Tip

Securing your customer's email with digital signatures

VARs and consultants charged with securing their customers' email systems should understand what digital signatures can and can't do. While digital signatures bind a sender to a message, they should never be applied beyond their scope, lest the customer think a greater security has been imparted to the signed email than the technique is capable of providing.

A digital signature is data appended to a message. The data identifies and authenticates the sender and message using public key

    Requires Free Membership to View

encryption. The sender uses a one-way hash function to generate a hash code from the message data. The sender then encrypts the hash-code with a private key. The receiver recomputes the hash-code from the data and decrypts the received hash with the sender's public key. If the two hash-codes are equal, the receiver is given an indication that the data has not been corrupted while in transit, and that it appears to have come from the designated sender.

Dual signatures can link two messages within a message unit. The segments may be addressed to different people such that the message parts may only be read by the intended recipient, yet provide a quick way to check the structural integrity of the overall message.

If one part of the message needs to be more secure than the other, another layer of encryption can be applied on top of the "message plus signature" data. A digital envelope is a way to encrypt data and to send the key for that encryption along with the data. Most enveloping schemes use a symmetric method to encrypt the data and an asymmetric one to encrypt the key.

Digital signatures may best be used as a negative indicator. If a user expects a digital signature with a message and finds none (or one that computes to an unexpected value) the user is forced to authenticate the message by some other means or reject it entirely. The biggest conceptual problem with digital signatures is that a positive result (that is, everything seems OK) does not necessarily validate message accuracy.

Commercial products use digital signature techniques to control email. Internal mail can be identified by signatures signed by a company's private key so they may not egress beyond the internal network. External mail may likewise be identified and sorted. In short, a signature is a tool that makes quick classification easier. Email benefits from this because of the volume and speed in which decisions must be made as to disposition. Signatures are no substitute for authentication processes, however.

Customers that want to identify the sender of incoming mail can use digital signature technology. It may be embedded in an application used to filter email for the entire organization or appear in the end user's machine. Different areas within organizations may use digital signatures in different ways. For example, the help desk may wish to assume that a sender is valid so as to speed response and have little need to validate a signature on their own. But, an executive may have to be more careful in how they reply to messages in order to minimize any economic espionage by competitors and thus need the assurance of a sender's signature. The balance of how this technology is implemented depends on the specifics of the situation.

About the author
Larry Loeb has been online since the world revolved around {!decvax}. He's been in many of last century's dead tree magazines about computers, having been a Consulting Editor to the late, lamented BYTE magazine, among other things. You can reach him at larryloeb@larryloeb.com.


 

This was first published in November 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.