Naval Medical Center Portsmouth Sending and Receiving Protected Information via Electronic Mail Information Management Department Training Division.


INTRODUCTION
In order for Navy Medicine personnel to send and receive sensitive information via e-mail, they must be able to digitally sign and encrypt the messages using government-furnished equipment and software, specifically Microsoft Outlook. This slide presentation outlines the policy and procedures for compliance with current instructions.

INSTRUCTIONS
* NAVMED Pol of 28 Jan 08: “All Navy Medicine personnel shall protect sensitive information from unauthorized access and disclosure…”
* DOD Inst IA Implemen. 06 Feb 03
* DOD R, DOD Health Information Security Regulation of 12 July 07
* SECNAVINST E, DON Privacy Program
* DON CIO Washington D.C Z Oct 04

OVERVIEW
In order to understand the digital signature and encryption of e-mail, it is important to first understand the following terms:
* Establishment of Trust
* Public Key Infrastructure
* Public Key Cryptography
* Public Key Certificate

ESTABLISHING TRUST
DIGITALLY SIGNING OR ENCRYPTING A MESSAGE IS HOW AN INDIVIDUAL PROVES THEIR IDENTITY, OR ESTABLISHES TRUST, OVER A NETWORK.
TRUST BETWEEN END USERS OVER A NETWORK REQUIRES A THIRD PARTY INFRASTRUCTURE, OR PUBLIC KEY INFRASTRUCTURE (PKI).

PUBLIC KEY INFRASTRUCTURE (PKI)
THE FRAMEWORK/SERVICES THAT PROVIDE FOR THE GENERATION, DISTRIBUTION, CONTROL, TRACKING, AND DESTRUCTION OF PUBLIC KEY CERTIFICATES.
PKI ENABLES THE USE OF ENCRYPTION, DIGITAL SIGNATURE, AND ACCESS AUTHENTICATION SERVICES IN A CONSISTENT MANNER ACROSS A WIDE VARIETY OF APPLICATIONS.

SECURITY BENEFITS OF PKI
* AUTHENTICATION - ASSURES A PERSON/SYSTEM IS EXACTLY WHO/WHAT THEY CLAIM TO BE.
* DATA INTEGRITY - ASSURES TRANSMITTED DATA HAS NOT BEEN ALTERED.
* NON-REPUDIATION - PROTECTS AGAINST A PERSON DENYING LATER THAT A COMMUNICATION TOOK PLACE.
* CONFIDENTIALITY - PROTECTS AGAINST DISCLOSURE OF INFORMATION TO UNAUTHORIZED USERS.

PUBLIC KEY CRYPTOGRAPHY
Public Key Cryptography is the physical implementation of individual identity and security in the PKI via assignment of “Key Pairs”.
* A KEY IS AN ELECTRONIC FILE.
* A PAIR OF KEYS IS CREATED AT THE SAME TIME BY SPECIAL SOFTWARE.
* INFORMATION ENCRYPTED WITH ONE KEY CAN ONLY BE DECRYPTED WITH THE OTHER KEY.
[Figure labels: USER’S PRIVATE KEY, USER’S PUBLIC KEY]

PUBLIC KEY CRYPTOGRAPHY
PUBLIC KEY CRYPTOGRAPHY FACILITATES THE FOLLOWING TASKS:
* ENCRYPTION - E-MAIL, ATTACHMENTS, DOCUMENTS, AND FILES CAN BE ENCRYPTED SO THAT ONLY THE RECIPIENT CAN READ THEM.
* DIGITAL SIGNATURES - ELECTRONICALLY SIGN E-MAIL, DOCUMENTS, AND FORMS WITH DIGITAL SIGNATURE.
* SECURE COMMUNICATIONS WITH WEB SITES - YOU KNOW THE WEB SITE YOU ARE ACCESSING AND IT KNOWS WHO YOU ARE (MUTUAL AUTHENTICATION).

PUBLIC KEY CERTIFICATE
AN ELECTRONIC DOCUMENT THAT OFFICIALLY LINKS TOGETHER A USER’S IDENTITY AND PUBLIC KEY.
CERTIFICATES ARE STORED IN A DIRECTORY SERVER AND MAY BE SENT WITH SIGNED E-MAIL.
[Figure labels: USER’S IDENTITY, USER’S PUBLIC KEY, VALIDITY PERIOD, ISSUER’S SIGNATURE]

ENCRYPTION
When sending e-mail, sensitive information must be ENCRYPTED under the following conditions:
1. PHI – Personally identifiable medical information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Examples: Names, Social Security Numbers, Medical Record Numbers, Health Plan Beneficiary Numbers, Phone and Fax numbers, addresses)
2. PII – Personally Identifiable Information protected under the Privacy Act of 1974 (Examples: Full Name (if not common), telephone number, street address, e-mail address, driver’s license number, credit card numbers)

ENCRYPTION (cont.)
3. OPSEC Indicators (Examples: valuable information to adversaries, such as large group or troop movements, habits at work, financial transactions)
4. Confidential Contract Information
5. Other Sensitive information not approved for public release
NOTE: All e-mails containing PHI or PII shall be marked as “FOR OFFICIAL USE ONLY (FOUO) – PRIVACY SENSITIVE. Any misuse or unauthorized disclosure may result in both civil and criminal penalties.”
[Image: ENCRYPTION ICON IN MICROSOFT OUTLOOK 2003]

DIGITAL SIGNATURE
E-mail must be DIGITALLY SIGNED under the following conditions:
1. Official Business
2. Requests or responses to requests for resources
3. Organization position/information external to the organization (division, department, command).
4. Contract information, financial or funding matters
5. Personnel management matters
6. In addition to encrypting, for all messages qualifying for ENCRYPTION
[Image: DIGITAL SIGNATURE ICON IN MICROSOFT OUTLOOK 2003]

REQUIRED ITEMS
In order for personnel to be able to send and receive encrypted and digitally signed e-mail, there are certain required items for workstation setup and then Outlook configuration:
1. Current CAC (Common Access Card) and PIN. You have to put your CAC in the card reader and use your PIN when you want to send this type of e-mail. Your CAC contains “certificates”, a way of verifying your identity. The framework and services that control these public key certificates are called the Public Key Infrastructure or “PKI”.

REQUIRED ITEMS
2. Identified Workstation. Setup and configuration of Microsoft Outlook 2003 will only be valid for the workstation on which you set it up. If you travel to another, you have to set it up again.
3. Current Card Reader. The current CAC Reader is ActivClient 6.1 x86. You must also see the associated card reader icon in the task bar/tray in the lower right hand area of your computer screen. When you insert your card, the icon should change as noted below:
   ‘ActivClient Agent - No Smart Card’
   ‘ActivClient Agent – Smart Card Inserted’

REQUIRED ITEMS
4. Microsoft Outlook 2003 – You must have a fully functioning Microsoft Outlook 2003 office application installed on your government computer.
**ITEMS 1-4 MUST BE IN PLACE BEFORE PROCEEDING**
FOR ANY HARDWARE OR SOFTWARE PROBLEMS, CONTACT THE IMD HELPDESK AT OR

SETUP
1. Step One: Insert CAC (Common Access Card) into Keyboard or Card Reader
NOTE: Make sure that the icon in the tray changes to reflect the card insertion:

SETUP (cont.)
2. Step Two: Reviewing Your Certificates (in Internet Explorer)
   Step 1: Go to TOOLS-INTERNET OPTIONS.
   Step 2: Click on the Content tab, and then click “Certificates”.
   Step 3: Verify current certificates (make sure they are up to date); you may remove the old ones (delete the outdated ones), and close. Then, click on ‘Clear SSL State’, apply, and OK.

SETUP (cont.)
3. Step Three: “Making Your Certificates Available To Windows” (you need to do this to install your Certificates on your workstation):
   Step 1: Double click on the ‘ActivClient Agent’ icon in the system tray area of the desktop.
   Step 2: Pull down the TOOLS menu and select ADVANCED-MAKE CERTIFICATES AVAILABLE TO WINDOWS. Click ‘OK’ after you are successful.
NOTE: If the icon indicates that it is “ActiveGold” versus “ActivClient”, then you have the OLD version of the CAC Reader installed and you need to contact the IMD Helpdesk at

SETUP (cont.)
Before exiting out of the program, double click on “My Certificates”, then on the “Signature” and “Encryption” Certificates to verify your address. If your address is INCORRECT, exit out of the window and you will need to update it via one of the 3 methods below before proceeding (ensure your certificates are still valid, i.e. not revoked or expired):
1. Update it yourself at the following link:
2. Go to any of the CAC PIN reset stations. Go to the following link to find the CAC reset station nearest you: CAC Reset Stations
3. Call the IMD Helpdesk at for assistance
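
The same review of the certificates made available to Windows (address, validity period, revocation) can be scripted. This is an added PowerShell example, not part of the original presentation; the default value of $ExpectedAddress is a placeholder assumption, and the script only reads the current user's certificate store.

```powershell
# Added example: review the certificates that have been made available to Windows.
# $ExpectedAddress is a placeholder; pass the address your certificates should carry.
param(
    [string]$ExpectedAddress = 'first.last@example.mil'
)

$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]
$now = Get-Date

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Address bound to the certificate (taken from the subject or subject alternative name).
    $email = $cert.GetNameInfo($nameType::EmailName, $false)

    # Key usage separates signature certificates (typically DigitalSignature)
    # from encryption certificates (typically KeyEncipherment).
    $usageExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
    }
    $usage = if ($usageExt) { $usageExt.KeyUsages.ToString() } else { 'not specified' }

    # Validity period: outdated certificates are the ones Step Two says to remove.
    $validity = 'current'
    if ($now -lt $cert.NotBefore) { $validity = 'NOT YET VALID' }
    if ($now -gt $cert.NotAfter)  { $validity = 'EXPIRED' }

    # Build the chain to a trusted issuer; this checks the issuer's signature
    # and, with online revocation checking, whether the certificate was revoked.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $trusted = $chain.Build($cert)
    $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject       = $cert.GetNameInfo($nameType::SimpleName, $false)
        Issuer        = $cert.GetNameInfo($nameType::SimpleName, $true)
        Email         = $email
        AddressMatch  = ($email -eq $ExpectedAddress)   # string -eq is case-insensitive
        KeyUsage      = $usage
        NotAfter      = $cert.NotAfter
        Validity      = $validity
        ChainTrusted  = $trusted
        ChainProblems = $problems
        Thumbprint    = $cert.Thumbprint
    }
} | Sort-Object NotAfter | Format-List
```

Any entry with AddressMatch False, a Validity other than 'current', or ChainTrusted False is one to resolve through the methods listed above before configuring Outlook.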

OUTLOOK CONFIGURATION
The next steps require configuring Microsoft Outlook 2003 so that e-mail can be digitally signed and encrypted:
1. Step One: Open Microsoft Outlook
   1. Click on TOOLS-OPTIONS.
   2. Select the SECURITY tab. Leave only the ‘Send clear text…’ box checked for now, otherwise ALL of your outgoing e-mail will automatically be digitally signed. Next, click on the “Settings” button.

OUTLOOK CONFIGURATION
2. Step Two: Change Security Settings
   1. Make sure “Active Client Certificates” is in the ‘Security Settings Name’ and that all of the boxes are checked.
   2. Click on the 1st “Choose” button. Click on the ‘DOD …Smart Card’ certificate and “OK”. This certificate may be listed 1st or 2nd for you, so look closely.
   3. Click on the 2nd “Choose” button. Click on the remaining certificate and “OK”, and then “OK” again.

OUTLOOK CONFIGURATION
3. Step Three: Publish to the Global Access List (GAL)
   1. Click on ‘Apply’, and then on the “Publish to GAL” button on the bottom left. Enter your CAC PIN when prompted, and then OK after it is accepted. Once they have been published successfully, click on “OK”, and then click on “Apply” and “OK”.

SENDING A DIGITALLY SIGNED MESSAGE
To prepare to send a digitally signed message, make sure that you have Microsoft Outlook 2003 open and “New Message” selected.
1. Click on NEW MESSAGE. You should see two new “envelope” icons in the Standard Toolbar. If not, from the main menu select TOOLS-CUSTOMIZE and check the box for “show standard and formatting toolbars on 2 rows”.
2. To digitally sign a message, click on the envelope with the red “digitally sign” symbol on it before sending. You will have to insert your CAC and enter your PIN.

SENDING AN ENCRYPTED MESSAGE
1. To encrypt a message, you need to click on the envelope with the blue ‘padlock’ on it before sending the message.
2. When encrypting, you must also digitally sign, so both “envelope” icons must be selected.
3. You will be required to insert your CAC and type in your PIN before the message can be sent.

Department of Defense (DoD) Global Directory Service
If you cannot send an encrypted message to another user (this usually happens if the individual has a Department of Defense address outside of the Global Directory), you will need to go to a place called the “Department of Defense (DoD) Global Directory Service” to retrieve their Public Key Certificate.
This is an example of the error message that you might see in Microsoft Outlook 2003 if you are unsuccessful in sending an encrypted message to another user:

Department of Defense (DoD) Global Directory Service
To get to this “DoD-wide repository” in order to search for and retrieve a certificate, go to (CAC is required). The website will look like the picture below:
Type in the last name (at a minimum) of the individual whose certificates you want to retrieve and click SEARCH.

Department of Defense (DoD) Global Directory Service
After clicking on the SEARCH button, one or more users will appear in a window like the one below. Click on the last name of the desired user to expand the certificate:
Under “Certificate Download Options”, click “Download Certificate(s) as vCard…”

Department of Defense (DoD) Global Directory Service
Once the next window appears below, click on “Hardware (CAC) Certificate for…” under “Select a certificate from the available certificates for vCard download.”
This window will pop up right after you click “Hardware (CAC) Certificate for…” the user that you have selected. Click on ‘OPEN’ (NOTE: YOU MUST HAVE MICROSOFT OUTLOOK 2003 OPEN FOR THIS TO WORK!).

Department of Defense (DoD) Global Directory Service
After clicking OPEN, the user’s Contact information will automatically open in Microsoft Outlook and you can click on the “Certificates” tab to view the certificate. SAVE AND CLOSE the Contact.
If the individual is already in your Contacts List, you will receive a “Duplicate Contact Detected” message and be prompted to “Update new information...” if you desire.

PROBLEMS/ASSISTANCE
* ACCESS IT SUPPORT VIA INTRANET
* ACCESS IA (INFORMATION ASSURANCE) VIA IT INTRANET LINK
* CALL IT (INFORMATION TECHNOLOGY)