Encryption, Digital Certificates and Signatures

What are Digital Certificates and Public Keys?

A digital certificate is a special kind of machine-readable document, unique to an individual or organization, which is issued to them by a trusted Certificate Authority (CA). It is kept secret and access to it is usually protected by a password. There is a public part of the certificate which is included with your digital signature (see below). In order for someone to send you something encrypted so that only you can read it, they require their own digital certificate and the public part of your certificate.

An easier way to use digital signatures and encryption is to generate your own key pair. This is like a digital certificate, but you do not need a CA to give it to you; you can create it yourself (see below).

What is a Digital Signature and How Can One Tell If It Is Valid?

Most modern commercial e-mail clients can use a digital certificate to sign an e-mail message as well as to encrypt it. If you sign an e-mail message with your digital signature then a special attachment (the digital signature) is added to the message which is generated by your e-mail client reading both the content of the message and your digital certificate. When you send the message to other people, their e-mail client can compare the contents of the message with both the sender and the digital signature. If a single character of the message has been changed or the actual sender does not match the certificate then the e-mail client will report that the signature is invalid and the message has either been forged, tampered with, or both. It is very easy to impersonate (technically known as spoof) anyone via simple e-mail. A digitally signed e-mail is at least as assuring as a document signed by hand in ink on letterhead and has the same legal status in the UK (Electronic Communications Act 2000, Electronic Signatures Regulations 2002) and the rest of the European Union (Directive 1999/93/EC).
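The two checks described above (message content against the signature, and sender against the certificate), as an added example that is not part of the original page. It uses textbook RSA from the Python standard library with a constructed key pair and a hypothetical certificate layout; the names `CERT`, `sign` and `verify` are assumptions, and real mail clients use S/MIME or OpenPGP libraries with padded signatures instead.

```python
import hashlib

# Constructed demo key built from two known Mersenne primes. Textbook RSA
# without padding: for illustration only, never for protecting real mail.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the signer

# The public part that travels with the signed message (hypothetical layout).
CERT = {"email": "alice@example.org", "n": N, "e": E}


def digest(body: str) -> int:
    """SHA-256 of the message body as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(body.encode("utf-8")).digest(), "big")


def sign(body: str, d: int = D, n: int = N) -> int:
    """Signer side: transform the message digest with the private exponent."""
    return pow(digest(body), d, n)


def verify(sender: str, body: str, signature: int, cert: dict) -> str:
    """Recipient side: the two comparisons a mail client makes."""
    # Check 1: the address the mail claims to come from must be the
    # address the certificate was issued to.
    if sender.strip().lower() != cert["email"].lower():
        return "invalid: sender does not match certificate"
    # Check 2: undoing the signature with the public key must give the
    # digest of the body as received; one changed character breaks this.
    if pow(signature, cert["e"], cert["n"]) != digest(body):
        return "invalid: message changed after signing"
    return "valid"


if __name__ == "__main__":
    body = "Please pay invoice 1042 by Friday."  # constructed sample message
    sig = sign(body)
    print(verify("alice@example.org", body, sig, CERT))
    print(verify("alice@example.org", body.replace("1042", "1043"), sig, CERT))
    print(verify("mallory@example.org", body, sig, CERT))
```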

Note that most e-mail that you send can easily be read by system administrators of mail servers that the mail passes through, as well as by others who monitor (sniff) internet traffic. If you encrypt your e-mail using your digital certificate (this requires that the recipient has a digital certificate) then only you and the intended recipient will be able to read the message.

If you use Microsoft Outlook, a message with a valid signature will appear in your list of messages with an icon bearing a tiny red ribbon, and when you open the message you will see an icon next to a line indicating the e-mail address of the person who signed the message. You can click on this icon to see the internal details of the certificate, including the name of the person to whom it was issued if the certificate has been fully notarized. Other e-mail clients will have similar mechanisms. If you read your e-mail on a web browser then it is likely to simply show an attachment named smime.p7s (web-based e-mail clients tend not to be smart enough to check digital signatures).

Note that if you generate your own keys then you first need to ensure that the recipient of your message has set up their e-mail client to process the extra text that the signing or encryption adds to your e-mail message. To encrypt, you will have had to exchange public keys. There is no formal mechanism for building up trust for personally generated keys other than for you to digitally sign the keys that you trust from people you have met and for them to sign your key. Keys that are signed by people that you trust then inherit trust and an informal web of trust is created.

How Can One Get a Digital Certificate or Generate Keys For E-Mail?

There are many reputable Certifying Authorities who issue certificates, usually for a fee.

Currently updating this section to include free X509 certifying authorities.

If you wish to generate your own keys, I recommend GNU Privacy Guard (GnuPG), which can be found at http://www.gnupg.org/. A Windows version is available to download from http://www.gpg4win.org/. A MacOS version is available to download from https://gpgtools.org/.

This work is licensed under a Creative Commons License.