Not to be confused with a standard email signature, “digital signatures” (also known as “electronic signatures”) play an important role in identity verification, message integrity and non-repudiation.
In our previous blog on "Top 4 requirements for email security", we outlined the importance of:
- Message Integrity – the message sent and received are exactly the same.
- Message Confidentiality – the message is not exposed or readable to any third party.
- Message Authenticity – the recipient is very confident about the identity of the sender.
- Non-Repudiation – the sender cannot deny that they have sent a message.
Three of these requirements (integrity, authenticity and non-repudiation) can be met with proper implementation and use of digital signatures.
Read on to learn more about how digital signatures work and the importance of the wider adoption of digital certificates for email security globally.
What are digital signatures and how do they work?
Digital signatures are a feature of public key cryptography (PKI) and PGP encryption. We spoke a little about PKI and PGP in a previous blog called “4 Ways to Encrypt Emails” where I discuss specific modes of PKI such as TLS, PDF, and S/MIME encryption as well as the benefits and challenges with each approach. Through the use of digital certificates, PKI and PGP allows for electronic signing and for encryption – not always used together.
These digital certificates are issued to email addresses, domains, or organisations and can be installed on servers, IoT devices, clients and more. Their purpose is to be a sort of “digital passport” that encrypt data and verifies who is sending data.
(Image source: Wikipedia)
Using a Digital Certificate, a user can apply end-to-end privacy to their email messages. There are three algorithms that are used in digital signatures:
- Key generation algorithm –which generates a private key alongside a corresponding public key and ensures these keys are completely randomly generated. This algorithm is used in the digital certificate and is the basis for PKI.
- Signing algorithm – to sign an email, a hash function creates a hash from the original data and that data is encrypted using the signer’s private key to create a digital signature.
- Verification algorithm – when opening the data in your email or PDF reader software, the software uses the signer’s public key (included in the data) to read the document. It then programs a new hash and checks that this hash is the same as the one provided. If it is, the software can be sure that the data has not been changed, if it is not, the software will give the reader a warning. This provides confidence that the message has not been altered, known as “message integrity”.
Why Use Digital Signatures?
Encryption is great but it’s not useful to encrypt data if the receiver doesn’t know who has sent that data. Encryption must be used with digital identity verification to help recipients feel confident that the messages they receive are safe and sent from a verified identity.
Digital signature provides the additional assurance that the “identity” of the sender is who they say it is. The reason for putting identity in quotation marks is that the level of identity assurance is dependent on the type of certificate a user has.
When applying for a digital certificate for email security, there are various options for validation. For example, you can apply for simple validation of email address, individual validation with additional proof of identity of email user (such as a driving license) and finally, organisational validation with proof of business as well as proof of individual’s identity within the business itself.
These different options for validation allow organisations to match the strength of the certificate validation with the data security risk individual to the organisation itself.
In the case of digitally signing emails, digital certificates (known as S/MIME Certificates) are issued to a user email address and installed on user devices. So the only identity verification happening is the verification that the email address of the sender is in fact, the email address they claim to be sending from.
Hackers can spoof email addresses very easily so digital certificates give recipients a high degree of confidence that the email address is not being spoofed and that the sender is the real owner of the email address.
The sender’s identity is verified with such a high degree of assurance that the sender cannot deny sending that email in a court of law. In addition, the digital signature ensures that in the process of data being sent, there hasn’t been any altering of the data in the message because this altering would have led to a different hash calculated by the software receiving the data.
How Do I Use Digital Signatures For Email?
Organisations wishing to use digital signatures in their organisation or institution will find there are various methods of implementation. The top options are:
- Purchase certificates from a Certificate Authority – this option involves purchasing an S/MIME certificate for all internal employees and managing those certificates internally. This can be costly and time-consuming. You can choose to have the CA manage your private keys or in large jobs, you can keep private keys on-premise with your own HSM. HSMs can, however, be very costly.
- Purchase business licenses for Microsoft or Google for Business – if your organisation already uses Office or GSuite, you can pay to upgrade your licenses and ensure that each user in your organisation is also provided with an S/MIME certificate. This option is less costly than managing your own HSM but prices can still soar when you’re paying for a large number of users.
- Purchase an email gateway solution – email gateway providers aim to provide a suite of email security solutions. This includes encryption and digital signing within the pricing of the user licenses. There are no additional fees and the tools are very easy to set up and manage. Email gateways are often the most affordable solutions but prices vary depending on the provider.
With an S/MIME certificate downloaded on your desktop computer or mobile phone, you can use any email software to sign and encrypt emails.
In Outlook for example, a sender can go to the “Options” tab in the Permissions group and click “Sign Message”. As Microsoft puts it so well:
A digital signature attached to an email message offers another layer of security by providing assurance to the recipient that you—not an imposter—signed the contents of the email message. Your digital signature, which includes your certificate and public key, originates from your digital ID. And that digital ID serves as your unique digital mark and signals the recipient that the content hasn't been altered in transit. For additional privacy, you also can encrypt email messages.
Digital Signatures with Pie Security
Pie Security offers products that help to automatically protect email against unauthorised access of email in transit and at rest.
The centrally managed encryption gateway supports all major email encryption standards like S/MIME, PGP, TLS and PDF encryption and is compatible with any email infrastructure. The built-in data leak prevention module can be configured to filter on credit card numbers, bank account numbers, excessive amounts of email addresses or other personal information.
Keen to learn more about us? Check out our solutions here.