Understanding Email Encryption And Digital Signatures

Email is generally considered to be a very insecure system.

Email messages have to go through many other computers (email servers), before reaching their destination, and at each computer a copy of the message is made before forwarding the message on.

Although the copies are normally only temporary they don’t have to be.

Normally a copy is retained on the sending computer, and also the receiving computer, and these copies are generally stored unprotected.

The only way of protecting email is to encrypt it. Encryption is very seldom used because spam and virus checkers can’t work on encrypted email.

So the choice is you either have virus/spam checking or encryption, but generally not both.

Email Encryption and Digital Signatures

In order to protect the contents of your email you can:

  • Encrypt it – This makes the content unreadable so that to anyone viewing the email it is just gibberish.
  • Sign it – This allows the recipient to be confident that it was you who sent the message, and that the message hasn’t been changed.

Both processes require the use of keys.

These keys are simply numbers (128 bit being common) that are then combined with the message using a particular method (an algorithm, such as RSA) to either encrypt or sign the message.

Symmetrical Keys and Public and Private Keys

Almost all encryption methods in use today employ public and private keys.

These are considered much more secure than the old symmetrical key arrangement.

With a symmetrical key, a key is used to encrypt or sign the message, and the same key is used to decrypt the message.

This is the same as the keys (door, car keys) we deal with in everyday life.

The problem with this type of key arrangement is if you lose the key anyone who finds it can unlock your door.

With Public and Private keys, two keys are used that are mathematically related (they belong as a key pair), but are different.

This means a message encrypted with a public key cannot be decrypted with the same public key.

To decrypt the message you require the private key.

If this type of key arrangement were used with your car, then you could lock the car and leave the key in the lock, as the same key cannot unlock the car.

This type of key arrangement is very secure and is used in all modern encryption/signature systems.

Sending and Receiving Encrypted Email

Consider two users, User A and User B.

User A wants to send an encrypted email to user B. To do this User A requires the Public key of User B.

So how does User A obtain this key?

Well, because the key is public, it can be sent to him in an email, posted on a website, or forwarded from someone else.

It makes no difference to user B, as the key is public.

So User A uses the public key from user B to encrypt the email message.

When user B receives the message he decrypts it using the Private key.

If anyone else sees the message they can’t read it as they don’t have the private key.

Digital Signatures

Digital signatures use the same public/private key technology as digital encryption.

The keys are again generated as a key pair, and are used to sign and verify an email signature.

The old way of sealing an envelope was to use sealing wax and a signature ring. A digital signature serves the same purpose in the digital world.

Signing a Message

Again, we use User A and User B as an example.

User A signs an email with his private signature key and sends the message.

User B opens the message, and can verify the signature by using the public signature key of User A, which, because it is public, can actually be sent (and is) with the email.

Digital Certificates and Key Exchange

We have repeatedly said that because public keys are public they can be freely sent around the Internet and used.

The problem is how do you know they are genuine?

How do you know that the public key you are using belongs to User B?

The answer is to use a digital certificate to provide secure key exchange.

It serves the same purpose as a passport does in everyday life.

Obtaining a Digital Certificate

You get a digital certificate from a recognized Certificate Authority (CA), just like you get a passport from a passport office.

In fact the procedure is very similar.

You fill out the appropriate forms, add your public keys (they are just numbers) and send them to the certificate authority.

The certificate authority does some checks (which depend on the authority), and sends you back the keys enclosed in a certificate.

The certificate is signed by the issuing certificate authority, and this is what guarantees the keys.

Now when someone wants your public keys, you send them the certificate. They verify the signature on the certificate, and if it verifies, then they can trust your keys.
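The three operations described above (encrypting to User B's public key, signing with User A's private key, and a CA signing User B's key) are shown here as an added example that is not part of the original article. It uses textbook RSA with fixed, constructed primes and no padding, so it shows the key relationships only; `make_keypair`, `apply_key`, `cert_body` and the CA key pair are hypothetical names chosen for illustration.

```python
import hashlib

# Toy textbook RSA, illustration only: fixed well-known primes, no padding.
# Real S/MIME and OpenPGP use random 2048-bit+ keys with OAEP/PSS-style padding.
def make_keypair(p, q, e=65537):
    d = pow(e, -1, (p - 1) * (q - 1))    # private exponent: e*d = 1 mod phi(n)
    return (e, p * q), (d, p * q)        # (public key, private key)

def apply_key(key, value: int) -> int:
    exponent, n = key
    return pow(value, exponent, n)

def encrypt(public_key, message: bytes) -> int:
    m = int.from_bytes(message, "big")
    if m >= public_key[1]:
        raise ValueError("message too long for this toy key")
    return apply_key(public_key, m)

def decrypt(key, ciphertext: int) -> bytes:
    m = apply_key(key, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message: bytes) -> int:
    return apply_key(private_key, digest(message, private_key[1]))

def verify(public_key, message: bytes, signature: int) -> bool:
    return apply_key(public_key, signature) == digest(message, public_key[1])

def cert_body(name: str, public_key) -> bytes:
    return f"{name}|{public_key[0]}|{public_key[1]}".encode()   # what the CA signs

# Constructed key pairs for User A, User B and a hypothetical CA.
A_PUBLIC, A_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
B_PUBLIC, B_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)
CA_PUBLIC, CA_PRIVATE = make_keypair(2**255 - 19, 2**521 - 1)

if __name__ == "__main__":
    mail = b"Tax return attached"
    sealed = encrypt(B_PUBLIC, mail)                # A encrypts with B's public key
    print(decrypt(B_PUBLIC, sealed) == mail)        # False: public key cannot undo it
    print(decrypt(B_PRIVATE, sealed) == mail)       # True: only B's private key can
    sig = sign(A_PRIVATE, mail)                     # A signs with his private key
    print(verify(A_PUBLIC, mail, sig))              # True: B checks with A's public key
    print(verify(A_PUBLIC, mail + b"!", sig))       # False: altered message is detected
    cert = sign(CA_PRIVATE, cert_body("User B", B_PUBLIC))       # CA issues certificate
    print(verify(CA_PUBLIC, cert_body("User B", B_PUBLIC), cert))  # True: key is genuine
    print(verify(CA_PUBLIC, cert_body("User B", A_PUBLIC), cert))  # False: swapped key
```

The last line is the case certificates exist for: a different key presented under User B's name does not match what the CA signed.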

Certificates normally cost money, but there are a few companies that offer them free for non-commercial use:

Certificate Alternatives

In order to send encrypted emails to someone, you must have the public key of the recipient.

So before secure email can be sent between two people, they must exchange their public keys with each other.

There are several ways that public keys can be distributed:

  • Send directly via email or other mechanism to specific partners.
  • Publish the key on a website for everyone to access.
  • Upload a key to a key server.

Which you use depends on the level of trust you need.

Generally, for a small number of people exchanging encrypted email, direct transfer of keys between individuals is the easiest.

Very Simple Email Encryption

A very easy way to encrypt an email message is to use an online encryption service.

The image below shows the encryptfree.com service.

You simply paste the text into the text box, enter a password and click encrypt.

[Image: online email encryption]

The recipient of the email message just needs to do the opposite.

You can exchange the password by telephone, SMS, email, etc.

The nice thing about this is that it requires no software to be installed on either machine.

Encrypting Email Attachments

Generally the email message doesn’t need to be secured, but the supporting files, like tax returns, do.

In this case you simply encrypt the email attachments before sending and decrypt them at the other end.

There are many file encryption tools you can use, and the sender and receiver must use the same tool.

The easiest one is the free, open source 7ZIP tool, which is a file compression tool that supports encryption.

If you are new to this software then this article explains how to use

Summary

The only way of completely protecting the contents of an email is to encrypt it.

Because email encryption and virus scanning don’t work well together, email encryption is seldom used.

Commercial systems are difficult to set up and maintain, and for individuals and small businesses they are usually overkill; simple alternatives are available that offer a reasonable level of protection.
