Digital signatures: more security online by signing e-mails

Sending an e-mail with a fake address? Nowadays, this is no problem for internet fraudsters. It’s made easy because many companies don’t take every measure possible to add additional security to their e-mails when sending confirmation of orders or other important and sensitive documents to their customers. This opens the door to criminals. Phishing, a technique that has become increasingly widespread in the past few years, is a particularly dangerous form of fraudulent e-mailing. Here, fraudsters send e-mails in the name of companies or other seemingly trustworthy senders, with the hope of obtaining access to personal or payment information of their unsuspecting recipients.

The best security solution for this is to use digital signatures. Electronically signed e-mails like this can ensure the recipient that the content has arrived without being manipulated and that the sender is indeed exactly who is expected.

A digital signature shouldn’t be confused with the classic, stylish signature that you can create and include in any e-mail program. Despite the similar name, the latter refers to a text-based signature at the bottom of an e-mail that appears in a similar form to a hand-drawn signature and usually precedes contact information of the sender, like a name, an address, a telephone number, and a job title. Instead, a digital signature is a general electronic signature, typically comprising three algorithms:

• A key generation algorithm (responsible for selecting a random private key and corresponding public key)
• A signing algorithm (produces the signature when presented with the message and the private key)
• A signature verifying algorithm (responsible for accepting or rejecting authenticity claims)

If you’re looking to digitally sign your e-mails, there are two standard practices available: S/MIMEand OpenPGP. Both work on the same basic principle, but they use different data formats; the majority of software solutions only support one of these two formats.

The basic principle when it comes to creating a digital signature is the concept of asymmetric encryption. This means that the sender receives two keys from the key generation algorithm: a private key and a public key. The mail programme of the sender automatically creates a checksum of the mail content, encrypts the checksum with the private key, and then attaches it to the e-mail.

The public key is either sent with an attachment or obtained by the recipient via a public directory. The mail programme of the receiver then decrypts the checksum, recalculates it and then checks the results. If the results match, you can be sure that the message has been signed with the private key that matches the corresponding public key. The authentication is successful and the e-mail is proven to have come from a trustworthy source and to have arrived without manipulation.

One requirement for the use of digital signatures is that your e-mail client is configured correctly in advance. If that’s the case, the process described above will take place automatically in the background, without you noticing. For information on how to set up your e-mail client for this, check out the support page for the software you’re using, for example Microsoft Outlook or Mozilla Thunderbird.  

How is the public key organised so as to be unique to each sender?

Needless to say, this procedure would only make sense if the recipient can identify the sender beyond any reasonable doubt. So the official certification authority (CA) only provides the key after first identifying the sender; only once the certification authority has issued a certificate can the key be officially validated. Since the recipient’s system has to recognise the key in order to ensure the authenticity of the certificate, this information also has to be downloaded and installed by the certification authority. The e-mail programme then later picks up the authentication automatically.

The pair of keys that is used to sign an e-mail digitally has to be verified by the certification authority. This authority checks and confirms the identity of the applicant making the request. There are different levels of quality assurance certificates. Depending on how the identity check performs, a certificate may be awarded in either Class 1, Class 2, or Class 3.

• Certificate level Class 1: a top-level, Class 1 certificate means that the applicant simply receives an e-mail from the certificate authority that must be acknowledged.

• Certificate level Class 2: for Class 2 certificates, the applicant must submit a copy of a valid photo ID to the certification authority to prove his/her identity.

• Certificate level Class 3: this Class 3 certification is the strictest form of identification for digital signatures. It requires the applicant to be verified in person. Often this involves the applicant heading to their local post office or designated government building with an identity card to have their identity officially confirmed.

The certificates mentioned above are usually issued for e-mail addresses for a specific sender. Theoretically, you’d need a separate certificate for every person in a company.

A special exception to these certificates above is the gateway certificate, otherwise known as a domain certificate. This certificate is valid for all e-mail addresses registered under a particular e-mail domain (e.g. @company.com). The problem with this is that although the use of this gateway certificate is standardised internationally, some e-mail clients can’t process them properly. When it comes to Outlook Express, for example, neither sending nor receiving e-mails with gateway certificates is possible. Microsoft Outlook will unfortunately register the certificate as invalid upon reception and return an error message. 

A team certificate can be awarded to an e-mail address that’s managed by a number of people rather than just one individual, like info@company.com, or application@company.com, for example. Here there aren’t any problems during sending or receiving, because the same technical conditions are in place. The difference only occurs in the handling of the certification authority.

In order to gain the access mentioned above, a signature must meet certain conditions. Most programmes, including Outlook, check these conditions automatically when an e-mail with a digital signature is being sent or received, and notify the user in cases when some requirements aren’t fulfilled and so the integrity of the signature can’t be guaranteed.

Since a digital signature is always associated with a certificate, it’s sensible to ensure that the certificate is current and valid. The certificate must also be issued by a trusted certifying body (certificate authority). While some e-mail programmes offer their own solutions, there are a number of reliable, expert CAs that can help. Some of the best known examples include.

• GlobalSign
• CAcert
• StartSSL

Digital signatures are often used in combination with e-mail encryption, but the two do work independently of one another. Signing an email digitally means - quite literally - putting a digital mark onto an e-mail to guarantee the authenticity of the sender. This protects the e-mail from manipulation, but it can still be read by third parties on its way from sender to recipient, just like an electronic version of a postcard. Digital signatures also protect content too: your e-mail can’t be edited, but it can still be intercepted and read. So picture your electronic postcard in a clear, plastic envelope.

E-mail encryption goes a step further. Sticking with the postcard example, we can imagine encryption to be sealing our electronic postcard inside an opaque envelope. The e-mail content is protected on its journey, and only the person who has the required key can decrypt the message at the other end and open the envelope to read the postcard. This makes e-mail communication trustworthy and considerably more secure. Further information on encryption and how to use it with PGP can be found in our digital guide to e-mail encryption.