Electronic signatures and internet security, an explanation and practical how-to notes.
Disclaimer: If your requirement for secure email goes above that of a casual user, and the failure of security may have serious consequences for you, then you should get expert advice. This document does not contain expert advice. You should not rely on my advice, and I do not accept any liability for the consequences of following advice contained here.
In a hurry?
Simple Notes on Internet Security and Email
It is very easy to forge email; that is, to send email as if it came from someone else.
It is trivial for your email to be read while it is in transit: left to its own, email is like a postcard. I don't like to sound like I live in the backwoods of Montana, but government agencies all over the world are reading email via automated scans. If this upsets you, you don't need to blow up any buildings. Just follow the instructions here.
As for forged email return addresses: Anyone could send you mail pretending it came from me. Or, if you like, anyone could send internet email to your boss, looking like it came from you. If you live in America, someone could send a death threat to the President as if it was from you. The security forces are obliged to investigate all death threats against the President (this is serious, so don't do this to someone as a joke). Commercial email systems used within a company, such as Lotus Notes, have solved this problem: they authenticate the sender of all messages. These notes will tell you how to get this level of security with your internet software, and it doesn't cost a cent. You need to install a digital certificate on your computer.
It is also quite easy for someone to alter the content of email after it has left your machine: this requires more technical skills then the simple forging of a return address, but internet email provides no protection against it.
Digital signatures prove who email comes from, and that it has not been altered in transit. If you establish the habit of using digital signatures for important email, you will have a lot of credibility if you ever need to disown forged mail that appears to be from you. They also allow you to encrypt email so that no one can read it except the recipient. PGP in particular offers levels of encryption that will take Nobel prizes to break. Actually, digital signatures are really about proving who you are, which is useful for all kinds of internet transactions, but I'll concentrate on email.
Forgery sounds hard: Should I really be bothered?
A basic forged return address takes about ten seconds of work, and no technical skills above using a mouse and keyboard.
To forge a return address, you simply alter your email address in the settings in your email software (or in the jargon, your email "client"). It takes about ten seconds, depending on how fast you can type. The next message you send will have the forged return address; this is a favourite trick of junk-mail senders (spammers). All that junk mail that looks like it came from firstname.lastname@example.org (for example) probably didn't (so don't blame Hotmail; most likely, there is no such account). Now, an expert can look through a the technical information in the email headers and can often find an inconsistency indicating that the mail is probably fake, but it is not easy.
Digital certificates are a solution to this problem. There are two popular standards you can use at no cost: SMIME digital certificates, and PGP. I concentrate here on the SMIME digital certificates; but both are widely accepted internet standards. SMIME is a lot easier to set up; PGP offers better and more versatile security.
Digital Certificates and keys: What they do
A digital certificate is like a passport, with quite a bit of information between the covers. The certificate actually contains different parts, most importantly a private key and a public key.
The keys work together to verify that the email came from the "reply to" address. They do this by attaching a digital signature to your email; the verification happens at the receiving end. The signature
Guarantees the correctness of the sender's claimed email address (guarantees it is not a forgery)
Guarantees that the message has not been altered after it was sent (alteration is not prevented, but the signature will be invalidated).
A digital signature is generated by your email software and your private key, working together. These electronic keys are clever: your message's signature can only have been generated by your private key, and it works according to internet standards (either SMIME or PGP), so the sending and receiving software can be different. The SMIME standard is supported by Netscape Messenger/Mozilla/Thunderbird, and Outlook Express, which comes with Microsoft's Internet Explorer. Eudora supports PGP and SMIME, via a plugin. R5 of Lotus Notes also supports SMIME. Webmail clients are starting to offer it (Squirrel has a SMIME plugin but I don't know how often it is installed; you need to ask your adminitrator).
With digital keys, you can also encrypt a message so that it is only readable by the recipient. Signing a message proves who it came from, but anyone can read the message in transit through the internet (although changing the message invalidates the signature). Encrypting makes sure the message is unreadable during transit. Before you can encrypt a message to someone, you need their "public key", which you get automatically if they send you a signed message. It is also possible to get public keys from directories, if your desired correspondent has stored their public key with a directory.
An explanation based on the low-tech equivalent of digital signatures: locked boxes and keys.
How does it work?
Alfred wants to send documents to 100 associates, using a postal service to deliver the package.
He wants to prove to the recipients that the package they receive really came from him (Alfred).
He requests a special lock-box from a famous lock company: we call this box the Alfred signature box. The locks on these boxes are special: they accept two types of key: red and blue. We call it a Signature Box because it will work like a signature in proving who the mail came from.
Every Signature Box shipped to Alfred is identical, but they are also different from Signature Boxes sent to other customers: the Alfred keys don't work for Signature Boxes made for other customers.
