Technology Bytes

Signed and Secure E-mail



     I was working on getting some website SSL/TLS certificates when I came across a website that gave me a digital ID to use as part of authenticating myself with my account on their website.  I was told I could also use it to sign e-mails and to receive encrypted e-mails.  So I did some investigation and decided to share what I've learned.

What is a signed e-mail?
     A digitally signed e-mail (using a digital ID) is an e-mail that carries one additional piece of information: the signature.  That information is used to prove or disprove that the message (or data) in the e-mail has been altered since it was signed.  The signature is generated by taking the message, computing a hash value of it, and then encrypting that hash value with the sender's private key.

     Below is an illustration of how signing works; "Data" is the e-mail message.
Signing illustration

     For the recipient to determine whether the e-mail has been altered and whether it really came from the sender, the signature is checked against the received message as shown in the following illustration.
Verification illustration
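
As an added example (not part of the original post), here is the hash-then-sign and verify sequence from the two illustrations in Ruby, using the standard openssl library.  RSA with SHA-256 and PKCS#1 v1.5 padding is an assumption, and the sample message is constructed.

```ruby
require 'openssl'

# Sign: hash the message with SHA-256, then sign (encrypt) that hash with the
# sender's private key. RSA with PKCS#1 v1.5 is the classic S/MIME choice and is
# an assumption here. The returned bytes are the extra piece of information that
# travels with the e-mail.
def sign_mail(private_key, message)
  private_key.sign(OpenSSL::Digest.new('SHA256'), message)
end

# Verify: recompute the hash of the received message and compare it with the hash
# recovered from the signature using the sender's public key. True only when the
# message is unchanged and was signed by the private key matching this public key.
def verify_mail(public_key, message, signature)
  public_key.verify(OpenSSL::Digest.new('SHA256'), signature, message)
rescue OpenSSL::PKey::PKeyError
  false # a malformed signature counts as a failed verification
end

# Constructed demonstration: the original verifies; a copy altered in transit does
# not; neither does the signature when checked with someone else's public key.
def tamper_demo
  sender = OpenSSL::PKey::RSA.new(2048)
  message = "Meeting moved to Friday, room 204.\n" # constructed sample e-mail body
  signature = sign_mail(sender, message)
  {
    original:  verify_mail(sender.public_key, message, signature),
    altered:   verify_mail(sender.public_key, message.sub('204', '402'), signature),
    wrong_key: verify_mail(OpenSSL::PKey::RSA.new(2048).public_key, message, signature)
  }
end

puts tamper_demo.inspect if __FILE__ == $PROGRAM_NAME
```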

What is an encrypted e-mail?
     An encrypted e-mail is a message that has been altered so that no one but the intended recipient can read it.  This is accomplished by combining two types of encryption: asymmetric and symmetric.  First the message is encrypted with a secret key (symmetric), and then that secret key is encrypted with the recipient's public key (asymmetric).  Only the recipient, who holds the private key that goes with that public key, can decrypt the secret key and then use the secret key to decrypt the message (or data).

     The following illustration shows how a message (clear text) is encrypted, sent through the internet, and then decrypted by the recipient.
Message encryption illustration

What are public and private keys?
     There are two types of cryptography: symmetric and asymmetric.

Symmetric Key Cryptography
     Symmetric key cryptography uses a single key to encrypt and decrypt information.  Anyone who has the key can do either operation.  Most people are used to symmetric keys; think of a car door lock: you use the same key to lock or unlock the door.  If you lose the key and someone finds it, they can lock or unlock the car door.

Asymmetric Key Cryptography
     Asymmetric key cryptography uses two keys.  What one encrypts (locks) the other can decrypt (unlock), and vice-versa.  However, if one key encrypts data, that same key CANNOT be used to decrypt it.  This is why it's called asymmetric.  One of the keys is called the public key because it is usually distributed freely to anyone, while the other is called the private key because the owner of the keys keeps it private from everyone else.

     Here is an illustration for asymmetric key cryptography:
Asymmetric encryption illustration

Why would I want my e-mails signed?
     The purpose of signing e-mails is to verify who sent the message and that its contents haven't been changed since the sender sent it.  It's not often that someone receives an e-mail that has been altered along the way to say something else, but a signed e-mail ensures that nothing has happened to it in transit.  This is similar to the wax seals used in the 10th century.

     NOTE:  You can send signed e-mails to anyone without requiring anything from them.  A signed e-mail also carries your public key (in your certificate), so it's a way to distribute your public key to others so they can encrypt messages to you.

Why would I want to encrypt my e-mails?
     E-mails pass through several routers and servers and are cached (copies are saved/stored) along the way.  Sending an e-mail unencrypted allows anyone along its path to grab a copy and store it for later reading or possible distribution.  Information you put in an unencrypted e-mail should be considered publicly readable.  However, if it contains information such as a password, financial information, or other sensitive data (credit card numbers), it would be wise to encrypt it to ensure that only the person receiving the message can decrypt it.

     NOTE: You can only encrypt an e-mail if you have the recipient's public key, which means the recipient has to have obtained a digital ID and given you the public key (possibly by sending you a signed e-mail).

How do I know that some hacker isn't forging a signed e-mail after altering it?
     Someone could intercept your message, remove your signature, put their own signature on it, and then send it on.  For this reason there is what is called a Certificate Authority (CA).  CAs are companies that issue digital certificates.  When a person wants a digital ID, they usually don't generate one themselves; they go to a CA to get one.  You can compare it to getting a driver's license: you go to the CA (the driver's license office) to get an ID, and people don't accept an ID that you made yourself.  CAs go through a process to be "trusted" by web browsers and e-mail clients.  When a CA issues an ID, it is signed with the CA's own certificate, attesting that the CA issued it.  So when a signed e-mail arrives, the recipient's client can check whether the signing certificate (public key) was signed by a trusted CA.  Most e-mail clients check this automatically and generate a warning if the certificate wasn't issued by a trusted CA.  A hacker cannot obtain a "trusted" certificate for your e-mail address, so a forged signature would generate a warning.
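
An added example, not from the original post, of the trust check the paragraph above describes: a certificate issued by a CA the client trusts is accepted, while a self-made certificate claiming the same address is rejected.  Ruby with the standard openssl library; the CA name, the address and the self-signed certificate are all constructed for the demonstration.

```ruby
require 'openssl'

# Build an X.509 certificate for subject_name holding key's public key. With no issuer
# it is self-signed (what a person making their own ID would produce); with an issuer
# the CA signs it with its own private key, which is what "issued by a CA" means.
def make_cert(subject_name, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject_name)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 60 * 60
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed demonstration of what an e-mail client does: it trusts only the CA, so
# Alice's CA-issued certificate is accepted while a self-made certificate that
# claims Alice's address is not, even though the name on it is identical.
def ca_demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert('/CN=Example Trusted CA', ca_key, ca: true)
  alice_key = OpenSSL::PKey::RSA.new(2048)
  alice_cert = make_cert('/CN=alice@example.com', alice_key,
                         issuer_cert: ca_cert, issuer_key: ca_key)
  self_made = make_cert('/CN=alice@example.com', OpenSSL::PKey::RSA.new(2048))
  trusted = OpenSSL::X509::Store.new
  trusted.add_cert(ca_cert) # the client's list of trusted CAs, here just one
  { issued_by_ca: trusted.verify(alice_cert), self_made: trusted.verify(self_made) }
end

puts ca_demo.inspect if __FILE__ == $PROGRAM_NAME
```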

How do I know that some hacker isn't able to decrypt my encrypted message and read it?
     First, remember that only the private key can decrypt what the public key has encrypted.  If a hacker has the private key, then he is able to decrypt it.  But as long as you keep the private key safe and not publicly available, they cannot use it.  The other method is to try to generate or guess the private key to decrypt the message.  Theoretically it is possible, given enough time and computing power, to figure out what the private key is.  However, depending on the bit size of the key, it is practically impossible because of the time and power required.  For example, according to digicert.com, it would take 1.5 million years on a 2.2 GHz AMD Opteron processor with 2GB RAM to break a 1,024-bit certificate and, on the same computer, a little over 6.4 quadrillion years to break a 2,048-bit certificate.  Most certificates use either 1,024 or 2,048 bits.

If I send an encrypted message to someone, how will I be able to read it?
     It is true that if you encrypt a message to someone else, you use their public key and so could not decrypt it yourself, since you don't have their private key.  But that's not all that happens.  Recall that the message is encrypted with a symmetric secret key and that the secret key is then encrypted with the recipient's public key.  When you encrypt a message, the e-mail client should automatically encrypt the secret key with your own public key (if you have one) as well.  This way both you and the recipient can decrypt the message.

Do I have to send an encrypted message one at a time or can I send it to multiple recipients?
     As mentioned above, the e-mail client should automatically encrypt the secret key with both the recipient's public key and your own public key (if you have one).  If you send an encrypted message to multiple recipients, it encrypts the secret key separately with each recipient's public key.  Each recipient can then use their own private key to decrypt the secret key and read the message.  Just note that you must have a public key for each recipient.
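
An added example (not the post's own code) that covers the encryption question and the last two questions together: the body is encrypted once with a symmetric secret key, that key is wrapped for the sender and for each recipient, and only the holder of a matching private key can unwrap it.  Ruby with the standard openssl library; AES-256-GCM and RSA-OAEP are assumed choices, and the keys and message are constructed.

```ruby
require 'openssl'

# What actually travels: the body sealed once with a random secret key, plus that
# secret key wrapped separately for each recipient's public key.
EncryptedMail = Struct.new(:iv, :auth_tag, :ciphertext, :wrapped_keys)

# Encrypt the message with a fresh AES-256-GCM secret key (cipher choice is an
# assumption), then wrap that key with RSA-OAEP once per public key given. Pass the
# sender's own public key too, so the sender can still read what they sent.
def encrypt_mail(message, recipient_public_keys)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  secret_key = cipher.random_key
  iv = cipher.random_iv
  cipher.auth_data = ''
  ciphertext = cipher.update(message) + cipher.final
  wrapped = recipient_public_keys.map do |pub|
    pub.public_encrypt(secret_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  end
  EncryptedMail.new(iv, cipher.auth_tag, ciphertext, wrapped)
end

# Each recipient tries the wrapped copies with their own private key. Only the copy
# made with the matching public key unwraps; that secret key then decrypts the body.
# Returns nil when this private key was not among the recipients.
def decrypt_mail(private_key, mail)
  mail.wrapped_keys.each do |wrapped|
    begin
      secret_key = private_key.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    rescue OpenSSL::PKey::RSAError
      next # this copy was wrapped for someone else's key
    end
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key, cipher.iv, cipher.auth_tag = secret_key, mail.iv, mail.auth_tag
    cipher.auth_data = ''
    return cipher.update(mail.ciphertext) + cipher.final
  end
  nil
end

# Constructed demonstration: the sender and two recipients can read it; an outsider cannot.
def multi_recipient_demo
  alice, bob, carol, outsider = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  body = "Quarterly numbers attached; please keep them internal.\n" # constructed sample
  mail = encrypt_mail(body, [alice.public_key, bob.public_key, carol.public_key])
  [alice, bob, carol, outsider].map { |k| decrypt_mail(k, mail) }
end
```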

How do I get a digital ID (public and private keys)?
     To get a digital ID, you must request one from a Certificate Authority (CA).  Digital IDs are (usually) tied to an e-mail address, and you can have multiple IDs if you have multiple e-mail addresses.  You fill out a form with the CA that includes your e-mail address, and they will more than likely send a code to that address which you have to copy and paste into a given webpage to prove to them that you own the e-mail address.  After that, they will generate and install the digital ID into the web browser you are using.  You will have to export it from your browser and import it into every e-mail client that you use with that e-mail address.

How do I get a digital ID for FREE?
     Most CAs charge for digital IDs, but I have found one that will give you as many as you need for free.  The company is called StartCom and their website is https://www.startssl.com

     When you sign up with them, you must use a compatible browser; Internet Explorer, Firefox, and Apple Safari are some that are compatible.  I strongly suggest NOT using a mobile device such as a phone to register, as it is difficult to export your digital ID from your phone.  You can always transfer the certificate to your phone afterward, but I recommend not using your phone for the initial setup.

     StartCom issues you a digital ID as part of the sign-up process, to use as a way to sign in to your account on their website.  When you sign up, they will send you a verification e-mail.  Use the same browser window you used to sign up when you verify.

     If you are using an iPhone and want to sign and decrypt e-mails with it, you must import your certificate.  I strongly suggest NOT e-mailing the certificate to yourself, as that would make the certificate (and its private key) freely available.  I suggest setting up a small web server or a file transfer app that lets you retrieve the certificate by a secure means rather than sending it over the internet.