UMKC Campus Computer Security Web

Configuring E-mail Encryption at UMKC

     UMKC offers limited support for e-mail and file encryption.  Before you are able to use either of these capabilities correctly, you will need to obtain a digital signing certificate from the UMKC Certificate Services server.  This certificate is good for one year, and must be replaced annually.  Some student labs may obtain the certificate for you automatically if you use a roaming profile.

     First, check whether you already have the certificate needed to perform encryption.  Follow these steps from Internet Explorer 6:

  1. Go to Tools -> Internet Options
  2. Go to the 'Content' tab
  3. Click on the 'Certificates' button
  4. Look for an entry issued to your e-mail display name that lists the issuer as 'University of Missouri - Kansas City Enterprise CA'
  5. Double-click on the entry, and make sure it lists 'Protects e-mail messages' under the intended purposes section.
  6. Close out all of the open dialog boxes.

     If you have a current certificate, you should be fine.  This should occur in most IS managed labs automatically if you have a roaming profile.

     If you do not have a certificate follow these steps:

  1. Go to the web site https://kc-issrv-ca1.kc.umkc.edu/certsrv and log on with your username in e-mail format (i.e. user@umkc.edu).
  2. Click on 'Request a certificate'
  3. Click on 'Create and submit a request to this CA'
  4. Under 'Certificate Template' select 'Recoverable User'.  Set the 'Key Size' to 2048.  Click 'Enable Strong Private Key Protection'.
  5. Leave the other settings at their defaults, and click 'Submit' at the bottom of the page.
  6. When prompted that the web site is trying to request a certificate on your behalf, click Yes.
  7. A window should pop up indicating that you can change the security level on your key.  Generally it is recommended that you use the level 'medium' or 'high'.  Medium just prompts for your permission before signing and encrypting.  High allows you to set a special password for encrypting and signing.  Click OK when you have the security level you want.
  8. After the key processing has occurred, you will get a web page with your certificate on it.  Click on this certificate file to complete the process.

     If you have Outlook 2003, you should follow these additional steps to publish your public key information.  (This ensures others at UMKC can send to you using 168-bit encryption instead of 56-bit encryption, and fixes a known issue with certificates in AD):

  1. Go to Tools -> Options
  2. Click on the 'Security' tab
  3. Click on the button for 'Publish to GAL' (short for Global Address List)

     Once you have a certificate key set, you should make sure you have a backup before encrypting anything.  Keep the backup file very safe.  UMKC IS can recover lost key sets issued from the UMKC Certificate Server, but only for a period of time, and this should not be considered a replacement for personal backups.  Theft of this file can result in someone else claiming your identity.  Report any suspected theft to abuse@umkc.edu ASAP.

     Here are the steps to back up your key set from Internet Explorer 6.0:

  1. Go to Tools -> Internet Options
  2. Go to the 'Content' tab
  3. Click on 'Certificates'
  4. Select your new or current certificate, and click 'Export'
  5. Click Next
  6. Select to export your private key, and click Next
  7. Select 'Include all certificates in the certification path if possible' and 'Enable strong protection', then click Next.
  8. Set a password that you will remember.  You may need this password 10 years from now to decrypt old items, so make sure it is both something very hard to guess, and something you can remember for a long time.  Never save this password with your key file.  Click Next.
  9. Select the file name and location to save to with a .PFX file extension, and click Next.
  10. Click Finish.
  11. Move the file from the temporary location to a secure location such as a USB key or a floppy disk.  (Make sure you never lose the item you copy the file to, and make sure it is a technology that will be readable in 3 to 5 years.  After 5 years you would probably copy it to a new device technology.)
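The certificate check and the key-set backup above can also be done from a PowerShell prompt.  This is an added example, not part of the UMKC page, and it assumes Windows PowerShell 5.1 or later with the PKI module, that the certificate is in the current user's Personal store, and that its private key was issued as exportable (as the export steps above require).

```powershell
# Added example (not from the UMKC page): find the S/MIME certificate that the
# steps above locate by hand in Internet Explorer, report when it expires, and
# export every key set with its private key to a password-protected .PFX file.
# Assumed: Windows PowerShell 5.1+, PKI module, exportable private key.

$IssuerName  = 'University of Missouri - Kansas City Enterprise CA'   # issuer named on the page
$SecureEmail = '1.3.6.1.5.5.7.3.4'   # EKU OID the UI shows as 'Protects e-mail messages'
$ExportDir   = Join-Path $env:USERPROFILE 'Desktop'                  # move the files off this machine afterwards

function Get-UmkcEmailCertificate {
    # Keep only certificates issued by the campus CA that carry the Secure Email EKU
    # and still have a private key, newest first (Outlook uses the newest one).
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.Issuer -like "*$IssuerName*" -and $_.HasPrivateKey -and
        (@($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }) -contains $SecureEmail)
    } | Sort-Object NotAfter -Descending
}

$certs = @(Get-UmkcEmailCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No UMKC e-mail certificate found; request one from the Certificate Services server first.'
    return
}

# Certificates are good for one year, so warn when the current one is close to renewal.
$current  = $certs[0]
$daysLeft = [int]($current.NotAfter - (Get-Date)).TotalDays
Write-Host ('Current certificate: {0}  expires {1:d} ({2} days left)' -f $current.Subject, $current.NotAfter, $daysLeft)
if ($daysLeft -lt 30) { Write-Warning 'Certificate expires within 30 days; request a new key set.' }

# Export every key set, not only the current one: old sets are still needed to read old mail.
$password = Read-Host -Prompt 'PFX password (never store it with the file)' -AsSecureString
foreach ($cert in $certs) {
    $path = Join-Path $ExportDir ('umkc-email-key-' + $cert.Thumbprint.Substring(0, 8) + '.pfx')
    # BuildChain mirrors 'Include all certificates in the certification path if possible'.
    Export-PfxCertificate -Cert $cert -FilePath $path -Password $password -ChainOption BuildChain | Out-Null
    Write-Host "Exported $($cert.Thumbprint) to $path"
}
```

If the key was requested with 'Enable Strong Private Key Protection', Windows will still show its own permission prompt (or ask for the key password) during the export.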

     Never lose your old certificate sets.  You will need them many years from now to decrypt old emails and files that have been encrypted using your certificate key sets.  Since you need a new set each year, it is likely you will always have multiple old certificate key sets on your machine.

     If your user account is ever compromised, alert abuse@umkc.edu immediately, so that your certificates can be marked as invalid on the Certificate Server.  This will help prevent some identity theft to an extent.

     When encrypting email messages, you will need both your own certificate key set, and you must also have the public key of the person you are sending to.  If you are sending to another person at UMKC, and they have obtained their keys, Outlook 2003 and Outlook Web Access will automatically pull their public key information from Active Directory.  If you are unable to send an encrypted email to a UMKC user, they likely do not have a public key, and they need to use the above certificate request steps to get their key set.

     If you are sending encrypted email to someone outside of UMKC, you must have a copy of their public key.  You can do this by having them send you a 'signed' but not 'encrypted' email.  When you get the signed message, open the message, right-click on the 'From' address, and select 'Add to Outlook Contacts'.  This will create a contact item with the certificate on the 'Certificates' tab.  Click save on the contact.  (This must be done from Outlook 2002 or Outlook 2003.  This will not work on Outlook Web Access.)

     Once you have determined you have your own certificate, and the public key of the intended recipient, you can compose your encrypted email message.

For Outlook 2003:

  1. Open your new email message, and address it as usual.
  2. Click on the 'Options' button on the tool bar.
  3. Click on the 'Security Settings' button.
  4. Turn on 'Encrypt message contents' and also 'Add digital signature'.  Optionally select 'Send this message as clear text signed' and 'Request S/MIME receipt for this message'.
  5. Click OK and then Close to close out the two dialog boxes.
  6. Finish your email and click send.
  7. Approve the use of your private key for encrypting the message.

The steps to send just a signed message are the same, only on step 4 do not select to encrypt the message.

For Outlook Web Access 2003:

  1. The first time you want to start using encryption, you must set up the S/MIME plugin.  Do that by visiting this website:  https://e2k.exchange.umkc.edu/exchange/?cmd=options
  2. Scroll down to the section named 'E-mail Security' and click 'Download' to install the S/MIME plugin
  3. Click Save and Close to close the window.  Then restart Outlook Web Access.
  4. Click to create a new message, and address it as normal.
  5. If you want to encrypt a message, click on the envelope icon with a blue lock.  If you want to sign the message, click on the envelope icon with a red badge.  (Always sign emails that you encrypt.)
  6. Compose your message as normal and click send.

     When using either program for encryption, if you do not have the public key of the person you are trying to send to, you will get an error.  If they are a UMKC person, make sure they have obtained their certificate key set.  If they are outside of UMKC, make sure you have used Outlook 2003 (not web access) to add their public key to their contact item in Outlook.

     You can send yourself encrypted messages as needed.  This is useful for protecting confidential information that you still need to be able to get to.

     When viewing encrypted messages in Outlook 2003 in full message view, you can click on the blue lock icon to see the encryption settings.  When viewing, select the line 'Encryption Layer' to see what level of encryption was used.  It should always say it is using 168-bit encryption.

     If your encryption is not at 168-bit on a message you sent, and the user you sent to is at UMKC, they may need to go to the steps above to publish their certificate into Active Directory using Outlook 2003.

     If you receive a message from a UMKC user and it is not at 168-bit encryption, you may need to re-publish your certificate in Active Directory using Outlook 2003 as listed above.

     For any emails to/from people off campus that are not encrypted at 168-bit, you and the recipient may need to re-exchange signed emails and re-create your contact items for each other.

     UMKC generated certificates are compatible with AOL Instant Messenger encryption.  You will need to import your certificate into AOL-IM, then you should be ready to communicate with other AOL-IM users who are set up for encryption.

     UMKC Windows Messenger Service is encrypted between yourself and the server without the need for a certificate on your end.  MSN Messenger is not encrypted, and cannot currently be encrypted.

     If you notice any items in this document needing changes, updates, etc., please email Justin Malyn at malynj@umkc.edu