
IT Center Blog

Security in E-mail Traffic 1: Digital Signing

August 28th, 2024 | by
[Figure: vector graphic with user, certificate and seal symbols. Source: Freepik]

Did you know that in June 2024, more than 80% of all incoming emails at RWTH Aachen University were identified as suspicious by the email security defense systems? [1] You may now be thinking of terms such as phishing emails or spam emails.

At some point, every recipient of an email asks themselves the question: How do I know whether the sender address is trustworthy and genuine? On the other hand, every sender asks themselves at some point: How do I know whether my email has demonstrably reached the recipient unchanged? One answer to this is: Always sign emails digitally! We would like to take a closer look at this process with you in the following blog post.


What Are Digitally Signed Emails?

A digitally signed email carries a value that is derived uniquely from the email's content. The digital signature is generated by calculating a checksum of the email content and encrypting that checksum with the sender's private cryptographic key. A checksum is a value that can be used to verify the integrity of data; you can think of it as a fingerprint of the data.

A public key certificate (also known as an X.509, S/MIME or user certificate) is required to digitally sign emails. The email application you use, for example Microsoft Outlook or Mozilla Thunderbird, attaches a digital signature to every outgoing email with the help of this public key certificate. In the following section, we explain how you can apply for such a user certificate for your digital email signature.


Applying for User Certificates at RWTH Aachen University

Employees and students of RWTH Aachen University have been able to apply for user certificates via the RA portal since mid-August 2023. After applying, you will receive a .p12 file containing the private key, the public key and the certificate. This file can then be imported into your own email application. Employees and students can apply without a separate identity check, because the identity check performed when hiring employees or enrolling students is relied on. All other RWTH members must complete a personal identity check with a valid ID document.


Verifiable Unaltered Email: The Red Seal Symbol

The recipient’s email application checks in the background whether the digital signature is intact. If this is the case, the email is marked with a (usually) red seal symbol (like a red ribbon) in the email navigation bar. This lets you know that a digitally signed email has demonstrably arrived unchanged.

Recognizing the Authenticity of the Email and the Sender

So how do you know whether an email you have received has been signed by the real sender? This is where public key certificates play a crucial role again. These certificates must contain the sender address and can optionally contain the full name of the certificate holder. A sender can only be clearly and securely identified in this way if they never pass on their private cryptographic key, i.e. their .p12 file, to third parties.


“The digital signature on this message is Valid and Trusted”

What does it mean when the email application adds the note “The digital signature on this message is Valid and Trusted” to a received email? “Valid” means that the digital signature is intact. Emails are rated as “trusted” if the user certificate provided was issued by a certification authority that the email application trusts. Trusted certification authorities comply with the Certificate Authority/Browser Forum guidelines for issuing S/MIME certificates and are audited.

Of course, the e-mail application also checks whether the certificate was issued for the sender address and whether the certificate is still valid and has not been revoked.
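The signing step from “What Are Digitally Signed Emails?” and the recipient-side checks described in this section, as an added example that is not part of the original post and not RWTH's or any mail client's own code. It is written in Go using only the standard library. It assumes a constructed test CA (“Example Test CA”), a constructed user (“Erika Mustermann”, erika@example.org) and a simplified message structure instead of the real S/MIME (CMS) encoding; revocation checking (CRL/OCSP) is deliberately left out. The verifier checks that the signature is intact (“valid”), that the certificate chains to a trusted CA and is within its validity period (“trusted”), and that it was issued for the From address.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SignedMail is a constructed, simplified stand-in for an S/MIME message (not the real CMS encoding).
type SignedMail struct {
	From string
	Body string
	Cert *x509.Certificate // sender's user certificate (public key + sender address)
	Sig  []byte            // signature over the SHA-256 checksum of Body
}

func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert
}

// NewTestPKI builds a constructed CA (standing in for a certification authority the mail client
// trusts) and issues a user certificate bound to email. The returned private key is the part that
// lives in the .p12 file and must never be passed on.
func NewTestPKI(email string, now time.Time) (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userTmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: "Erika Mustermann"},
		EmailAddresses: []string{email}, // the sender address the certificate is issued for
		NotBefore:      now.Add(-time.Hour),
		NotAfter:       now.Add(24 * time.Hour),
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	userCert := issue(userTmpl, caCert, &userKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, userCert, userKey
}

// Sign computes the checksum (SHA-256) of the body and signs it with the sender's private key.
func Sign(from, body string, cert *x509.Certificate, key *ecdsa.PrivateKey) (SignedMail, error) {
	digest := sha256.Sum256([]byte(body))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedMail{From: from, Body: body, Cert: cert, Sig: sig}, err
}

// Verify performs the recipient-side checks: signature intact ("valid"), certificate chains to a
// trusted CA and is within its validity period at time now ("trusted"), and issued for the From address.
func Verify(m SignedMail, roots *x509.CertPool, now time.Time) error {
	if err := m.Cert.CheckSignature(x509.ECDSAWithSHA256, []byte(m.Body), m.Sig); err != nil {
		return fmt.Errorf("signature not valid (content or signature altered): %w", err)
	}
	_, err := m.Cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now, // enforces NotBefore/NotAfter of every certificate in the chain
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	if err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	for _, addr := range m.Cert.EmailAddresses {
		if strings.EqualFold(addr, m.From) {
			return nil
		}
	}
	return fmt.Errorf("certificate was not issued for sender %q", m.From)
}

func main() {
	now := time.Now()
	roots, cert, key := NewTestPKI("erika@example.org", now)
	mail, _ := Sign("erika@example.org", "Meeting moved to 14:00.", cert, key)
	fmt.Println("intact:", Verify(mail, roots, now))
	mail.Body = "Meeting moved to 15:00." // constructed alteration in transit
	fmt.Println("altered:", Verify(mail, roots, now))
}
```

The order of the checks matters in practice: the signature is verified first, so an altered body is rejected before any trust decision is made, and the address comparison comes last because a valid, trusted certificate for a different mailbox still must not be shown as “signed by the sender”.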


What Else Should I Bear in Mind When Sending Signed Emails?

If your e-mail application allows it, you should always set a master password. The master password protects the private cryptographic key stored in the application.

You should keep your own .p12 file, and therefore your own private key, safe and never pass it on to third parties. If you change computers, take the .p12 file with you and import it into the email application on the new computer.

If you use several computers from which you want to sign emails, you can of course integrate the existing .p12 file on all devices. You should also consider whether you want to install your own cryptographic keys on mobile devices such as smartphones, which can be stolen or lost more easily.


What Do I Do Now?

It is best to apply directly for your user certificates in the RA portal for your personal mailboxes and configure the email application so that your emails are always digitally signed. Outlook and Thunderbird users can find instructions on how to do this on IT Center Help. OWA users, on the other hand, cannot sign digitally. They can only see whether a received email has been digitally signed.


Digitally Signing Documents

It is also possible to digitally sign documents. To do this, you need to configure your own PDF application. Instructions for Adobe Acrobat, JSignPDF and LibreOffice are also available on IT Center Help.


[1] IT Center Help

Responsible for the content of this article are Mirko Koch, Bernd Kohler, Jelena Nikolić, and Katerina Papachristou.
