Fw: Re: using certificates in Outlook for encryption

From: Justin Roysdon (justin.web_at_roysdon.net)
Date: 04/18/05

To: focus-ms@securityfocus.com
Date: Mon, 18 Apr 2005 08:46:39 -0700

         Couldn't a person simply use your public key to decrypt the hash, modify
    the message, and then sign it with a forged private key and include the
    forged version of the public key? How does this provide non-repudiation?
         If you send the public key in the same message, doesn't that lessen the
    effectiveness? This seems like a ridiculous waste of time. The only way
    this could be effective is if the recipient already had your public key or
    gained it from another trusted source AND could recognise a forgery.

    Crypt0 G33k
         

    ---------- Forwarded Message -----------
    From: Rod Dickerson <rod@dickersonbiz.com>
    To: focus-ms@securityfocus.com
    Sent: Fri, 15 Apr 2005 14:16:31 -0400
    Subject: Re: using certificates in Outlook for encryption

    It seems there are a few things being misunderstood in this thread. Of
    course, I may be one of those misunderstanding, so let me try to
    clarify. You have 2 ways to use certificates with email, including
    Outlook. One is to encrypt, the other is to sign. You (and for
    encryption, the recipient) must have a certificate which includes a
    private and a public key. To encrypt mail to someone else, you must
    have their public key. The message can only be decrypted by using the
    recipient's private key. While this does provide privacy (encryption),
    it does not provide non-repudiation. To achieve non-repudiation, you
    would then digitally sign the encrypted message with your private key.
    The digital signature is a hash (md5, sha1, etc) of the message, and
    the hash is then encrypted using your private key. The message will
    also contain your public key, which can be used to decrypt the hash
    once it is received. The recipient software will then hash the message
    and compare the 2 hashes. If they match, the message has not changed
    and it had to come from you (provided you protect your private key).

    So, to get someone your public key you can send them a signed message.
    Then they can save your public key in their outlook contact list and in
    turn send you an encrypted message. I have found that Outlook doesn't
    always look up the recipient's public key, but having it in the contact
    list always works. This may be a specific issue with my site, others
    may have had better luck. There is an option in Outlook to publish your
    public key to the GAL, but again I have not had predictable results.
    This is the correct way to do it, so like I said there may be problems
    with my config. Anyway, this is how PKI mail encryption and signatures
    work, if you were interested. Hope this helps. --Rod

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    ------- End of Forwarded Message -------
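The two checks discussed above, as an added example that is not part of either message in this thread: a signature verified against the key that travelled with the mail only proves the body matches that key, while a signature verified against a key the recipient already holds (saved contact, GAL, CA-validated certificate) is what ties the message to the sender. `SignedMail`, `Sign`, `VerifyEmbedded` and `VerifyTrusted` are hypothetical names; the Go standard library's RSA PKCS#1 v1.5 signing stands in for S/MIME.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMail is a hypothetical stand-in for a signed S/MIME message: the body,
// a signature over its hash, and the sender's public key carried alongside.
type SignedMail struct {
	Body      []byte
	Signature []byte
	PubKey    *rsa.PublicKey
}

// Sign hashes the body and signs the hash with the sender's private key.
func Sign(priv *rsa.PrivateKey, body []byte) (SignedMail, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedMail{}, err
	}
	return SignedMail{Body: body, Signature: sig, PubKey: &priv.PublicKey}, nil
}

func verify(pub *rsa.PublicKey, body, sig []byte) bool {
	digest := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// VerifyEmbedded trusts whatever key travelled with the mail: it only proves
// the body matches the signature, not who made the key.
func VerifyEmbedded(m SignedMail) bool { return verify(m.PubKey, m.Body, m.Signature) }

// VerifyTrusted checks against a key obtained out of band (saved contact entry,
// GAL, or CA-validated certificate); this is what gives non-repudiation.
func VerifyTrusted(trusted *rsa.PublicKey, m SignedMail) bool {
	return verify(trusted, m.Body, m.Signature)
}

func main() {
	rod, _ := rsa.GenerateKey(rand.Reader, 2048)   // legitimate sender's key
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key
	genuine, _ := Sign(rod, []byte("pay vendor A"))      // constructed sample body
	resigned, _ := Sign(other, []byte("pay vendor B"))   // altered body, other key
	fmt.Println(VerifyEmbedded(genuine), VerifyEmbedded(resigned)) // true true
	fmt.Println(VerifyTrusted(&rod.PublicKey, genuine), VerifyTrusted(&rod.PublicKey, resigned)) // true false
}
```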
