
· Protect email from tampering
· Ensuring that contents of email messages cannot be viewed by others
Exercise 4(a): The Verisign Digital-ID Repository
This provides access to all the stored information about the various digital IDs that the PKI provides. This was previously managed by Verisign but now is part of Symantec:
http://www.symantec.com
Take a quick look at the relevant sections, and then go to this link:
https://ibm-enroll.verisign.com/client/search.htm
This will provide information about digital IDs that have been previously allocated. Put in an email address, and see what happens…
The rest of the session will focus on creating your own digital ID based on an email address that doesn’t already have a digital ID, which will be free for you to use for a short period of time (25 days).
Exercise 4(b): Setting up an email client to send and receive email (optional)
To set up a digital ID based on email address, a computer with an email client such as Outlook is required. These applications both integrate reasonably seamlessly with The PKI.
The University of Worcester Internet firewall (like many organisational networks!) is configured to filter out SMTP and POP3 data.
We therefore don’t have the luxury of being able at access a POP3 or SMTP server, and so the only option for students from within the university is to use TCP port 80 to send and receive data.
You will therefore, have to use a local Outlook client.
1. Start up Outlook
2. Follow the wizard to set up an email client manually
3. Add a suitable email name for yourself – default may be OK
4. Add a screen name, and let Outlook set your client up.
5. Click again when finished (three green ticks).
6. You now need to create your digital ID, and associate it with your email settings. You have only configured Outlook for this machine, and in any case all the settings will be lost when you log out.
If you don’t want to lose your private key, it might be better to use your own laptop or tablet machine. You should already have Outlook set up on that machine. If not, you’ll need to set it up first…
If you don’t have a laptop with you, you can wait and do this at home.
Otherwise, let’s proceed to the next stage…
Exercise 4(c): Getting a Digital ID (on your own computer…)
This is another exercise that you can only complete on your own computer, but you can get the process started on the university desktops with steps 1 and 2...
1. Go to http://www.symantec.com/en/uk/digital-id/
It generally requires an annual fee to obtain a digital ID from Symantec or anyone else. However, it is possible to get a 25-day trial ID via this URL.
2. Click on “buy now”, and choose the “free” option. Type in the email address you wish to associate when prompted and click on Submit.
3. Note that the window now shows https, not http. What does that mean?
Click Yes on the user agreement. The rest of the process will follow from instructions sent to your email address. This will happen in two stages.
4. You will need to follow the rest of the four step process on the screen to get a digital certificate:
Step 2 – Check your email inbox. When (if – you may be rejected!!!) it comes through, the message should provide instructions for step 3… DON’T! NOT YET!)
Step 3 – (DON’T DO THIS UNTIL YOU HAVE ACCESS TO YOUR OWN EMAIL CLIENT!) Then, follow the instructions – go to the required URL and paste your ID into the box
Step 4 – (Again, DON’T DO THIS UNTIL YOU HAVE ACCESS TO YOUR OWN EMAIL CLIENT!) Click on install to download the digital certificate to your Outlook set up (will be automatically saved – probably as a .p7c file)
5. Now follow the instructions to associate the digital ID with your email account (Tools/Accounts/Properties/Securities in Outlook Express)
6. Click on Use digital ID, then highlight the ID itself and click OK. The Digital ID will now be associated with the email account.
7. Wait (several minutes…) to receive a “welcome” email message from Symantec, which will give you information on how to use your new digital certificate.
Exercise 4(d): Using email securely with a digital ID (as Ex 4©)
Believe it or not, your private key and digital signature are now held with your Outlook settings as a file with the suffix .cer. Your public key is held within the Verisign digital-ID database, which is publicly available from the IBM-Verisign website.
1. Once you are sure that your digital ID has been installed, attempt to send a short encrypted and digitally signed email to one of the students in your address book (you need to find and click on the relevant “digitally sign” and “encrypt” buttons before clicking the send button).
2. You will probably get a message telling you that you can either send it unencrypted, or have to cancel the send altogether.
This is because the remote email address has not been associated with your public key. They would not be able to read the encrypted mail, because they would have no means of getting access to your public key. Unless Verisign have your permission to make your public key available to that email address, you will not be allowed to send it encrypted.
3. Contact Verisign again at:
https://ibm-enroll.verisign.com/client/search.htm
4. At the input form, type in the email address or name of another student/person who you know has recently (or perhaps not so recently) applied for a digital certificate.
5. If the certificate is found, and not expired (only 25 days, then payment is required), download it, and install it with the student email address in your email address book.
6. Now try again to send the digitally signed and encrypted message. This time, you should be successful.
7. Once another student has obtained a digital certificate, download their public key from the Verisign site into your address book. You now should be ready to receive secure communication from them via the Internet!
Exercise 4(e): Replying to encrypted email securely using the senders digital certificate
When you receive an encrypted email, it will arrive with the sender’s digital certificate. You can add this to your contacts list.
Then, when you wish to send them an email, use the address book. Their email address in the contacts list will already have their digital certificate attached. You just select the email address, and send….
Now you try it!
RCH15 5