What is digitally signed email, and why do I sign my emails?

I may be being slightly evangelical here, but I believe there are huge benefits to be had by making use of digital signatures and secure email. I would like to explain what it is all about, how it works (basically) and why you may want to do the same.

So what is digitally signed email?

Using digital signatures allows you to confirm, without doubt, that an email really came from the person it says it came from and that it has not been altered by anyone else while en route to you. It can also secure the email to ensure only the intended person can read it.

How does it work?

To send secure or signed email you first need a Digital Certificate. Digital Certificates are based on the common cryptography technique known as public/private key encryption. I am not going to go into how this works here, but it is the same system that is used in secure websites and SSL (that padlock you see in your web browser).

To obtain a certificate you have two options. You can either generate your own (which is not recommended, as I’ll explain later) or go to a certification authority who will sell you one. They will perform security checks on you to ensure you are who you say you are. This is a critical process, as you need to be able to trust the certificate when it says it’s valid. Once this is complete you will be able to download and install your certificate. All computers have a built-in list of trusted certification authorities. Any certificate generated by one of these companies will automatically be trusted and show as valid on your computer. If you generate your own certificate, the recipient will get a warning that they do not trust it, which partially defeats the point.

Your certificate consists of two parts, the ‘public’ and ‘private’ keys. The private key is very important and must be kept safe and secret. You should never give anyone a copy of your private key. Some certification authorities will allow you to download another copy of your private key, should you lose it. Please don’t worry or think to yourself ‘this sounds complicated’; these are things you don’t have to worry about, since it’s all part of the operating system and it all just works in the background.

Once you have your certificate installed and configured, when you send an email you can choose to ‘Apply a digital signature’. This means that when you click send, the email client will look at the contents of your email, open your private key from your digital certificate and generate a signature. It then attaches this signature and the public part of your certificate to the email. When the recipient opens your email, the email client should notice that there is a signature attached. Using this signature it can then verify that your email has not been altered. It will then go off and check with the certification authority that you purchased your certificate from that you are valid and trusted. After all this, your recipient should just see a red rosette on the email showing everything is good and trusted.
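The sign-and-verify round trip described above, along with the untrusted-certificate warning mentioned earlier, reproduced with the OpenSSL command line as an added example that is not part of the original article. The sender name, address, message text and file names are constructed, and a self-issued certificate stands in for one bought from a certification authority.

```shell
#!/bin/sh
# Constructed demo: every name, address and file below is made up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_identity() {   # private key + self-issued certificate for the sender
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Sender Example/emailAddress=sender@example.com" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

sign_message() {    # $1 = body text; writes a clear-signed S/MIME message
    printf '%s\n' "$1" > "$WORK/body.txt"
    # The private key makes the signature; the certificate (public part)
    # is attached so the recipient can check it.
    openssl smime -sign -text -in "$WORK/body.txt" \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$WORK/signed.eml"
}

verify_message() {  # $1 = message file; remaining args = trust options
    msg=$1; shift
    if openssl smime -verify -in "$msg" "$@" -out /dev/null 2>/dev/null
    then echo valid
    else echo rejected
    fi
}

make_identity
sign_message "Please pay invoice 1001 by Friday."

# 1. Recipient who trusts the issuer of the sender's certificate.
echo "trusted issuer:  $(verify_message "$WORK/signed.eml" -CAfile "$WORK/cert.pem")"

# 2. Recipient with no reason to trust a self-issued certificate.
echo "unknown issuer:  $(verify_message "$WORK/signed.eml")"

# 3. Same trusted issuer, but the body was changed after signing.
sed 's/invoice 1001/invoice 9009/' "$WORK/signed.eml" > "$WORK/tampered.eml"
echo "altered message: $(verify_message "$WORK/tampered.eml" -CAfile "$WORK/cert.pem")"
```

Only the first case verifies: the second fails the trust check even though the message is intact, and the third fails because the signature no longer matches the contents.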

The real benefits come in when both parties have digital certificates. Once I have sent someone my public key (which is done every time I send a signed email), if they too have a certificate their email client can use the combination of their certificate and mine to encrypt the email to me so only I can read it. When I receive that email (which will appear as garbage to anyone else), I then use my secret private key to decrypt and display the message. Again, this all happens transparently in the background in my email client, so all I see is the email (exactly as they sent it, guaranteed to be unaltered) and a small blue rosette to show it was encrypted.

There are other methods of sending secure email, typically involving third-party products, but I really like this way as it is the ‘purist’ way of doing it. It is the most widely accepted and secure method, mainly because nearly all email clients support it out of the box (and it’s not just a Microsoft thing either) and it is a common internet standard (known as ‘S/MIME’).

So why do I sign my emails?

Well, basically, I sign all my emails in an attempt to spread the word, to get people to read this article and hopefully go and get themselves a digital certificate for email. In an ideal world everyone that I do business with would have a digital certificate. That way I can send sensitive information as easily as sending an email (simply because I AM just sending an email), and I can be confident that only they can read the email.

If you are interested in sending secure and trustworthy email, then please drop me a line via the contact page on my website. I can point you in the right direction and help you get set up.

Ben Nichols

BN Information Security Limited
w: http://www.bn-is.com