Sending an e-mail from a forged address is no great feat for a skilled internet fraudster. That’s because many companies fail to put additional security measures in place when e-mailing invoices or sensitive documents to customers or clients, potentially opening the door to criminal activity. Phishing, a technique that has become increasingly widespread in the past few years, is a particularly dangerous form of fraudulent e-mailing. Fraudsters send e-mails in the name of companies or other seemingly trustworthy senders, hoping to obtain the personal or payment information of their unsuspecting recipients.

A reliable way to verify that a sender is trustworthy is the use of digital signatures. When an e-mail carries an electronic signature, the recipient can rest assured that its content has not been tampered with and that the sender is indeed who they claim to be.

What is a digital signature?

An electronic signature guarantees the integrity of both the data and the sender of an e-mail. It is used to digitally authenticate the origin of digital information – not just e-mails, but documents, too. In this way, a digital signature fulfils a role similar to a handwritten signature: it ensures the authenticity of the person or company listed as the sender of electronic information.

By using a digital signature, you can protect the integrity of any data you transfer online. The recipient can be certain that nobody has tampered with the content, because the electronic signature acts as a seal. This means that in cases of dispute, the signature can be used to prove exactly where an e-mail came from. Both the person (or company) who signed the e-mail and the content of the e-mail are on display for the recipient to see.

Digital signature vs. email signature

A digital signature should not be confused with the classic, stylized signature that you can create and include in any e-mail. Despite the similar name, the latter is a text block at the bottom of an e-mail that may mimic a handwritten signature and usually precedes the sender’s contact information, such as a name, an address, a telephone number, and a job title. A digital signature, by contrast, is a general electronic signature, typically composed of three algorithms:

  • A key generation algorithm (responsible for selecting a random private key and the corresponding public key)
  • A signing algorithm (produces the signature when presented with the message and the private key)
  • A signature verifying algorithm (responsible for accepting or rejecting authenticity claims)

Generally, a digital signature is a cryptographic signature that the recipient can verify and that ensures an e-mail has not been tampered with. Unlike encryption, message signing uses the sender’s private key to create the signature and the sender’s public key to verify it. Encryption, on the other hand, converts plain text into ciphertext, a non-readable format.


Function: how to create a digital signature

If you’re looking to digitally sign your e-mails, there are two standard practices available: S/MIME and OpenPGP. Both work on the same basic principle, but they use different data formats, and the majority of software solutions only support one of the two.

Fact

Competing systems, additional effort, and sometimes high costs are often cited as the main reasons for the low adoption of signed e-mails.

The basic principle behind creating a digital signature is asymmetric encryption. This means that the sender receives two keys from the key generation algorithm: a private key and a public key. The sender’s mail program automatically computes a checksum of the mail content using a hash function; this checksum is encrypted with the sender’s private key and attached to the e-mail. The public key is either sent along as an attachment or obtained by the recipient from a public directory. The receiver’s mail program then decrypts the checksum, recalculates it from the received content and compares the two results. If they match, you can be sure that the message was signed with the private key that belongs to the corresponding public key. Authentication is successful, and the e-mail is proven to have come from a trustworthy source and to have arrived without manipulation.
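As an added illustration (not code from the original article), the following Go program walks through the signing and verification steps just described, using the three algorithms listed earlier: key generation, signing (a SHA-256 checksum signed with the private key) and verification with the public key. The invoice text and the 2048-bit RSA key pair are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// SignMessage is the sender side described above: compute a SHA-256 checksum
// of the message body, then sign that digest with the sender's private key.
func SignMessage(priv *rsa.PrivateKey, body []byte) ([]byte, error) {
	digest := sha256.Sum256(body)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage is the recipient side: recompute the checksum over the body as
// it arrived and check it against the signature using the sender's public key.
// Any change to the body, or a signature made with another key, fails here.
func VerifyMessage(pub *rsa.PublicKey, body, sig []byte) bool {
	digest := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// Key pair from the key generation algorithm; the public half would be
	// attached to the mail or published in a directory.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample invoice text, not a real message.
	body := []byte("Invoice 4711: amount due 1,200.00 EUR")
	sig, err := SignMessage(priv, body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("untouched message verifies:", VerifyMessage(&priv.PublicKey, body, sig))
	// A single changed digit in the amount is enough to break the checksum.
	tampered := []byte("Invoice 4711: amount due 9,200.00 EUR")
	fmt.Println("altered message verifies:  ", VerifyMessage(&priv.PublicKey, tampered, sig))
}
```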

One requirement for the use of digital signatures is that your e-mail client is configured correctly in advance. If that’s the case, the process described above takes place automatically in the background, without you noticing. For information on how to set up your e-mail client for this, check the support page for the software you’re using, for example Microsoft Outlook or Mozilla Thunderbird.

How do you assign a public key to a sender?

Needless to say, this procedure only makes sense if the recipient can identify the sender beyond any reasonable doubt. For this reason, an official certification authority (CA) only provides the key after first identifying the sender; only once the certification authority has issued a certificate can the key be officially validated. Since the recipient’s system has to recognize the CA’s key in order to confirm the authenticity of the certificate, the CA’s own certificate also has to be downloaded from the certification authority and installed. The e-mail program then picks up the authentication automatically later on.

Trust levels of certificates

The pair of keys used to sign an e-mail digitally has to be verified by the certification authority. This authority checks and confirms the identity of the applicant making the request. Certificates come in different assurance levels: depending on how thorough the identity check is, a certificate is issued as Class 1, Class 2, or Class 3.

  • Certificate level Class 1: for a Class 1 certificate, the most basic level, the applicant simply receives an e-mail from the certificate authority that must be acknowledged.
  • Certificate level Class 2: for Class 2 certificates, the applicant must submit a copy of a valid photo ID to the certification authority to prove his/her identity.
  • Certificate level Class 3: Class 3 certification is the strictest form of identification for digital signatures. It requires the applicant to be verified in person. Often this involves the applicant visiting their local post office or a designated government building with an identity card to have their identity officially confirmed.

Specialist certificates: gateway or team certificate

The certificates mentioned above are usually issued for the e-mail address of a specific sender. In theory, you’d need a separate certificate for every person in a company. A special exception is the gateway certificate, also known as a domain certificate. This certificate is valid for all e-mail addresses registered under a particular e-mail domain (e.g. @example.com). The problem is that although the use of gateway certificates is standardized internationally, some e-mail clients can’t process them properly. Outlook Express, for example, can neither send nor receive e-mails with gateway certificates, and Microsoft Outlook will unfortunately register the certificate as invalid upon receipt and return an error message.

A team certificate can be issued for an e-mail address that is managed by several people rather than a single individual, such as info@example.com or application@example.com. Here there are no problems during sending or receiving, because the same technical conditions apply as for an individual certificate. The only difference lies in how the certification authority handles the application.

Requirements of a digital signature

In order to provide the guarantees described above, a signature must meet certain conditions. Most programs, including Outlook, check these conditions automatically when an e-mail with a digital signature is sent or received, and notify the user when a requirement isn’t fulfilled and the integrity of the signature therefore can’t be guaranteed.

Because a digital signature is always associated with a certificate, that certificate must be current and valid. It must also have been issued by a trusted certifying body (certificate authority). While some e-mail programs offer their own solutions, there are a number of reliable, expert CAs to choose from. In the US, individual states issue lists of approved cryptography certificate authorities. IdenTrust, for example, is a large provider of digital certificates for financial and healthcare businesses.
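As an added example that is not part of the original article, the following Go code shows the checks a mail client makes on the sender’s certificate before trusting a signature, as described in the two sections above: it issues a sender certificate from a constructed root CA and then verifies that the certificate chains to that trusted CA, is within its validity period and is permitted for e-mail protection. The CA name and the e-mail address are constructed; matching the certificate’s address against the From header is a further check the client makes that is not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn (vouching for the given e-mail addresses)
// signed by parent; with parent nil it becomes a self-signed root CA instead.
func makeCert(cn string, emails []string, notAfter time.Time,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(time.Now().UnixNano()),
		Subject:        pkix.Name{CommonName: cn},
		NotBefore:      time.Now().Add(-48 * time.Hour), // backdated so clock skew cannot bite
		NotAfter:       notAfter,
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		EmailAddresses: emails,
	}
	if parent == nil { // self-signed root: mark it as a CA that may sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifySenderCert performs the checks a mail client makes before trusting a
// signature: trusted issuer, validity period and permission for e-mail use.
func VerifySenderCert(leaf, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err // nil only if the chain is trusted, current and allowed for e-mail
}
```

Build a root with makeCert(…, nil, nil), issue the sender certificate from it, and pass both to VerifySenderCert; an expired certificate, or one issued by a CA that is not in the trust store, yields a non-nil error, which is the condition mail clients report to the user.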

The authorities are monitored in accordance with the US E-SIGN Act and the UETA to ensure that signatures are valid and take legal effect, i.e. that they are enforceable.

There are also several industry organizations which address certification issues and promote relevant standards, including the Certificate Authority Security Council, the Common Computing Security Standards Forum and the CA/Browser Forum.

Digital signature vs. email encryption

Digital signatures are often used in combination with e-mail encryption, but the two work independently of one another. Signing an e-mail digitally means, quite literally, putting a digital mark onto the e-mail to guarantee the authenticity of the sender and the integrity of the content: the e-mail can’t be altered without detection, but it can still be intercepted and read by third parties on its way from sender to recipient, just like an electronic version of a postcard. Picture your electronic postcard in a clear plastic envelope. E-mail encryption goes a step further. Sticking with the postcard example, encryption is like sealing the electronic postcard inside an opaque envelope. The e-mail content is protected on its journey, and only the person who has the required key can decrypt the message at the other end, open the envelope and read the postcard. This makes e-mail communication trustworthy and considerably more secure. Further information on encryption and how to use it with PGP can be found in our digital guide to e-mail encryption.
