Securing messages in Outlook, Outlook Express, and OWA
What's Secure MIME (S/MIME), and how do the latest Microsoft mail clients—Microsoft Office Outlook 2003, Outlook Express 6.0, and Outlook Web Access (OWA) 2003—support it?
S/MIME is an Internet standard for secure messaging. It can add data authentication, confidentiality, nonrepudiation, and integrity protection to MIME-formatted messages. The Internet Engineering Task Force (IETF) standardized S/MIME 3.0 in Request for Comments (RFCs) 2632 through 2634. From a cryptographic point of view, S/MIME is an excellent example of a hybrid cryptographic solution that combines the power of asymmetric and symmetric cryptographic ciphers.
Both the Outlook and Outlook Express mail clients have offered S/MIME support for quite a while, and Exchange Server 2003 introduces S/MIME support for OWA. Outlook 2003 is the latest version of Microsoft’s full-blown mail client. Outlook Express 6.0 is a lightweight Internet-oriented mail client that Microsoft distributes with Internet Explorer (IE) 6.0. You can connect Outlook Express 6.0 to Exchange 2003, Exchange 2000 Server, or Exchange Server 5.5 through SMTP, POP3, and IMAP4, or you can connect it to a directory through Lightweight Directory Access Protocol (LDAP). OWA provides HTTP-based mail access from a Web browser—the Exchange 2003 code includes the OWA Web pages and logic. Table 1 gives an overview of the Microsoft mail clients’ main S/MIME features.
Of the three mail clients, Outlook 2003 offers the most complete S/MIME functionality. The client supports certain S/MIME enhanced security services and includes easy-to-use digital ID management features. For example, Outlook 2003 lets you publish your digital ID (certificate) to the Exchange Global Address List (GAL), also known as the Active Directory (AD) Global Catalog (GC), and request a new digital ID from an online Certificate Authority (CA).
RFC 2634 specifies four optional security service extensions for S/MIME, also known as Enhanced Security Services (ESS). These services include secure receipts and security labels. Although Outlook 2003 supports both extensions, Outlook Express 6.0 and OWA 2003 support neither. Secure receipts, which you shouldn't confuse with Outlook's delivery receipts or read receipts, provide nonrepudiation of reading. This feature gives you cryptographic proof that the intended recipient has read and verified a signed message. A security label, which is a kind of tagging system for email messages, defines a message content's sensitivity. As with secure receipts, you can set security labels on signed messages.
To use S/MIME in OWA 2003, you must run Windows 2000 or later and IE 6.0 with Service Pack 1 (SP1) or later. You enable OWA support in the OWA client's configuration options. When you enable this support, the browser downloads an ActiveX control that provides the S/MIME logic to the client. If you access OWA from several machines, you must enable OWA support and download the ActiveX control on every machine. To install the S/MIME extension, you must have power user or local administrator privileges on the local machine. After one user has downloaded the ActiveX control to the local machine, the OWA S/MIME features will be available to all users of that machine. After users enable their OWA client to use S/MIME, the OWA interface and message properties will extend to add digital signatures and encrypt message content. A nice feature of the OWA S/MIME support is that the Exchange 2003 server performs all certificate-related processing (e.g., revocation checking). By default, all OWA traffic occurs over an HTTP Secure (HTTPS) communication channel.