Naval Medical Center Portsmouth: Sending and Receiving Protected Information via Electronic Mail (PowerPoint transcript)
Provided by: DIS114
1
Naval Medical Center Portsmouth: Sending and
Receiving Protected Information via Electronic
Mail
Information Management Department, Training
Division
2
INTRODUCTION
  • In order for Navy Medicine personnel to send and
    receive sensitive information via email, they
    must be able to digitally sign and encrypt the
    messages using government-furnished equipment and
    software, specifically Microsoft Outlook 2003.
  • This slide presentation outlines the policy
    and procedures for compliance with current
    instructions.

3
INSTRUCTIONS
  • NAVMED Pol 08-005 of 28 Jan 08
  • All Navy Medicine personnel shall protect
    sensitive information from unauthorized access
    and disclosure.
  • DOD Inst. 8500.2, IA Implementation, 06 Feb 03
  • DOD 8580.02R, DOD Health Information Security
    Regulation of 12 July 07
  • SECNAVINST 5211.5E, DON Privacy Program
  • DON CIO Washington D.C. 061525Z Oct 04

4
OVERVIEW
  • In order to understand the digital signature and
    encryption of email, it is important to first
    understand the following terms:
  • Establishment of Trust
  • Public Key Infrastructure
  • Public Key Cryptography
  • Public Key Certificate

5
ESTABLISHING TRUST
  • DIGITALLY SIGNING OR ENCRYPTING A MESSAGE IS HOW
    AN INDIVIDUAL PROVES THEIR IDENTITY, OR
    ESTABLISHES TRUST, OVER A NETWORK.
  • TRUST BETWEEN END USERS OVER A NETWORK REQUIRES
    A THIRD PARTY INFRASTRUCTURE, OR PUBLIC KEY
    INFRASTRUCTURE (PKI).

6
PUBLIC KEY INFRASTRUCTURE
  • PKI
  • THE FRAMEWORK/SERVICES THAT PROVIDE FOR THE
    GENERATION, DISTRIBUTION, CONTROL, TRACKING, AND
    DESTRUCTION OF PUBLIC KEY CERTIFICATES. PKI
    ENABLES THE USE OF ENCRYPTION, DIGITAL SIGNATURE,
    AND ACCESS AUTHENTICATION SERVICES IN A
    CONSISTENT MANNER ACROSS A WIDE VARIETY OF
    APPLICATIONS.

7
SECURITY BENEFITS OF PKI
  • AUTHENTICATION: ASSURES A PERSON/SYSTEM IS EXACTLY
    WHO/WHAT THEY CLAIM TO BE.
  • DATA INTEGRITY: ASSURES TRANSMITTED DATA HAS NOT
    BEEN ALTERED.
  • NON-REPUDIATION: PROTECTS AGAINST A PERSON DENYING
    LATER THAT A COMMUNICATION TOOK PLACE.
  • CONFIDENTIALITY: PROTECTS AGAINST DISCLOSURE OF
    INFORMATION TO UNAUTHORIZED USERS.

8
PUBLIC KEY CRYPTOGRAPHY
  • Public Key Cryptography is the physical
    implementation of individual identity and
    security in the PKI via assignment of Key Pairs.
  • A KEY IS AN ELECTRONIC FILE.
  • A PAIR OF KEYS IS CREATED AT THE SAME TIME BY
    SPECIAL SOFTWARE.
  • INFORMATION ENCRYPTED WITH ONE KEY CAN ONLY BE
    DECRYPTED WITH THE OTHER KEY.

(Diagram: USER'S PRIVATE KEY and USER'S PUBLIC KEY)
9
PUBLIC KEY CRYPTOGRAPHY
PUBLIC KEY CRYPTOGRAPHY FACILITATES THE FOLLOWING
TASKS:
  • ENCRYPTION: EMAIL, ATTACHMENTS, DOCUMENTS, AND
    FILES CAN BE ENCRYPTED SO THAT ONLY THE RECIPIENT
    CAN READ THEM.
  • DIGITAL SIGNATURES: ELECTRONICALLY SIGN EMAIL,
    DOCUMENTS, AND FORMS WITH A DIGITAL SIGNATURE.
  • SECURE COMMUNICATIONS WITH WEB SITES: YOU KNOW THE
    WEB SITE YOU ARE ACCESSING AND IT KNOWS WHO YOU
    ARE (MUTUAL AUTHENTICATION).

10
PUBLIC KEY CERTIFICATE
  • AN ELECTRONIC DOCUMENT THAT OFFICIALLY LINKS
    TOGETHER A USER'S IDENTITY AND PUBLIC KEY.
  • CERTIFICATES ARE STORED IN A DIRECTORY SERVER AND
    MAY BE SENT WITH SIGNED EMAIL.

(Diagram: certificate contents: USER'S IDENTITY,
USER'S PUBLIC KEY, VALIDITY PERIOD, ISSUER'S SIGNATURE)
11
ENCRYPTION
  • When sending e-mail, sensitive information must
    be ENCRYPTED under the following conditions:
  • PHI - Personally identifiable medical information
    protected under the Health Insurance Portability
    and Accountability Act of 1996 (HIPAA) (Examples:
    Names, Social Security Numbers, Medical Record
    Numbers, Health Plan Beneficiary Numbers, Phone
    and Fax numbers, Email addresses)
  • PII - Personally Identifiable Information
    protected under the Privacy Act of 1974
    (Examples: Full Name (if not common), telephone
    number, street address, email address, driver's
    license number, credit card numbers)

12
ENCRYPTION (cont.)
  • OPSEC Indicators (Examples: information valuable
    to adversaries, such as large group or troop
    movements, habits at work, financial
    transactions)
  • Confidential Contract Information
  • Other sensitive information not approved for
    public release
  • NOTE: All emails containing PHI or PII shall be
    marked as FOR OFFICIAL USE ONLY (FOUO) PRIVACY
    SENSITIVE. Any misuse or unauthorized disclosure
    may result in both civil and criminal penalties.

(Screenshot: ENCRYPTION ICON IN MICROSOFT OUTLOOK 2003)
13
DIGITAL SIGNATURE
  • Email must be DIGITALLY SIGNED under the
    following conditions:
  • Official Business
  • Requests or responses to requests for resources
  • Organization position/information external to the
    organization (division, department, command).
  • Contract information, financial or funding
    matters
  • Personnel management matters
  • In addition, every message that qualifies for
    ENCRYPTION must also be digitally signed.

(Screenshot: DIGITAL SIGNATURE ICON IN MICROSOFT OUTLOOK 2003)
14
REQUIRED ITEMS
  • In order for personnel to be able to send and
    receive encrypted and digitally signed email,
    there are certain required items for workstation
    setup and then Outlook configuration:
  • Current CAC (Common Access Card) and PIN. You
    have to put your CAC in the card reader and enter
    your PIN whenever you send this type of email.
    Your CAC contains certificates, a way of
    verifying your identity. The framework and
    services that control these public key
    certificates are called the Public Key
    Infrastructure, or PKI.

15
REQUIRED ITEMS
  • Identified Workstation. Setup and configuration
    of Microsoft Outlook 2003 will only be valid for
    the workstation on which you set it up. If you
    travel to another, you have to set it up again.
  • Current Card Reader. The current CAC Reader
    software is ActivClient 6.1 x86. You must also
    see the associated card reader icon in the task
    bar/tray in the lower right hand area of your
    computer screen. When you insert your card, the
    icon should change as noted below:

(Icons: "ActivClient Agent - No Smart Card" and
"ActivClient Agent - Smart Card Inserted")
16
REQUIRED ITEMS
  • Microsoft Outlook 2003. You must have a fully
    functioning Microsoft Outlook 2003 office
    application installed on your government computer.

ITEMS 1-4 MUST BE IN PLACE BEFORE PROCEEDING.
FOR ANY HARDWARE OR SOFTWARE PROBLEMS, CONTACT
THE IMD HELPDESK AT 953-7200 OR EMAIL
NMCP-HELPDESK@MED.NAVY.MIL
17
SETUP
  • Step One: Insert CAC (Common Access Card) into
    Keyboard or Card Reader

NOTE: Make sure that the icon in the tray
changes to reflect the card insertion.
18
SETUP (cont.)
  • Step Two: Reviewing Your Certificates (in
    Internet Explorer)

Step 1: Go to TOOLS > INTERNET OPTIONS.
Step 2: Click on the Content tab, and then click
Certificates.
Step 3: Verify that your current certificates are
up to date. You may delete the outdated ones, then
close. Then click on Clear SSL State, Apply, and
OK.
19
SETUP (cont.)
  • Step Three: Making Your Certificates Available
    To Windows (you need to do this to install your
    Certificates on your workstation)

Step 1: Double click on the ActivClient Agent icon
in the system tray area of the desktop.
Step 2: Pull down the TOOLS menu and select
ADVANCED > MAKE CERTIFICATES AVAILABLE TO WINDOWS.
Click OK after you are successful.
NOTE: If the icon indicates that it is
ActiveGold rather than ActivClient, then you have
the OLD version of the CAC Reader software installed
and you need to contact the IMD Helpdesk at 953-7200.
20
SETUP (cont.)
Before exiting the program, double click on My
Certificates, then on the Signature and Encryption
Certificates, to verify your email address.
  • If your email address is INCORRECT, exit the
    window; you will need to update it via one of
    the 3 methods below before proceeding (ensure
    your certificates are still valid, i.e. not
    revoked or expired):
  • Update it yourself at the following link:
  • https://www.dmdc.osd.mil/ump/umpsecurity.htm
  • Go to any of the CAC PIN reset stations, which
    are located at each of the Branch Health Clinics,
    Tricare Prime Clinics, DFA Suite (Bldg 1, 3rd
    Deck), Qtr Deck (Bldg 2, 2nd Deck), and Human
    Resources (MILPERS, Bldg 3, 4th Deck), to have it
    updated
  • Call the IMD Helpdesk at 953-7200 for assistance

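As an added illustration (not part of the original deck, and not DoD or ActivClient code) of the checks slides 10 and 20 describe, the Go program below builds a constructed issuer and user e-mail certificate in memory and then verifies the three things the deck calls out: the issuer's signature chains to a trusted root, the validity period covers the current time, and the certificate binds the expected e-mail address to the public key. The names DemoPKI, CheckEmailCert, "Demo Issuer" and the example addresses are assumptions; revocation status is not checked, because Go's standard verifier does no CRL or OCSP lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckEmailCert applies the deck's checks before a certificate is trusted for signed or
// encrypted mail: issuer signature chains to a trusted root, 'now' is inside the validity
// period, and the certificate binds the expected e-mail address (identity) to the public key.
func CheckEmailCert(cert *x509.Certificate, roots *x509.CertPool, email string, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil { // fails on bad issuer signature or expiry
		return fmt.Errorf("issuer or validity check failed: %w", err)
	}
	for _, e := range cert.EmailAddresses { // identity from the Subject Alternative Name
		if e == email {
			return nil
		}
	}
	return fmt.Errorf("certificate does not bind address %q", email)
}

// DemoPKI builds a throwaway issuer and one user e-mail certificate in memory: constructed
// test data, not a real DoD certificate. Errors are ignored only because inputs are fixed.
func DemoPKI(email string, notBefore, notAfter time.Time) (*x509.Certificate, *x509.CertPool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Issuer"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo User"},
		EmailAddresses: []string{email}, NotBefore: notBefore, NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	userDER, _ := x509.CreateCertificate(rand.Reader, userTmpl, ca, &userKey.PublicKey, caKey) // issuer signs
	user, _ := x509.ParseCertificate(userDER)
	roots := x509.NewCertPool() // the trust anchor the receiver must already hold
	roots.AddCert(ca)
	return user, roots
}
```

Run it with `go test` beside a test that calls DemoPKI and CheckEmailCert; a certificate checked one day past NotAfter, with a different address, or against an empty root pool is rejected.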
21
OUTLOOK CONFIGURATION
  • The next steps require configuring Microsoft
    Outlook 2003 so that email can be digitally
    signed and encrypted.
  • Step One: Open Microsoft Outlook 2003

1. Click on TOOLS > OPTIONS.
2. Select the SECURITY tab and click on the
Settings button. Leave only the "Send clear
text" box checked for now; otherwise ALL of your
outgoing email will automatically be digitally
signed.
22
OUTLOOK CONFIGURATION
  • Step Two: Change Security Settings

1. Make sure "Active Client Certificates" is in
the Security Settings Name and that all of the
boxes are checked.
2. Click on the 1st Choose button. Click on
the DOD EMAIL Smart Card certificate and OK.
This certificate may be listed 1st or 2nd for
you, so look closely.
3. Click on the 2nd Choose button. Click on
the remaining certificate and OK, and then OK
again.
23
OUTLOOK CONFIGURATION
  • Step Three: Publish to the Global Address List
    (GAL)

1. Click on Apply, and then on the Publish to
GAL button on the bottom left. Once the
certificates have been published successfully,
click on OK, and then click on Apply and OK.
Enter your CAC PIN when prompted, and then OK
after it is accepted.
24
SENDING A DIGITALLY SIGNED MESSAGE
  • To prepare to send a digitally signed
    message, make sure that you have Microsoft
    Outlook 2003 open and New Message selected.

1. Click on NEW MESSAGE. You should see two new
envelope icons in the Standard Toolbar. If
not, from the main menu select TOOLS > CUSTOMIZE
and check the box for "Show Standard and
Formatting toolbars on two rows".
2. To digitally sign a message, click on the
envelope with the red digitally sign symbol on
it before sending. You will have to insert your
CAC and enter your PIN.
25
SENDING AN ENCRYPTED MESSAGE

1. To encrypt a message, you need to click on the
envelope with the blue padlock on it before
sending the message.
2. When encrypting, you must also digitally
sign, so both envelope icons must be selected.
3. You will be required to insert your CAC and
type in your PIN before the message can be sent.
26
Department of Defense (DoD) Global
Directory Service
If you cannot send an encrypted message to
another user (this usually happens if the
individual has a Department of Defense email
address outside of the Global Directory), you
will need to go to the Department of Defense
(DoD) Global Directory Service to retrieve their
Public Key Certificate.
Below is an example of the error message that you
might see in Microsoft Outlook 2003 if you are
unsuccessful in sending an encrypted message to
another user.

(Screenshot: Outlook 2003 encryption error message)
27
Department of Defense (DoD) Global
Directory Service
To get to this DoD-wide repository in order to
search for and retrieve a certificate, go to
https://dod411.chamb.disa.mil (CAC is required).
The website will look like the picture below.
Type in the last name (at a minimum) of the
individual whose certificates you want to
retrieve and click SEARCH.

(Screenshot: DoD Global Directory Service search page)
28
Department of Defense (DoD) Global
Directory Service
After clicking on the SEARCH button, one or more
users will appear in a window like the one below.
Click on the last name of the desired user to
expand the certificate.
Under Certificate Download Options, click
"Download Certificate(s) as vCard".
29
Department of Defense (DoD) Global
Directory Service
Once the next window appears, click on
"Hardware (CAC) Certificate for ..." under "Select a
certificate from the available certificates for
vCard download".
A download window will pop up right after you click
the Hardware (CAC) Certificate for the user that
you have selected. Click on OPEN (NOTE: YOU
MUST HAVE MICROSOFT OUTLOOK 2003 OPEN FOR THIS TO
WORK!).
30
Department of Defense (DoD) Global
Directory Service
After clicking OPEN, the user's Contact
information will automatically open in Microsoft
Outlook and you can click on the Certificates
tab to view the certificate. SAVE AND CLOSE the
Contact.
If the individual is already in your Contacts
List, you will receive a "Duplicate Contact
Detected" message and be prompted to "Update new
information..." if you desire.
31
PROBLEMS/ASSISTANCE
  • ACCESS IT (INFORMATION TECHNOLOGY) SUPPORT VIA
    INTRANET
  • ACCESS IA (INFORMATION ASSURANCE) VIA IT INTRANET
    LINK
  • CALL IT HELPDESK AT 953-7200
  • EMAIL NMCP-Helpdesk@med.navy.mil