- Non-repudiation and Integrity: A private key associated with a PKI certificate on your CAC is used when you digitally sign an outgoing email. The corresponding public key is delivered to the recipient with the email you send. The recipient then uses your public key to verify your identity (non-repudiation) and that the email has not been altered in transit (integrity).
- Confidentiality: Encrypting an outgoing email requires the intended recipient’s public key, taken from a PKI certificate the recipient previously sent to you. The only key that will decrypt your email is the private key that corresponds to the recipient’s public key. This is how message confidentiality is maintained: no one but the recipient holds the private key that can decrypt it. This means that -- in order to send an encrypted email to someone -- you must first have received a digitally signed email from that person.
Digital signatures confirm that the message comes from the sender who signed it, and that it has not been altered at any point during transmission. Digital signatures also ensure that the sender cannot deny sending the message, since signing required access to the private key on their CAC. You may digitally sign all of your email messages by default, using an Outlook setting, or you may turn your digital signature on and off depending upon the content of the email you are sending.
Email encryption protects information confidentiality by ensuring that no one but the intended recipient can read it. When you encrypt an email message, you rely on your ability to access the recipient's public key, usually from within a directory or access list, or from a previously received email from which you added the recipient to your contact list. When the recipient receives and decrypts your email, they use their private key, which resides on their common access card (CAC). Likewise, your own public key resides on your CAC. Public keys can be transmitted between users via emails that are digitally signed using CAC certificates.
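The following program is an added illustration of the two mechanisms described above (signature for non-repudiation and integrity, public-key encryption for confidentiality); it is not code from NDU or from Outlook, and it stands in for the CAC with software-generated RSA keys, which a real deployment never does. It shows the four outcomes the text states: an untouched signed message verifies, a message altered in transit does not, the recipient's private key recovers an encrypted body, and any other private key (for example a stale key from an old certificate) cannot.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage models a digitally signed email: the body, a signature over its
// hash, and the sender's public key (in real mail the public key travels inside
// the sender's PKI certificate attached to the signed message).
type SignedMessage struct {
	Body      []byte
	Signature []byte
	SenderPub *rsa.PublicKey
}

// Sign produces a signature with the sender's private key, the key that would
// live on the sender's CAC. Only the holder of that key can produce it.
func Sign(senderPriv *rsa.PrivateKey, body []byte) (SignedMessage, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Body: body, Signature: sig, SenderPub: &senderPriv.PublicKey}, nil
}

// Verify checks origin and integrity: it re-hashes the body and validates the
// signature against the sender's public key. A modified body, or a signature
// made with a different private key, fails.
func Verify(m SignedMessage) bool {
	digest := sha256.Sum256(m.Body)
	return rsa.VerifyPKCS1v15(m.SenderPub, crypto.SHA256, digest[:], m.Signature) == nil
}

// Encrypt seals a short body for one recipient with the recipient's public key
// (RSA-OAEP). Real S/MIME encrypts a per-message symmetric key this way and the
// body with that key; the trust relationship is the same.
func Encrypt(recipientPub *rsa.PublicKey, body []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, body, nil)
}

// Decrypt opens a sealed body; only the private key matching the public key
// used for encryption succeeds.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// ScenarioResult records the four outcomes the guidance describes.
type ScenarioResult struct {
	SignatureValid   bool // recipient verifies the untouched message
	TamperedValid    bool // a message altered in transit must NOT verify
	DecryptedMatches bool // recipient's private key recovers the plaintext
	WrongKeyDecrypts bool // a different private key must NOT decrypt
}

// RunScenario walks through signing, tampering, encryption and a wrong-key
// decryption attempt using constructed keys and a constructed sample body.
func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	// Constructed keys standing in for the sender's and recipient's CAC keys,
	// plus a third key representing a stale or unrelated certificate.
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	stale, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}

	// Step 1: the sender signs a message; the public key travels with it.
	body := []byte("Constructed sample body: meeting moved to 1400.")
	msg, err := Sign(sender, body)
	if err != nil {
		return r, err
	}
	r.SignatureValid = Verify(msg)

	// Step 2: flip one bit "in transit"; the same signature no longer verifies.
	tampered := msg
	tampered.Body = append([]byte(nil), msg.Body...)
	tampered.Body[0] ^= 0x01
	r.TamperedValid = Verify(tampered)

	// Step 3: encrypt to the recipient's public key; their private key opens it.
	ct, err := Encrypt(&recipient.PublicKey, body)
	if err != nil {
		return r, err
	}
	pt, err := Decrypt(recipient, ct)
	r.DecryptedMatches = err == nil && bytes.Equal(pt, body)

	// Step 4: a private key from another certificate cannot open the message.
	_, err = Decrypt(stale, ct)
	r.WrongKeyDecrypts = err == nil
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running the program prints a result with SignatureValid and DecryptedMatches true and TamperedValid and WrongKeyDecrypts false, which is exactly the behaviour behind the "cannot open the email" case described later for a message encrypted to the wrong public key.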
In addition, encrypted emails containing privacy sensitive information must be appropriately labeled as follows:
- Include the subject line: "FOUO: PRIVACY SENSITIVE."
- Include the attachment file name (if any): "FOUO: PRIVACY SENSITIVE."
- Include in the body of both the email and the attachment (if any): "FOUO: PRIVACY SENSITIVE. Any misuse or unauthorized disclosure may result in both criminal and civil penalties."
The ability to encrypt email does NOT enable users to send classified information over unclassified systems. Doing so constitutes a classified messaging incident (CMI) that must be reported to DoD’s Privacy Manager, and which may result in disciplinary action against the violator.
Digital Signature and Encryption Controls in MS Outlook
Receiving Digitally Signed Email Messages
When you receive a digitally signed email message, a red ribbon appears next to the subject line of the email in your inbox. Once the email is open, the signer’s name appears after “Signed By” in the header of the message, and a red ribbon appears in the far right corner of the message. Open the message in the normal manner.
Receiving Encrypted Email Messages
When you receive an encrypted email message, a padlock appears next to the subject line of the email in your inbox. A gold padlock will appear in the far right corner of the message. When you open the email, you may be prompted to enter your CAC PIN. If the email was sent without access to your current public key, you will not be able to open the email.
Sending Digitally Signed or Encrypted Email Messages
NDU recommends that you toggle your digital signature and encryption options on and off depending upon the type of information you are sending via email message, although it is also acceptable to enable your digital signature for all outgoing email (See “MS Outlook Settings,” below).
To toggle ON or OFF a digital signature or encryption in MS Outlook, open a “New Email,” click on the “File” tab, and then click on the “Options” tab. You can choose to “Encrypt” or “Sign” this email without affecting the settings for other outgoing email.
MS Outlook Settings
NDU highly recommends that you DO NOT modify your MS Outlook settings to encrypt contents and attachments for ALL outgoing messages, as this may prevent many of your email recipients from opening your email. Encryption works best when the sender and receiver have previously communicated with each other via digitally signed emails, and when both agree to exchange unclassified information that requires encryption.
To modify your MS Outlook settings to digitally sign all outgoing email, click on the “File” tab from your Inbox, and then on “Options” in the left tool bar.
In the “Outlook Options” dialog box that opens, click on “Trust Center” in the left tool bar, and then on “Trust Center Settings.”
In the “Trust Center” dialog box that opens, click on “E-mail Security” in the left tool bar, and then click “Add digital signature to outgoing messages.”