From: Brian Tillman [MVP-Outlook] on
"Nick" <Nick(a)discussions.microsoft.com> wrote in message
news:A864A0A7-9114-4719-9C4F-59B610C1AC92(a)microsoft.com...

> I sent his new key to myself when I issued it so I know that it is the
> correct one. We both have each other's most current public key and he can
> send them to me with no problem. What I don't get is why the program I used
> to diagnose the issue is saying that it is looking for my private key as
> opposed to his private key when I send him an encrypted email.

You'd have to ask the author of the program. Again, if you send HIM a
message, only HE can open it because only HE has his private key.
--
Brian Tillman [MVP-Outlook]

From: Brian Tillman [MVP-Outlook] on
"VanguardLH" <V(a)nguard.LH> wrote in message
news:hq80cl$iui$1(a)news.albasani.net...

> "The program to diagnose the issue". We are supposed to know what that
> program was, which you never identified?

He did identify it. Examine again the initial message:

> I downloaded Cryptigo p7mviewer to see what it
> said the issue was and when I moved the email from outlook to p7mviewer it
> said that problem was that my private key was not available.
--
Brian Tillman [MVP-Outlook]
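Brian's point (only the holder of the private key matching the public key used to encrypt can open the message) is checkable on the recipient's machine. The script below is an added example, not code from anyone in this thread: it decodes the CMS EnvelopedData of a saved smime.p7m, lists the recipient identifiers (issuer DN plus serial number, or Subject Key Identifier) the sender encrypted to, and reports whether a certificate with that serial, and with its private key, is present in the user's personal store. A message encrypted to the recipient's old, re-issued certificate shows up here as a serial that no key-holding certificate matches, which is the "private key not available" condition p7mviewer reported. Assumptions: Windows PowerShell 5.1 with the .NET Framework `System.Security` assembly, and `$P7mPath` pointing at a DER-encoded smime.p7m saved from the message as an attachment.

```powershell
# Added example (not from the thread): which certificate was this S/MIME message
# encrypted to, and does this user hold the matching private key?
# Assumes Windows PowerShell 5.1 and a DER-encoded smime.p7m on disk.
Add-Type -AssemblyName System.Security

function Test-SmimeRecipientKeys {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $P7mPath   # assumed: path to saved smime.p7m
    )

    # Parse the EnvelopedData structure only; nothing is decrypted here.
    $cms = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
    $cms.Decode([System.IO.File]::ReadAllBytes($P7mPath))

    # Certificates in the user's personal store. HasPrivateKey is the property
    # that decides whether Outlook can decrypt a message addressed to that cert.
    $mine = @(Get-ChildItem Cert:\CurrentUser\My)

    foreach ($ri in $cms.RecipientInfos) {
        $id = $ri.RecipientIdentifier
        $candidates = @()
        $issuer = '(n/a)'
        $serial = '(n/a)'

        switch ("$($id.Type)") {
            'IssuerAndSerialNumber' {
                # Sender named the recipient cert by issuer DN + serial number
                # (what Outlook normally emits). Matching on serial is enough
                # within one company CA; issuer is reported for a manual check.
                $issuer = $id.Value.IssuerName
                $serial = $id.Value.SerialNumber
                $candidates = @($mine | Where-Object { $_.SerialNumber -eq $serial })
            }
            'SubjectKeyIdentifier' {
                # Sender named the recipient cert by its SubjectKeyIdentifier extension.
                $serial = "SKI=$($id.Value)"
                $candidates = @($mine | Where-Object {
                    $ski = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
                    $ski -and ($ski.SubjectKeyIdentifier -eq $id.Value)
                })
            }
            default {
                $serial = "type=$($id.Type) value=$($id.Value)"
            }
        }

        $withKey = @($candidates | Where-Object { $_.HasPrivateKey })

        if ($withKey.Count -gt 0) {
            $diagnosis = 'Decryptable here: matching cert with private key present'
        } elseif ($candidates.Count -gt 0) {
            $diagnosis = 'Cert present but its private key is missing from this profile'
        } else {
            $diagnosis = 'Encrypted to a cert this user does not hold (sender using a stale/re-issued public key?)'
        }

        [PSCustomObject]@{
            Issuer         = $issuer
            SerialNumber   = $serial
            CertInStore    = ($candidates.Count -gt 0)
            PrivateKeyHere = ($withKey.Count -gt 0)
            Diagnosis      = $diagnosis
        }
    }
}

# Usage on the recipient's machine (path is an assumed example):
# Test-SmimeRecipientKeys -P7mPath 'C:\temp\smime.p7m' | Format-List
```

If the report shows a serial that is not in the store at all while the recipient's current certificate (a different serial) has its private key, the sender is still encrypting to the old public key and needs the recipient's fresh signed message, saved as a contact, as VanguardLH describes further down.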

From: wandong on
Even if you forget the password for the encrypted PST file, you can still decrypt it by using Advanced Outlook Repair. Advanced Outlook Repair can decrypt all the encrypted data and convert it into a new PST file that doesn't require a password. You can visit http://www.datanumen.com/aor/problems/outlook-password.htm to get more detailed information.

http://www.datanumen.com/aor/ contains detailed information about Advanced Outlook Repair.

And you can also download a free demo version at http://www.datanumen.com/aor/aor.exe

Wangdong
From: Nick on
"VanguardLH" wrote:

> Nick wrote:
>
> > "Brian Tillman [MVP-Outlook]" wrote:
> >
> >> "Nick" <Nick(a)discussions.microsoft.com> wrote in message
> >> news:4CBFF2C3-C50A-448B-824E-60AE05536E6D(a)microsoft.com...
> >>
> >>>I have a co-worker whose email encryption stopped working about three
> >>> weeks ago and I can't figure out why. I have tried deleting and reloading his
> >>> certificate from our CA(We have our own CA for the company so certificates
> >>> are generated by the server). I was able to get it to where he could send
> >>> encrypted emails again but he still can't receive them. Any time he tries to
> >>> open it he gets the error "Your digital ID name cannot be found by the
> >>> underlying security system". I downloaded Cryptigo p7mviewer to see what it
> >>> said the issue was and when I moved the email from outlook to p7mviewer it
> >>> said that problem was that my private key was not available. The way I
> >>> understand it he should not have or need my private key to open the email.
> >>
> >> He doesn't need your private key, he needs his or you need yours. When you
> >> try to open the encrypted message, the underlying crypto subsystem expects
> >> that the person opening the message has the private key matching the public
> >> key used to encrypt the message.
> >>
> >>> I went through and checked to make sure that I had his certificate trusted
> >>> and
> >>> that he had mine and we both did. I verified the serial number on his to
> >>> make sure it wasn't an old copy he had deleted. What I need to know is why
> >>> his outlook is looking for my private key to decrypt the email when outlook
> >>> should have used his public key.
> >>
> >> No, Outlook uses the recipient's _private_ key to decrypt the message. The
> >> recipient's public key is used by the sender to encrypt the message.
> >>
> >> It sounds to me like the sender has a public key for a revoked certificate and
> >> if you say that you deleted his cert and reissued another from the PKI
> >> server, then it's likely that is the case. When a new cert is issued to
> >> someone, that person must send the new public key to his potential senders so
> >> they can use the correct public key to encrypt.
> >> --
> >> Brian Tillman [MVP-Outlook]
> >>
> >>
> >
> > I sent his new key to myself when I issued it so I know that it is the
> > correct one. We both have each other's most current public key and he can
> > send them to me with no problem. What I don't get is why the program I used
> > to diagnose the issue is saying that it is looking for my private key as
> > opposed to his private key when I send him an encrypted email.
> >
> > -Nick
>
> Huh? Why would you issue HIS certificate to YOUR host (for use by YOUR
> e-mail client)? You can't use his e-mail cert. You don't have an e-mail
> account with the correct e-mail addresses encoded within that cert. You
> MUST send encrypted e-mails using the account encoded within the cert. You
> can't use a cert for an e-mail account that you can't use.
>
> When you issue yourself a cert, you save it in your host's cert repository.
> It has the e-mail address that you specified when you requested the cert.
> That e-mail address must match the e-mail account that you use to send a
> digitally signed e-mail. Outlook will not let you use a cert that has, say,
> someone(a)otherdomain.com when you are sending it through an account whose
> e-mail address is me(a)domain.com. You don't need and cannot use the other
> person's cert. You need to use YOUR cert to digitally sign your e-mails and
> which matches on the e-mail address for the account through which you send
> your digitally signed e-mails (so as to give your public key to the recipient).
>
> The only way [that I know of how] to "send his new key to yourself" would be
> for you to import HIS cert into HIS host and use HIS e-mail client to
> digitally sign HIS e-mail that HE sends to you (and you then save as a
> contact to record HIS public key for use by YOUR e-mail client). You would
> then need to use that contact record where HIS public key got stored when
> you wanted to send him an encrypted e-mail.
>
> "The program to diagnose the issue". We are supposed to know what that
> program was, which you never identified? "looking ... for his private key when I
> send him an encrypted e-mail". Wrong! You need to use his PUBLIC key when
> you send him an encrypted e-mail.
>
> For him to send you an encrypted e-mail:
> - Did you import YOUR e-mail cert into YOUR host? That gives you:
> o The public key that you need to digitally sign your e-mails.
> * HE needs your *public* key to encrypt HIS e-mails sent to you.
> o The private key that **ONLY** you have.
> * You will use your private key to decrypt e-mails sent to you that were
> encrypted with your public key.
> * Lots of users may have your public key, especially if you opt to
> always digitally sign your outbound e-mails. None of them can decrypt
> an e-mail that was encrypted using your public key. Only you have
> your private key usable for decryption.
> - Did he get a digitally signed e-mail from you?
> o That gives him YOUR public key.
> * He MUST save you in a contact record. That stores your public key in
> that contact record which he will use to send you encrypted e-mails.
> o He will need to use YOUR public key to encrypt HIS e-mails sent to you.
> o He must use the contact record where your public key got saved when he
> wants to encrypt his e-mails sent to you.
> * He must NOT manually enter your e-mail address.
> * He must NOT use a cached entry (from the .nk2 file) for your e-mail
> address from his nickname cache. That is a cache of his *manual*
> entries. No contact record is involved with [cached] manual entries.
> * He MUST use the contact record to specify you as the recipient since
> that is where your public key got stored. Your public key stored in
> his contact record used to specify you as the recipient is how he can
> encrypt e-mails that he sends to you.
>
> For him to send you an encrypted e-mail, he doesn't even need his own e-mail
> certificate. He could be completely nude of any certificates for himself.
> Whether he can encrypt e-mails to you depends solely on whether or not you
> gave him your public key. He doesn't need any certificate to send you an
> encrypted e-mail. He only needs YOUR public key from YOUR e-mail cert that
> YOU previously gave him through a digitally signed e-mail. His own e-mail
> cert, if he even has one, is NOT involved in sending you an encrypted
> e-mail. You getting encrypted e-mails is all about YOUR e-mail cert: they
> use YOUR public key to encrypt and you use YOUR private key to decrypt.
>
This may help clear things up a little bit, as I forgot to add this in
my original post. When I am working with the co-worker I am remoted into his
computer because he lives in another state. So I am not issuing his cert to
myself; I am doing it through his login remotely. This is also how I know that
the certs that have been swapped are the most recent. So if anyone has any
idea why he would be able to send but not receive encrypted emails, I am
willing to try almost anything.