Using AR’s MiniKey with Microsoft Outlook and Outlook Express

Version: 1.0, 12 June 2002

Written by: Harel Moshe ©2002 Algorithmic-Research LTD. Commercial-in-con

Contents

1. Definitions ..... 3
2. Introduction ..... 4
3. Preliminary Requirements ..... 6
   3.1 Client Hardware Requirements ..... 6
   3.2 Client Software Requirements ..... 6
   3.3 Network Requirements ..... 6
4. How to Install and Configure Secure E-mail ..... 7
   4.1 Personal Online Certification ..... 7
   4.2 Offline Certification ..... 7
   4.3 Install AR MiniKey’s drivers & utilities ..... 8
   4.4 Initialize the MiniKey ..... 11
   4.5 Set the MiniKey as the default token ..... 12
   4.6 Generate RSA keys and obtain a certificate for the client ..... 13
   4.7 Import the root certificate of the CA ..... 14
   4.8 View the contents of the MiniKey ..... 18
5. Working with Microsoft Outlook ..... 20
   5.1 Configure Microsoft Outlook ..... 20
   5.2 Receiving Certificates of Other People ..... 23
      5.2.1 Importing other person’s certificate from a File ..... 23
      5.2.2 Importing other person’s certificate from a Signed Message ..... 26
   5.3 Sending Signed E-mail Messages ..... 28
   5.4 Sending and Receiving Encrypted E-mail Messages ..... 30
   5.5 Receiving Signed E-mail Messages ..... 31
6. Working with Outlook Express ..... 33
   6.1 Associate your certificate with an e-mail account ..... 33
   6.2 Set the Default Security Setting for Outlook Express ..... 35
   6.3 Receiving Certificates of Other People ..... 37
   6.4 Sending and Receiving Signed E-mail Messages ..... 39
   6.5 Sending and Receiving Encrypted E-mail Messages ..... 40
   6.6 Sending a Signed & Encrypted Message ..... 41

V 1.0

Page 2 of 41

1. Definitions

The following table prescribes a common understanding of the terms and abbreviations used throughout this document.

Term     Meaning
AR       Algorithmic Research Ltd.
CA       Certificate Authority
CAPI     Cryptographic Application Programming Interface
CRL      Certificate Revocation List
IKE      Internet Key Exchange
PIN      Personal Identification Number
PKI      Public Key Infrastructure
S/MIME   Secure/Multipurpose Internet Mail Extensions
SSL      Secure Sockets Layer
USB      Universal Serial Bus

2. Introduction

As the use of e-mail and electronic commerce becomes more widely adopted, the amount of confidential information exchanged over the Internet is growing rapidly. As a result, there is a growing need to increase the security and privacy of e-mail messages. Microsoft Outlook and Outlook Express include tools for ensuring your privacy by enabling you to send and receive secure e-mail messages. Secure e-mail protects your Internet communications through both digital signatures and encryption:

• Using digital signatures, you can sign your e-mail messages with a unique ID that assures the person receiving the message that you are the true sender of the message and that it has not been tampered with during transit.

• Encrypting e-mail messages that are being sent ensures that no one except the intended recipient can read the contents of the message while in transit.

To use secure e-mail you need a certificate (Digital ID) that provides a means of proving your identity. Certificates enable you to sign your e-mail messages, so that intended recipients can confirm that the message actually came from you and has not been tampered with. They also allow other people to send you encrypted messages. The digital certificate is composed of a public key, a private key, and other identification information. The digital certificate may also include your e-mail address so that Outlook can use it for sending digitally signed e-mails. You can obtain your certificate from a certificate authority (CA), an organization responsible for issuing certificates and for continuously verifying their validity. When you send your certificate to others, you are actually giving them your public key. In order to send you encrypted mail, others must have your public key. When a person sends you e-mail encrypted with your public key, only you can read the message, because your private key is required to decrypt it. Because Outlook uses the Secure/Multipurpose Internet Mail Extensions (S/MIME) standard, other people can read secure e-mail messages that you compose using programs that support this standard. Likewise, you can read messages composed by other people by using e-mail programs that support S/MIME.

AR’s MiniKey is a portable, personal USB token that allows users to conveniently manage their keys and certificates. When plugged in, the MiniKey enables strong identification, authentication and encryption for all Internet, Intranet, Extranet and Web-based applications. With a powerful Smartcard chip inside, the MiniKey is actually a Smartcard that eliminates the need for a reader.

MiniKeys are ideal for storing signing and encryption keys and X.509 certificates, and for creating and verifying electronic signatures, facilitating e-commerce, e-shopping and more. MiniKey is perfect for enabling public key technologies such as S/MIME, SSL and IKE. It is supplied with CAPI software, allowing its easy integration with MS CAPI-based applications such as Microsoft Outlook and Outlook Express. This manual describes the steps you have to follow in order to secure your e-mail when working with Microsoft Outlook and Outlook Express.

3. Preliminary Requirements

Following is a list of preliminary requirements for using AR MiniKey with Microsoft Outlook and Outlook Express.

3.1 Client Hardware Requirements

• Standard USB port
• AR MiniKey token

3.2 Client Software Requirements

• Operating system: Windows 98, ME, NT Service Pack 6, 2000 or XP
• Microsoft Outlook and/or Outlook Express
• MiniKey installation CD

3.3 Network Requirements

• For online certification, the client must be able to communicate with a certification authority (CA) for certificate enrollment.

4. How to Install and Configure Secure E-mail

Before you can send signed and encrypted e-mail messages, you must obtain a MiniKey holding a certificate and a pair of RSA keys. This process is called enrollment. This document describes two enrollment methods:

• Personal Online Certification, where the client connects to the CA through a Web page, fills in an enrollment form, generates keys and receives a certificate from the CA.
• Centralized (Offline) Certification, where an Enrollment Agent prepares the MiniKeys with the certificates for all users and then distributes them manually.

4.1 Personal Online Certification

If your organization selects this method of enrollment, please follow the steps below:

• Install AR MiniKey’s drivers & utilities (Cryptokit) (Sec 4.3)
• Initialize the MiniKey (Sec 4.4)
• Select the MiniKey as the default token (Sec 4.5)
• Generate RSA keys and obtain a certificate from the CA of the organization (Sec 4.6)
• View the contents of the MiniKey (Sec 4.8)
• Configure Microsoft Outlook (Sec 5) and/or Outlook Express (Sec 6).

4.2 Offline Certification

If your organization chooses this method of enrollment, please follow the steps below:

• Install AR MiniKey’s drivers & utilities (Cryptokit) (Sec 4.3)
• Select the MiniKey as the default token (Sec 4.5)
• Import the root certificate of the CA (Sec 4.7)
• View the contents of the MiniKey (Sec 4.8)
• Configure Microsoft Outlook (Sec 5) and/or Outlook Express (Sec 6).

4.3 Install AR MiniKey’s drivers & utilities

The client must install the MiniKey’s drivers and utility programs (Cryptokit) on his computer. To install Cryptokit, run the setup program from the installation CD. Press the “Next” button on the Welcome screen.

Press the “Yes” button on the License Agreement screen.

Select the installation directory, and then press the “Next” button.

In the component selection, select MiniKey and CAPI and press the “Next” button to start copying the files.

When the installation is completed, the Finish window is displayed.

Press the “Finish” button to complete the installation. At this point you will be asked to insert the MiniKey into the USB port of the computer. The operating system will recognize the new device and install its drivers.

Note: NT 4.0 users must plug in the MiniKey during the installation in order for the operating system to recognize it, or reboot after installation while it is inserted. The default password that protects your MiniKey is 12345678. It is recommended to change it.

4.4 Initialize the MiniKey

Note: Run this step only when your organization uses Personal Online Certification and your token is empty.

Before using the MiniKey for the first time it has to be initialized with the “Token Initialization Utility”. All previous information on the token will be erased. To run this utility, select “Token Initialization” from the Cryptokit menu, or right-click the “AR Certificate Manager” icon in the system tray and select “Init Token”.

The “Token Initialization Utility” screen displays a list of all tokens currently installed on the computer. A plus sign [+] indicates that the token is present.

To initialize the MiniKey:

• Insert the MiniKey into the USB port.
• In the “Installed devices list”, click on the USB port (marked by +) with the MiniKey inserted.
• Click the Initialize button.
• Enter the password for the MiniKey (minimum 6, maximum 55 alphanumeric characters) and confirm it.
• Wait until the initialization process is finished.

4.5 Set the MiniKey as the default token

• Open AR “Certificate Manager” by selecting it from the Cryptokit menu, or right-click the “AR Certificate Manager” icon in the system tray and select “Select Slot”.
• The “Select Slot” window opens and displays all the slots that are installed on the computer. Verify that the selected slot (default slot) is the USB port with the MiniKey inserted and press the Select button.

4.6 Generate RSA keys and obtain a certificate for the client

Note: Run this step only when your organization uses Personal Online Certification and your token is initialized.

The client has to generate a pair of RSA private/public keys on the MiniKey and obtain a certificate from the CA by:

• Filling in an enrollment form by means of a Web browser.
• Generating a pair of RSA keys on the token.
• Generating a PKCS #10 certificate request and sending it to the CA.
• Accepting the certificate that has been generated by the CA.
• Storing the certificate on the token.

Note: The AR MiniKey may hold up to 6 sets of private key/public key/certificate objects. Each set may be used for authentication or encryption with a different application.

Please follow the instructions below to generate the keys and certificate by using a Web form:

• Open a Web browser and enter the enrollment page of the organization’s CA.
• Fill in the enrollment form.
• In the enrollment form you should specify the key usage. Make sure to mark “E-mail protection”.
• Press the Submit button in the enrollment page.
• Enter the PIN of the MiniKey.
• At this stage, the light on the MiniKey starts blinking. The RSA private and public keys are generated on the MiniKey. This may take about 30 seconds. When the process finishes, the public key is sent to the CA.
• As a response, the CA generates a certificate and the Web browser displays a new screen where you are asked whether or not to “Install the Certificate” on the token.
• Press “Install the Certificate” to copy it into the MiniKey.

Note: The process of enrollment may differ from one CA to another. Please consult your network administrator for additional details.

4.7 Import the root certificate of the CA

Note: Run this step only when your organization uses Offline Certification.

In order for your certificate to be valid, the root certificate of the CA has to be imported into the “Trusted Root Certificate Store”. This is done automatically during the process of online enrollment, but if your organization uses Offline Certification, this has to be done manually. To import the root certificate of the CA follow the steps below:

• Obtain a file with the root certificate of the CA from your system administrator.
• Double-click the file containing your CA’s certificate.
• Click the “Install Certificate” button.
• Press the “Next” button on the “Certificate Import Wizard” screen.
• Change the radio button to “Place all certificates in the following store” and press the “Browse” button.
• Mark “Trusted Root Certification Authorities” and press the “OK” button.
• Press the “Next” button.
• Press the “Finish” button.
• Choose “Yes” to add the certificate to your Root store.
• Click the “OK” button.

4.8 View the contents of the MiniKey

You can use the “Show Manager” utility to check the contents of the MiniKey. Activate it by right-clicking the “AR Certificate Manager” icon in the system tray and selecting “Show Manager”.

The “AR Certificate Manager” window then opens and displays all the certificates in the personal store of Digital IDs and the certificates on the MiniKey.

Double-click a certificate to view its details.

5. Working with Microsoft Outlook

5.1 Configure Microsoft Outlook

Before you can send signed and/or encrypted e-mail messages with Microsoft Outlook, you must associate your certificate with the e-mail account you want to use it with. To perform this operation, follow the steps below:

• Click the “Tools” menu.
• Click “Options” and then click the “Security” tab.
• If you want to automatically encrypt all outgoing messages, select “Encrypt contents and attachments for outgoing messages”.
• If you want to automatically sign all outgoing messages, select “Add digital signature to outgoing messages”.
• For additional settings, click the “Change Settings” button.

On the “Change Security Settings” screen:

• Select an existing “Security Setting Name” or create a new one by pressing the “New” button.
• Choose “Secure Message Format”: S/MIME.
• Check the “Default Security Setting for this Secure Message Format” check box.
• Click the “Choose” button to select the certificates (Digital IDs) you want to associate with your account. Repeat the same procedure for both the signing certificate and the encryption certificate.

In the “Select Certificate” window:

• Choose the certificate that you want to use for signing or encrypting your e-mail messages in Microsoft Outlook. Note: Only the certificates (Digital IDs) with the same e-mail address as the e-mail address of the account will be shown.
• Click the “OK” button.

5.2 Receiving Certificates of Other People

To encrypt an e-mail message, you must have the certificate of the person you are sending the e-mail message to. The certificate must be part of the person’s entry in the Address Book. You can get another person’s certificate by:

• Importing a file with the certificate of that person, as described in section 5.2.1.
– Or –
• Receiving a signed e-mail message from that person, as described in section 5.2.2.

5.2.1 Importing other person’s certificate from a File

Before you start the following procedure, you must obtain a file with the other person’s certificate. To import the certificate from a file, open Microsoft Outlook’s “Contacts” window by:

• Clicking “Contacts” in the “Outlook Folder List”.
– Or –
• Clicking the “Tools” menu and selecting “Address Book”.
• Opening your “Contacts” folder.

In the contacts window:

• Select the contact person and click “Properties” to enter the contact person’s properties window.

In the contact person properties window:

• Select the “Certificates” tab and press the “Import” button.
• Use Explorer to search for the file containing the certificate of that person.
• Upon successful import of the certificate, you should see it in the contact person’s certificate pane. Press the “Save and Close” button to exit.

From this stage on, you should be able to send encrypted mail messages to that person.

5.2.2 Importing other person’s certificate from a Signed Message

Before you start the following procedure, you must get a signed e-mail message from that person. Signed messages carry the sender’s certificate inside them, which can easily be imported into your address book. To import the certificate from a signed e-mail message:

• Open the signed e-mail message from that person.
• Right-click the person’s e-mail address and select “Add to Contacts”.

In the contact person properties window:

• Select the “Certificates” tab.
• Verify that Microsoft Outlook automatically imported the person’s certificate from the signed e-mail message.
• Press the “Save and Close” button to exit.

If the contact person already exists in your address book, you will be asked whether you want to update the contact person’s details or not.

• Press “Update new information from this contact to existing one”.
• Press the “OK” button.

The certificate will be updated in the contact person’s address book entry. From this stage on, you should be able to send encrypted mail messages to that person.

5.3 Sending Signed E-mail Messages

Signed e-mail messages allow recipients to verify your identity. To send signed e-mail messages, you must have a certificate of your own. Signed messages may also be used to send your certificate to other people, so they can send you encrypted e-mail. For more information, please refer to section 5.2.

To digitally sign all your e-mail messages:

• In Microsoft Outlook, click the “Tools” menu.
• Click “Options”, and then click the “Security” tab.
• Check “Add digital signature to outgoing messages”.

To digitally sign a specific e-mail message:

• Press the “Options” button on the Microsoft Outlook toolbar.
• In the “Message Options” window, check the “Add digital signature to outgoing message” check box.
• Complete the message and press the “Send” button.
• The MiniKey PIN entry dialog opens. Type the MiniKey PIN code and press the “OK” button.

5.4 Sending and Receiving Encrypted E-mail Messages

Encrypting an e-mail message prevents other people from reading it while it is in transit. To encrypt an e-mail message, you need the certificate of the person you are sending the e-mail message to. The certificate must be part of the person’s entry in the Address Book. For an explanation of how to update other people’s certificates in the Address Book, please refer to section 5.2.

To encrypt all your e-mail messages:

• In Microsoft Outlook, click the “Tools” menu.
• Click “Options”, and then click the “Security” tab.
• Check the “Encrypt contents and attachments for outgoing messages” check box.

To encrypt a specific e-mail message:

• Press the “Options” button on the Microsoft Outlook toolbar.
• In the “Message Options” window, check the “Encrypt message contents and attachments” check box.
• Complete the message and press the “Send” button.

If you want to send an encrypted message to more than one recipient, you must have the certificates of all of them in your Address Book. If Microsoft Outlook does not find a certificate for one or more recipients, you will get the following message:

In that case you can press the “Send Unencrypted” button to send this message unencrypted to all the recipients, or press the “Cancel” button and remove the person without a certificate from the recipients list.

5.5 Receiving Signed E-mail Messages

Signed e-mail messages from others allow you to verify the authenticity of a message: that the message is indeed from the true sender and that it has not been tampered with during transit. Signed e-mail messages are designated with special signed e-mail icons. Any problem with a signed e-mail message that you receive might indicate that the message has been tampered with or did not originate from the true sender. When you receive a signed message, Microsoft Outlook displays a signed-message sign in the message window. Click this sign to view the signature’s details.

If the digital signature is invalid, a different sign appears instead. Click on this sign to display the “Digital Signature” window and learn the reason why the signature is invalid.
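The secure e-mail flow this manual walks through (a CA issues a certificate marked for e-mail protection as in section 4.6, the sender signs as in 5.3, the recipient checks the signature against the imported root as in 4.7 and 5.5, and mail is encrypted to the recipient’s certificate as in 5.4) can be reproduced on the command line with openssl. The script below is an added example and is not part of the AR manual or of AR’s software; the CA name, the two addresses and the message text are constructed, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not part of the AR MiniKey manual: the S/MIME flow the manual
# describes, reproduced with the openssl command line so each step can be checked
# offline. The CA, the people (alice@example.com signs, bob@example.com receives)
# and the message text are constructed for this example.
set -e
WORK="$(mktemp -d)"

# Issue an end-entity certificate from the local CA. The "E-mail protection"
# key usage the manual tells you to tick on the enrollment form (sec 4.6) is the
# emailProtection extended key usage; the address goes into subjectAltName,
# which is what the mail client matches against the account's address.
issue_cert() {  # issue_cert <name> <email>
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\nemailAddress=%s\n' \
    "$1" "$2" > "$WORK/$1.cnf"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\nsubjectAltName=email:%s\n' \
    "$2" > "$WORK/$1.ext"
  openssl req -new -config "$WORK/$1.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# A self-signed root CA plus one certificate each for the sender and the recipient.
make_pki() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\nprompt=no\n[dn]\nCN=Example Root CA\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/ca.cnf"
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  issue_cert alice alice@example.com   # sender
  issue_cert bob   bob@example.com     # recipient
}

# Sign: the output is a clear-signed multipart/signed message that also carries
# the signer's certificate, which is what a mail client harvests when it imports
# a certificate "from a signed message" (sec 5.2.2).
sign_message() {  # sign_message <signer> <plaintext> <out.eml>
  openssl smime -sign -in "$2" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" -out "$3"
}

# Verify against a trust store. Exit status 0 only when the signature is intact
# AND the signer's certificate chains to a root in <trust.pem>; a root that was
# never imported (sec 4.7) fails here just as a tampered body does.
verify_message() {  # verify_message <signed.eml> <trust.pem>
  openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

# Encrypt to the recipient's certificate; only the matching private key (which
# on a MiniKey never leaves the token) can decrypt it.
encrypt_message() {  # encrypt_message <plaintext> <recipient> <out.eml>
  openssl smime -encrypt -aes256 -in "$1" -out "$3" "$WORK/$2.crt"
}

decrypt_message() {  # decrypt_message <enc.eml> <name>; prints the plaintext
  openssl smime -decrypt -in "$1" -recip "$WORK/$2.crt" -inkey "$WORK/$2.key" \
    -out "$WORK/$2.dec" 2>/dev/null || return 1
  tr -d '\r' < "$WORK/$2.dec"
}

# Walk through the flow once, the way sections 5.3 to 5.5 of the manual do.
run_demo() {
  make_pki
  printf 'Hello Bob, this is a constructed test message.\n' > "$WORK/msg.txt"
  sign_message alice "$WORK/msg.txt" "$WORK/signed.eml"
  sed 's/Hello Bob/Hello Bobby/' "$WORK/signed.eml" > "$WORK/tampered.eml"  # body altered after signing
  : > "$WORK/empty-trust.pem"                                                # trust store without the CA root
  encrypt_message "$WORK/msg.txt" bob "$WORK/enc.eml"
  verify_message "$WORK/signed.eml" "$WORK/ca.crt" && echo "intact signature, trusted root: valid"
  verify_message "$WORK/tampered.eml" "$WORK/ca.crt" || echo "tampered body: signature invalid"
  verify_message "$WORK/signed.eml" "$WORK/empty-trust.pem" || echo "root not imported: not trusted"
  decrypt_message "$WORK/enc.eml" bob && echo "bob decrypted the message with his own key"
  decrypt_message "$WORK/enc.eml" alice >/dev/null || echo "alice cannot decrypt mail encrypted to bob"
}
run_demo
```

The two failing verifications are the cases behind the invalid-signature sign described above: a changed body and a signer whose CA root is not in the trust store look the same to the recipient until the signature details are opened.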


6. Working with Outlook Express

6.1 Associate your certificate with an e-mail account

Before you can send signed and/or encrypted e-mail messages with Outlook Express, you must associate your certificate with the e-mail account you want to use it with. To perform this operation, follow the steps below:

• In Outlook Express, click the “Tools” menu and then click “Accounts”.
• Select the “Mail” tab.
• Select the account you want to use your certificate with and click the “Properties” button.

In the account properties window:

• Select the “Security” tab.
• Click the “Select” button to select the certificates (Digital IDs) you want to associate with this account. Repeat the same procedure for both the signing certificate and the encryption certificate.

In the “Select Default Account Digital ID” window:

• Select the certificate with which you want to digitally sign or encrypt your e-mail. Note: Only the certificates (Digital IDs) with the same e-mail address as the e-mail address of the account will be shown.
• Click the “OK” button.

6.2 Set the Default Security Setting for Outlook Express

To set the default security setting of Outlook Express:

• Click the “Tools” menu.
• Click “Options”, and then click the “Security” tab.
• If you want to automatically encrypt all outgoing messages, select “Encrypt contents and attachments for all outgoing messages”.
• If you want to automatically sign all outgoing messages, select “Digitally sign all outgoing messages”.
• For additional settings, click the “Advanced” button.

In the “Advanced Security Settings” window, make sure that the check box “Add senders' certificates to my address book” is checked.

6.3 Receiving Certificates of Other People

To encrypt an e-mail message, you need the certificate of the person you are sending the e-mail message to. The certificate must be part of the person’s entry in the Address Book. To store another person’s certificate:

• In Outlook Express, open your “Address Book” by pressing the “Addresses” button on the toolbar.
• In the Address Book, select the contact person and press the “Properties” button on the toolbar.
• In the contact person properties, select the “Digital IDs” tab and press the “Import” button.
• Use Explorer to search for the file containing the certificate of the relevant person.
• Upon successful import of the certificate, you should see a green mark next to the certificate.

From this stage on, you should be able to send encrypted mail messages to that person.

6.4 Sending and Receiving Signed E-mail Messages

Signed e-mail messages let recipients verify your identity. To send signed e-mail messages, you must have a certificate of your own.

To digitally sign all your e-mail messages:

• In Outlook Express, click the “Tools” menu.
• Click “Options”, and then click the “Security” tab.
• Check the “Digitally sign all outgoing messages” check box.

To digitally sign a specific e-mail message:

• Press the “Sign message” button on the “New Message” toolbar.
• Complete the message and press the “Send” button.

Signed e-mail messages from others allow you to verify the authenticity of a message: that the message is indeed from the true sender and that it has not been tampered with during transit. Signed e-mail messages are designated with special signed e-mail icons. Any problem with a signed e-mail message that you receive (described in Outlook Express security warnings) might indicate that the message has been tampered with or did not originate from the true sender.

6.5 Sending and Receiving Encrypted E-mail Messages

Encrypting an e-mail message prevents other people from reading it while it is in transit. To encrypt an e-mail message, you need the certificate of the person you are sending the e-mail message to. The certificate must be part of the person’s entry in the Address Book. For an explanation of how to update other people’s certificates in the Address Book, please refer to the previous section.

To encrypt all your e-mail messages:

• In Outlook Express, click the “Tools” menu.
• Click “Options”, and then click the “Security” tab.
• Select “Encrypt contents and attachments for all outgoing messages”.

To encrypt a specific e-mail message:

• Press the “Encrypt message” button on the “New Message” toolbar.
• Complete the message and press the “Send” button.

When you receive an encrypted e-mail message, you can be reasonably confident that the message has not been read by anyone else. Outlook Express automatically decrypts e-mail messages, provided that you have the correct certificate installed on your computer.

6.6 Sending a Signed & Encrypted Message

According to your needs, you can choose to send a Signed and Encrypted message by pressing both the “Sign” and “Encrypt” buttons on the “New Message” toolbar.