Public Key Cryptography

Public key cryptography is based on two halves of the same key that are "mirror images" of each other. The two halves of the key are called a key pair. A message encrypted with one key in the pair can be decrypted only with the other key in the pair. Microsoft Exchange Server uses two key pairs that can be assigned to a user: one key pair is used to digitally sign messages, and the other is used to encrypt messages.

A key pair consists of a public key and a private key. The public key is publicly known and stored in the directory so everyone has access to it. The private key is known only to the key's owner and is stored on the user's hard drive. Microsoft Outlook stores this information in the user's Registry. The Microsoft Exchange Client stores this information in the user's security (.epf) file. By making one key publicly available and keeping the other key secret, public key cryptography simplifies the distribution of keys without compromising their security. For example, a message encrypted with a recipient's public key can be decrypted only with the recipient's private key.

Public key cryptography is computationally slow. Therefore, it is not as effective as secret key cryptography for encrypting large amounts of data. Because of this, Microsoft Exchange Server uses public key cryptography primarily for digital signatures and for the secure exchange of secret keys between users.

To prevent unauthorized persons from tampering with keys after they have been created, Microsoft Exchange Server uses certificates to establish trust in keys. A certificate is a user's public key that has been digitally signed by a trusted authority called a Certification Authority (CA). The KM server is a type of CA. Because the KM server uses its private key to sign certificates, a certificate's signature can be verified using the copy of the KM server's public signing key that resides in every user's security file.

In Microsoft Exchange Server, encryption and signing operations use different certificates. Signing certificates are sent with every signed message. This ensures that the recipient can verify a sender's digital signature even when the recipient is offline. In contrast, encryption certificates are available in the global address list so everyone has access to them. Users can make encryption certificates available when they are offline by downloading a copy of the offline Address Book with full details.

Microsoft Exchange Server uses a certificate format that complies with the public X.509 standards.