Sending an e-mail with a fake address? Nowadays, this is no problem for internet fraud­sters. It’s made easy because many companies don’t take every measure possible to add ad­di­tion­al security to their e-mails when sending con­firm­a­tion of orders or other important and sensitive documents to their customers. This opens the door to criminals. Phishing, a technique that has become in­creas­ingly wide­spread in the past few years, is a par­tic­u­larly dangerous form of fraud­u­lent e-mailing. Here, fraud­sters send e-mails in the name of companies or other seemingly trust­worthy senders, with the hope of obtaining access to personal or payment in­form­a­tion of their un­sus­pect­ing re­cip­i­ents.

The best security solution for this is to use digital sig­na­tures. Elec­tron­ic­ally signed e-mails like this can ensure the recipient that the content has arrived without being ma­nip­u­lated and that the sender is indeed exactly who is expected.

What’s the purpose of a digital signature?

An elec­tron­ic signature guar­an­tees the integrity of both the data and the sender of an e-mail. They’re usually used to au­then­tic­ate the origin of digital in­form­a­tion – not just e-mails, but documents and macros too. In this way, a digital signature fulfils a similar role to that of its namesake for paper documents: it ensures the au­then­ti­city of the person or company listed as the sender of elec­tron­ic in­form­a­tion.

By using a digital signature, you can protect the integrity of any data you transfer online. The recipient can be certain that nobody has accessed or tampered with the content because the elec­tron­ic signature acts as a seal. This means that in cases of dispute, this signature can be used to prove exactly where an e-mail came from. Both the person (or company) who signed and the content of the e-mail are on display for the recipient to see.

Digital signature vs. e-mail signature

A digital signature shouldn’t be confused with the classic, stylish signature that you can create and include in any e-mail program. Despite the similar name, the latter refers to a text-based signature at the bottom of an e-mail that appears in a similar form to a hand-drawn signature and usually precedes contact in­form­a­tion of the sender, like a name, an address, a telephone number, and a job title. Instead, a digital signature is a general elec­tron­ic signature, typically com­pris­ing three al­gorithms:

  • A key gen­er­a­tion algorithm (re­spons­ible for selecting a random private key and cor­res­pond­ing public key)
  • A signing algorithm (produces the signature when presented with the message and the private key)
  • A signature verifying algorithm (re­spons­ible for accepting or rejecting au­then­ti­city claims)

Creating a digital signature

If you’re looking to digitally sign your e-mails, there are two standard practices available: S/MIME and OpenPGP. Both work on the same basic principle, but they use different data formats; the majority of software solutions only support one of these two formats. The basic principle when it comes to creating a digital signature is the concept of asym­met­ric en­cryp­tion. This means that the sender receives two keys from the key gen­er­a­tion algorithm: a private key and a public key. The mail programme of the sender auto­mat­ic­ally creates a checksum of the mail content, encrypts the checksum with the private key, and then attaches it to the e-mail. The public key is either sent with an at­tach­ment or obtained by the recipient via a public directory. The mail programme of the receiver then decrypts the checksum, re­cal­cu­lates it and then checks the results. If the results match, you can be sure that the message has been signed with the private key that matches the cor­res­pond­ing public key. The au­then­tic­a­tion is suc­cess­ful and the e-mail is proven to have come from a trust­worthy source and to have arrived without ma­nip­u­la­tion.

One re­quire­ment for the use of digital sig­na­tures is that your e-mail client is con­figured correctly in advance. If that’s the case, the process described above will take place auto­mat­ic­ally in the back­ground, without you noticing. For in­form­a­tion on how to set up your e-mail client for this, check out the support page for the software you’re using, for example Microsoft Outlook or Mozilla Thun­der­bird.   How is the public key organised so as to be unique to each sender? Needless to say, this procedure would only make sense if the recipient can identify the sender beyond any reas­on­able doubt. So the official cer­ti­fic­a­tion authority (CA) only provides the key after first identi­fy­ing the sender; only once the cer­ti­fic­a­tion authority has issued a cer­ti­fic­ate can the key be of­fi­cially validated. Since the recipient’s system has to recognise the key in order to ensure the au­then­ti­city of the cer­ti­fic­ate, this in­form­a­tion also has to be down­loaded and installed by the cer­ti­fic­a­tion authority. The e-mail programme then later picks up the au­then­tic­a­tion auto­mat­ic­ally.