The locks are different for each customer of the lock-box company. Every box Alfred orders uses the same lock as his first box, even boxes he orders five years later.
Since a blue key made for Alfred's lock won't work for any signature boxes issued to other customers, it is called an Alfred Blue Key, and it has his name stamped on it. The lock-box company ships an Alfred Blue Key with each Alfred Signature Box, and each Alfred Blue Key is identical since the lock on each Signature Box shipped to Alfred is identical. The company makes only one Alfred Red Key, for reasons mentioned shortly, but it is quite happy to give a blue key to anyone that wants one. The red key is much more special than the blue key.
Now, more about this special lock on each of Alfred's boxes that accepts two types of keys: an Alfred blue key and an Alfred red key.
The Alfred red key will lock and unlock an open Alfred Signature Box; it is the master key. The Alfred blue key is restricted: It will unlock an Alfred signature box, but it can not be used to lock it. It is an "open only" key.
The famous company making the lock boxes guarantees to the public that it will only make one red key for every customer, and that it hands that unique key to the customer in person. Even if it ships 1000 boxes to that customer, it only ever issues one red key. There is only one Alfred red key, and this fact is trusted by the community at large. The lock-box company also validates that the person claiming to be Alfred really is Alfred (the staff of the lock-box company look at his passport and driver's licence and meet him face-to-face before they hand over his red key). So, if you see a locked Alfred signature box, you can be as sure as your trust in the lock-box company that only Alfred locked that box, since he is the only one with the Alfred red key.
When Alfred wants to send a document, he puts the document into the signature box, and locks it with his red key. No other red key would lock one of Alfred's signature boxes. He then tapes an Alfred blue key on top of the signature box, and sends it to his associate. His associate may already have a blue key from Alfred, so the key taped on the top of the box may not be necessary. It doesn't matter: each blue key from Alfred is the same. In fact, if the blue key falls off, the recipient can ask the lock company to issue an Alfred blue key, and they do this, at no charge. They will issue an Alfred blue key to anyone who asks, registered customer or not. Eventually, there will be hundreds of Alfred blue keys in circulation, all of them identical. From Alfred's point of view, the more the merrier.
So the receivers of the message can verify that it was sent by Alfred simply by seeing that the box is locked, because only he can lock the lock-box that is opened by an Alfred blue key.
Let's go through the chain of trust again: If the recipient trusts that only Alfred has the Alfred red key, and that the locks and red keys can not be reverse engineered or duplicated, and that the lock company only issued one red key, then the recipient trusts that the message really came from Alfred. Note that with this system, it doesn't matter if some of the boxes being shipped to Alfred were stolen. The signature boxes can not be locked without the Alfred red key. Also, anyone with an Alfred blue key can open an Alfred signature box. This system gives Alfred no security about who really opens his mail, but it guarantees to the receiver that the message really came from Alfred.
The Alfred blue key is Alfred's public key. The Alfred red key is Alfred's private key. The company making the locks and keys is the issuing authority.
A low tech equivalent of encrypted mail using locks and keys
We have solved the problem of authenticating the sender (the signature). Now, let's say that James wants to send mail to Bill, and James wants to make sure that only Bill can read it. This time, we are looking at encryption. We don't care about proving that the message came from James: the problem is making sure that only Bill can read the message.
Once again, we use lock-boxes from the lock company, but we don't use signature boxes. We use an Encryption Box. This time, it is Bill, the receiver, who must be a customer of the lock company. James, the sender, does not have to be a customer. The encryption box for this message is a little different to Alfred's signature box: the publicly available Bill blue key locks the open encryption box but does not unlock it. Once again, the private Bill red key both locks and unlocks the box (the blue keys for the signature box do the opposite function to the blue keys for the signature box. Actually, it is not the key that is different, but the lock. A Bill blue key is restricted to locking a Bill encryption box without being able to open it, and the same key will not lock a Bill signature box, but will open it).
So, James is ready to send his document to Bill. James gets a Bill encryption box and a Bill blue key from the lock company (at no charge to him), and he puts the message inside the box, and locks it with the Bill blue key. Only Bill can unlock it, since only Bill has the Bill red key. Thus, James is safe: only Bill can read his message.
However, Bill doesn't know if it was really James who sent him the message.
Encrypting and signing the low-tech way
Since Alfred and Bill are both customers of the lock-box company, they can use a trick. Alfred can be very clever when he sends messages to Bill. He can put his document inside an Alfred signature box, and lock it with the Alfred red key. Then he can get a Bill encryption box and a Bill blue key, and put his locked signature box inside the Bill encryption box. He then locks the Bill encryption box with the Bill blue key.
