Securing Exchange Server 2003
Understanding Digital Signatures
You can through digital signatures secure an Exchange Server 2003 messaging system. Digital signatures are used to verify the identities of the senders of data messages. With Exchange Server 2003, a digital signature can be attached to an e-mail message to ensure that the sender of the message is actually who he/she claims to be. If the content of the e-mail message is modified as the message is being transported, the signature becomes invalid.
Hashing algorithms provide data authentication and non-repudiation. A hashing algorithm is a complex mathematical algorithm, called a hash function, which is applied to a segment of the original message. This results in a fixed length output, called a hash value, which is unique to the original message. If the data is modified while being transmitted, the recipient is able to determine this because a single bit change results in many changes to the fixed length output of the hash.
Digital signatures use a hashing technology to authenticate the identity of the sender. While a bigger hash means a more secure algorithm, performance is negatively impacted because these hashes take longer to create.
The hashing algorithms supported in Windows Server 2003 are outlined below:
- Message Digest 4 (MD4) and Message Digest 5 (MD5): MD4 and MD5 are RSA algorithms which both create a 128-bit output. Input is processed in 512-bit blocks. MD5 is used in Windows NT and Windows 2000 to hash the passwords of users. MD5 supports the Challenge Handshake Authentication Protocol (CHAP) for dial-in clients. MD5 is the stronger hash between the two hashing algorithms.
- Secure Hash Algorithm: SHA-1 also processes input in 512-bit blocks, but it creates a 160-bit output. This makes SHA-1 more secure than both MD4 and MD5. The algorithm is also faster than these two algorithms.
- Secure Hash Standard (SHS): The SHS has extensions to the SHA-1 standard with larger digest sizes, namely; SHA-256, SHA-384 and SHA-512.
Exchange Server 2003 and Outlook 2003 implement digital signature capabilities through using Secure Multi-Purpose Internet Mail Extensions (S/MIME).
Understanding Public Key Encryption
Exchange Server 2003 provides public key encryption which can be used to protect e-mail messages from being interpreted. Exchange Server 2003 and Outlook 2003 implement encryption capabilities through using Secure Multi-Purpose Internet Mail Extensions (S/MIME).
A public key infrastructure (PKI) can be defined as a set of technologies which control the distribution and utilization of unique identifiers, called public and private keys, through the utilization of digital certificates. The set of technologies that constitute the PKI is a collection of components, standards and operational policies. The PKI process is based on the use of public and private keys to provide confidentiality and integrity of an organizationâ€TMs data as it is transmitted over the network. When users partake in the PKI, messages are encoded using encryption, and digital signatures are created which authenticate their identities. The recipient of the message would then decrypt the encoded message.
To ensure that data is securely transmitted over the Internet, intranet, and extranet; cryptography is used. With PKI, you can define cryptography as being the science used to protect data. A type of cryptography, called encryption, uses mathematical algorithms to change data to a format that cannot be read, to protect the data. Encryption basically ensures that the content of a data message is hidden from unauthorized parties intercepting the message. A mathematical algorithm contains the method used to scramble the original message into ciphertext. A cryptographic key is utilized to either change plaintext (original message) to ciphertext (scambled message) or to change ciphertext (scrambled message) to plaintext (original message). It is the ciphertext that is transmitted over the network. The message is decrypted into a readable format once it has reached the intended recipient.
Encryption utilizes keys to encrypt and decrypt data. Longer complicated keys mean that data is more protected from interpretation by another person.
The PKI components that enable digital signature and encryption capabilities are listed here:
- Microsoft Certificate Services: Windows Server 2003 includes Microsoft Certificate Services which can be used to implement a PKI. Through Certificate services, you can publish, issue, and store and perform management tasks for certificates. The Certificate services are considered as a primary component of the Windows PKI because it provides the means for certificates and any policies associated with the management of certificates, to be centrally administered. While third party CAs such as VeriSign and Thawte can be utilized, the most cost effective solution for larger organizations that need a considerable amount of certificates issued, is to use a Windows PKI implementation
- Digital certificate: Digital certificates are the core of the PKI, and are used to certificates are used to distribute the public key. A digital certificate associates a public key with an entity such as an individual or organization because it contains the public key for the user or organization, additional information on the user or organization, and information on the entity that issued the certificate. The entities that issue and manage digital certificates are called certificate authorities (CAs).
- Certificate template: Certificate templates are used to define the format and content of the certificate, based on intended use of the certificate. Through certificate templates, you can specify the users and groups which are permitted to request the particular certificate. You would usually create one certificate template for digital signatures and then create another certificate template for encryption purposes.
