From: Nick on 15 Apr 2010 14:15

I have a co-worker whose email encryption stopped working about three weeks ago and I can't figure out why. I have tried deleting and reloading his certificate from our CA (we have our own CA for the company, so certificates are generated by the server). I was able to get it to where he could send encrypted emails again, but he still can't receive them. Any time he tries to open one he gets the error "Your digital ID name cannot be found by the underlying security system". I downloaded Cryptigo p7mviewer to see what it said the issue was, and when I moved the email from Outlook to p7mviewer it said that the problem was that my private key was not available. The way I understand it, he should not have or need my private key to open the email. I went through and checked to make sure that I had his certificate trusted and that he had mine, and we both did. I verified the serial number on his to make sure it wasn't an old copy he had deleted. What I need to know is why his Outlook is looking for my private key to decrypt the email when Outlook should have used his public key.

Thanks in advance for any help

-Nick
From: Brian Tillman [MVP-Outlook] on 15 Apr 2010 14:45

"Nick" <Nick(a)discussions.microsoft.com> wrote in message news:4CBFF2C3-C50A-448B-824E-60AE05536E6D(a)microsoft.com...

> I have a co-worker whose email encryption stopped working about three
> weeks ago and I can't figure out why. I have tried deleting and reloading his
> certificate from our CA (we have our own CA for the company, so certificates
> are generated by the server). I was able to get it to where he could send
> encrypted emails again, but he still can't receive them. Any time he tries to
> open one he gets the error "Your digital ID name cannot be found by the
> underlying security system". I downloaded Cryptigo p7mviewer to see what it
> said the issue was, and when I moved the email from Outlook to p7mviewer it
> said that the problem was that my private key was not available. The way I
> understand it, he should not have or need my private key to open the email.

He doesn't need your private key; he needs his, or you need yours. When you try to open the encrypted message, the underlying crypto subsystem expects that the person opening the message has the private key matching the public key used to encrypt the message.

> I went through and checked to make sure that I had his certificate trusted
> and that he had mine, and we both did. I verified the serial number on his to
> make sure it wasn't an old copy he had deleted. What I need to know is why
> his Outlook is looking for my private key to decrypt the email when Outlook
> should have used his public key.

No, Outlook uses the recipient's _private_ key to decrypt the message. The recipient's public key is used by the sender to encrypt the message.

It sounds to me like the sender has a public key for a revoked certificate, and if you say that you deleted his cert and reissued another from the PKI server, then it's likely that is the case. When a new cert is issued to someone, that person must send the new public key to his potential senders so they can use the correct public key to encrypt.

--
Brian Tillman [MVP-Outlook]
From: Nick on 15 Apr 2010 15:42

"Brian Tillman [MVP-Outlook]" wrote:

> "Nick" <Nick(a)discussions.microsoft.com> wrote in message
> news:4CBFF2C3-C50A-448B-824E-60AE05536E6D(a)microsoft.com...
>
> > I have a co-worker whose email encryption stopped working about three
> > weeks ago and I can't figure out why. I have tried deleting and reloading his
> > certificate from our CA (we have our own CA for the company, so certificates
> > are generated by the server). I was able to get it to where he could send
> > encrypted emails again, but he still can't receive them. Any time he tries to
> > open one he gets the error "Your digital ID name cannot be found by the
> > underlying security system". I downloaded Cryptigo p7mviewer to see what it
> > said the issue was, and when I moved the email from Outlook to p7mviewer it
> > said that the problem was that my private key was not available. The way I
> > understand it, he should not have or need my private key to open the email.
>
> He doesn't need your private key; he needs his, or you need yours. When you
> try to open the encrypted message, the underlying crypto subsystem expects
> that the person opening the message has the private key matching the public
> key used to encrypt the message.
>
> > I went through and checked to make sure that I had his certificate trusted
> > and that he had mine, and we both did. I verified the serial number on his to
> > make sure it wasn't an old copy he had deleted. What I need to know is why
> > his Outlook is looking for my private key to decrypt the email when Outlook
> > should have used his public key.
>
> No, Outlook uses the recipient's _private_ key to decrypt the message. The
> recipient's public key is used by the sender to encrypt the message.
>
> It sounds to me like the sender has a public key for a revoked certificate, and
> if you say that you deleted his cert and reissued another from the PKI
> server, then it's likely that is the case. When a new cert is issued to
> someone, that person must send the new public key to his potential senders so
> they can use the correct public key to encrypt.
> --
> Brian Tillman [MVP-Outlook]

I sent his new key to myself when I issued it, so I know that it is the correct one. We both have each other's most current public key, and he can send them to me with no problem. What I don't get is why the program I used to diagnose the issue is saying that it is looking for my private key as opposed to his private key when I send him an encrypted email.

-Nick
From: VanguardLH on 15 Apr 2010 16:54

Nick wrote:

> I have a co-worker whose email encryption stopped working about three
> weeks ago and I can't figure out why. I have tried deleting and reloading
> his certificate from our CA (we have our own CA for the company, so
> certificates are generated by the server). I was able to get it to where
> he could send encrypted emails again, but he still can't receive them. Any
> time he tries to open one he gets the error "Your digital ID name cannot
> be found by the underlying security system". I downloaded Cryptigo
> p7mviewer to see what it said the issue was, and when I moved the email
> from Outlook to p7mviewer it said that the problem was that my private key
> was not available. The way I understand it, he should not have or need my
> private key to open the email. I went through and checked to make sure
> that I had his certificate trusted and that he had mine, and we both did.
> I verified the serial number on his to make sure it wasn't an old copy he
> had deleted.

His certificate has nothing to do with him *sending* encrypted emails. The sender must have the public key from the e-mail cert for the *recipient*.

You digitally sign an e-mail. That puts the public key into your e-mail. You send that digitally signed e-mail to someone from whom you want to *receive* encrypted e-mails (i.e., you getting their encrypted e-mails is by you sending an invite to do so by giving them your public key). They use YOUR public key to encrypt THEIR e-mail. You get their encrypted e-mail and decrypt it using your private key that only you have.

So for your user to send encrypted e-mails means they must get the public key for the e-mail cert from the person to whom they want to send those encrypted e-mails. If the user is just entering the recipient's e-mail address in the To/Cc/Bcc fields, then they are not sending an encrypted e-mail. They have to use the record they saved in their contacts list for the recipient when they saved that recipient into their contacts list. The contact record has the public key for the recipient saved in it. When this user gets a digitally signed e-mail from the other party, they have to save that other party as a record in their contacts list. That also records the other party's public key. Later, when this user wants to send an encrypted e-mail to that other party, they must use the contact record that they saved previously, which contains the public key for that other party.

> What I need to know is why his Outlook is looking for my private key to
> decrypt the email when Outlook should have used his public key.

Wrong. He uses YOUR public key (that he must've saved previously) to encrypt HIS e-mail. You use YOUR private key to decrypt that e-mail. He never got your private key. Only you have the private key. He doesn't use his public key to encrypt. He uses his public key to digitally sign his e-mail, and then YOU can use his public key to encrypt e-mails that you send to him (and then he uses his private key, that only he has, to decrypt it).

You got some of the X.509 certificate handling right but got it reversed as to whose public key gets used to encrypt the e-mail. For this user to send you an encrypted e-mail, they need YOUR public key to encrypt their e-mail, and then you use YOUR private key to decrypt it. My guess is that this user either did not save your digital key (the public key) as a contact record, or they are manually entering your e-mail address (or using the cached copy from the .nk2 cache file), which doesn't use the saved contact record at all.

They need to get a digitally signed e-mail from you. It must contain whatever is your current public key for your e-mail cert. If you change your e-mail cert, you'll have to send them another digitally signed e-mail with your new public key. From that digitally signed e-mail, they must save you as a contact record. When they want to use your public key to encrypt their e-mail sent to you, they MUST use the contact record where they saved your digital key. Manually entering the e-mail address or pulling it out of the cached list (.nk2 file) will NOT use the contact record where your public key is recorded.

If you changed to a newer e-mail cert, send another digitally signed e-mail to the other party and have them replace their current contact record so the new contact has your new public key. They must use that contact record when they select you as a recipient for their e-mail so it gets encrypted using your public key stored in that contact record. They will also have to manually elect to encrypt their e-mail (using your public key) before they send it, or enable the option to always encrypt their outgoing e-mails (for those where the public key is available in the contact records for those recipients).

Your certificate:

- Public key. You give this to OTHERS by digitally signing your e-mails. THEY use your public key to encrypt THEIR e-mails they send to you.
- Private key. Only you have this. Others encrypt their e-mails using your public key that they got in your digitally signed e-mails. Anyone else that intercepts a copy cannot decrypt, even those that also have your public key. Only YOU have the private key to decrypt the e-mail.
From: VanguardLH on 15 Apr 2010 17:27
Nick wrote:

> "Brian Tillman [MVP-Outlook]" wrote:
>
>> "Nick" <Nick(a)discussions.microsoft.com> wrote in message
>> news:4CBFF2C3-C50A-448B-824E-60AE05536E6D(a)microsoft.com...
>>
>>> I have a co-worker whose email encryption stopped working about three
>>> weeks ago and I can't figure out why. I have tried deleting and reloading his
>>> certificate from our CA (we have our own CA for the company, so certificates
>>> are generated by the server). I was able to get it to where he could send
>>> encrypted emails again, but he still can't receive them. Any time he tries to
>>> open one he gets the error "Your digital ID name cannot be found by the
>>> underlying security system". I downloaded Cryptigo p7mviewer to see what it
>>> said the issue was, and when I moved the email from Outlook to p7mviewer it
>>> said that the problem was that my private key was not available. The way I
>>> understand it, he should not have or need my private key to open the email.
>>
>> He doesn't need your private key; he needs his, or you need yours. When you
>> try to open the encrypted message, the underlying crypto subsystem expects
>> that the person opening the message has the private key matching the public
>> key used to encrypt the message.
>>
>>> I went through and checked to make sure that I had his certificate trusted
>>> and that he had mine, and we both did. I verified the serial number on his to
>>> make sure it wasn't an old copy he had deleted. What I need to know is why
>>> his Outlook is looking for my private key to decrypt the email when Outlook
>>> should have used his public key.
>>
>> No, Outlook uses the recipient's _private_ key to decrypt the message. The
>> recipient's public key is used by the sender to encrypt the message.
>>
>> It sounds to me like the sender has a public key for a revoked certificate, and
>> if you say that you deleted his cert and reissued another from the PKI
>> server, then it's likely that is the case. When a new cert is issued to
>> someone, that person must send the new public key to his potential senders so
>> they can use the correct public key to encrypt.
>> --
>> Brian Tillman [MVP-Outlook]
>
> I sent his new key to myself when I issued it, so I know that it is the
> correct one. We both have each other's most current public key, and he can
> send them to me with no problem. What I don't get is why the program I used
> to diagnose the issue is saying that it is looking for my private key as
> opposed to his private key when I send him an encrypted email.
>
> -Nick

Huh? Why would you issue HIS certificate to YOUR host (for use by YOUR e-mail client)? You can't use his e-mail cert. You don't have an e-mail account with the correct e-mail addresses encoded within that cert. You MUST send encrypted e-mails using the account encoded within the cert. You can't save a cert for an e-mail account that you can't use.

When you issue yourself a cert, you save it in your host's cert repository. It has the e-mail address that you specified when you requested the cert. That e-mail address must match the e-mail account that you use to send a digitally signed e-mail. Outlook will not let you use a cert that has, say, someone(a)otherdomain.com when you are sending it through an account whose e-mail address is me(a)domain.com. You don't need and cannot use the other person's cert. You need to use YOUR cert to digitally sign your e-mails, and it must match the e-mail address for the account through which you send your digitally signed e-mails (so as to give your public key to the recipient).

The only way [that I know of how] to "send his new key to yourself" would be for you to import HIS cert into HIS host and use HIS e-mail client to digitally sign HIS e-mail that HE sends to you (and you then save as a contact to record HIS public key for use by YOUR e-mail client). You would then need to use that contact record where HIS public key got stored when you wanted to send him an encrypted e-mail.

"The program to diagnose the issue". We are supposed to know what that program was that you never identified?

"looking ... for his private key when I send him an encrypted e-mail". Wrong! You need to use his PUBLIC key when you send him an encrypted e-mail.

For him to send you an encrypted e-mail:

- Did you import YOUR e-mail cert into YOUR host? That gives you:
  o The public key that you need to digitally sign your e-mails.
    * HE needs your *public* key to encrypt HIS e-mails sent to you.
  o The private key that **ONLY** you have.
    * You will use your private key to decrypt e-mails sent to you that were encrypted with your public key.
    * Lots of users may have your public key, especially if you opt to always digitally sign your outbound e-mails. None of them can decrypt an e-mail that was encrypted using your public key. Only you have your private key usable for decryption.
- Did he get a digitally signed e-mail from you?
  o That gives him YOUR public key.
    * He MUST save you in a contact record. That stores your public key in that contact record, which he will use to send you encrypted e-mails.
  o He will need to use YOUR public key to encrypt HIS e-mails sent to you.
  o He must use the contact record where your public key got saved when he wants to encrypt his e-mails sent to you.
    * He must NOT manually enter your e-mail address.
    * He must NOT use a cached entry (from the .nk2 file) for your e-mail address from his nickname cache. That is a cache of his *manual* entries. No contact record is involved with [cached] manual entries.
    * He MUST use the contact record to specify you as the recipient, since that is where your public key got stored. Your public key stored in his contact record used to specify you as the recipient is how he can encrypt e-mails that he sends to you.

For him to send you an encrypted e-mail, he doesn't even need his own e-mail certificate. He could be completely nude of any certificates for himself. Whether he can encrypt e-mails to you depends solely on whether or not you gave him your public key. He doesn't need any certificate to send you an encrypted e-mail. He only needs YOUR public key from YOUR e-mail cert that YOU previously gave him through a digitally signed e-mail. His own e-mail cert, if he even has one, is NOT involved in sending you an encrypted e-mail. You getting encrypted e-mails is all about YOUR e-mail cert: they use YOUR public key to encrypt and you use YOUR private key to decrypt.
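Added illustration (not code from the thread, from Outlook, or from p7mviewer): the Python below models the key roles that both replies describe. The sender encrypts with the recipient's public key taken from a saved contact record; the recipient decrypts with the private key that matches the certificate serial the message names; the sender's own private key never enters into it. It also replays Brian's reissued-certificate hypothesis: after the co-worker's certificate is deleted and reissued, a sender whose contact still carries the old public key produces messages that name a serial the recipient no longer holds a private key for, which is the situation a "digital ID cannot be found" style error reports, and a fresh signed mail saved over the old contact clears it. Textbook RSA, the SHA-256 keystream, the serial-number lookup, the Mailbox and contact structures and the example addresses are all assumptions made for the example, standing in for real CMS/AES and a real certificate store.

```python
"""Toy model of S/MIME-style mail encryption: who needs which key, and why a
reissued recipient certificate breaks decryption. Constructed example; textbook
RSA plus a SHA-256 keystream stand in for CMS/AES, the serial lookup for RecipientInfo."""
import hashlib, hmac, itertools, random, secrets
from collections import namedtuple

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (toy key generation only)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top and low bit
        if _is_probable_prime(c):
            return c

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)); key size is far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime, so gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

# serial: the name by which an encrypted message refers to the key it was wrapped to
Certificate = namedtuple("Certificate", "email serial public_key")

class Mailbox:
    """One user's client. identities: serial -> (Certificate, private_key), held only
    by this user. contacts: email -> Certificate, public keys saved from signed mail."""
    def __init__(self, email):
        self.email, self.identities, self.contacts = email, {}, {}
    def current_cert(self):   # what this user's next digitally signed e-mail would carry
        return self.identities[max(self.identities)][0]

_SERIALS = itertools.count(1000)   # the toy CA: every issue gets a new serial number

def issue_cert(mailbox):
    """CA issues a fresh cert and private key into the user's own store."""
    pub, priv = generate_keypair()
    cert = Certificate(mailbox.email, next(_SERIALS), pub)
    mailbox.identities[cert.serial] = (cert, priv)
    return cert

def _keystream(key, length):
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_message(sender, recipient_email, plaintext):
    """Sender side: needs only the RECIPIENT's public key, from a saved contact."""
    cert = sender.contacts[recipient_email]
    n, e = cert.public_key
    cek = secrets.token_bytes(32)                      # content-encryption key
    wrapped = pow(int.from_bytes(cek, "big"), e, n)    # toy RSA wrap, no padding
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(cek, len(plaintext))))
    return {"recipient_serial": cert.serial, "wrapped_key": wrapped, "body": body}

def decrypt_message(recipient, msg):
    """Recipient side: needs the PRIVATE key matching the serial the message names.
    Returns None when that key is absent (the 'digital ID cannot be found' case)."""
    entry = recipient.identities.get(msg["recipient_serial"])
    if entry is None:
        return None
    n, d = entry[1]
    cek = pow(msg["wrapped_key"], d, n).to_bytes(32, "big")
    return bytes(a ^ b for a, b in zip(msg["body"], _keystream(cek, len(msg["body"]))))

def run_scenario():
    """Replay the thread: working exchange, reissued cert, stale contact, fix."""
    nick, coworker = Mailbox("nick@example.com"), Mailbox("coworker@example.com")
    issue_cert(nick)
    old = issue_cert(coworker)
    # Each side sends a signed mail; the other saves the cert in a contact record.
    nick.contacts[coworker.email] = coworker.current_cert()
    coworker.contacts[nick.email] = nick.current_cert()
    msg = encrypt_message(nick, coworker.email, b"hello")
    works = decrypt_message(coworker, msg)
    # The sender's own private key is irrelevant: Nick cannot open this mail.
    sender_cannot_open = decrypt_message(nick, msg) is None
    # Cert deleted and reissued; Nick's contact still holds the OLD public key, so
    # his messages name a serial the co-worker no longer has a private key for.
    del coworker.identities[old.serial]
    issue_cert(coworker)
    stale_fails = decrypt_message(coworker, encrypt_message(nick, coworker.email, b"x")) is None
    # Fix: the co-worker sends a new signed mail and Nick replaces the contact record.
    nick.contacts[coworker.email] = coworker.current_cert()
    fixed = decrypt_message(coworker, encrypt_message(nick, coworker.email, b"again"))
    return works, sender_cannot_open, stale_fails, fixed
```

Running `run_scenario()` returns `(b"hello", True, True, b"again")`: the first exchange works, the sender cannot open his own outgoing mail, the stale contact produces undecryptable mail after the reissue, and updating the contact fixes it. The point worth taking from the model is that the error is raised on the recipient's side by a lookup that fails, not by the sender's private key being involved anywhere.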