Sending an e-mail with a fake address? Nowadays, this is no problem for internet fraud­sters. It’s made easy because many companies don’t take every measure possible to add ad­di­tion­al security to their e-mails when sending con­fir­ma­tion of orders or other important and sensitive documents to their customers. This opens the door to criminals. Phishing, a technique that has become in­creas­ing­ly wide­spread in the past few years, is a par­tic­u­lar­ly dangerous form of fraud­u­lent e-mailing. Here, fraud­sters send e-mails in the name of companies or other seemingly trust­wor­thy senders, with the hope of obtaining access to personal or payment in­for­ma­tion of their un­sus­pect­ing re­cip­i­ents.

The best security solution for this is to use digital sig­na­tures. Elec­tron­i­cal­ly signed e-mails like this can ensure the recipient that the content has arrived without being ma­nip­u­lat­ed and that the sender is indeed exactly who is expected.

What’s the purpose of a digital signature?

An elec­tron­ic signature guar­an­tees the integrity of both the data and the sender of an e-mail. They’re usually used to au­then­ti­cate the origin of digital in­for­ma­tion – not just e-mails, but documents and macros too. In this way, a digital signature fulfils a similar role to that of its namesake for paper documents: it ensures the au­then­tic­i­ty of the person or company listed as the sender of elec­tron­ic in­for­ma­tion.

By using a digital signature, you can protect the integrity of any data you transfer online. The recipient can be certain that nobody has accessed or tampered with the content because the elec­tron­ic signature acts as a seal. This means that in cases of dispute, this signature can be used to prove exactly where an e-mail came from. Both the person (or company) who signed and the content of the e-mail are on display for the recipient to see.

Digital signature vs. e-mail signature

A digital signature shouldn’t be confused with the classic, stylish signature that you can create and include in any e-mail program. Despite the similar name, the latter refers to a text-based signature at the bottom of an e-mail that appears in a similar form to a hand-drawn signature and usually precedes contact in­for­ma­tion of the sender, like a name, an address, a telephone number, and a job title. Instead, a digital signature is a general elec­tron­ic signature, typically com­pris­ing three al­go­rithms:

  • A key gen­er­a­tion algorithm (re­spon­si­ble for selecting a random private key and cor­re­spond­ing public key)
  • A signing algorithm (produces the signature when presented with the message and the private key)
  • A signature verifying algorithm (re­spon­si­ble for accepting or rejecting au­then­tic­i­ty claims)

Creating a digital signature

If you’re looking to digitally sign your e-mails, there are two standard practices available: S/MIME and OpenPGP. Both work on the same basic principle, but they use different data formats; the majority of software solutions only support one of these two formats. The basic principle when it comes to creating a digital signature is the concept of asym­met­ric en­cryp­tion. This means that the sender receives two keys from the key gen­er­a­tion algorithm: a private key and a public key. The mail program of the sender au­to­mat­i­cal­ly creates a checksum of the mail content, encrypts the checksum with the private key, and then attaches it to the e-mail. The public key is either sent with an at­tach­ment or obtained by the recipient via a public directory. The mail program of the receiver then decrypts the checksum, re­cal­cu­lates it and then checks the results. If the results match, you can be sure that the message has been signed with the private key that matches the cor­re­spond­ing public key. The au­then­ti­ca­tion is suc­cess­ful and the e-mail is proven to have come from a trust­wor­thy source and to have arrived without ma­nip­u­la­tion.

One re­quire­ment for the use of digital sig­na­tures is that your e-mail client is con­fig­ured correctly in advance. If that’s the case, the process described above will take place au­to­mat­i­cal­ly in the back­ground, without you noticing. For in­for­ma­tion on how to set up your e-mail client for this, check out the support page for the software you’re using, for example Microsoft Outlook or Mozilla Thun­der­bird.   How is the public key organized so as to be unique to each sender? Needless to say, this procedure would only make sense if the recipient can identify the sender beyond any rea­son­able doubt. So the official cer­ti­fi­ca­tion authority (CA) only provides the key after first iden­ti­fy­ing the sender; only once the cer­ti­fi­ca­tion authority has issued a cer­tifi­cate can the key be of­fi­cial­ly validated. Since the recipient’s system has to recognize the key in order to ensure the au­then­tic­i­ty of the cer­tifi­cate, this in­for­ma­tion also has to be down­loaded and installed by the cer­ti­fi­ca­tion authority. The e-mail program then later picks up the au­then­ti­ca­tion au­to­mat­i­cal­ly.

