CA Certificate Application One: When Outlook sends a message, it adds a digital signature to the message

CA certificates are widely used in digital signatures, and because Windows supports RSA algorithms well, many third-party applications under the Windows platform support the application of cryptography for RSA algorithm certificates. Recently, the opportunity to take advantage of project summary, especially in Windows under the common CA Certificate digital signature application. The program is divided into three blog posts, each of the following three aspects of digital signature applications:

1. Add a digital signature to Outlook messages

2. Make PDF document with digital signature

3. Add a digital signature to the Word/excel document

First, make it clear that a digital signature made with a CA certificate differs from our usual personality signature. The digital signature applies the cryptography technology, which makes the content of the signature non-modifiable and falsified, thus guaranteeing the security of the content in the process of storage and transmission.

First, start with Outlook. When we use Outlook to send and receive mail, we usually do not add a digital signature. The main is that our usual mail content security requirements are not high, or mail sending and receiving environment is relatively safe. Message security, mainly refers to two points:

1, the Mail sender is real, not an imposter;

2, the content of the message is complete, has not been tampered with.

Why to prevent 1th? Very simple, for example, the company's boss every month to send an e-mail to the company's finances, how much money transferred to a dedicated account. If one day, a company employee (assuming there is such a person), using the company's management loopholes, to get the company's boss email password (This is actually very easy, the company it can reset all the employee's mailbox password). The employee then used the company's CEO's email address to send a letter to the finance that the month's money hit the XXXXXX account (in fact his own account). On the other hand, after the financial received the mail, see is Mister Mailbox account issued, no doubt on the money hit! It's not safe, is it?

The 2nd is relatively small, because unless someone can receive a packet on the mail server, and then tamper with the packet, the message recipient will see the mail content inconsistent with the original message. This kind of tampering requires a bit of technology, and now the mail server has good precautions, but can not rule out the possibility.

Then, if you add a digital signature to the message, the above two security risks can be completely avoided.

For the first case, if the company bosses and financial conventions, Mister's mail is digitally signed. Then other people want to forge the boss of the Mail, in addition to the need to get the mail password, but also to obtain the boss's certificate, and the certificate is generally saved by Usbkey, use the certificate signed when you need to enter the Usbkey password. That is to say that the person also need to steal Mister Usbkey, and know the password, can imagine almost impossible, unless the boss himself in the custody of poor.

The second case is simpler, because if the message recipient receives the message when the message is tampered with, Outlook verifies that the signature failed, prompting the message to be untrusted.

Having said so many theories, here's how to add a digital signature when you use Outlook to send a message.

I. Owning a CA certificate

First, you have to have a CA certificate that belongs to you. Generally through the CA Center application, in the form of Usbkey issued. It is important to note that some key items must be correct when applying for the certificate. Like what:

1. The message field in the certificate consumer must be the same as the Outlook mailbox account. This means that your Outlook mailbox can only use your own certificate to prevent misappropriation. As shown in the following:

The user's email address and Outlook mailbox account are: [email protected]

2. The certificate purpose must be "digital signature", and the enhanced use must function "secure e-mail" type, as shown in:

3. Import the certificate into the system (insert Usbkey)

In the case of a Usbkey user, the general client will automatically install the certificate from key to the system when the key is connected to the system, so no special action is required. In the case of a software-implemented CA certificate (such as through a Microsoft CSP), you will need to install the certificate file to the system, which can be done through the function buttons on the Windows Certificate View dialog box.

Ii. editing the contents of a message

Edit the contents of the message body as usual. Such as:

For testing convenience, the message is sent to me.

Iii. Select a signing certificate

After the message is written, before sending, add a digital signature, the following steps:

1. Through the tagging toolbar, open the Properties dialog box, and on the dialog, click on the "Security Settings" button as shown in:

2. Open the Security Properties dialog box

On the Security Properties dialog box, tick add a digital signature for this message and send a message in clear text, and then click Change Settings after the security setting type, such as:

Note: The message encryption option, which is a more advanced application of the CA certificate, is not covered in this article.

3. Select Certificate

On the Change Security Settings dialog box, tick "Send certificate with signed message" (because a certificate is required to verify the signature, and the recipient's computer may not have your certificate), then click the "Select" button. Such as:

The certificates that are already present in the system (the current user) are listed, and the certificates that you want to use are selected. In this case, there is only one certificate, so you can choose directly.

Then, click OK one by one until you close all the dialog boxes and back to the main interface of the Mail editor.

Iv. sending mail

After doing the setup work, you can click the Send button as usual to send the message. However, Outlook may have a processing time when the Send button is clicked, because Outlook uses Usbkey to perform signature operations on the contents of the message, and the message content is generally slower and more often. In this process, you need to enter the Usbkey password, as shown in:

If the password is entered successfully, then the message will be sent out successfully!

V. Acceptance of mail

Below, we act as a message recipient to see how to verify a digitally signed message.

First, when we receive this message, Outlook displays a signed token on the message header. While Outlook displays the signature being checked, Outlook is actually using the Mail sender's certificate and Microsoft's CSP to do cryptographic operations and verify the correctness of the signature. As shown in the following:

When the signature verification succeeds, Outlook displays the signer of the message (the email address in the certificate) as shown in:

According to the signer can determine whether the source of the message is reliable (corresponding to the above-mentioned security risks 1). Of course, if the message is tampered with during transmission, Outlook prompts the "signature is not trusted" prompt (corresponding to the security implications described earlier in 2).

In summary, the message with a digital signature, to ensure the authenticity and integrity of the message content. At the same time, using Outlook and RSA certificate, the entire signature verification process is completed by the system, for the user just choose their own certificate, easy to use.

Next announcement: Make a PDF document with a digital signature.

Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

CA Certificate Application One: When Outlook sends a message, it adds a digital signature to the message