Only Bill can open the Bill encryption box, and then Bill uses an Alfred blue key to open the Alfred signature box that was locked inside the Bill encryption box. Alfred knows that only Bill can read his message, and Bill can be sure that it was Alfred who sent him the message.
When you send a signed email, your email software sends to the recipient three things:
Relating this to Digital Keys
If you sent a signed message to someone who has old email software that does not process digital signatures, 2 and 3 appear as an attachment full of numbers and strange text.
- The message (of course)
- Your public key
- The digital signature (a large number)
The special lock that Alfred used in the low tech approach (above) is duplicated with special mathematical algorithms.
To lock the message in the signature box, a number is generated by your email software using your private key (the red key), the contents of the message to be signed, and the clever locking algorithm. This number is attached to your email: it is the digital signature. The mathematics involved means that the number generated is both unique to the message and to the sender's private key. (Technically, the message is first reduced to a numerical summary through a process called hashing, and this summary is the input used. It speeds things up, but doesn't noticeably weaken the security).
At the receiving end, the receiving software uses a related algorithm to validate the number attached to the message (the digital signature). The receiving software takes the digital signature, the message to which the digital signature is attached, and the public key provided, and it runs those three inputs through the unlocking algorithm. This algorithm can make sure those input three matches inputs 1 and 2. There is not enough information for any algorithm known to humanity to generate a digital signature without the private key (this is the really clever bit about the mathematics).
Only the public key is required to do the validation, not the original private key. To emphasise: you need the private key to make the signature, but you only need the public key to validate a signature. The algorithm used is the mathematical equivalent of a lock-box that has one key that only locks it, and one key that only opens it.
Because the precise contents of the message are also used to make the signature, an altered message invalidates the signature, and the signature (just a number) attached to one message is not valid if it is attached to a different message (preventing forgery by copying the signature).
Unlike the red and blue keys in the low tech approach, the public and private keys are mathematically related (but not in a way that would allow someone to create a private key based on the public key).
When signed email arrives, the receiver sees a prominent signed-message icon in their email software (or will see an error message if the signature is not valid). Making a valid digital signature without the private key is very widely believed to be almost impossible; forging a pen-and-paper signature is a great deal easier. The mathematics involved in digital key security relies on factors of large prime numbers, and if your email software is operating at US-level security, the numbers involved are so big that making a valid signature without the private key is almost inconceivable in the life-span allotted to us. Note that non-US residents can easily get their hands on a US-strength email program: see below for more information.
It sounds amazing, but it is backed by a lot of mathematics and computer science. Using a private and public key is why this system is known as Two Key Cryptography.
A digital certificate is issued by a security authority (there are several, and at least one is free). The certificate is hard coded with a certain email address from the moment it is created by the authority, and the authority sends it to only that email address. So to get a digital certificate encoded with a certain email address, you must control that email address. This is your guarantee when someone sends you a signed message.
EncryptionThe discussion above focussed on signed email, which is more useful for most people than encrypted mail. Encrypting a message requires the recipient's public key.
For encrypting, a different algorithm is used. The sender's certificate is not involved. The message encrypted with the recipient's public key can only be decrypted by the matching private key.
What are the weaknesses of digital keys?No security system is perfect. Here are the major weaknesses of this one:
1) Someone could steal your private key from your computer. More than 100 keys fit on a normal floppy disk. Protecting your private key with a password is highly recommended, so that a stolen private key is worthless (and don't store the password on the same computer!).
2) The issuer of the certificate could give to someone else enough information about your certificate for the third party to easily create a copy of your private key. The issuer may be forced to do this by a government, alternatively, the issuer's security could be breached. You can avoid this by using a different approach, PGP (Pretty Good Privacy) where you make the certificate yourself. PGP is also stronger encryption. I use it also from time to time. However, using an issuing authority (the SMIME approach) is handy if you lose your certificate. PGP is less trustworthy because no trusted third party (the issuer) guarantees that the certificate belongs to who it says it does (Thawte has a "web of trust" scheme to negate this; see http://www.thawte.com for more information).
3) The certificate could be forged or cracked. This is virtually impossible with today's computers, if you are using US-level security. No one has reported breaking this security (although the only organisations with the a slightly realistic chance of breaking it would most certainly not report any success). Even "International" (ie exportable from the US) strength software is highly awkward to crack, although it doesn't have a very good shelf life with the increasing power of affordable computers. Also, the difficulty of factoring large prime numbers, the heart of the system, is believed to be fiendishly difficult, but this has never been formally proven, despite around fifty years of trying (an algorithm to solve the problem has also eluded researchers, despite even more intensive efforts).
4) Digital signatures carry a lot more authority than a simple return address, because the forgery is so much more difficult. If you lose your certificate and password, you have a problem, because mail with a digital signature is more authoritative. The best thing to do would be to completely stop using the email address associated with the stolen certificate, and start again.