- Certificate publication points: These are the locations points from where certificates are made available.
You can make certificates available through either of these methods:
- Directory service
- Web servers
- Directories which are specific to the operating system
- Certificate authorities (CAs): A certificate authority (CA) is the trusted entity that issues digital certificates to users, computers or a service. An organization can have multiple CAs, which are arranged in a logical manner. A CA can be a trusted third party entity such as VeriSign or Thawte, or it can be an internal entity of the organization. An example of an internal CA entity is Windows Server 2003 Certificate Services. Windows Server 2003 Certificate Services can be used to create certificates for users and computers in Active Directory domains.
The process by which a user, computer, or service identifies itself to the CA is called registration. Registration can be automatically performed during the certificate enrollment process, or it can be performed by another trusted entity. An example of a trusted entity would be a smart card enrollment station. Certificate enrollment is the terminology used to refer to the process by which a user requests a certificate from a CA.
- Certificate revocation list (CRL): When a certificate is issued, the time for which the certificate remains valid is defined. There is however occasions when the CA can end the validity of the certificate through a procedure referred to as certificate revocation. A certificate is typically revoked when information included in the certificate has become invalid or untrusted. When the private key associated with the public key in the certificate is no longer secure or trusted, the certificate should be revoked without delay. The certificate revocation process is performed by the CA issuing the certificate revocation list (CRL), and it includes the serial numbers of those certificates which have been revoked.
- CRL Distribution Points (CDPs): When the CA validates certificates, it checks the CRL to determine whether it is still valid or not. If the certificate is on the CRL, the CA announces the certificate as being revoked. The CA places the CRL at locations, called CRL Distribution Points (CDPs), from which clients can download the CRL. When clients cannot locate a CRL at a CDP, it works on the assumption that all certificates issued by the CA have since been revoked. Enterprise CAs publishes its CRL in Active Directory. The actual object used is the CRLDistributionPoint object. The stand-alone CAs store their CRLs in the systemroot%system32certsrvCertEnroll folder.
- Certificate servers: When you use the Microsoft Certificate Services on Windows Server 2003 with Exchange Server 2003, all certificate functionality becomes available as one single service.
You can use certificate servers to perform a number of functions:
- Create and issue certificates from a single location.
- Import certificates into a CA.
- Import archived private keys into a CA.
- Maintain copies of private keys.
- Certificate and Certificate Authority management tools: You can use these management tools to perform a number of tasks:
- Start and stop CAs.
- Back up and restore CAs.
- Mange all issues certificates.
- Revoke certificates.
- View, install and reinstall the CA certificate for the CA.
- View the contents of the CRL.
- Publish CRLs.
- View and change the CRL distribution points.
- View, approve, or deny pending certificates.
- Import and export certificates and keys.
- Recover archived private keys.
How to implement digital signatures and encryption on Exchange Server 2003
- Open the Certification Authority console by clicking Start, Administrative Tools, and then Certification Authority.
- Right-click Certificate Templates, and click New, and then Certificate Template To Issue from the shortcut menu.
- The Enable Certificate Templates dialog box opens.
- Click Exchange User.
- Click OK.
- Right-click Certificate Templates again and then click Manage from the shortcut menu.
- This opens the certificate templates management tool.
- Right-click Exchange User and then select Properties on the shortcut menu.
- The Exchange User Properties dialog box opens.
- Click the Security tab.
- In the Group Or User Names box, select Authenticated Users.
- In the Permissions For Authenticated Users box, for the Enroll permission, enable the Allow checkbox.
- Click OK in the Exchange User Properties dialog box.
- Click OK.
How to configure digital signatures and encryption in Outlook
- Open Outlook.
- Click Options on the Tools menu item.
- The Options dialog box opens.
- Click the Security tab.
- Click Settings.
- The Change Security Settings dialog box opens.
- In the Security Settings Name box, enter a name for the e-mail digital certificate.
- In the Signing Certificate pane, under Certificates and Algorithms, select Choose alongside Signing Certificate.
- Select the signing certificate.
- In the Hash Algorithm box, choose a hash algorithm.
- Click OK in the Change Security Settings dialog box.
- On the Security tab of the Options dialog box, in the Encrypted E-mail box, select the appropriate options:
- Encrypt contents and attachments for outgoing messages.
- Add digital signature to outgoing messages.
- Send clear text signed message when sending signed messages.
- Request S/MIME receipt for all S/MIME signed message.
- Click OK.