Using PKI for Secure Email
Tutorial Overview. This tutorial will guide you through the
steps required to set up secure email using PKI and is broken down into
four sections. The first is a brief overview of PKI, the resources used,
and an explanation of why these applications were selected. The second
section covers the installation and configuration of Thunderbird,
including the configuration of both IMAP and POP accounts and the
installation of the two additional extensions required for POP accounts.
The third section covers the installation and configuration of both GPG
and Enigmail. The final section covers the creation and use of the
private and public key pair. This tutorial is used in
IS2771 Security in E-Commerce.
Public Key Infrastructure. This tutorial will cover the steps required
to install and configure selected software components to set up
Public Key Infrastructure (PKI) for use with email. The components
that are used will be described later, but first you need a basic
understanding of PKI and how it works.
PKI provides digital key and certificate management that enables
security between parties: it allows a person to be authenticated,
ownership of a document to be proven, or communication to take place
securely over a public medium. To accomplish this, PKI uses public key
algorithms, public and private keys, digital signatures, digital
certificates, and certificate authorities (CAs).
The public key algorithms are used to create a public and private key
pair and a digital certificate. Public and private keys are
corresponding keys, which means that data encrypted with the public
key can be decrypted with the private key and vice versa. PKI uses
these properties to provide confidentiality through encryption and
integrity through digital signatures. A digital signature is created by
combining the data to be signed with the sender's private key; the
recipient checks it by applying the corresponding computation to the
same data using the sender's public key. If the data is unaltered, the
two computations produce identical results.
A key pair is issued to each entity who wishes to use PKI. The private
key is kept strictly private while the public key is publicly
distributed. The public key can be distributed in a number of ways:
through a trusted third party acting as a key server, by email, or on
removable media. A digital certificate provides a cryptographic binding
between a public key and the individual to whom the public key belongs
and is issued by a CA. The certificate is made publicly available, allowing
others to obtain the public key and verify the ownership of that public
This tutorial uses four pieces of software that will allow you to
set up PKI for use with email. Each piece of software is described
briefly below, together with why it was chosen.
Mozilla Thunderbird. Thunderbird is an email client that acts as
a global inbox for one or more email accounts. Thunderbird comes
with built-in support for a number of email security measures, but by
default it does not include support for PKI. Because of Thunderbird's
high level of integration, however, PKI software is easy to install.
Thunderbird also supports IMAP and POP accounts, which allows those
who wish to use POP accounts to do so with the addition of two
extensions. Finally, Thunderbird was chosen because of its cost,
which is free.
GNU Privacy Guard. GPG is the open source alternative to PGP and
allows for the encryption and signing of data and communications. GPG is
also compliant with the OpenPGP standard, which implements the same
operating protocols and data formats as the original PGP created by Phil
Zimmermann. In the PKI architecture this application acts as the CA by
managing the certificates and key pairs.
Enigmail. Like the other applications used here, Enigmail is free.
Enigmail is the core of establishing PKI, as it is the software that
allows Thunderbird to access the authentication and encryption features
provided by GnuPG.
Windows Privacy Tray. WinPT is a graphical taskbar front-end for GnuPG with integrated key management.