Working with the Outlook 2000 Security Model


This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.

The Microsoft Outlook 2000 security model differs from that of Outlook 97 and previous Microsoft Exchange clients. Outlook 2000 supports S/MIME security, which allows users to exchange secure e-mail messages with other S/MIME e-mail clients over the Internet, as well as within an organization.

The new Outlook 2000 security model helps ensure the security of Outlook e-mail messages by using public key encryption to send and receive signed and encrypted e-mail messages. This feature includes digital signing, which allows users to verify the identity of senders and the integrity of messages, and message encryption, which protects the contents of messages from being read by anyone except their intended recipients. Users can exchange signed and encrypted e-mail messages with other e-mail clients that support S/MIME.

E-mail messages encrypted with a user’s public key can be decrypted only with the associated private key. When a user sends an encrypted e-mail message, the recipient’s certificate (public key) is used to encrypt it; likewise, when a user reads an encrypted e-mail message, Outlook 2000 uses the user’s private key to decrypt it.

Digital certificates

S/MIME features rely on digital certificates, which associate the user’s identity with a public key. The associated private key is saved in a secure store on the user’s computer. The combination of a certificate and private key is called a Digital ID. Outlook 2000 fully supports X.509v3 standard digital certificates, which must be created by a certificate authority.

Outlook 2000 supports public Web-based enrollment to certificate authorities such as VeriSign and Microsoft Certificate Server. Outlook 2000 also works with Microsoft Exchange Key Management server to provide an integrated X.509v3-based public key infrastructure for corporate users. The sender needs only an X.509v3 certificate and private key to exchange digitally signed e-mail messages. For encrypted e-mail messages, the sender must also have each recipient’s certificate.

Certificates can be exchanged by including them in a signed message. Certificates are stored in each Outlook user’s Contacts. Microsoft Exchange Key Management Server automatically stores each user’s certificate in the Global Address Book so that encrypted e-mail messages can be sent to other users in the organization.
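
The key usage described above, reproduced with the OpenSSL command line as an added example (it is not code from Outlook or from this article). The users alice and bob, the example.test addresses and the self-signed certificates are constructed for the demonstration; it assumes the openssl tool is installed.

```shell
#!/bin/sh
# Added example. alice/bob and example.test are constructed; the self-signed
# certificates stand in for ones a certificate authority would issue.
smime_demo() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    cd "$d" || exit 1

    # One Digital ID (certificate + private key) per user.
    for u in alice bob; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$u/emailAddress=$u@example.test" \
            -keyout "$u.key" -out "$u.crt" 2>/dev/null || exit 1
    done
    printf 'Quarterly numbers attached.\n' > msg.txt

    # Signing: the sender needs only her own certificate and private key.
    openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key \
        -out signed.eml 2>/dev/null || exit 1

    # Encrypting: the sender needs the recipient's certificate, no private key.
    openssl smime -encrypt -aes-256-cbc -in signed.eml -out enc.eml bob.crt \
        2>/dev/null || exit 1

    # Decrypting: only the recipient's private key opens the message.
    if openssl smime -decrypt -in enc.eml -recip alice.crt -inkey alice.key \
        -out wrong.eml 2>/dev/null; then
        echo "wrong-key=accepted"
    else
        echo "wrong-key=rejected"
    fi
    openssl smime -decrypt -in enc.eml -recip bob.crt -inkey bob.key \
        -out inner.eml 2>/dev/null || exit 1

    # Verifying: checks integrity and the signer's identity. alice.crt is the
    # trust anchor here only because the demo certificate is self-signed.
    openssl smime -verify -in inner.eml -CAfile alice.crt -out plain.txt \
        2>/dev/null && tr -d '\r' < plain.txt | cmp -s - msg.txt \
        && echo "signature=valid"

    # The signed message carries the signer's certificate, which is how
    # certificates get exchanged between correspondents.
    openssl smime -pk7out -in inner.eml 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null \
        | grep -q 'alice@example.test' && echo "signer-cert=included"
)
```

Calling smime_demo prints one line per check; the temporary directory holding the keys is removed when the function exits.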

See also

Public key cryptography can help you maintain secure e-mail systems. For more information about the use of public key cryptography in Outlook, search for Outlook security white paper on the Microsoft Support Online Web site, at https://support.microsoft.com/support/, to find the “Microsoft Outlook 98 Security” white paper.

S/MIME is based on RSA Labs Public Key Cryptography Standard documents. These documents were consolidated in the Internet Engineering Task Force process to become the Internet standard S/MIME. For more information, see the S/MIME Central Web site at http://www.rsa.com/smime/.

If you are installing Outlook 2000 on a locked-down system, you must pay attention to where the e-mail messages and other storage files are located on the user’s hard disk. For more information, see How to Install Outlook 2000 on a Locked Down System.

Microsoft Exchange Key Management Server version 5.5 issues keys for Microsoft Exchange Server security only. Microsoft Exchange Key Management Server 5.5, Service Pack 1 supports both Exchange security and S/MIME security. For more information, see the Microsoft Exchange Server version 5.5 Resource Guide in the Microsoft BackOffice Resource Kit, Second Edition.




Friday, March 5, 1999