Secure Email for campus
Securing Your Email

Skip to Page 2 to Begin, or Read this FYI

Using Security Certificates: Background and FYI

Securing email requires a certificate in order to work. Once you sign up for a certificate it lasts one full year and is easy to renew. Actually setting up the certificate is trivial. The initial registration takes about 10-20 minutes. Once you have the certificate you will probably never see it or care about it until it is time to renew next year.

How it Works

How it works is simple. You get a certificate from a trusted third party, much like you receive an ID card from the state. You can then use the certificate to prove you are who you say you are, or in this case, that your email address is indeed being used by you and not some other person. When you send an email, you check off the “digital signature” button. This sends the certificate in the background to the recipient; their email client will read “Sender Signed” and store your certificate. Once both parties have sent each other a “signed” email, encryption is possible. Remember, this is not specific to your email address alone: the METHOD you use to retrieve your email is equally important.

Key limitation sacrificed where security is gained: the encrypted emails you send CANNOT be opened in a web browser. Encrypted emails can only be opened from within a Mail program. It can be Apple Mail, it can be Thunderbird (on the PC), but no more geckomail.ucdavis.edu or my.ucdavis.edu email for encrypted messages. This means that if you forward your email to Yahoo, you cannot read your encrypted messages. However, this is not true for unencrypted emails; unencrypted emails can still be read from the browser. Since gmail gives free POP3 (downloading of emails to mail programs), gmail will work with this, while Yahoo charges for POP3 access. It is not recommended that you forward your email to another account.

Note: the Apple Mail client is smart enough not to encrypt a message if the recipient doesn't have a certificate. This means that even if your recipient does not have this set up, it is impossible to send him or her an encrypted email that he or she could not decrypt.

This sounds like a lot, but it's not. It boils down to this: once you have a certificate, your recipient has a certificate, and you have both corresponded with the “Signed” button checked, you are given the option to send an encrypted email. Once it is sent, it can only be decrypted by a program which can decrypt it. Web browsers cannot open encrypted emails.

On to the steps...

Outline: Four Stages to Set Up Encryption
1. Create an account on thawte.com.
2. Request a certificate. You then wait 10-15 minutes for Thawte to generate it.
3. Download your certificate. The Mac sets it up for you.
4. Email your common recipients so that everyone gets your certificate, and send encrypted emails!

Stage 1. Create a user account on thawte.com
This is a fairly straightforward process, though longer than most website registrations. You must use Safari for this whole process. Do not use Firefox!
1. In Safari, go to www.thawte.com. It looks like this to the right:
2. Click on Products in the navigation bar. You get a nice blue menu.
3. Click on “Free Personal E-mail Certificates”.
4. The next window looks like this; click Join in the top right area.
5. You next get an agreement page. Click Next to accept their terms and conditions. In summary, the agreement specifies what these certs do, that Thawte is a Certificate Authority not officially endorsed by the government, that information is gathered based on trust and not shared, and that they are not legally liable.
6. On the next page, enter your last name, first name, birthday and nationality. Then click Next. (Ignore Charset.)
7. The next page is titled “Requesting ID Information.” Enter your UC Davis email address. This will become your account username with Thawte. Then click Next.
8. The next page is titled “Personal Preferences.” Choose your preferred language (most likely English) and then under Charset Preference choose “Use the default for my language.” Click Next.
9. On the next page, entitled “Password Setup,” create a password for your Thawte account that you will be able to remember a year from now.
10. Password Questions. On this page you need to select 5 questions and type in 5 answers. One-word answers are best. If you don't like the questions, then create your own. The only rule is that there must be 5 questions. Click Next.
11. On the next Confirmation page, make sure everything you have entered is correct, then click Next.
12. IMPORTANT. You will be sent an email that will help you finish the enrollment with Thawte. You MUST complete this step the same day, or it will not be successful.
13. Click on the first link in the email.
14. Enter the Probe and Ping values by copying and pasting each into the webpage you just loaded. Click Next.
15. You should get a confirmation page saying it was a success. Click Next.
16. A login window will pop up. Fill in your UC Davis email address in the Name field, and then enter the password you just created in the Password field. Click Log In. You will now be able to request a certificate.

On to Stage 2: Requesting a Certificate...

Stage 2. Requesting a Certificate
Follow these steps to request that your certificate be generated.
1. You should now be logged in; if so, go to step 2. If not, go to thawte.com and log in using the same steps as Stage 1, numbers 1-3, then clicking Login instead of Join.
2. Click Certificates. Then Request a Certificate. Then request an X.509 Format Cert.
3. On the next page, make sure Mozilla Firefox is selected, then click Request.
4. The next page is titled “configure certificate name.” For our purposes we will not have our names verified by a notary. “No Employment Information Available” should be selected, so click Next.
5. You will now get a “configure email addresses for certificate” page. Your email address should be checked; then click Next.
6. The next page is titled “configure extranet capabilities for certificate”. Click Next.
7. On the next page, “configure X.509v3 cert extensions,” accept the Default Extensions by clicking on the first Accept. Do NOT click on Configure.
8. In “generate certificate public key” make sure 2048 (High Grade) is selected, then click Next.
9. On the next page, click Finish.
10. You will get an email confirming that your request for a certificate has been processed. It takes anywhere from 5-15 minutes for it to be generated by Thawte. You are done with Stage 2. When you get a second email saying it is ready, go to Stage 3 of this guide.
Important: Don't close your browser windows at any time!

On to Stage 3: Downloading Your Certificate...

Stage 3. Downloading and Installing Your Certificate
Once you have requested a certificate, as you did in Stage 2, it takes a few minutes before Thawte finishes generating it.
1. You should get an email from Thawte when your certificate is ready. It should look something like this:
2. Do NOT click on the link in the email. It won't work! Instead, close the email.
3. Switch back to Safari, to the larger page you had open. On the left-hand side, click on the link that says “view certificate status” in red.
4. You should get a list saying one has been issued. Click on the word Navigator.
5. On the next page you will see a button in red that says “Fetch”. Click it. Safari will download your certificate.
6. When it is done downloading, Safari knows to add it to your keychain.
7. Quit the Keychain Access program by going to the Keychain Access menu, then clicking Quit.

On to Stage 4: Signing Your Messages, and Encrypting Them...

Stage 4. Signing and Encrypting Email Messages
You now have a certificate installed on your Mac. If you send email from this Mac with your Mail program, you have the ability to send a “signed” email. Believe it or not, it is easy for someone to use your email address to send email, even without your password. With a certificate you are basically letting your recipient know you are indeed the owner of the email address you are sending from. If both ends of the communication have a certificate from Thawte set up, and both have already corresponded with a digitally-signed message, then email between the two can be encrypted. Here's how:
1. If your Mail program was open when you set up the certificate, quit it, then reopen Mail. When you relaunch, if Mail asks for use of your keychain, click “Always Allow”.
2. The easiest way for everyone on staff to get a signed message is to email the staff listproc. Open a new email and email your staff listproc or other common addresses.
3. Make sure the seal has a checkmark in it.
4. The difference between checked and not checked is subtle. One is an X while the other is a check. Make sure it is a check-mark. There are little to no reasons why you would want to send a non-signed message. (Note: this is a digital signature produced by the certificate. It is not the same as your signature line.)
5. Note how, next to the badge symbol on its left, there is a lock that is grayed out. What this tells you is that you cannot send an encrypted message to this recipient. Either this recipient doesn't have a certificate, or they have never emailed you with a digital certificate.
6. Once you have made sure the badge has a check-mark in it, you can send an email saying you are just setting up your secure email.
7. Now let's say we are all set up. If you are sending to a recipient who has their certificate set up, the option for a lock is given. Making sure the lock is locked will ensure the email is sent encrypted.
8. Again, the difference between encrypted and unencrypted is subtle. The lock on the left is unencrypted. The lock on the right is encrypted.
9. When you receive a message and you want to know if it is encrypted, it shows up in the “To” section.
10. Whenever you send an encrypted message, it will stay on whatever setting you last used. So, pay attention to your lock when you are sending confidential messages, and make sure it is always locked.
11. If the lock is not available (that is, it is greyed out) then either your recipient has no certificate, or they have not yet sent a signed message. If you send to multiple recipients and even just one of them isn't set up, encryption is disabled. This system only works if everyone is set up. Paying attention to the lock before you send is crucial.
Important: subject lines are NOT encrypted.

That's It. You can now send Encrypted Email Messages!
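The exchange that the background section and Stage 4 describe (each side sends a signed message first so the other side receives and stores its certificate, then encryption to that stored certificate becomes possible, with the subject line left in the clear), shown here as an added example with openssl's S/MIME commands instead of Apple Mail; this is not code from the guide. It assumes openssl is installed; the alice/bob identities, addresses and message text are constructed, and each self-signed certificate stands in both for a Thawte-issued certificate and for the root the recipient's client trusts.

```shell
# Added example, not from the guide: the Stage 4 exchange done with openssl's S/MIME
# tools. Certificates, identities, addresses and message texts are constructed stand-ins.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Stages 1-3 equivalent: a key pair and a certificate binding a name to an address.
make_identity() {                 # $1 = label, $2 = email address
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$1.key" \
    -out "$1.crt" -subj "/CN=$1/emailAddress=$2" >/dev/null 2>&1
}

# Ticking the "signed" seal: the signature travels together with the sender's certificate.
sign_message() {                  # $1 = sender label, $2 = plaintext file, $3 = output
  openssl smime -sign -in "$2" -signer "$1.crt" -inkey "$1.key" -out "$3"
}

# What the recipient's client does with a signed message: check the signature against a
# trusted root (the sender's self-signed cert plays the CA here) and keep the signer's cert.
verify_and_store() {              # $1 = signed msg, $2 = trusted root, $3 = saved cert, $4 = content out
  openssl smime -verify -in "$1" -CAfile "$2" -signer "$3" -out "$4" 2>/dev/null
}

# Locking the lock: encrypt to the stored certificate. The Subject header is written in
# the clear, which is the guide's "subject lines are NOT encrypted" point.
encrypt_to() {                    # $1 = recipient cert, $2 = subject, $3 = plaintext, $4 = output
  openssl smime -encrypt -aes256 -subject "$2" -in "$3" -out "$4" "$1"
}

decrypt_with() {                  # $1 = recipient label, $2 = encrypted msg, $3 = output
  openssl smime -decrypt -in "$2" -recip "$1.crt" -inkey "$1.key" -out "$3"
}

make_identity alice alice@example.edu
make_identity bob bob@example.edu

# Each side sends one signed message first, as the guide requires before the lock appears.
printf 'hello from alice\n' > a_hello.txt
sign_message alice a_hello.txt a_signed.msg
verify_and_store a_signed.msg alice.crt bob_store_alice.crt a_hello_seen.txt
printf 'hello from bob\n' > b_hello.txt
sign_message bob b_hello.txt b_signed.msg
verify_and_store b_signed.msg bob.crt alice_store_bob.crt b_hello_seen.txt

# Alice now holds bob's certificate and can encrypt to it; only bob's key can decrypt.
printf 'constructed confidential body\n' > secret.txt
encrypt_to alice_store_bob.crt 'Q3 budget numbers' secret.txt enc.msg
decrypt_with bob enc.msg dec.txt
```

After it runs, enc.msg still shows the Subject header in plain text while its body is only base64 ciphertext, and dec.txt holds the original message again.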