5) There are some issues with sending someone your public key. Say you have just got your digital certificate, and you want to send your public key to someone so they can send you encrypted mail. You ask Charlie the courier to take your public key to Bob. Unfortunately, Charlie is not trustworthy. He actually gives Bob his private key, but says its yours. Charlie also offers to take Bob's mail back to you. Charlie then decrypts it, because Bob actually used Charlie's key. Charlies reads the mail, and then encrypts it using your key, so you don't see anything wrong. In other words, you need to trust the directory service which shares public keys. See the links below for more information.
6) Some email clients are not compatible with the standard, such as older browsers and many of the web-mail sites. To these users the signature appears as an attachment full of weird text, and they get no validation of the signature. MIME is the standard for sending attachments, and SMIME means Secure MIME. I imagine it would be hard to send signed mail from a web-mail site.
7) It doesn't solve some legitimate security concerns, such as sending genuinely anonymous mail (merely forging a return address still leaves lots of fingerprints giving clues about where the mail came from), and having an anonymous reply to address (where someone can reply to you, but not know who they are replying to).See the www.pgpi.com site for some starting links on these requirements. They are both possible, and with a little reading you can obtain a completely anonymous internet existence, in the era supposedly witnessing the end of privacy.
Getting a free certificate
Now you need a digital ID card, called a certificate. You can get this for free, from www.thawte.com.(Do this for Netscape, Internet Explorer or Opera). Another well known provider is Verisign, but you have to pay $10 for an ID that signs email. Thawte is just as good, and free. There are a few steps to go through; the process may take half-an-hour, including waiting for some email from Thawte. Have your passport number ready.
1) I am not an expert on this topic. I have little idea of how the encryption algorithms work. I know the algorithm to factor prime numbers is the key to the whole thing, and that this is believed to by a very time consuming problem to solve, falling into the most complex category of algorithms (NP complete), but this level of difficulty has never been proven. This applies to both PGP and SMIME. If your requirement for secure email goes above that of a casual user, and the failure of the security risks serious consequences, then you should get expert advice. You should not rely on my advice, and I do not accept any liability for the consequences of following advice contained here.
2) If you get a digital ID, your private keys are stored, in some form, on the issuing authority's computers. I don't know the legal ramifications of this (could a Government or security agency seize your private key?).
If this bothers you, you should use "Pretty Good Privacy" (next topic) which is very secure and very private. Your private keys are generated on your machine, and no one else has them, barring theft from your computer. Even then, they are password protected.
The most secure approach: Pretty Good Privacy
PGP is the best alternative to the SMIME system. It is most interesting if you want incredibly high security, or if you want to encrypt a wide range of documents, outside your internet usage.
PGP is famous software, widely used for signing and encrypting email. It works very well with Internet Explorer and Eudora, and can be used with Netscape (with Netscape, you need to copy and paste email you wish to encrypt using PGP). The key programmer who promoted it is American, and he found himself in lots of serious legal trouble for sharing this software around the world (which he did on a matter of principle, and good for him.).
PGP offers even more powerful security than the US-standard SMIME certificate security.
NEW for Windows users: You can now easily use PGP with Netscape. It has worked easily with Outlook and Eudora for some time. You need to go to the PGPI site first, and download the latest PGP version (free).
Then go here: http://bear-software.freeservers.com to download the plugin for Netscape. This is an actively developed plugin.The software from PGPI already includes a plugin for Outlook and Eudora.
Or you can go here for a Mozilla/Thunderbird opensource plugin for PGP: http://enigmail.mozdev.org/
See www.pgpi.com for the international site, which was needed in the past to avoid problems with old-fashioned US laws. MIT is the core source of the distribution. It is free for private use, but not for commercial use. The international people claimed that whenever MIT issues a new release, they buy a printout of the source code and ship it out of the US, which is not illegal, and then scan it in to a computer. Electronically shipping the source code was at that time illegal. Go figure. There is no restriction on the source code, so this is nowjust a reminder of the silliness of laws.
There is a completely open source version of PGPI called GNU Privacy Guard. http://www.gnupg.org/
There is some talk that one of the PGP algorithms violates a US patent, but there seems to be no adverse consequences so far. MIT doesn't seem very worried. But it was reason enough for the GNU version.
http://www.counterpane.com/pki-risks.html Risks of PKI Ten weaknesses of PKI (public key infrastructure), the real-world way that digital signatures are actually used.
http://www.McCune.cc/PGP.htm A practical guide to the latest PGP software, with a small collection of well chosen links, and useful answers to questions about using it.
http://www.xs4all.nl/~respub/crypto/english/book.html A summary of digital eavesdropping techniques and how they deal with current encryption technologies
Comments. Page modified: September 12, 2004