Trust levels of cer­tifi­cates

The pair of keys that is used to sign an e-mail digitally has to be verified by the cer­ti­fi­ca­tion authority. This authority checks and confirms the identity of the applicant making the request. There are different levels of quality assurance cer­tifi­cates. Depending on how the identity check performs, a cer­tifi­cate may be awarded in either Class 1, Class 2, or Class 3.

  • Cer­tifi­cate level Class 1: a top-level, Class 1 cer­tifi­cate means that the applicant simply receives an e-mail from the cer­tifi­cate authority that must be ac­knowl­edged.
  • Cer­tifi­cate level Class 2: for Class 2 cer­tifi­cates, the applicant must submit a copy of a valid photo ID to the cer­ti­fi­ca­tion authority to prove his/her identity.
  • Cer­tifi­cate level Class 3: this Class 3 cer­ti­fi­ca­tion is the strictest form of iden­ti­fi­ca­tion for digital sig­na­tures. It requires the applicant to be verified in person. Often this involves the applicant heading to their local post office or des­ig­nat­ed gov­ern­ment building with an identity card to have their identity of­fi­cial­ly confirmed.

Special cer­tifi­cates: gateway cer­tifi­cates or team cer­tifi­cates

The cer­tifi­cates mentioned above are usually issued for e-mail addresses for a specific sender. The­o­ret­i­cal­ly, you’d need a separate cer­tifi­cate for every person in a company.

A special exception to these cer­tifi­cates above is the gateway cer­tifi­cate, otherwise known as a domain cer­tifi­cate. This cer­tifi­cate is valid for all e-mail addresses reg­is­tered under a par­tic­u­lar e-mail domain (e.g. @company.com). The problem with this is that although the use of this gateway cer­tifi­cate is stan­dard­ized in­ter­na­tion­al­ly, some e-mail clients can’t process them properly. When it comes to Outlook Express, for example, neither sending nor receiving e-mails with gateway cer­tifi­cates is possible. Microsoft Outlook will un­for­tu­nate­ly register the cer­tifi­cate as invalid upon reception and return an error message. 

A team cer­tifi­cate can be awarded to an e-mail address that’s managed by a number of people rather than just one in­di­vid­ual, like info@company.com, or ap­pli­ca­tion@company.com, for example. Here there aren’t any problems during sending or receiving, because the same technical con­di­tions are in place. The dif­fer­ence only occurs in the handling of the cer­ti­fi­ca­tion authority.

Re­quire­ments of a digital signature

In order to gain the access mentioned above, a signature must meet certain con­di­tions. Most programs, including Outlook, check these con­di­tions au­to­mat­i­cal­ly when an e-mail with a digital signature is being sent or received, and notify the user in cases when some re­quire­ments aren’t fulfilled and so the integrity of the signature can’t be guar­an­teed. Since a digital signature is always as­so­ci­at­ed with a cer­tifi­cate, it’s sensible to ensure that the cer­tifi­cate is current and valid. The cer­tifi­cate must also be issued by a trusted cer­ti­fy­ing body (cer­tifi­cate authority). While some e-mail programs offer their own solutions, there are a number of reliable, expert CAs that can help. Some of the best known examples include.

Digital signature vs. e-mail en­cryp­tion

Digital sig­na­tures are often used in com­bi­na­tion with e-mail en­cryp­tion, but the two do work in­de­pen­dent­ly of one another. Signing an email digitally means - quite literally - putting a digital mark onto an e-mail to guarantee the au­then­tic­i­ty of the sender. This protects the e-mail from ma­nip­u­la­tion, but it can still be read by third parties on its way from sender to recipient, just like an elec­tron­ic version of a postcard. Digital sig­na­tures also protect content too: your e-mail can’t be edited, but it can still be in­ter­cept­ed and read. So picture your elec­tron­ic postcard in a clear, plastic envelope. E-mail en­cryp­tion goes a step further. Sticking with the postcard example, we can imagine en­cryp­tion to be sealing our elec­tron­ic postcard inside an opaque envelope. The e-mail content is protected on its journey, and only the person who has the required key can decrypt the message at the other end and open the envelope to read the postcard. This makes e-mail com­mu­ni­ca­tion trust­wor­thy and con­sid­er­ably more secure. Further in­for­ma­tion on en­cryp­tion and how to use it with PGP can be found in our digital guide to e-mail en­cryp­tion.

Go to Main Menu