E-Learning Computer Security :: University of Pittsburgh


Using PKI for Secure Email

Tutorial Overview. This tutorial will guide you through the steps required to set up secure email using PKI and is broken down into four sections. The first is a brief overview of PKI, the resources used, and an explanation of why these applications were selected. The second section covers the installation and configuration of Thunderbird, for both IMAP and POP accounts, including the installation of the two additional extensions required for POP accounts. The third section covers the installation and configuration of both GPG and Enigmail. The final section covers the creation and use of the private and public key pair. This tutorial is used in IS2771 Security in E-Commerce.

Public Key Infrastructure. This tutorial will cover the steps required to install and configure selected software components to set up Public Key Infrastructure (PKI) for use with email. The components that are used will be described later, but first you must have a basic understanding of PKI and how it works.

PKI provides digital key and certificate management that enables security between parties: it allows you to authenticate a person, prove ownership of a document, or communicate securely over a public communication medium. To accomplish this, PKI uses public key algorithms, public and private keys, digital signatures, digital certificates, and certificate authorities (CAs).

The public key algorithms are used to create a public and private key pair and a digital certificate. Public and private keys are corresponding keys, which means that if data is encrypted with the public key it can be decrypted with the private key, and vice versa. PKI uses these concepts to provide confidentiality through encryption and integrity through digital signatures. A digital signature is created by combining the data to be signed with the private key; the recipient checks it by applying the corresponding computation to the same data using the matching public key. If the data is unaltered, the two computations produce identical results.
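As an added illustration of the sign/verify and encrypt/decrypt relationship described above (this is example code, not part of the original tutorial and not how GnuPG itself is implemented), the following uses a textbook RSA key pair built from constructed tiny primes. Real keys are 2048 bits or more and use padding; the point here is only to show that the public key undoes what the private key did, and that altering the data breaks the match.

```python
import hashlib

# Constructed textbook RSA key pair (toy primes, illustration only;
# real-world keys are 2048+ bits and never generated this way).
P, Q = 61, 53
N = P * Q                 # 3233: the public modulus shared by both keys
PHI = (P - 1) * (Q - 1)   # 3120
E = 17                    # public exponent
D = pow(E, -1, PHI)       # private exponent: 2753, the inverse of E mod PHI
PUBLIC_KEY = (E, N)       # distributed freely (key server, email, media)
PRIVATE_KEY = (D, N)      # kept strictly private by its owner


def digest(message: bytes) -> int:
    """Hash the message, then reduce it so it fits under the tiny modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key: tuple) -> int:
    """Signer combines the message digest with the PRIVATE key."""
    d, n = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Recipient applies the corresponding computation with the PUBLIC key.
    The result matches the recipient's own digest only if the message
    (and the signature) are unaltered."""
    e, n = public_key
    return pow(signature, e, n) == digest(message)


def encrypt(plaintext: bytes, public_key: tuple) -> list:
    """Anyone can encrypt with the PUBLIC key (one toy block per byte)."""
    e, n = public_key
    return [pow(b, e, n) for b in plaintext]


def decrypt(ciphertext: list, private_key: tuple) -> bytes:
    """Only the holder of the PRIVATE key can recover the plaintext."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


if __name__ == "__main__":
    msg = b"Meeting moved to 3pm"            # constructed sample message
    sig = sign(msg, PRIVATE_KEY)
    print("signature valid:", verify(msg, sig, PUBLIC_KEY))
    print("tampered valid: ", verify(b"Meeting moved to 4pm", sig, PUBLIC_KEY))
    print("round trip:     ", decrypt(encrypt(msg, PUBLIC_KEY), PRIVATE_KEY))
```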

A key pair is issued to each entity who wishes to use PKI. The private key is kept strictly private, while the public key is publicly distributed. The public key can be distributed in a number of ways: through a trusted third party acting as a key server, by email, or on removable media. A digital certificate provides a cryptographic binding between a public key and the individual to whom that public key belongs, and is issued by a CA. The certificate is made publicly available, allowing others to obtain the public key and verify its ownership.

This tutorial will use four pieces of software that will allow you to set up PKI for use with email. Each piece of software is explained below, with a brief description of what it does and why it was chosen.

Mozilla Thunderbird. Thunderbird is an email client that acts as a global inbox for one or multiple email accounts. Thunderbird comes with built-in support for a number of email security measures, but by default it does not include support for PKI. Thunderbird's high level of integration, however, allows for easy installation of PKI software. Thunderbird also supports IMAP and POP accounts; those who wish to access POP accounts can do so with the addition of two extensions. Finally, Thunderbird was chosen because of its cost, which is free.

GNU Privacy Guard. GPG is the open source alternative to PGP and allows for the encryption and signing of data and communications. GPG is also compliant with the OpenPGP standard, which implements the same operating protocols and data formats as the original PGP created by Phil Zimmermann. In the PKI architecture this application acts as the CA by managing the certificates and key pairs.

Enigmail. Like the other applications chosen here, Enigmail is free. Enigmail is the core component in establishing PKI, for it is the software that allows Thunderbird to access the authentication and encryption features provided by GnuPG.

Windows Privacy Tray. WinPT is a graphical taskbar front-end for GnuPG with integrated key management.