Trust levels of cer­ti­fic­ates

The pair of keys that is used to sign an e-mail digitally has to be verified by the cer­ti­fic­a­tion authority. This authority checks and confirms the identity of the applicant making the request. There are different levels of quality assurance cer­ti­fic­ates. Depending on how the identity check performs, a cer­ti­fic­ate may be awarded in either Class 1, Class 2, or Class 3.

  • Cer­ti­fic­ate level Class 1: a top-level, Class 1 cer­ti­fic­ate means that the applicant simply receives an e-mail from the cer­ti­fic­ate authority that must be ac­know­ledged.
  • Cer­ti­fic­ate level Class 2: for Class 2 cer­ti­fic­ates, the applicant must submit a copy of a valid photo ID to the cer­ti­fic­a­tion authority to prove his/her identity.
  • Cer­ti­fic­ate level Class 3: this Class 3 cer­ti­fic­a­tion is the strictest form of iden­ti­fic­a­tion for digital sig­na­tures. It requires the applicant to be verified in person. Often this involves the applicant heading to their local post office or des­ig­nated gov­ern­ment building with an identity card to have their identity of­fi­cially confirmed.

Special cer­ti­fic­ates: gateway cer­ti­fic­ates or team cer­ti­fic­ates

The cer­ti­fic­ates mentioned above are usually issued for e-mail addresses for a specific sender. The­or­et­ic­ally, you’d need a separate cer­ti­fic­ate for every person in a company.

A special exception to these cer­ti­fic­ates above is the gateway cer­ti­fic­ate, otherwise known as a domain cer­ti­fic­ate. This cer­ti­fic­ate is valid for all e-mail addresses re­gistered under a par­tic­u­lar e-mail domain (e.g. @company.com). The problem with this is that although the use of this gateway cer­ti­fic­ate is stand­ard­ised in­ter­na­tion­ally, some e-mail clients can’t process them properly. When it comes to Outlook Express, for example, neither sending nor receiving e-mails with gateway cer­ti­fic­ates is possible. Microsoft Outlook will un­for­tu­nately register the cer­ti­fic­ate as invalid upon reception and return an error message. 

A team cer­ti­fic­ate can be awarded to an e-mail address that’s managed by a number of people rather than just one in­di­vidu­al, like info@company.com, or ap­plic­a­tion@company.com, for example. Here there aren’t any problems during sending or receiving, because the same technical con­di­tions are in place. The dif­fer­ence only occurs in the handling of the cer­ti­fic­a­tion authority.

Re­quire­ments of a digital signature

In order to gain the access mentioned above, a signature must meet certain con­di­tions. Most pro­grammes, including Outlook, check these con­di­tions auto­mat­ic­ally when an e-mail with a digital signature is being sent or received, and notify the user in cases when some re­quire­ments aren’t fulfilled and so the integrity of the signature can’t be guar­an­teed. Since a digital signature is always as­so­ci­ated with a cer­ti­fic­ate, it’s sensible to ensure that the cer­ti­fic­ate is current and valid. The cer­ti­fic­ate must also be issued by a trusted cer­ti­fy­ing body (cer­ti­fic­ate authority). While some e-mail pro­grammes offer their own solutions, there are a number of reliable, expert CAs that can help. Some of the best known examples include.

Digital signature vs. e-mail en­cryp­tion

Digital sig­na­tures are often used in com­bin­a­tion with e-mail en­cryp­tion, but the two do work in­de­pend­ently of one another. Signing an email digitally means - quite literally - putting a digital mark onto an e-mail to guarantee the au­then­ti­city of the sender. This protects the e-mail from ma­nip­u­la­tion, but it can still be read by third parties on its way from sender to recipient, just like an elec­tron­ic version of a postcard. Digital sig­na­tures also protect content too: your e-mail can’t be edited, but it can still be in­ter­cep­ted and read. So picture your elec­tron­ic postcard in a clear, plastic envelope. E-mail en­cryp­tion goes a step further. Sticking with the postcard example, we can imagine en­cryp­tion to be sealing our elec­tron­ic postcard inside an opaque envelope. The e-mail content is protected on its journey, and only the person who has the required key can decrypt the message at the other end and open the envelope to read the postcard. This makes e-mail com­mu­nic­a­tion trust­worthy and con­sid­er­ably more secure. Further in­form­a­tion on en­cryp­tion and how to use it with PGP can be found in our digital guide to e-mail en­cryp­tion.

Go to Main Menu