Securing E-Mail

You can enhance your e-mail with certificates in a number of ways. First, signing an e-mail message with a certificate gives recipients assurance that you are indeed who you say you are. This is important, because SMTP--the protocol used to send the majority of e-mail through the Internet--simply passes on whatever address the sender specifies (a fact that "spammers" use to their advantage). Closely related is the ability to verify that a message has not been altered somewhere along the line. Signing a message can also have legal or contractual implications: A valid certificate makes it difficult for the sender to "repudiate" a message (that is, to claim falsely that he did not send it).

The process for signing messages is the same regardless of which e-mail client is used. The first step is to calculate a hash value for the message content. The hash is signed with the sender's private key, and the signature is attached to the message along with the sender's certificate. The recipient first uses the sender's public key (which comes with the certificate) to verify the certificate, then calculates the same hash value for the message content and compares it with the attached value. Matching values prove the message content was not altered.

Certificates also provide the ability to encrypt messages--the inverse of the process just described. To hide the contents of an outgoing message, you encrypt it with the recipient's public key. At that point, the only way to decode the message is by using the recipient's private key, which, presumably, only the recipient has. An ironic twist to this is that the sender can't read the message archived in his own Sent Items folder.

Published as PC Tech Feature in the 4/20/99 issue of PC Magazine.
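The sign-and-verify and encrypt-to-recipient flows described above, as an added example that is not part of the original article. It uses unpadded textbook RSA over constructed toy keys with the Python standard library only, does not model the certificate itself, and every function and key name in it is an assumption made for illustration.

```python
import hashlib

E = 65537  # common public exponent

def make_key(p, q):
    """Build a toy key pair ((n, e), (n, d)) from two primes (constructed values)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(body, n):
    """Hash the message content; reducing mod n is a toy stand-in for real padding."""
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def sign(body, private):
    """Sender: sign the hash of the content with the private key."""
    n, d = private
    return pow(digest(body, n), d, n)

def verify(body, signature, public):
    """Recipient: open the signature with the public key, rehash, compare."""
    n, e = public
    return pow(signature, e, n) == digest(body, n)

def encrypt(text, public):
    """Encrypt a short message to the recipient's public key."""
    n, e = public
    m = int.from_bytes(text, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(cipher, private):
    """Decrypt with a private key; only the matching key returns the plaintext."""
    n, d = private
    m = pow(cipher % n, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed keys from known Mersenne primes; far too structured for real mail.
ALICE_PUB, ALICE_PRIV = make_key(2**107 - 1, 2**89 - 1)   # sender
BOB_PUB, BOB_PRIV = make_key(2**521 - 1, 2**127 - 1)      # recipient

if __name__ == "__main__":
    body = b"Wire the payment on Friday."                 # constructed sample message
    sig = sign(body, ALICE_PRIV)
    print("genuine message verifies:", verify(body, sig, ALICE_PUB))
    print("altered body verifies:", verify(body.replace(b"Friday", b"Monday"), sig, ALICE_PUB))
    print("signed with another key:", verify(body, sign(body, BOB_PRIV), ALICE_PUB))
    sealed = encrypt(body, BOB_PUB)
    print("recipient reads:", decrypt(sealed, BOB_PRIV))
    print("sender can reread own copy:", decrypt(sealed, ALICE_PRIV) == body)
```

Real S/MIME and PGP clients add padding, validate the certificate chain, and encrypt a per-message symmetric key rather than the body itself.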
Copyright (c) 1999 Ziff-Davis Inc.