Encryption and email signature

As you certainly know, an email travels through several computers between the sender’s computer and the recipient’s computer, and at each hop it is copied to disk. Behind these computers (in fact servers) are commercial companies, administrations, and people who are more or less conscientious… As the saying goes, an unencrypted email is like a postcard: it has no envelope!

In practice, the sheer number of messages passing through computer networks and the professional awareness of technicians mean that the risk of interception is very low. Nevertheless, it may sometimes be necessary to encrypt the content of an email, for example when it is highly confidential or when professional secrecy must be respected for contractual reasons. Email encryption is built into most current email clients.

Follow the steps explained below carefully; your workstation will then be ready for:

  • signing your emails electronically,
  • receiving encrypted emails,
  • accessing portals such as Gaspar without having to authenticate, thanks to your personal certificate.

The sender address of an email can easily be spoofed; this is how fake messages and viruses spread. They appear to come from a “trusted” address because it was taken from a directory or from your own address book. If the content of a message requires the sender’s identity to be known with certainty, the sender must sign the message electronically.

A personal certificate is based on a public key and a private key. Certificates are issued by a Certification Authority that we trust. At EPFL, certificates issued by the EPFL Certification Authority are automatically stored in LDAP and are therefore accessible to certain applications (Thunderbird, for example). The private key is stored on your personal computer; you will need it to sign emails electronically and to read emails that were encrypted using your public key.

Attention: never ask for a certificate from a public computer

… and carry out the following steps on the workstation from which you will access secure sites or send and receive secure emails.

Warning about the lifetime of personal certificates

As explained above, you need a personal certificate to read an encrypted email. The email client stores only the encrypted version of the messages. This becomes a problem if you want to read those messages after some time and have changed your personal certificate in the meantime (expired certificate, change of machine, etc.).

To avoid this situation, either keep your expired certificates or save the decrypted contents of the mail to another file.

To sign an email electronically, you must have a personal certificate.

Then in the message composition window:

  • Thunderbird: check the option “Digitally sign this message” in the Security tab
  • Outlook: Options/Security settings/Signature
  • Mail (MacOSX): once the certificate is stored in your keychain, the “sign” button is available when you compose a new message

When you receive a signed email, there is nothing you need to do… Provided your client reports the signature as valid, you can trust the identity of the sender and, more importantly, your email client automatically stores that person’s personal certificate. From then on you will be able to send them encrypted emails.

The integrated encryption solution in most email clients is S/MIME (Secure Multipurpose Internet Mail Extensions).

To encrypt an email, the recipient must have a personal certificate (with Thunderbird, the sender must also have a personal certificate…).

How do you obtain your recipient’s personal certificate?

They send you a signed email (see above), and their certificate is automatically recorded by your email client.

How you then encrypt your message depends on your email client.

In the message composition window:

  • Thunderbird: check “Encrypt this message” in the Security tab
  • Outlook: Options/Security settings/Encrypt
  • Mail (MacOSX): if your keychain contains the recipient’s certificate, the “encrypt” button appears when you compose the message.

If the email was encrypted using your personal certificate, it will be decrypted automatically.
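The key model behind the signing and encryption steps above and behind the certificate-lifetime warning, as an added Go example that is not part of this page or of any mail client: the sender's private key signs, the recipient's public key (the certificate) encrypts, and only the matching private key decrypts, so a renewed certificate cannot open mail encrypted to the old one. Real S/MIME wraps these operations in the CMS format and encrypts the body with a per-message symmetric key; the dependence on the private key is the same. Party names and the message body are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKey generates the key pair behind a personal certificate: public half published, private half kept.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Sign produces the signature a signed email carries: a hash of the body signed with the sender's private key.
func Sign(sender *rsa.PrivateKey, body []byte) ([]byte, error) {
	h := sha256.Sum256(body)
	return rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, h[:])
}

// Verify needs only the sender's public key (from their certificate); a spoofed sender or altered body fails.
func Verify(senderPub *rsa.PublicKey, body, sig []byte) bool {
	h := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, h[:], sig) == nil
}

// Encrypt needs only the recipient's public key, i.e. the certificate learned from their signed email.
func Encrypt(recipientPub *rsa.PublicKey, body []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, body, nil)
}

// Decrypt needs the private key matching the certificate used to encrypt; a renewed key cannot open old mail.
func Decrypt(recipient *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, ct, nil)
}

func main() {
	alice, bob, bobRenewed := NewKey(), NewKey(), NewKey() // sender, recipient, recipient after renewal
	body := []byte("Constructed sample message body")
	sig, _ := Sign(alice, body)
	ct, _ := Encrypt(&bob.PublicKey, body)
	_, err := Decrypt(bobRenewed, ct) // the renewed certificate's key is not the one the mail was encrypted to
	fmt.Println("signature valid:", Verify(&alice.PublicKey, body, sig))
	fmt.Println("old mail readable after renewal:", err == nil)
}
```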

1st step: how to recognize the EPFL certification authority

The EPFL certification authority issues the certificates (personal or server certificates) for the EPFL community. The tools you use (web browsers or email clients) must therefore recognize it as a “trusted” authority in order to accept the certificates it issues.

Open the EPFL Certification Authority page (with the browser in which you will then use the certificates) and follow the link “Access the certificate of the Certification Authority”; the certificate of the EPFL Certification Authority is then loaded into your browser (IE or Netscape/Mozilla) automatically.

If this EPFL certificate is already known to your tools, further loading attempts will simply give you an informative message.

Please note that the EPFL certification authority is not recognized outside EPFL: correspondents elsewhere must load its certificate in the same way before their tools will accept certificates it has issued.
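What step 1 achieves, as an added Go example that is not part of this page or of EPFL's tooling: a constructed stand-in CA issues a one-year personal S/MIME certificate, a client that has loaded the CA certificate accepts it, a client that has not (like one outside the institution) rejects it as coming from an unknown authority, and the same check fails once the expiry date shown under View certificates has passed. All names and dates are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with signer's key in the name of parent and parses the result. Constructed test PKI only.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewTestPKI builds a stand-in for an institutional CA plus a one-year personal S/MIME certificate it issued.
func NewTestPKI(now time.Time) (ca, person *x509.Certificate) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Institution CA (constructed)"},
		NotBefore: now.AddDate(0, 0, -1), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example User (constructed)"},
		EmailAddresses: []string{"user@example.invalid"},
		NotBefore: now.AddDate(0, 0, -1), NotAfter: now.AddDate(1, 0, 0), // one-year lifetime
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	return ca, issue(userTmpl, ca, &userKey.PublicKey, caKey)
}

// Trusted reports whether cert chains, at time now, to one of the authorities the client has loaded (step 1).
func Trusted(cert *x509.Certificate, now time.Time, trusted ...*x509.Certificate) bool {
	pool := x509.NewCertPool() // an empty pool models a client that never imported the CA certificate
	for _, c := range trusted {
		pool.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	_, err := cert.Verify(opts)
	return err == nil
}
```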

2nd step: how to obtain a personal security certificate

Before applying for a personal certificate, check that you do not already have an active one, see View certificates below!

At EPFL, the application for a personal security certificate is made through the portal tremplin.epfl.ch. Your certificate (valid for one year) will be loaded onto your workstation. Among other things, it allows you:

  • to no longer have to authenticate yourself on web portals such as Gaspar,
  • to electronically sign the emails you send,
  • to receive emails encrypted according to the S/MIME standard.

Once the request is made, your certificate will be available in the following days. You will receive an email when it is ready to be loaded.

If you completed the previous steps, you can view the certificates you have loaded:

Firefox: Preferences/Advanced/Encryption/View Certificates

Thunderbird: Edit/Properties/Security/View certificates

Your certificate: this is the personal certificate referred to in step 2.

Authorities: the EPFL certification authority appears among the authorities you trust.

Other people’s: the names of the people whose certificate is loaded.

For each certificate, you can view the details, including its expiration date.

You may want to export your certificate: to use it on another workstation or with another Web browser, or to make a backup copy.

In the window for viewing your personal certificate, choose the Save or Export option (Firefox, IE-Outlook). It is recommended to protect the exported certificate with a password, since the export also contains your private key. To retrieve it in another browser or on another workstation, select the “Import” option in the same personal-certificate viewing window.