Digital Signatures in Email
Many of our customers require that electronic digital signatures be added to outbound email messages. Here we discuss what these are, what they do for you, and how to add them using LuxSci SecureLine email encryption.
What are Digital Signatures?
In short, adding a digital signature to an email message allows:
- The recipient to know for certain who sent the message (as the “From” and other standard sender information associated with an email message is easily forged).
- The recipient to know for certain when the message was sent.
- The recipient to know for certain that the message was not tampered with after being sent.
While digital signatures themselves do not provide any kind of encryption, they do provide important components of email security, resolving issues with message modification, false messages, message replay, and repudiation (the “I didn’t send that” excuse).
Typically digital signatures are added to a message using public key cryptography. The sender has a “private key” that only s/he has access to. S/he attaches some content to the message, including a digital fingerprint, and encrypts it using that “private key”. That content can only be opened using the sender’s “public key”, but anyone can have that. If you can open the message with the sender’s public key, then you know that the private key was used to encrypt it and thus who sent it. Once open, you can compare the digital fingerprint with a new one computed from the message contents to see if they have been altered, and you can look at other data saved therein, like a sent time stamp.
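The sign-then-verify flow described above, as an added example rather than LuxSci's code. It assumes Ed25519 from Go's standard library in place of PGP or S/MIME, and the `SignedMail` struct, function names and sample message are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMail is a hypothetical container, not the PGP or S/MIME wire format.
type SignedMail struct {
	From, SentAt, Body string
	Sig                []byte
}

// NewKeys returns a fresh key pair; the private half stays with the sender.
func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// fingerprint hashes every field the signature protects. %q quotes each
// field, so bytes cannot move between fields without changing the hash.
func fingerprint(m SignedMail) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%q %q %q", m.From, m.SentAt, m.Body)))
	return sum[:]
}

// Sign attaches a signature over the fingerprint, made with the private key.
func Sign(priv ed25519.PrivateKey, m SignedMail) SignedMail {
	m.Sig = ed25519.Sign(priv, fingerprint(m))
	return m
}

// Verify recomputes the fingerprint and checks it with the public key only.
func Verify(pub ed25519.PublicKey, m SignedMail) bool {
	return ed25519.Verify(pub, fingerprint(m), m.Sig)
}

func main() {
	pub, priv := NewKeys()
	m := Sign(priv, SignedMail{From: "alice@example.com", SentAt: "2024-01-01T09:00:00Z", Body: "Wire $100"}) // constructed sample
	fmt.Println("intact:", Verify(pub, m))
	m.Body = "Wire $9000" // altered after signing
	fmt.Println("altered:", Verify(pub, m))
}
```

Because the sender address and sent time are part of the fingerprint, changing either one invalidates the signature just as a body change does.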
Use of digital signatures essentially requires either:
- The sender and recipient to both use the same kind of public key cryptography (i.e. PGP or S/MIME), or
- The message to be sent and received through a third party web site or application that takes care of the encryption and signature verification for the sender and recipient. This way is much “easier” but perhaps less secure… as it involves trusting the third party.
Digital Signatures at LuxSci
There are essentially three ways to use Digital Signatures with LuxSci email.
SecureLine Escrow
This is by far the simplest method. When a customer sends secure messages using SecureLine Escrow:
- The message is encrypted and also digitally signed using PGP (a LuxSci system PGP certificate is used … the sender doesn’t need to generate his/her own certificate).
- When the recipient picks up the message in the web-based Escrow portal, the digital signature is verified and displayed so the recipient can be sure that (a) the message was not modified, (b) exactly when it was sent, and (c) exactly who sent it.
In this case, while the sender of the message is not using his/her own certificate to establish identity, the LuxSci system has already established the user’s identity through the login process and thus “vouches” for the sender’s identity. It is not possible to send forged emails in this way unless the sender’s account or password is stolen.
This is not quite as secure as using your own PGP or S/MIME certificate for identity verification, but it eliminates the need to:
- Generate your own certificate
- Protect your certificate
- Send only to recipients who can verify digital signatures using the same technology.
SecureLine PGP and S/MIME
SecureLine-licensed users can:
- Have LuxSci auto-generate PGP and/or S/MIME certificates for them
- Import existing PGP and S/MIME certificates, if some are already in use
- Add the PGP and/or S/MIME public keys of recipients to address book entries
So, when sending secure email messages via LuxSci WebMail or SMTP:
- LuxSci will automatically use PGP or S/MIME if the sender has a certificate and a certificate for the recipient can be found (in the sender’s address book or shared address book or in the recipient’s LuxSci account … if the recipient is a LuxSci SecureLine user as well).
- In addition to encrypting the message using PGP or S/MIME, LuxSci will also digitally sign the message.
When the recipient opens the message in his/her email system, s/he can decrypt it and verify the digital signature. This mechanism does require that the recipient is using some technology that supports PGP or S/MIME. It does not require the LuxSci sender to have any special software involved or to use any special email program.
LuxSci SecureLine does not currently support sending messages that are “signed only” … messages can be either encrypted only or encrypted and signed (depending on what certificates are available for the sender and recipient).
Email Program-Based PGP and S/MIME
Any email user of LuxSci or any other email service can configure his/her email program to use PGP or S/MIME for sending messages.
- S/MIME is recommended as it comes built into most modern email programs. Use of PGP usually requires some kind of add-on or plug-in, which may cost additional money.
- You will need to get and install a certificate into your program.
- You will need to set up your email program with the public keys of your recipients if you want to send encrypted email to them. If all you are going to do is send digitally signed messages, then this is not necessary.
Then, when you send a message, you can choose to encrypt and/or sign messages at will. Once again, this mechanism does require that the recipient is using some technology that supports the same PGP or S/MIME method that you have chosen to use.