Digital Signatures in E-mail



What they're for, and how they work


You've seen them, but probably don't use them: They’re digital signatures.


The term digital signature does not refer to a computerized graphical representation of your handwritten name. Instead, it's a technological method of enforcing what's called information integrity. That is, a digital signature proves that:


1. The digitally signed item really did come from the purported sender, and

2. It has not been altered in transit.


Digital signatures can be applied to any kind of computer file, but are most commonly used:


1. With e-mail, where a sender can digitally sign a message he sends you;

2. By software publishers, who digitally sign program files offered for download; and

3. By secure websites (which you access using the https:// prefix).


This article covers use of digital signatures with e-mail. Below, you will find out why you might consider implementing the ability to digitally sign e-mails you send, or requiring senders you do business with to sign their e-mails.


When you receive a digitally signed e-mail, you can click on web links in the message and open the attachments, and trust they will be safe—so long as you trust the person who sent you the message. It is virtually impossible for some kind of virus to modify a digitally signed message in transit and add links to malicious websites, or for the message to have come from someone other than who it appears to have come from.


Digital signatures can also prevent corporate intrigue, such as a devious businessman intercepting a competitor's messages to alter the terms of contracts, change data in reports, or otherwise surreptitiously corrupt the message or attachments.


Such attacks on e-mail integrity sound outlandish, and they actually are difficult to carry out and quite rare. But, some large organizations have their mail servers programmed to strip certain types of attachments or web links from e-mails that are not digitally signed, just to be safe. So the ability to sign your e-mails can sometimes come in handy.


Another potentially valuable use of digital signatures involves requiring your business partners to sign messages they send to you. For example, let's say you're a wholesaler and want to accept orders from your retail business customers via e-mail for convenience, or you're a financial services provider and your clients e-mail their transaction requests to you. If you require your customers or clients to digitally sign their messages, they cannot claim that someone sent an unauthorized order if they later change their mind. When used in this fashion, you are said to be enforcing non-repudiation.



What they look like


When you receive a digitally signed e-mail, it will usually be displayed in your inbox with an icon that looks something like this Digitally signed email icon, as opposed to the normal icon that looks like this Regular email icon. When you open the message, you might see this stamp on it Digitally signed email icon, or other messages about who signed the e-mail and whether there are any problems with the digital signature.


If you get a digitally signed e-mail and you don't see any such icon or other indication that the message is signed, this means your computer is not configured to understand digital signatures. In such a case, you will probably notice a strange attachment that you can't open; this is the signature data itself.



More technical detail


Digital signatures work using highly complex mathematical computations, combined with digital certificates and the PKI system.


A digital certificate is a computer file used for identification. Anyone who wants to send signed e-mail has to get his own digital certificate, and then, once installed properly in his computer, he can just click a button to apply a digital signature to any outgoing message. When you use a digital certificate for e-mail, it is often referred to as your Digital ID.


The PKI system is a standard method by which your computer confirms the validity and authenticity of digital certificates. Your computer does this by innately trusting certain digital certificate issuers, such as Comodo, Entrust, GlobalSign, GeoTrust, and VeriSign (now Symantec). All modern personal computers already have the software necessary to recognize and verify any digital certificate that was issued by all the major trustworthy providers of digital certificates.


By combining data from a verified digital certificate with the e-mail message in question, your computer can perform computations to see whether anything has been changed in the message (including the name of the sender). Because of the complexity of these computations, and the fact your computer only trusts reputable certificate providers, it is virtually impossible for someone to forge a digital certificate or digital signature, or to alter a signed e-mail message.


Keep in mind that digital signatures are not to be confused with encryption. Encryption is a way to scramble messages in transit to ensure confidentiality, but it does not ensure integrity the way a digital signature does because it doesn't involve the sender's digital certificate. An e-mail message can be both encrypted and digitally signed, by the way.



Difficulties and caveats


Despite being around for many years, e-mail programs still do not handle signed e-mails in a user-friendly and intuitive manner. This can reduce their effectiveness. For example, part of the value of a digital certificate is the confirmation that the individual it represents is really the one who sent the message. It is possible for a crook to get an e-mail address that is similar to someone you know, and get a certificate issued in that person's name for the fake e-mail address. If this impostor sends you a signed e-mail, the digital certificate itself will give you clues that it may not be from the impersonated individual. However, no e-mail program automatically displays this information; you would have to decide to click your way into where that information is, and, when you do, you might have difficulty interpreting what you find if you're not familiar with examining digital certificates.



How you can use digital signatures


If you work for a large organization, such as the Department of Defense, you may already have digital certificates assigned to you and installed on your system or present on a smart card you use to log in to your computer, making it easy to sign your messages.


If not, you can read more about how to get a Digital ID for signing e-mail. If you want to require your vendors or customers to send digitally signed e-mails for certain business transactions, you should direct them to this article and the above link as well.


For more information and help setting up your system to allow for digital signatures, encryption, and all the other modern technologies and methods available to ensure confidentiality and integrity, please contact J.D. Fox Micro.



Legal Note


In this article, we described the probative capabilities of digital signatures, such as "non-repudiation". Digital certificates only perform the technical aspect of these functions, though, and do not necessarily have intrinsic forensic value. If you plan to implement digital certificates into your business processes for these purposes, please ensure that you also put relevant policies, procedures, user training, and contracts in place that are necessary to provide the level of legal protection you seek.



Click here to read more about how to get a Digital ID.


Click here to jump to the links to issuers of digital certificates for e-mail.




Browse More Articles

Resource Center Home