E-mail encryption and digital signatures (EN-US)
The following is a description of encryption and the use of digital signatures.
Encryption
directmail is able to send encrypted emails in S/MIME format with 128 bit encryption and certificate.
Alternatively, encryption of sent PDF files with up to 128 bit encryption without certification is also available.
Basic
S/MIME stands for Secure/Multipurpose Internet Mail Extensions and is an extension of the MIME standard for secure e-mail transport.
S/MIME uses the so-called public/private key method. This concept eliminates some basic vulnerabilities in the course of transmission (in particular, it is not enough to intercept a key sent in advance of a message transmission). In order to use this encryption method correctly, it is important that its basic features and procedure are known.
S/MIME supports both the signature of e-mail and its encryption.
A signature guarantees the recipient that the e-mail was sent unchanged over the Internet. A signed e-mail is not encrypted and could therefore be read by unauthorized persons. Signing is always done with the sender's private key. Since the sender's public key is always attached to a signed e-mail, the signature can be verified by the recipient using the attached public key of the sender.
Encryption guarantees that the e-mail cannot be read by third parties. Encryption is always performed with the recipient's public key. The recipient can then decrypt the message using his or her private key.
Note:
directmail stores all e-mails unencrypted. It is assumed that the security settings of your system are sufficient to protect these mails from unauthorized access.
Public and private keys are stored in so-called certificates. In addition to the keys, such certificates also contain other information such as the owner's e-mail address, validity period, hash codes, etc. To ensure that a certificate is valid, it is usually signed by a CA (Certificate Authority).
Certificates can either contain only the public key of the owner (public certificate) or also the private key (private certificate). If a certificate contains the private key, it must be protected against unauthorized access by a password. Only the owner of the certificate should have access to his private key.
Private keys are used for:
Signing e-mails for sending (using the sender's key)
Decrypting e-mails for receipt (Using the recipient's key)
Public keys are used for:
Encryption for sending (With key of the recipient)
Verification of a signature on receipt (using the sender's key)
Attaching the sender's public key to each signed email (This can be used to exchange a public key at the same time)
Hint:
A private key should never be accessible to anyone other than the owner. Therefore, make sure to use "strong" passwords.
Limitations:
directmail is currently not yet able to decrypt e-mails.
directmail is currently not yet able to verify signatures.
Public keys of a signed e-mail can only be imported into directmail (as attachment) if it is a "detached signature".
General information about S/MIME
You can use this method to encrypt and sign messages, i.e. to guarantee that the message originates from the specified sender (a kind of electronic seal).
You have two keys, one private and one public.
The private key must be kept secret. It consists of a file that you should not give out of your hands and is additionally protected by a password (be sure to choose a secure one here!).
The public key, also a file, can be distributed without worry. However, if you receive the public key of a communication partner, you must make absolutely sure that the key is really from him. This can be done either physically (he handed you the disk with the key personally) or by comparing the so-called fingerprint over the phone. The most practical way, however, is to authorize a third party (Certificate Authority, CA) to do the verification. Then you only have to recognize this CA once and everything works, if the keys of all communication partners have been signed by the CA. At the university, the computer center takes over the role of the CA. However, this will generally only be accepted by users of the university network.
You encrypt and/or sign with your private key and the recipient's public key. The recipient decrypts or confirms the origin of the mail with his private key and your public key. This is why this principle is also called asymmetric encryption.
The strict hierarchy of X.509 certificates is the basic framework of the S/MIME concept. X.509 certificates are used for SSL, S/MIME and IPSec.
At the top is the main certification authority, the Certificate Authority. It represents the highest authority of the PKI (Public Key Infrastructure). X.509 digital certificates or the X.509 digital signature guarantee that a public key can be uniquely assigned to a specific user.
A Certification Authority (CA) is a trusted third party that issues and manages digital certificates. This CA guarantees that a public key belongs to a single, identified user. Certificates can be issued offline and online. Online, for example, the TC TrustCenter offers a so-called Class 1 certificate that represents a "simple security level" free of charge. When a Class 1 or Express certificate is applied for, only the correctness of the e-mail address provided is checked. TC TrustCenter Class 1 certificates have extremely low requirements for proof of identity. It is primarily used here for testing encrypted mail traffic with the aid of X.509 certificates. Offline, users must be physically present at the CA. Here, for example, the Verisign trust center with its Class 3 certificate should be mentioned. If such a center meets certain requirements, the signatures created with the certificates are legally valid according to German law. TeleSec (Telekom) and Signtrust (Deutsche Post) are two other providers of the so-called "qualifying signature," for which a presumption of security applies under the Signature Act, which was revised in March 2001. As long as a higher authority is trusted, all certificates that depend on it are automatically classified as trustworthy.
Requesting a digital ID
Verisign offers the possibility to create digital IDs valid for 60 days free of charge. The following is an example of how to do this:
The following link will take you directly to the Verisign website: http://www.verisign.com/client/enrollment/index.html
0115 - VeriSign Personal Digital ID Enrollment
Click on the "Enroll now" button.
0116 - Step 1 VeriSign Complete Enrollment Form
Fill in the fields according to your requirements. DO NOT check the "Check this Box to Protect Your Private Key" box, or directmail will not be able to process the signature.
Click "Accept" to apply for the ID and click "OK" in the following window after checking the email address.
0117 - Step 2 VeriSign Complete Enrollment Form
Also answer "Yes" to the following window.
0118 - Possible Scripting Violation
After a few minutes, you will receive a confirmation email from Verisign with a link to activate the ID. Click on this link.
0119 - VeriSign Digital ID Pickup Instruction
After the Web page is displayed, enter your PIN and click Submit.
0120 - Step 3 Pickup Digital ID
Now you can install the digital ID on your computer by clicking "Install".
0121 - Step 4 Install Digital ID
Confirm the following messages by clicking on "Yes".
0122 - Possible scripting violation
Export of a public key
You need the exported public key to encrypt outgoing emails to a specific recipient.
Now export your public part of the digital ID to a file and send it to your directmail mailbox (example under MS Outlook 2000):
In Outlook, click on "Tools" - "Options" - "Security" and then on the "Import/Export Digital ID" button.
0123 - Import / export digital ID
Check the radio button "Export your digital ID to a file" and click on "Select".
0124 - Select certificate
Select your ID to be exported and click on "View Certificate".
0125 - Certificate Details
In the "Details" tab, click on "Copy to file".
0126 - Certificate Export Wizard
In the wizard, click on "Next".
0127 - Certificate Export Wizard Export Private Key
Select "No, do not export private key" and click "Next".
0128 - Certificate Export Wizard Export File Format
Select the first option "DER-encoded..." and click "Next".
0129 - Certificate Export Wizard export file name
Select a directory and a file name (with extension .cer) and click "Next".
0130 - Certificate Export Wizard Completing the Wizard
Complete the export by clicking on "Finish" and send the exported file as an attachment to a mail to your directmail mailbox. There you can import it as described later.
Export of a private key
You need the private key in directmail to be able to digitally sign e-mails.
Now export your public part of the digital ID to a file and send it to your directmail mailbox (example under MS Outlook 2000):
In Outlook, click on "Tools" - "Options" - "Security" and then on the button "Import/Export Digital ID".
0131 - Import/export digital ID
Check the radio button "Export digital ID to a file" and click on "Select".
0132 - Select certificate
Select your ID to be exported and click on "OK".
Now enter the path and name of the file you want to create, as well as the password associated with the key.
Then click on "OK", the key will now be exported to the specified directory.
Complete the export by clicking on "Finish" and send the exported file as an attachment to a mail to your directmail mailbox. There you can import it as described later.
Encryption procedure
To send encrypted e-mails, it is necessary to store the X.509 certificate (digital IDs) of the recipient in directmail. I.e. from each recipient to whom you want to send encrypted e-mails, you must first obtain the certificate and import it into directmail. Each certificate is always bound to one e-mail address. If you have recipients with several e-mail addresses per person, you may need several certificates per recipient.
You can integrate certificates into directmail using the following options.
Command WRKCER (Work with certificates)
With this command, one or more public certificates can be assigned to each e-mail address. The certificates are imported via IFS.
The directory '/Toolmaker/DirectMail400/certs/public' is the default directory. Certificates can thus be exported under Windows, for example, and imported into directmail.
0133 - Work with recipient certificates
Option
Description of the options
1=Export
With this selection you can export certificates to IFS directories.
2=Change
You can change details of the certificate with this selection.
0134 - Change certificate
Email address
If an administrator has requested certificates for multiple users with the same email address, you have the option here to adjust the address. The email address is used as a unique assignment of the certificate to a recipient.
Description
Text explanation for own use
Default
If this parameter is set to Yes, this certificate will be used when sending to the email address.
Valid values are:
Y This is the default certificate
N This is an alternative certificate (may be changed to the default certificate if the default certificate expires).
Mandatory
Here you can specify that e-mails to this address are always mandatorily encrypted, regardless of the settings made by the user or via AutoMail.
Valid values are:
J E-mails to this address will always be encrypted
N The settings made when sending the e-mail will be used.
4=Delete
With this selection you can delete a certificate.
5=Display
With this selection you can display the contents of the certificate on the screen.
0135 - Display spool file
11=Standard
With this selection you can convert an alternative certificate directly to the standard certificate.
F6=Create
This function key is used to create certificates in directmail. You can use it to import certificate files stored in IFS.
0136 - Create certificates
Use selection 1 to select the desired certificate to import.
0137 - Import certificate
Email Address
Enter the email address for the certificate to be imported.
Description
Enter the description for the certificate to import.
Default
The imported certificate can be set as the default.
Valid values are:
Y Set as default
N Should not be used as default.
Command IMPCER (Import Certificate)
This command can be used to import certificates directly from IFS into directmail. This corresponds to the function key F6 in the WRKCER command. The command IMPCER can be used especially if certificates are to be imported automatically via the mail inbox wizard.
0138 - Import certificate
X.509 certificate file
Enter path and name of the certificate file in IFS.
E-mail address
Here is the address with which this certificate should be linked. With the value *CERT the import process uses the e-mail address stored in the certificate.
Description
The text description of the certificate.
Default certificate
Here you define whether the certificate is the default, or an alternative certificate for the specified email address.
Valid values are:
*YES This is a standard certificate
*NO This is an alternative certificate
Force encryption
Use this to control whether an email to the specified email address should be encrypted under all circumstances.
Valid values are:
*Yes E-mails to this address will always be encrypted
*NO The settings used when sending the e-mail will be used.
Delete certificate file
Allows you to control whether or not the certificate file (.cer) should be physically deleted from IFS after import.
Valid values are:
*Yes The certificate file will be deleted after the import.
*NO The certificate file remains in the IFS.
Working with private certificates
Within the address book, certificates for a recipient can be edited/imported with the selection 18=Certificates.
0139 - Private certificates
Description of the selections
1=Export
With this selection you can export certificates to IFS directories.
2=Change
You can change the description of the certificate with this selection.
4=Delete
With this selection you can delete a certificate.
5=Display
With this selection you can display the contents of the certificate on the screen.
0140 - Show private certificates
11=Standard
With this selection you can convert an alternative certificate directly to the standard certificate.
F6=Create
This function key is used to create private certificates in directmail. Currently you can only create your own certificates; later it will also be possible to import certificates.
0142 - Create private certificate
With selection 1 you get to the capture of the certificate data.
0143 - Screen 1 Capture of certificate data
Name
Any name for managing the certificate.
Description
The text description of your certificate.
Name
This is the full name of the certificate. Please note that no special characters may be included here.
E-mail address
Enter the e-mail address belonging to the certificate here.
Password/Validation
Certificates are password protected. Enter the password for your certificate twice here.
0144 - Screenshot 2 Entering the certificate data
The creation of the private key may take some time depending on the performance of your IBM i.
Exporting certificate attachments
Every signed e-mail automatically contains the sender's certificate. This is added as an attachment to the e-mail. This way a certificate can be transferred to the certificate store of directmail by selecting 1=Export. For this purpose there is a new item "4. certificate" in the menu 1=Export. Certificates usually have the file extensions: .cer .der .p7m .p7s. Attachments with these extensions will be shown as certificate by directmail. (Selection 5=Display)
Note
directmail only imports detached signature certificates, i.e. the signature and the certificate are attached to the e-mail as a separate attachment.
0145 - Export a certificate
0146 - Import certificate
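The difference between a detached signature and the other S/MIME message forms can be read from the MIME headers. The following is an added example, not directmail code: it classifies a message and lists the attachments carrying the extensions named above. The sample messages are constructed, and `has_importable_certificate` is a hypothetical pre-check modelled on the note above.

```python
import email

CERT_EXTENSIONS = (".cer", ".der", ".p7m", ".p7s")  # extensions named above
SIGNATURE_TYPES = ("application/pkcs7-signature", "application/x-pkcs7-signature")
PKCS7_MIME_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")

def classify_smime(raw):
    """Classify a raw message by its top-level S/MIME structure."""
    msg = email.message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        protocol = str(msg.get_param("protocol", "")).lower()
        if protocol in SIGNATURE_TYPES:
            return "detached-signature"   # readable text part + separate .p7s part
    if ctype in PKCS7_MIME_TYPES:
        smime_type = str(msg.get_param("smime-type", "")).lower()
        if smime_type == "signed-data":
            return "opaque-signature"     # content wrapped inside the PKCS#7 data
        if smime_type == "enveloped-data":
            return "encrypted"
        return "unknown-pkcs7"
    return "plain"

def certificate_attachments(raw):
    """File names of all MIME parts carrying one of the certificate extensions."""
    msg = email.message_from_string(raw)
    names = [part.get_filename() or "" for part in msg.walk()]
    return [n for n in names if n.lower().endswith(CERT_EXTENSIONS)]

def has_importable_certificate(raw):
    """Hypothetical pre-check: only a detached signature qualifies for import."""
    return (classify_smime(raw) == "detached-signature"
            and bool(certificate_attachments(raw)))

# Constructed sample messages; "AAAA" is a placeholder for base64 PKCS#7 data.
def sample(content_type, body):
    return ("From: alice@example.com\nTo: bob@example.com\nMIME-Version: 1.0\n"
            f"Content-Type: {content_type}\n\n{body}")

DETACHED = sample(
    'multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"',
    "--b1\nContent-Type: text/plain\n\nhello\n"
    '--b1\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n'
    'Content-Disposition: attachment; filename="smime.p7s"\n'
    "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")
OPAQUE = sample('application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"',
                "AAAA\n")
ENCRYPTED = sample('application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"',
                   "AAAA\n")

if __name__ == "__main__":
    for label, raw in (("detached", DETACHED), ("opaque", OPAQUE), ("encrypted", ENCRYPTED)):
        print(label, classify_smime(raw), certificate_attachments(raw),
              has_importable_certificate(raw))
```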
Note about the certificate store under directmail:
Access key for certificates is the e-mail address of the recipient. Any number of certificates can be stored for each e-mail address. The default certificate is always used for encrypting the e-mail.
There are basically three possible values for the encryption parameter:
N = No -> The e-mail is sent unencrypted.
J = Yes -> The e-mail is sent encrypted only. If no certificate is available for a recipient, the e-mail will not be sent to this address. The e-mail then receives the status "WRN=Warning" and is placed in the error folder.
M = Possible -> The e-mail is sent encrypted if a certificate is available; if no certificate is available, the e-mail is sent unencrypted.
With selection 25 = Internet, you can display, for an e-mail, the recipients for which no certificate was available.
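The interaction of the encryption parameter, the default certificate and the "Mandatory" field can be modelled in a few lines. This is an added example, not directmail code. It assumes that the address lookup is case-insensitive, that "Mandatory" overrides N and M, and that an address without a default certificate counts as having no certificate. The names `Cert`, `plan_delivery` and `cleartext_recipients` are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Cert:
    description: str
    default: bool    # "Default" field: Y = default, N = alternative
    mandatory: bool  # "Mandatory" field: J = always encrypt to this address

def plan_delivery(param, recipients, store):
    """Decide per recipient: 'ENCRYPT', 'PLAIN' or 'WRN' (not sent, error folder).

    param -- encryption parameter of the e-mail: 'N', 'J' or 'M'
    store -- dict: lower-cased e-mail address -> list of Cert
    """
    if param not in ("N", "J", "M"):
        raise ValueError(f"unknown encryption parameter: {param!r}")
    plan = {}
    for rcpt in recipients:
        certs = store.get(rcpt.lower(), [])  # assumption: case-insensitive lookup
        # Only the default certificate is used for encryption.
        default = next((c for c in certs if c.default), None)
        forced = any(c.mandatory for c in certs)  # assumption: overrides N and M
        if param == "J" or forced:
            action = "ENCRYPT" if default else "WRN"
        elif param == "M":
            action = "ENCRYPT" if default else "PLAIN"
        else:
            action = "PLAIN"
        plan[rcpt] = (action, default.description if action == "ENCRYPT" else None)
    return plan

def cleartext_recipients(plan):
    """Recipients whose copy leaves in clear text, e.g. the fallback case of 'M'."""
    return sorted(r for r, (action, _) in plan.items() if action == "PLAIN")

# Constructed sample store and recipient list.
STORE = {
    "alice@example.com": [Cert("old", False, False), Cert("current", True, False)],
    "bob@example.com": [Cert("bob", True, True)],
}
RECIPIENTS = ["Alice@example.com", "bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    for param in ("N", "J", "M"):
        plan = plan_delivery(param, RECIPIENTS, STORE)
        print(param, plan, "clear text:", cleartext_recipients(plan))
```

With M, a recipient without a certificate receives the e-mail unencrypted and no warning status is set, so the list returned by `cleartext_recipients` is the part worth reviewing before sending.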
Digital signatures
directmail supports digital signatures when sending e-mails. To do this, a private certificate must first be assigned to a mailbox. This can be managed and created using option 18=certificate in the WRKMBX command. The certificates are stored password-protected in the path: /Toolmaker/directmail400/certs/private. Please make sure that you back up this directory.
In order to send signed emails, you need to set the flag for signing when you exit the editor or in the OPNEMLAPI command. The system checks if there is a private certificate for the selected mailbox.
A digital signature does not mean that the e-mail will be encrypted. It is only used to determine whether an e-mail has been modified.
Verification of a signed mail attachment
The verification is done online using the product SecSigner from the company Seccommerce at the following URL: http://www.seccommerce.de/de/produkte/webcontrust/secsigner/secsigner_demo_verify.html