Message integrity enables
a user to be confident that the message he or she received is the same as the one
that the sender sent and has not been tampered with. Message
confidentiality means that the contents of a message are kept secret
from an unintended listener, such as someone trying to eavesdrop on messages.
Message authentication enables a user to be confident that
he or she knows the identity of the other party in the communication and that
message senders and recipients are who they purport to be.
To implement secure messaging, you need to be able to guarantee integrity,
confidentiality, and authentication. It is possible to send a message in a
tamperproof envelope but in clear text that anyone can read. It is possible to
encrypt a message so that it cannot be read by an unintended user but fail to
protect its integrity so that someone could delete part of it even if he or she
could not read it. A message that is encrypted and tamperproof remains insecure if
there is no method of confirming that it came from the sender that it purports to
come from. Preferably, both sender and recipient should be authenticated so that not
only can the recipient determine the message was sent by the identified sender but
the sender can ensure that the message has been received by the identified
recipient.
1. Using S/MIME Extensions
Public key cryptography uses a mathematically related key pair, a secret
private key and a published public key, to protect messages. A sender creates
a digital signature over a message using the private key; anyone holding the
matching public key can verify it, which establishes who signed the message and
that it has not been altered since it was signed (authentication and integrity).
A sender protects confidentiality by encrypting the message with the recipient's
public key; only the holder of the corresponding private key can decrypt it.
Encryption alone does not protect integrity: an encrypted but unsigned message
can still be truncated or altered in transit without the recipient noticing, so
a message that needs both protections is signed as well as encrypted.
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public
key encryption and signing of MIME data. S/MIME provides authentication, message
integrity, and nonrepudiation of origin (using digital signatures), and
confidentiality (using encryption).
Before you can use S/MIME for public key cryptography, you need to obtain and
install a certificate, either from your organization's internal certificate
authority (CA) or from a trusted third-party CA. A certificate from an internal
CA is useful only with correspondents who trust that CA, which in practice means
in-house use; external organizations do not trust it unless they have imported
its root. S/MIME clients typically require a certificate to be installed before
they allow users to send signed or encrypted messages.
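The following Windows PowerShell script is an added example and is not code from the original chapter. It uses the .NET SignedCms and EnvelopedCms classes (the CMS/PKCS #7 layer that S/MIME messages are built on) to sign a constructed message body in both forms OWA can produce, clear-signed (detached signature, body in the clear) and opaque-signed (body wrapped inside the signature), to verify the signature, to show that changing one byte of the body makes verification fail, and then to encrypt and decrypt the body. It assumes a certificate with a private key in the current user's personal store, such as one issued by the organization's internal CA, and takes the first one it finds; the message text, the certificate choice, and the function names New-CmsSignature and Test-CmsDetachedSignature are assumptions for the example.

```powershell
# Added example, not code from the original chapter. Windows PowerShell on a
# domain-joined workstation; the PKCS classes live in System.Security.dll.
Add-Type -AssemblyName System.Security

# Assumption: a certificate with a private key (for example, one issued by the
# organization's internal CA) exists in the current user's personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key found in Cert:\CurrentUser\My' }

# Constructed sample message body.
$body = [Text.Encoding]::UTF8.GetBytes('Approve wire transfer 4711 to account 12-3456.')

function New-CmsSignature([byte[]]$Content, [bool]$Detached) {
    # Detached = $true  -> clear-signed: the body travels in the clear, signature separate.
    # Detached = $false -> opaque-signed: the body is wrapped inside the signature blob.
    $ci  = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$Content)
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms -ArgumentList $ci, $Detached
    $signer = New-Object System.Security.Cryptography.Pkcs.CmsSigner -ArgumentList $cert
    $cms.ComputeSignature($signer)
    return $cms.Encode()
}

function Test-CmsDetachedSignature([byte[]]$Content, [byte[]]$Signature) {
    $ci  = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$Content)
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms -ArgumentList $ci, $true
    $cms.Decode($Signature)
    try {
        # $true verifies the signature only. A production check passes $false so that
        # the signer's chain and revocation status are validated as well.
        $cms.CheckSignature($true)
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }
}

# Integrity and authentication: clear-sign, verify, then alter one byte of the body.
$sig = New-CmsSignature -Content $body -Detached $true
'Clear-signed, body untouched, verifies: ' + (Test-CmsDetachedSignature $body $sig)

$tampered = [byte[]]$body.Clone()
$tampered[$tampered.Length - 3] = [byte][char]'7'     # account 12-3456 becomes 12-3476
'Clear-signed, body tampered, verifies:  ' + (Test-CmsDetachedSignature $tampered $sig)

# Opaque-signed: the body is inside the blob; a client without S/MIME support
# cannot read it, an S/MIME client recovers it from the decoded structure.
$opaque = New-Object System.Security.Cryptography.Pkcs.SignedCms
$opaque.Decode((New-CmsSignature -Content $body -Detached $false))
$opaque.CheckSignature($true)
'Opaque-signed body recovered: ' + [Text.Encoding]::UTF8.GetString($opaque.ContentInfo.Content)

# Confidentiality: encrypt to the recipient's certificate. Sender and recipient share
# $cert here so the script can decrypt; only the matching private key can do so.
$ci = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$body)
$envelope = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms -ArgumentList $ci
$envelope.Encrypt((New-Object System.Security.Cryptography.Pkcs.CmsRecipient -ArgumentList $cert))
$ciphertext = $envelope.Encode()

$dec = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
$dec.Decode($ciphertext)
$dec.Decrypt()                  # locates the matching private key in Cert:\CurrentUser\My
'Decrypted body: ' + [Text.Encoding]::UTF8.GetString($dec.ContentInfo.Content)
```

The second verification prints False: the signature still decodes, but the digest no longer matches the altered body, which is the integrity guarantee described above. Encrypting the same body with EnvelopedCms and then flipping a byte of the ciphertext would not be detected by Decrypt alone, which is why signing and encryption are combined.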
1.1. OWA and S/MIME
A public key infrastructure (PKI) uses digital
certificates to verify and authenticate each participant in
an electronic transaction. To deploy a Windows PKI, you install Active
Directory Certificate Services (Certificate Services) on a member server
in your organization. A PKI enables your organization to issue its own
certificates: clients on the internal network can request and receive
certificates from it, and the PKI can renew or revoke them.
OWA users can use S/MIME to encrypt outgoing messages and attachments so
that only the intended recipients, who hold the private keys matching the
certificates (digital IDs) the message was encrypted to, can read them. Users
can also digitally sign a message so that its recipients can verify the
identity of the sender and confirm that the message has not been altered in
transit.
Users must have a digital ID (a certificate with its private key) and must
install the S/MIME control for OWA before they can send encrypted or
digitally signed messages or read encrypted messages in the OWA client. The
S/MIME control is also necessary to verify the signature on a digitally
signed message. It is installed on the client computer from the S/MIME tab
of the OWA Options page. When the S/MIME control is installed, users have
access to features that are not otherwise available in OWA. They can, for
example, do the following:
Attach messages to other messages
Paste images into messages
Attach multiple files in a single operation
However, when the S/MIME control is installed, WebReady Document Viewing
works only for clear-signed messages, not for encrypted or opaque-signed
messages. Certain content types sent from Outlook as S/MIME messages are
not displayed in OWA; in those cases OWA shows a banner in the message
header. When a user opens a folder in another mailbox or uses explicit
sign-in to open another user's mailbox, most S/MIME features are
unavailable; the only one that remains is verification of digital
signatures.
1.2. Enabling and Disabling S/MIME in OWA
You can use
the Exchange Management Console (EMC) or the Exchange Management Shell (EMS)
to enable or disable S/MIME in OWA. To use the EMC, carry out the following
procedure:
Open the EMC and expand the tree in the Console pane.
In the console tree, click Client Access under Server
Configuration.
At the top of the Result pane, click the server that hosts the OWA
virtual directory.
On the Outlook Web App tab under the server name, click Owa
(Default Web Site).
In the Actions pane under Owa (Default Web Site), click
Properties.
On the Owa (Default Web Site) Properties dialog box, click the
Segmentation tab.
In the Segmentation window, click S/MIME, as shown in Figure 1.
Click Enable or Disable as appropriate.
Click OK to save your changes and close the Properties dialog
box.
By default, S/MIME is enabled. To use the EMS to disable S/MIME on the OWA
virtual directory in the default Internet Information Services (IIS) website
on the local server, enter the following command:
Set-OWAVirtualDirectory -Identity "owa (Default Web Site)" -SMimeEnabled $false
To enable S/MIME
when it has previously been disabled, enter the following command:
Set-OWAVirtualDirectory -Identity "owa (Default Web Site)" -SMimeEnabled $true
Neither of these EMS commands produces output. If the command completes
without error, the change has been made; run Get-OWAVirtualDirectory against
the same identity to confirm the new value of SMimeEnabled.
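The following Exchange Management Shell script is an added example and is not part of the original chapter. It wraps the two commands above in functions that report SMimeEnabled for every OWA virtual directory in the organization, change it on all Client Access servers or on a single named one, and read the value back after each change, because Set-OwaVirtualDirectory prints nothing on success. The function names Get-OwaSMimeState and Set-OwaSMimeState and the server name CAS01 are assumptions for the example.

```powershell
# Added example, not code from the original chapter. Run from the Exchange
# Management Shell. Function names and the server name 'CAS01' are assumptions.

function Get-OwaSMimeState {
    # One row per OWA virtual directory in the organization.
    Get-OwaVirtualDirectory | Select-Object Server, Identity, SMimeEnabled
}

function Set-OwaSMimeState {
    param(
        [Parameter(Mandatory = $true)][bool]$Enabled,
        [string]$Server    # optional: limit the change to one Client Access server
    )
    $dirs = if ($Server) { Get-OwaVirtualDirectory -Server $Server } else { Get-OwaVirtualDirectory }
    foreach ($dir in $dirs) {
        $id = "$($dir.Identity)"    # e.g. "CAS01\owa (Default Web Site)"
        if ($dir.SMimeEnabled -eq $Enabled) {
            "${id}: SMimeEnabled already $Enabled, no change"
            continue
        }
        Set-OwaVirtualDirectory -Identity $id -SMimeEnabled $Enabled
        # Set-OwaVirtualDirectory prints nothing on success, so read the value back.
        $after = (Get-OwaVirtualDirectory -Identity $id).SMimeEnabled
        if ($after -eq $Enabled) {
            "${id}: SMimeEnabled now $after"
        } else {
            Write-Error "${id}: expected SMimeEnabled=$Enabled but found $after"
        }
    }
}

Get-OwaSMimeState | Format-Table -AutoSize       # current state on every server
Set-OwaSMimeState -Enabled $false                # disable S/MIME organization-wide
Set-OwaSMimeState -Enabled $true -Server 'CAS01' # re-enable on one server only
Get-OwaSMimeState | Format-Table -AutoSize
```

Because OWA settings are per virtual directory, a user whose session lands on a different Client Access server sees that server's setting; the report at the end shows whether every server agrees.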
1.3. Managing S/MIME for OWA
You manage S/MIME for OWA by editing the registry (for example, with the
Regedit utility) on each Exchange Server 2010 Client Access server. Changes
are made on a per-server basis; if you have more than one Client Access
server and want the same S/MIME behavior on all of them, you must make the
same changes on each server. Changes to the S/MIME settings in the registry
take effect immediately. Users do not need to sign out, and no services need
to be restarted.
The registry settings that control S/MIME behavior on a Client Access
server are located under the following registry key:
HKLM\System\CurrentControlSet\Services\MSExchange OWA\SMIME
As shown in Figure 2, the settings that control S/MIME are not present in the
registry by default; you must add them. Table 1 shows some of the settings you
can use. The list is not exhaustive.
Table 1. Settings that control S/MIME behavior

| Name and type | Values | Explanation |
|---|---|---|
| CheckCRLOnSend (DWORD) | 1=True, 0=False (default) | If CheckCRLOnSend is true and a certificate revocation list (CRL) distribution point in the sender's certificate chain cannot be reached during revocation checking while a signed or encrypted message is being sent, OWA reports a failure and does not send the message. |
| DLExpansionTimeout (DWORD) | Milliseconds. Default 60000 (60 seconds); range 0 through 2147483647 | How long OWA waits for a distribution list in Active Directory to expand when sending encrypted email before the operation fails. A value of 0 disables sending encrypted email to distribution lists. At the maximum value, OWA waits for the expansion to finish regardless of how long it takes. |
| UseSecondaryProxiesWhenFindingCertificates (DWORD) | 1=True (default), 0=False | When sending encrypted email, OWA looks up a certificate for the recipient in Active Directory. The certificate subject or subject alternative name can contain an SMTP address. If true, OWA also accepts a certificate whose SMTP address matches one of the recipient's secondary (proxy) addresses rather than the primary SMTP address. If false, OWA accepts only a certificate that matches the recipient's primary SMTP address. |
| CRLConnectionTimeout (DWORD) | Milliseconds. Default 60000 (60 seconds); range 5000 through 2147483647 | How long OWA waits while connecting to retrieve a single CRL during certificate validation. If the CRL is not retrieved in time, the operation fails. A value below 5000 is ignored and the default (60000) is used. At the maximum value, the connection never times out. |
| CRLRetrievalTimeout (DWORD) | Milliseconds. Default 10000 (10 seconds); range 0 through 2147483647 | How long OWA waits to retrieve all CRLs needed to validate a certificate. If not all CRLs are retrieved in time, the operation fails. |
| DisableCRLCheck (DWORD) | 1=True, 0=False (default) | If true, CRLs are not checked when certificates are validated. This shortens signature validation, but messages signed with revoked certificates are shown as valid instead of invalid. |
| AlwaysSign (DWORD) | 1=True, 0=False (default) | If true, users must digitally sign messages they send from OWA with the S/MIME control. The OWA Options page and the Message Options dialog box show the "Send signed e-mail" option as selected. |
| AlwaysEncrypt (DWORD) | 1=True, 0=False (default) | If true, users must encrypt messages they send from OWA with the S/MIME control. The OWA Options page and the Message Options dialog box show the "Send encrypted e-mail" option as selected. |
| ClearSign (DWORD) | 1=True (default), 0=False | If true, every digitally signed message sent from OWA is clear-signed. If false, OWA uses an opaque signature. |
| IncludeCertificateChainWithoutRootCertificate (DWORD) | 1=True, 0=False (default) | If true, signed or encrypted email includes the full certificate chain except the root certificate. By default, OWA includes only the signing and encryption certificates, not their certificate chains. |
Note:
CLEAR-SIGNED AND OPAQUE-SIGNED EMAIL MESSAGES
In a clear-signed message the body travels in the clear and the signature is
carried separately, so the message can be opened and read in most email
clients, including clients that do not support S/MIME, although only an
S/MIME-capable client can verify the signature. In an opaque-signed message
the body is wrapped inside the signature structure, so a client without S/MIME
support cannot display it. Clear-signed messages are larger than opaque-signed
messages. Opaque signing is not encryption: the body is encoded, not kept
secret.
Warning:
Edits to the registry take effect immediately without requiring
confirmation. Take care when editing the registry.
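The following Windows PowerShell script is an added example and is not the chapter's own procedure. Run from the Exchange Management Shell, it applies one set of the Table 1 registry values to every Client Access server returned by Get-ClientAccessServer and reads them back, so that all servers end up with the same S/MIME behavior, and it rejects or warns about values the table says OWA would ignore or that weaken revocation checking. The key path and value names are those from the table; the chosen values, the hashtable name $Desired, the function name Test-SMimeSettingValue, and the use of PowerShell remoting (Invoke-Command, which needs WinRM enabled on each server and local administrator rights there) are assumptions for the example.

```powershell
# Added example, not the chapter's own procedure. Run from the Exchange Management
# Shell as an account that is a local administrator on every Client Access server;
# assumes WinRM remoting is enabled on those servers.

$SMimeKey = 'HKLM:\System\CurrentControlSet\Services\MSExchange OWA\SMIME'

# Desired settings (all DWORDs). The values are chosen for this example.
$Desired = @{
    CheckCRLOnSend       = 1       # refuse to send when a CRL distribution point is unreachable
    DisableCRLCheck      = 0       # keep revocation checking on
    CRLConnectionTimeout = 30000   # 30 s per CRL; below 5000 OWA silently uses 60000
    CRLRetrievalTimeout  = 20000   # 20 s for all CRLs together
    AlwaysSign           = 1       # force "Send signed e-mail"
    ClearSign            = 1       # clear-signed so non-S/MIME clients can still read the body
    IncludeCertificateChainWithoutRootCertificate = 1
}

function Test-SMimeSettingValue([string]$Name, [int]$Value) {
    # Reject values OWA would ignore, and warn about ones that weaken security.
    if ($Value -lt 0) { throw "$Name must be a non-negative DWORD" }
    switch ($Name) {
        'CRLConnectionTimeout' {
            if ($Value -lt 5000) { throw "$Name below 5000 is ignored by OWA; the default 60000 is used" }
        }
        'DLExpansionTimeout' {
            if ($Value -eq 0) { Write-Warning "$Name=0 disables encrypted email to distribution lists" }
        }
        'DisableCRLCheck' {
            if ($Value -eq 1) { Write-Warning "$Name=1 shows mail signed with revoked certificates as valid" }
        }
    }
}

$apply = {
    param($Key, $Settings)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        # Creates the value if missing, replaces it if present. Takes effect immediately.
        Set-ItemProperty -Path $Key -Name $name -Value $Settings[$name] -Type DWord
    }
    # Report what is actually in the registry, not what we intended to write.
    $p = Get-ItemProperty -Path $Key
    foreach ($name in $Settings.Keys) {
        New-Object PSObject -Property @{ Server = $env:COMPUTERNAME; Name = $name; Value = $p.$name }
    }
}

foreach ($kv in $Desired.GetEnumerator()) { Test-SMimeSettingValue $kv.Key $kv.Value }

# Every Client Access server in the organization. To try the change on one server
# first, replace this with a single name, for example @('CAS01').
$servers = Get-ClientAccessServer | Select-Object -ExpandProperty Name

Invoke-Command -ComputerName $servers -ScriptBlock $apply -ArgumentList $SMimeKey, $Desired |
    Sort-Object Server, Name |
    Format-Table Server, Name, Value -AutoSize
```

Because the registry edits take effect immediately and without confirmation, the validation step runs before anything is written, and the final table lets you compare servers side by side to catch one that was missed or set differently.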