Title: Naval Medical Center Portsmouth Sending and Receiving Protected Information via Electronic Mail Info
1 Naval Medical Center Portsmouth: Sending and Receiving Protected Information via Electronic Mail
Information Management Department, Training Division
2 INTRODUCTION
- In order for Navy Medicine personnel to send and receive sensitive information via email, they must be able to digitally sign and encrypt the messages using government furnished equipment and software, specifically Microsoft Outlook 2003.
- This slide presentation outlines the policy and procedures for compliance with current instructions.
3 INSTRUCTIONS
- NAVMED Pol 08-005 of 28 Jan 08
- All Navy Medicine personnel shall protect sensitive information from unauthorized access and disclosure
- DOD Inst. 8500.2, IA Implementation, 06 Feb 03
- DOD 8580.02R, DOD Health Information Security Regulation of 12 July 07
- SECNAVINST 5211.5E, DON Privacy Program
- DON CIO Washington D.C. 061525Z Oct 04
4 OVERVIEW
- In order to understand the digital signature and encryption of email, it is important to first understand the following terms:
- Establishment of Trust
- Public Key Infrastructure
- Public Key Cryptography
- Public Key Certificate
5 ESTABLISHING TRUST
- DIGITALLY SIGNING OR ENCRYPTING A MESSAGE IS HOW AN INDIVIDUAL PROVES THEIR IDENTITY, OR ESTABLISHES TRUST, OVER A NETWORK.
- TRUST BETWEEN END USERS OVER A NETWORK REQUIRES A THIRD PARTY INFRASTRUCTURE, OR PUBLIC KEY INFRASTRUCTURE (PKI).
6 PUBLIC KEY INFRASTRUCTURE
- PKI: THE FRAMEWORK/SERVICES THAT PROVIDE FOR THE GENERATION, DISTRIBUTION, CONTROL, TRACKING, AND DESTRUCTION OF PUBLIC KEY CERTIFICATES. PKI ENABLES THE USE OF ENCRYPTION, DIGITAL SIGNATURE, AND ACCESS AUTHENTICATION SERVICES IN A CONSISTENT MANNER ACROSS A WIDE VARIETY OF APPLICATIONS.
7 SECURITY BENEFITS OF PKI
- AUTHENTICATION: ASSURES A PERSON/SYSTEM IS EXACTLY WHO/WHAT THEY CLAIM TO BE.
- DATA INTEGRITY: ASSURES TRANSMITTED DATA HAS NOT BEEN ALTERED.
- NON-REPUDIATION: PROTECTS AGAINST A PERSON LATER DENYING THAT A COMMUNICATION TOOK PLACE.
- CONFIDENTIALITY: PROTECTS AGAINST DISCLOSURE OF INFORMATION TO UNAUTHORIZED USERS.
8 PUBLIC KEY CRYPTOGRAPHY
- Public Key Cryptography is the physical implementation of individual identity and security in the PKI via assignment of Key Pairs:
- A KEY IS AN ELECTRONIC FILE.
- A PAIR OF KEYS IS CREATED AT THE SAME TIME BY SPECIAL SOFTWARE.
- INFORMATION ENCRYPTED WITH ONE KEY CAN ONLY BE DECRYPTED WITH THE OTHER KEY.
[Diagram: USER'S PRIVATE KEY / USER'S PUBLIC KEY]
9 PUBLIC KEY CRYPTOGRAPHY
PUBLIC KEY CRYPTOGRAPHY FACILITATES THE FOLLOWING TASKS:
- ENCRYPTION: EMAIL, ATTACHMENTS, DOCUMENTS, AND FILES CAN BE ENCRYPTED SO THAT ONLY THE RECIPIENT CAN READ THEM.
- DIGITAL SIGNATURES: ELECTRONICALLY SIGN EMAIL, DOCUMENTS, AND FORMS WITH A DIGITAL SIGNATURE.
- SECURE COMMUNICATIONS WITH WEB SITES: YOU KNOW THE WEB SITE YOU ARE ACCESSING AND IT KNOWS WHO YOU ARE (MUTUAL AUTHENTICATION).
10 PUBLIC KEY CERTIFICATE
- AN ELECTRONIC DOCUMENT THAT OFFICIALLY LINKS TOGETHER A USER'S IDENTITY AND PUBLIC KEY.
- CERTIFICATES ARE STORED IN A DIRECTORY SERVER AND MAY BE SENT WITH SIGNED EMAIL.
[Diagram of a certificate's contents: USER'S IDENTITY, USER'S PUBLIC KEY, VALIDITY PERIOD, ISSUER'S SIGNATURE]
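The four fields in the diagram map directly onto an X.509 certificate. As an added example (not part of the original presentation or of any Navy Medicine system), this Go code issues a user certificate from a constructed root issuer and then checks it the way a mail client does before trusting it: the issuer's signature must chain to a trusted root and the current date must fall inside the validity period, so the same certificate is rejected once it has expired. The names, e-mail address and dates are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issueCert binds an identity (name, e-mail) to a public key for a validity period
// and signs the result with the issuer's private key; a nil parent means self-signed.
func issueCert(name, email string, pub *rsa.PublicKey, from, to time.Time,
	parent *x509.Certificate, issuerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial number
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    from, NotAfter: to, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if email != "" {
		tmpl.EmailAddresses = []string{email}
	}
	if parent == nil { // trust root: may sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// checkCert does what a mail client does before trusting a certificate: the issuer's
// signature must chain to a trusted root and "now" must lie inside the validity period.
func checkCert(cert, root *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
// demoCert: one constructed root issuer and one user certificate valid for a year,
// checked once inside its validity period (nil error) and once after it (error).
func demoCert() (inPeriod, afterPeriod error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	start := time.Date(2008, 1, 28, 0, 0, 0, 0, time.UTC)
	root, _ := issueCert("Example Root CA", "", &caKey.PublicKey, start, start.AddDate(10, 0, 0), nil, caKey)
	user, _ := issueCert("DOE.JANE", "jane.doe@example.mil", &userKey.PublicKey, start, start.AddDate(1, 0, 0), root, caKey)
	return checkCert(user, root, start.AddDate(0, 6, 0)), checkCert(user, root, start.AddDate(2, 0, 0))
}
```

Revocation is the other check a client performs (the slides later ask you to confirm your certificates are "not revoked or expired"); it needs a CRL or OCSP lookup against the issuer and is not shown here.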
11 ENCRYPTION
- When sending e-mail, sensitive information must be ENCRYPTED under the following conditions:
- PHI: Personally identifiable medical information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Examples: Names, Social Security Numbers, Medical Record Numbers, Health Plan Beneficiary Numbers, Phone and Fax numbers, Email addresses.
- PII: Personally Identifiable Information protected under the Privacy Act of 1974. Examples: Full Name (if not common), telephone number, street address, email address, driver's license number, credit card numbers.
12 ENCRYPTION (cont.)
- OPSEC Indicators. Examples: information valuable to adversaries, such as large group or troop movements, habits at work, financial transactions.
- Confidential Contract Information
- Other Sensitive information not approved for public release
- NOTE: All emails containing PHI or PII shall be marked as FOR OFFICIAL USE ONLY (FOUO) PRIVACY SENSITIVE. Any misuse or unauthorized disclosure may result in both civil and criminal penalties.
[Image: ENCRYPTION ICON IN MICROSOFT OUTLOOK 2003]
13 DIGITAL SIGNATURE
- Email must be DIGITALLY SIGNED under the following conditions:
- Official Business
- Requests or responses to requests for resources
- Organization position/information external to the organization (division, department, command)
- Contract information, financial or funding matters
- Personnel management matters
- In addition, all messages qualifying for ENCRYPTION must also be digitally signed.
[Image: DIGITAL SIGNATURE ICON IN MICROSOFT OUTLOOK 2003]
14 REQUIRED ITEMS
- In order for personnel to be able to send and receive encrypted and digitally signed email, there are certain required items for workstation setup and then Outlook configuration:
- 1. Current CAC (Common Access Card) and PIN. You have to put your CAC in the card reader and use your PIN when you want to send this type of email. Your CAC contains certificates, a way of verifying your identity. The framework and services that control these public key certificates is called the Public Key Infrastructure or PKI.
15 REQUIRED ITEMS
- 2. Identified Workstation. Setup and configuration of Microsoft Outlook 2003 will only be valid for the workstation on which you set it up. If you travel to another, you have to set it up again.
- 3. Current Card Reader. The current CAC reader software is ActivClient 6.1 x86. You must also see the associated card reader icon in the task bar/tray in the lower right hand area of your computer screen. When you insert your card, the icon should change as noted below:
[Icons: ActivClient Agent - No Smart Card; ActivClient Agent - Smart Card Inserted]
16 REQUIRED ITEMS
- 4. Microsoft Outlook 2003. You must have a fully functioning Microsoft Outlook 2003 office application installed on your government computer.
ITEMS 1-4 MUST BE IN PLACE BEFORE PROCEEDING.
FOR ANY HARDWARE OR SOFTWARE PROBLEMS, CONTACT THE IMD HELPDESK AT 953-7200 OR EMAIL NMCP-HELPDESK@MED.NAVY.MIL
17 SETUP
- Step One: Insert CAC (Common Access Card) into Keyboard or Card Reader
NOTE: Make sure that the icon in the tray changes to reflect the card insertion.
18 SETUP (cont.)
- Step Two: Reviewing Your Certificates (in Internet Explorer)
1. Go to TOOLS - INTERNET OPTIONS.
2. Click on the Content tab, and then click Certificates.
3. Verify current certificates (make sure they are up to date); you may remove the old ones (delete the outdated ones), and close. Then, click on Clear SSL State, Apply, and OK.
19 SETUP (cont.)
- Step Three: Making Your Certificates Available To Windows (you need to do this to install your certificates on your workstation)
1. Double click on the ActivClient Agent icon in the system tray area of the desktop.
2. Pull down the TOOLS menu and select ADVANCED - MAKE CERTIFICATES AVAILABLE TO WINDOWS. Click OK after you are successful.
NOTE: If the icon indicates that it is ActiveGold rather than ActivClient, then you have the OLD version of the CAC reader software installed and you need to contact the IMD Helpdesk at 953-7200.
20 SETUP (cont.)
Before exiting out of the program, double click on My Certificates, then on the Signature and Encryption Certificates to verify your email address.
- If your email address is INCORRECT, exit out of the window; you will need to update it via one of the 3 methods below before proceeding (ensure your certificates are still valid, i.e. not revoked or expired):
- Update it yourself at the following link: https://www.dmdc.osd.mil/ump/umpsecurity.htm
- Go to any of the CAC PIN reset stations, which are located at each of the Branch Health Clinics, Tricare Prime Clinics, DFA Suite (Bldg 1, 3rd Deck), Qtr Deck (Bldg 2, 2nd Deck), and Human Resources (MILPERS, Bldg 3, 4th Deck), to have it updated
- Call the IMD Helpdesk at 953-7200 for assistance
21 OUTLOOK CONFIGURATION
- The next steps require configuring Microsoft Outlook 2003 so that email can be digitally signed and encrypted.
- Step One: Open Microsoft Outlook 2003
1. Click on TOOLS - OPTIONS.
2. Select the SECURITY tab and click on the Settings button. Leave only the Send clear text box checked for now; otherwise ALL of your outgoing email will automatically be digitally signed.
22 OUTLOOK CONFIGURATION
- Step Two: Change Security Settings
1. Make sure Active Client Certificates is in the Security Settings Name and that all of the boxes are checked.
2. Click on the 1st Choose button. Click on the DOD EMAIL Smart Card certificate and OK. This certificate may be listed 1st or 2nd for you, so look closely.
3. Click on the 2nd Choose button. Click on the remaining certificate and OK, and then OK again.
23 OUTLOOK CONFIGURATION
- Step Three: Publish to the Global Access List (GAL)
1. Click on Apply, and then on the Publish to GAL button on the bottom left. Once they have been published successfully, click on OK, and then click on Apply and OK. Enter your CAC PIN when prompted, and then OK after it is accepted.
24 SENDING A DIGITALLY SIGNED MESSAGE
- To prepare to send a digitally signed message, make sure that you have Microsoft Outlook 2003 open and New Message selected.
1. Click on NEW MESSAGE. You should see two new envelope icons in the Standard Toolbar. If not, from the main menu select TOOLS - CUSTOMIZE and check the box for "show standard and formatting toolbars on 2 rows".
2. To digitally sign a message, click on the envelope with the red digitally sign symbol on it before sending. You will have to insert your CAC and enter your PIN.
25 SENDING AN ENCRYPTED MESSAGE
1. To encrypt a message, you need to click on the envelope with the blue padlock on it before sending the message.
2. When encrypting, you must also digitally sign, so both envelope icons must be selected.
3. You will be required to insert your CAC and type in your PIN before the message can be sent.
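Why both icons: signing uses the sender's private key, encryption uses the recipient's public key, and the recipient undoes both with the opposite keys. The following Go code is an added example (not from the presentation, Outlook or any DoD system) of that sign-then-encrypt flow with the standard library. Outlook's S/MIME implementation encrypts the body with a one-time symmetric key and only wraps that key with the recipient's public key; here RSA-OAEP is applied to a short message directly, and the key pairs and sample text are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// SecureMail: ciphertext only the recipient's private key opens, plus the sender's signature.
type SecureMail struct {
	Ciphertext, Signature []byte
}
// sealMail signs with the SENDER's private key, then encrypts to the RECIPIENT's public key.
// RSA-OAEP is applied to the message itself (max 190 bytes with a 2048-bit key); real
// S/MIME wraps a symmetric key this way instead. Constructed stand-in, not Outlook's code.
func sealMail(msg []byte, senderPriv *rsa.PrivateKey, recipPub *rsa.PublicKey) (SecureMail, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SecureMail{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipPub, msg, nil)
	return SecureMail{Ciphertext: ct, Signature: sig}, err
}
// openMail decrypts with the RECIPIENT's private key, then checks the signature with the
// SENDER's public key; a wrong private key or a signature by anyone else is rejected.
func openMail(m SecureMail, recipPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), nil, recipPriv, m.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], m.Signature, nil); err != nil {
		return nil, err
	}
	return msg, nil
}
// demoMail: Alice mails Bob. Bob reads it; Alice's own private key cannot open it (wrong
// key pair); a message signed with Bob's key fails because Bob expects Alice's signature.
func demoMail() (plaintext string, wrongKeyErr, forgedErr error) {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("FOUO PRIVACY SENSITIVE: appointment moved to 0900") // constructed sample
	mail, _ := sealMail(msg, alice, &bob.PublicKey)
	pt, _ := openMail(mail, bob, &alice.PublicKey)
	_, wrongKeyErr = openMail(mail, alice, &alice.PublicKey)
	forged, _ := sealMail(msg, bob, &bob.PublicKey)
	_, forgedErr = openMail(forged, bob, &alice.PublicKey)
	return string(pt), wrongKeyErr, forgedErr
}
```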
26 Department of Defense (DoD) Global Directory Service
If you cannot send an encrypted message to another user (this usually happens if the individual has a Department of Defense email address outside of the Global Directory), you will need to go to the Department of Defense (DoD) Global Directory Service to retrieve their Public Key Certificate.
[Image: example of the error message that you might see in Microsoft Outlook 2003 if you are unsuccessful in sending an encrypted message to another user]
27 Department of Defense (DoD) Global Directory Service
To get to this DoD-wide repository in order to search for and retrieve a certificate, go to https://dod411.chamb.disa.mil (CAC is required). The website will look like the picture below.
Type in the last name (at a minimum) of the individual whose certificates you want to retrieve and click SEARCH.
28 Department of Defense (DoD) Global Directory Service
After clicking on the SEARCH button, one or more users will appear in a window like the one below. Click on the last name of the desired user to expand the certificate.
Under Certificate Download Options, click Download Certificate(s) as vCard.
29 Department of Defense (DoD) Global Directory Service
Once the next window appears below, click on Hardware (CAC) Certificate for the user under Select a certificate from the available certificates for vCard download.
This window will pop up right after you click Hardware (CAC) Certificate for the user that you have selected. Click on OPEN (NOTE: YOU MUST HAVE MICROSOFT OUTLOOK 2003 OPEN FOR THIS TO WORK!).
30 Department of Defense (DoD) Global Directory Service
After clicking OPEN, the user's Contact information will automatically open in Microsoft Outlook and you can click on the Certificates tab to view the certificate. SAVE AND CLOSE the Contact.
If the individual is already in your Contacts List, you will receive a Duplicate Contact Detected message and be prompted to Update new information... if you desire.
31 PROBLEMS/ASSISTANCE
- ACCESS IT SUPPORT VIA INTRANET
- ACCESS IA (INFORMATION ASSURANCE) VIA IT INTRANET LINK
- CALL IT HELPDESK @ 953-7200
- EMAIL NMCP-Helpdesk@med.navy.mil (INFORMATION TECHNOLOGY)