views:

1717

answers:

4

I have a process that runs on a UNIX (Solaris) server that runs nightly and needs to be able to send out encrypted emails.

I only need the "encryption" portion, NOT the digital signature / self-repudiation part of PKI.

I use MS Outlook in a corporate setting and I am assuming that when a user clicks "Publish to GAL..." under Tools -> Options -> Security, this will publish their PUBLIC KEY to the Global Address List (GAL).

So I am thinking that I need a way to connect to the Exchange Server that the GAL is on from my UNIX server. Then I would need to retrieve the recipient's PUBLIC KEY. Then I could encrypt the email using the recipient's PUBLIC KEY. This would encrypt the email and only allow someone with the recipient's PRIVATE KEY to read the email, right? Then I would send out the email. But, what I am not sure about, is how to encrypt the email using only the recipient's PUBLIC KEY (no KEYS on the UNIX side) in a way that MS Outlook will be able to read the email when the recipient receives it?

Would this work? Anybody out there run into a similar problem and come up with a solution? Java code is preferred, but any language would do to start with.

Any additional details required in order to get a reasonable answer?

Thanks

+1  A: 

In the general case: to send an encrypted message to someone, you only need their public key. You don't need to have a key yourself. The rule with asymmetric crypto is whatever is encrypted with a public key can be decrypted with the corresponding private key, and whatever is encrypted with a private key can be decrypted with the corresponding public key.

You will need a key for your server only if you want to sign the message.

If you want to do the implementation in Java, I don't think that JavaMail supports encryption out of the box, but you can have a look at JavaMail-Crypto (haven't used it myself). There is supposedly a JNI interface to GnuPG somewhere ... And you can always exec PGP or GnuPG from any language ...

I don't know about the support for PGP in Outlook, nor anything else about Outlook.

Guillaume
A: 

You have to send encrypted mail to Outlook in s/mime format. Outlook doesn't support PGP.

Start by trying to send a plaintext message from Java and see if you can get it into Outlook. Worry about the encryption later. Use the JavaMail library to create and send emails.

I don't know how to extract keys from the GAL. It is probably easiest to start off by exporting a key manually and see if you can work with it.

To create encrypted mails in s/mime format I recommend Bouncy Castle. Bouncy Castle is a crypto-provider that also has support for s/mime. (Look for the CMS/Smime package). There should be some examples in the downloaded sources. I've used it in the past to send emails to a wide array of email clients, including Outlook and it works pretty well. But brace yourself for the crypto stuff -- it can be a steep learning curve!

Hes Siemelink
Thanks for the replies. I definitely have a lot to learn on the encryption side. At least now I will have a place to start working from.
A: 

The caveat not noted previously is that the GAL isn't necessarily on the Exchange Server, and is more frequently found on the Domain server, when not run in a standalone mode. The certificate will be found in the LDAP attribute userCertificate or userSMIMECertificate.

Orihara
+2  A: 

Your logic is right.

Typical PKI encryption is:

cryptoAlgorithm(plaintext, public key) = ciphertext

cryptoAlgorithm(ciphertext, private key) = plaintext

For some algorithms, the cryptoAlgorithm is the same procedure, sending and receiving.

So... for each recipient you need their digital certificate, which will contain their public key.

GAL Certificate Storage

I would think it would be possible to configure the GAL to allow users to publish certificates. My general impression is that how the GAL is configured and used varies from company to company.

S/MIME & PGP

I agree with the post that S/MIME is what you want for Outlook.

Also note - if your users are using Outlook Web, rather than the Outlook client, they won't be able to receive encrypted emails. At least as of 2000, but I suspect 2003 as well. It's a huge usability problem and I've got no good workaround.

General Microsoftyness

Microsoft has their own special way of doing things (no kidding...). They are no different in the world of PKI. User certificates must be clearly marked with an encryption capability. I know it must have the KeyUsage field KeyEncipherment. And there may be one other extension required by Microsoft. Having an incorrectly formatted user certificate could mean that the recipient will be unable to read the mail when it arrives, because Outlook won't agree on the fact that the mail was encrypted. Spare some serious integration testing time here and plan to hit lots of user groups on how to do this. Every time my team has had to integrate with a Microsoft product, there have been nasty surprises, particularly regarding how the certificate is configured.

Libraries & Tools

I second the recommendation for BouncyCastle - I haven't used it, but people I trust swear by it. I personally loved the Phaos toolkit when I had to write this stuff, but I'm out of date. I know it cost serious money, and may be too much bang for your buck.

OpenSSL is another fabulous tool, and useful for much more than SSL. It's great for generating test certificates, but I can't remember if it does S/MIME email encryption as well.

For most libraries, you should be able to take plaintext, and the certificate, and put both into a function that generates the S/MIME message. They may require the encryption algorithm as well.

bethlakshmi
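Added example, not code from any answer in this thread: an end-to-end S/MIME run with the OpenSSL CLI that ties together three points made above. It converts a DER certificate of the kind LDAP returns in userCertificate (Orihara's note), refuses certificates whose KeyUsage lacks keyEncipherment (bethlakshmi's Outlook caveat), and answers the open question about OpenSSL: it does produce S/MIME enveloped mail, via `openssl cms` (the older `openssl smime` subcommand does the same). The structure it emits, CMS EnvelopedData wrapped in an application/pkcs7-mime message, is the same one Bouncy Castle's SMIMEEnvelopedGenerator builds, so the Java version is a straight port. Assumptions: `openssl` 1.1.1 or newer on PATH (for `-addext`); the recipient certificate is self-signed test material generated inside the script rather than fetched from a GAL; the example.com addresses and the nightly-report text are made up.

```shell
#!/bin/sh
# Added example, not code from the thread. Encrypts a message for an Outlook
# recipient in S/MIME (CMS EnvelopedData) format with the OpenSSL CLI, using
# only the recipient's certificate on the sending side. Assumes `openssl`
# 1.1.1 or newer on PATH. The recipient certificate is self-signed test
# material generated here (in practice it comes from the GAL/LDAP
# userCertificate attribute); example.com addresses are made up.
set -eu

# Throwaway recipient key pair and certificate carrying the extensions an
# Outlook encryption certificate has: keyUsage (keyEncipherment by default;
# the optional third argument lets you build a deliberately wrong one),
# extendedKeyUsage emailProtection and the address in subjectAltName.
make_test_recipient() {   # args: DIR EMAIL [KEYUSAGE]
    dir=$1; email=$2; ku=${3:-keyEncipherment}
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test Recipient/emailAddress=$email" \
        -addext "keyUsage=critical,$ku" \
        -addext "extendedKeyUsage=emailProtection" \
        -addext "subjectAltName=email:$email" \
        -keyout "$dir/recipient.key" -out "$dir/recipient.crt"
}

# LDAP hands back userCertificate as raw DER; convert it to PEM for OpenSSL.
import_ldap_cert() {   # args: DER_FILE PEM_FILE
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Refuse certificates that do not assert keyEncipherment: encrypting to one
# yields mail the recipient's Outlook will not accept as readable encrypted
# mail. Returns 0 when the certificate is usable for encryption.
check_key_usage() {   # args: CERT
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Key Usage' | grep -q 'Key Encipherment'
}

# Build the complete message: RFC 822 headers plus a body of type
# application/pkcs7-mime; smime-type=enveloped-data. -text first wraps the
# plaintext as a text/plain MIME entity, which is what a mail client expects
# to find inside. A fresh AES key is generated per message and wrapped with
# the RSA public key taken from the certificate; no sender key is involved.
encrypt_for_recipient() {   # args: CERT PLAINTEXT OUTFILE TO_ADDR
    check_key_usage "$1" || { echo "certificate lacks keyEncipherment" >&2; return 1; }
    openssl cms -encrypt -aes256 -text -in "$2" -out "$3" \
        -from nightly-job@example.com -to "$4" -subject "Nightly report" "$1"
}

# Recipient side, i.e. what Outlook does with the private key.
decrypt_with_private_key() {   # args: KEY CERT ENCRYPTED OUTFILE
    openssl cms -decrypt -text -in "$3" -recip "$2" -inkey "$1" -out "$4"
}

# S/MIME canonicalises line endings to CRLF, so compare after dropping CRs.
roundtrip_matches() {   # args: PLAINTEXT DECRYPTED
    [ "$(tr -d '\r' < "$2")" = "$(cat "$1")" ]
}

demo() {
    work=$(mktemp -d)
    make_test_recipient "$work" alice@example.com
    # Simulate the GAL: DER comes out of LDAP, PEM goes into OpenSSL.
    openssl x509 -in "$work/recipient.crt" -outform DER -out "$work/from_gal.der"
    import_ldap_cert "$work/from_gal.der" "$work/from_gal.crt"
    printf 'Nightly batch finished: 1234 rows loaded.\n' > "$work/plain.txt"
    encrypt_for_recipient "$work/from_gal.crt" "$work/plain.txt" \
        "$work/encrypted.eml" alice@example.com
    decrypt_with_private_key "$work/recipient.key" "$work/recipient.crt" \
        "$work/encrypted.eml" "$work/decrypted.txt"
    roundtrip_matches "$work/plain.txt" "$work/decrypted.txt" \
        || { echo "round-trip MISMATCH" >&2; exit 1; }
    echo "round-trip OK: $work/encrypted.eml is ready to hand to sendmail"
    rm -rf "$work"
}
demo
```

Pipe the resulting `encrypted.eml` into `sendmail -t` (or hand it to JavaMail as a pre-built message) and Outlook will show the padlock. Two practical notes: a recipient's Outlook old enough to lack AES support needs `-des3` in place of `-aes256`, and the decrypt step exists only to prove the round trip, since in production the private key stays with the recipient and never touches the UNIX box.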