KMS uses the certificates issued by Certificate Services to create key pairs. A user's key pair consists of a public key, stored in Active Directory and available to anyone, and a private key, kept on the client computer in a secure location. Private keys are available only to the user. The keys are bound to the user by the certificate that the keys were created from.
Every Advanced Security user has at least two key pairs. During
enrollment, the Key Management Server generates a key pair for
message encryption, while Microsoft Outlook generates a key pair
for digital signatures. A copy of every user's private key is
securely stored in an encrypted database on the user's
Note If you choose to have KMS issue X.509v1 certificates to older clients in your organization, your users will have an extra signature key pair. One key pair will be used to digitally sign messages with version 3 certificates, the other key pair will be used with version 1 certificates.
In public key encryption, the sender retrieves the recipient's public key from Active Directory and uses it to encrypt a message. Only the recipient's corresponding private key can decrypt it. This ensures that no other users can read the contents.
To digitally sign a message, the sender must use his or her private key. Recipients use the sender's public key to verify the source of the message because only the correct public key will work with the private signing key. This enables recipients to be sure of the identity of the sender.
Because a digital signature contains information based on the contents of the message, verification of the signature also means the integrity of the data is intact. A digitally signed message cannot be tampered with while in transit without being detected.
Digital signatures are also binding for those who sign messages
with them. When a user includes a digital signature to make a
commitment, they cannot back out of that commitment later by
claiming they were impersonated. This is known as
Related TopicsDual Key Pair Systems