Tutorials | Email Security Using Digital Signatures
This is a very basic introduction to encryption and digital signatures. It explains how they work and gives some examples of how they are used. To better understand digital signature you must first grasp a basic understanding of how encryption works. Encryption mixes or modifies a message or document so it cannot be read and understood, except by the intended recipient. A key is necessary to reverse the modification or mixing of data, to make the message readable. Encryption is used for secrecy in communication by keeping the data unreadable until it is delivered. Digital signatures are used to verify that a message or document was authored by a certain person, and that it was not altered and/or modified by anyone else. This process of verifying the integrity of a document is called authentication. Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Authentication is the process of verifying that information is coming from a trusted source. These two processes work hand in hand for digital signatures.
These two processes can be used separately or together to add even more security. A message can be encrypted, but not digitally signed and only people with a key can read the message. The problem here is that the reader cannot be certain as to who wrote the actual message. On the other hand the message may be digitally signed, but not encrypted. The problem here is that everyone can read it and find out who wrote or sent it. Again, the message may be encrypted to begin with then digitally signed. This will allow others to see who wrote it, but only the person with the key can read it. The best way though, is to first digitally sign the message, then encrypt it. This will allow only the person holding the key to see who the message is from and be able to read it too.
Technologies such as this are used everywhere and they are used to secure network traffic between different computers. They are used to keep email safe and private. They are also used in controlling access to files and allow people to use electronic commerce over the Internet. Here we will discuss mainly the email usage of digital signatures.
One of the most common digital signature mechanisms, the Digital Signature Algorithm (DSA) is the basis of the Digital Signature Standard (DSS). As with other digital signature algorithms, DSA lets one person with a secret key "sign" a document, so that others with a matching public key can verify it must have been signed only by the holder of the secret key. Digital signatures depend on hash functions, which are one-way computations done on a message. They are called "one-way" because there is no known way (without infeasible amounts of computation) to find a message with a given hash value. In other words, a hash value can be determined for a given message, but it is not known to be possible to construct any message with a given hash value. Hash functions are similar to the scrambling operations used in symmetric key encryption, except that there is no decryption key: the operation is rreversible. The result has a fixed length, which is 160 bits in the case of the Secure Hash Algorithm (SHA) used by DSA. In practice, digital signatures are used to sign the hash values of messages, not the messages themselves. Thus it is possible to sign a message's hash value, without even knowing the content of the message. This makes it possible to have digital notaries, who can verify a document existed and was signed, without the notary knowing anything about what was in the document.
Digital signatures can assure that a document was signed by a person with a certain public key, but it may be important to know who that person is. Anyone can create a public key with software, and say their name is this, and their address is that. But how can you be sure that if they're telling you the truth or just pretending that they are someone they?re not?
Here are two ways to answer this very important question and both involve certificates, which are digitally signed statements that prove the identity of the key holder. The main difference is in who issues the certificates. One approach which is used by PGP (Pretty Good Privacy) a hybrid cryptosystem, allows anyone to vouch or testify to anyone else's identity. Ultimately, the user must decide in whom to believe when a statement is made that a key belongs to a certain person. If someone you trust introduces someone else by vouching for the authenticity of his key, then you are more likely to believe it than if you were introduced by a stranger. In the PGP approach, one person can sign another person's key, as a statement that the key belongs to the owner. This overall structure is called the web of trust.
The other approach, more favored by the government uses formal certificate authorities or CAs. CA?s work with the Public Key Infrastructures (PKI) which houses the certificate storage facilities of a certificate server and provides the certificate management facilities. The root CA issues certificates of authenticity, after asking the applicant to present credentials such as driver's licenses, passports, social security number or other such items. Usually, the CAs are organized in hierarchies; for example, a national government might operate a root CA, which accredits secondary CAs, which accredit individual users.
What I wish to accomplish here is to instill the importance of email security to you. How would you like it if a letter you mailed through the post office and was read by someone you didn?t even know? Worst yet, what if that letter had been altered? The same goes for your electronic counterparts. They can be read, altered from the original and sent on to its intended destination or even multiple destinations. This can be changed with the use of digital signatures. Earlier, I shared with you the very basics of what a digital signature is and what it can do for you. Now I?m going to explain in even simpler terms and tell you how to obtain your very own personal certificate for free.
Once you apply for a key through one of the many certificate authorities this is how it works: After receiving your certificate you will be given two keys. One will be public for all to see and the other will be private and kept to yourself. These keys will be used to encrypt (scramble) and decrypt (unscramble) your messages. Now if someone uses your public key to encrypt a message to you, you can decrypt with your private key. Now, using your private key you can, with the help of your email software, digitally sign your own messages. This is when the software hashes the message with an algorithm and crunches the message data into what will be called the message digest. Next, your software will encrypt the message digest with your private key. Now you have your digitally signed message ready to be sent to whomever you wish. When the person you sent the message has to use your public key to decrypt your signature back into the message digest. If the message is readable then this proves that you signed it an all is well with the world.
Now, here is how you can get a free certificate of your own. Go to Thawte and read the available information on there certificates. Thawte is actually a subsidiary of the well known VeriSign company. To obtain your certificate you have to go through a simple, although a little long, registration process. There are no catches, it actually is free and you can obtain multiple certificates. Once you?re at the site it?s pretty clear as to where to you need to go. Here is what you will see:
"A thawte Personal E-mail certificate allows you to secure your e-mail communications by digitally signing and encrypting your e-mails? absolutely FREE! Click here to get your personal certificate now!"
So, click where it tells you and let?s start. The first step is of course to read over the Terms and Conditions for the Thawte Personal Certificates. By clicking to go to the next page you are accepting these terms. Step two, you?ll be asked to select a language and enter your name, day, date and year of birth. Be honest. On the third step or page you will be asked for identification number relative to yourself, like driver license number, passport number, social security and so on. Keep answering the questions and around the seventh page or step you will see a summary of what you have entered. Make sure it is correct and click next. Now you will be sent a mail ping or message to your email account with what are called probe and ping values. This is to verify your location and identity. Once you have made it through to step fourteen you will be through the registration process and will be able to request a certificate. I personally chose the x.509 format that supports Microsoft Internet Explorer, Outlook and Outlook Express. After requesting a certificate you can go to the view certificate status and see all the certificates you have requested and received. By clicking on the certificate summary you can now fetch your certificate. Now install. You?re ready to use your very own digital certificate. It may take a little practice to learn how to use it but it will be worth the effort. Remember, it?s free!
Network Associates Inc. ?Introduction to Cryptography?
http://www.pgpi.org/doc/pgpintro/#p1#p1 Internet. 1990-1999
Thawte. ?Personal Email Certificates?
Youd, David. ?An Introduction to Digital Signatures?
http://www.youdzone.com/signature.html Internet. 1996
Anonymous. (2004). Who Do You Trust?
Electronic Design 52 (27), 58
Etheridge, Y. (2001). PKI-How and Why It Works.
Health Management Technology 22 (11), 20
Udell, J. (2004). Making E-mail Identity Work.
Infoworld, 26 (11), 31
Please Note: if you have any questions about this tutorial please ask on our support forums
If you have written a tutorial of your own and would like to have it here on Cyber Tech Help all you have to do is Submit your tutorial and it will be reviewed by the Administrator.