Outlook S/MIME Email Encryption

Takeaway:  This article provides an email encryption walk-through.  There comes a time when every organization requires secure email.  Set up email encryption organization-wide or per individual with these simple steps.

PGP:  There are a number of expensive encryption products available, but organizations that use Outlook can (and should) use the built-in tools that Microsoft makes freely available.  The same technology that protects websites provides encrypted email: SSL certificates.

To be fair, there are alternatives to SSL email encryption.  For instance, Pretty Good Privacy (PGP) is an open-source encryption protocol.  PGP has a good (pun) reputation and third-party Outlook plugin support.  PGP's greatest flaw is that it is not widely accepted.  Why bother with email encryption that business partners don't support?

I suspect SSL-based encryption is popular because of its native Outlook support.  It's worth mentioning that any S/MIME email client supports SSL-based encryption (e.g., Firefox and Mac Mail).  In addition, SSL certificates allow for email encryption and also validate a sender's identity.

SSL:  Outlook validates certificate authenticity using a public key infrastructure (PKI).  Trusted root certificate authorities (CAs) issue X.509 (i.e., SSL) certificates to individuals and businesses.  Most web browsers and email clients trust X.509 certificates issued by the handful of public root CAs (e.g., GoDaddy).

Fig. 1.  Individuals and businesses obtain X.509 (i.e., SSL) certificates from root CAs.

Digital Signatures:  SSL certificates consist of a private key and a public key.  The private key is the basis for digital personal identity.  Private keys ensure integrity and confidentiality and must remain a guarded secret.  Digital signatures use private keys (i.e., digital IDs) to sign outbound email messages.

When Outlook signs a message, it first creates a message digest using a mathematical function (i.e., hashing).  The message digest is a unique, fixed-size summary of the original data.  Outlook then uses the private key to encrypt the message digest.  The encrypted message digest is the digital signature.

N.B., the message digest is not the same thing as the message.  The message digest is encrypted in the digital signature, but the message contents remain unencrypted (huh?).  Keep in mind that the private key encrypts the message digest.  The receiving side uses the public key to decrypt the message digest and compares it against a digest of the received message.  Recall, the private key is a well-kept secret; only the sender can sign messages with it.  This process establishes the sender's identity and validates the message's authenticity.  We can be reasonably sure the sender is who they claim to be when they include a digital signature.

Content Encryption:  Why does the private key encrypt the message digest but not the message contents?  The answer is that SSL certificates use asymmetric (i.e., one-way) encryption.  Private keys decrypt public-key encryption, and public keys decrypt private-key encryption.  It's pointless to encrypt message contents with a private key when everyone has access to the public key.  Why lock a door if everyone has the key to open it?

Outlook never encrypts message content with the sender's private or public key.  Outlook therefore uses the recipient's public key to encrypt message content.  This process ensures confidentiality because only the recipient can decrypt the message with their super-secret private key.
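The two operations above, signing a digest with the sender's private key and encrypting the body to the recipient's public key, in a small Go program added here for illustration (this is not Outlook's or Microsoft's code). Keys are generated in memory instead of coming from X.509 certificates, and the names alice, bob, Seal and Open are assumptions; the sample body is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Seal hashes the body, signs the digest with the sender's private key (RSA-PSS), then encrypts
// the body with the recipient's public key (RSA-OAEP) and returns ciphertext and signature.
// Simplification: real S/MIME encrypts the body with a per-message symmetric key and wraps only
// that key with RSA, so real bodies are not limited by the RSA modulus size as they are here.
func Seal(body []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (ct, sig []byte, err error) {
	digest := sha256.Sum256(body) // the message digest: a fixed-size summary, not the message itself
	sig, err = rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, nil, err
	}
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, body, nil)
	if err != nil {
		return nil, nil, err
	}
	return ct, sig, nil
}

// Open decrypts with the recipient's private key, recomputes the digest and verifies the signature
// with the sender's public key. An altered body, a different signer or a different recipient all fail.
func Open(ct, sig []byte, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	body, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, ct, nil)
	if err != nil {
		return nil, errors.New("decryption failed: message was not encrypted to this recipient")
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature check failed: body altered or not signed by this sender")
	}
	return body, nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // sender's key pair; a certificate would carry the public half
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // recipient's key pair, public half learned from their signed mail
	ct, sig, _ := Seal([]byte("constructed sample body"), alice, &bob.PublicKey)
	body, err := Open(ct, sig, bob, &alice.PublicKey)
	fmt.Printf("%s %v\n", body, err)
}
```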

Outlook Encryption Process
  1. Both parties must exchange digitally signed emails before encryption is possible.  The process stores the sender's digital signature (i.e., public key) in the recipient's contact list.
  2. New messages are encrypted just before the message is sent.  The new message window contains an Encrypt and a Sign button in the Options ribbon.  The Encrypt option is only available if the recipient's digital ID (public certificate) is stored in the contact list.

Fig. 2.  Outlook Encryption Process Flow

Updated on 4/6/2014 by Steven Jordan.
