Digital signatures are a way for users to establish integrity and non-repudiation in email communications. In short, a digital signature is a cryptographic fingerprint of the message, made with a key that only the author holds, that proves to the recipient who sent the email and that it is legitimate. It also gives the recipient a way to confirm that the message was not altered in transit.
Integrity
Integrity is a key component of the CIA triad common in cyber security, which I'll cover in a different blog post. Integrity ensures that data is not altered by unauthorized individuals or programs. Digital signatures provide this by using certificates issued to users. Each certificate is bound to a key pair: a private key that is accessible only to its owner, and a public key that anyone can use. The author hashes the message, signs that hash with their private key, and sends the message together with the signature across the open and untrusted internet to the intended recipient. On receipt, the recipient hashes the message exactly as it arrived and uses the author's public key to check that the signature matches that hash. If it does, the message is intact and has not been altered in transit; if even one byte changed, the check fails. The recipient can also confirm that the author's certificate is valid by checking its details, ensuring that it is current (neither expired nor revoked), and confirming that it was signed by a trusted third party known as a certificate authority.
Non-Repudiation
NIST, the National Institute of Standards and Technology, defines non-repudiation as “a service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party as having originated from a specific entity in possession of the private key (i.e., the signatory)”1. Non-repudiation prevents the author from denying that they sent the message, and gives the recipient proof of the sender's identity. This only holds as long as the private key really is in the sole possession of the signatory, which is why private keys must be protected and promptly revoked if they are exposed.
Business Use Case
Digital signatures protect the integrity and authenticity of data sent between endpoints. Organizations can fall victim to man-in-the-middle and similar attacks in which an attacker sits between two legitimate users, giving the attacker the chance to strip out good data, replace it with the attacker's own, and pass the result on to the destination. In practice it looks like this: the accounting department sends a bill for materials and tells the customer to deposit the money into a given account. The customer receives the email and sends the money to that account. Now imagine a threat actor sitting between those two parties. The threat actor changes the account number to one he owns, and the customer, believing the account belongs to the supplier, unknowingly sends the money to the threat actor. This is what digital signatures aim to prevent. If the sender hashes and signs the email, any change to the account number makes the signature fail to verify, and the recipient's mail client flags the message with an invalid-signature warning instead of presenting it as trustworthy.
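The hash-sign-verify sequence described under Integrity, and the invoice scenario above, carried through as an added example in Go (standard library only; this is not code from the original post and not how any particular mail client implements S/MIME). The invoice text, both account numbers and the key pairs are constructed for the example, and ECDSA on P-256 stands in for whatever algorithm a real certificate would specify:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Invoice is a constructed stand-in for the accounting email in the scenario above.
// The account number is the field a man-in-the-middle would want to change.
const Invoice = "Invoice 1042: please pay USD 12,500 to account 11-22-33 12345678"

// Sign hashes the message with SHA-256 and signs the digest with the sender's private key.
// This is not "encrypting the hash": ECDSA produces a signature value that the matching
// public key can check, and nothing is ever decrypted on the other side.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest over the message exactly as received and checks the
// signature against the claimed sender's public key. Any change to the message or the
// signature makes this return false.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Tamper simulates the attacker swapping the account number in transit.
func Tamper(msg []byte) []byte {
	return []byte(strings.Replace(string(msg), "12345678", "87654321", 1))
}

// SignResult records what the recipient's verification returns in three cases.
type SignResult struct {
	Original bool // untouched message, genuine signature
	Tampered bool // account number changed, genuine signature left in place
	ReSigned bool // account number changed and re-signed with the attacker's own key
}

// Demo runs the scenario end to end: the sender signs, the attacker tampers (with and
// without re-signing), and the recipient verifies against the sender's public key.
func Demo() (SignResult, error) {
	sender, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return SignResult{}, err
	}
	attacker, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return SignResult{}, err
	}
	msg := []byte(Invoice)
	sig, err := Sign(sender, msg)
	if err != nil {
		return SignResult{}, err
	}
	forged, err := Sign(attacker, Tamper(msg))
	if err != nil {
		return SignResult{}, err
	}
	return SignResult{
		Original: Verify(&sender.PublicKey, msg, sig),
		Tampered: Verify(&sender.PublicKey, Tamper(msg), sig),
		ReSigned: Verify(&sender.PublicKey, Tamper(msg), forged),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	// prints: original: true, tampered: false, re-signed by attacker: false
	fmt.Printf("original: %v, tampered: %v, re-signed by attacker: %v\n", r.Original, r.Tampered, r.ReSigned)
}
```

The third case is the one worth dwelling on: the attacker's re-signed invoice fails only because the recipient checks it against the real sender's public key. If the recipient simply trusted whatever public key arrived with the message, the attacker's version would verify, which is why the public key has to be bound to the sender's identity by a certificate from a CA the recipient trusts.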
Bad guys find great success with phishing campaigns that trick users into downloading attachments or clicking links in emails that appear to come from legitimate sources. This drives many organizations to create training and awareness programs that warn users against clicking links or downloading attachments. The problem is that this can cause business delays, as users must first spend time verifying the links, attachments, and senders before addressing the business reason for the email. By digitally signing emails and documents, organizations can give their clients and customers confidence that the request in the email is legitimate. One caveat: a valid signature proves which key signed the message, not that the signer is honest, so recipients (or their mail clients) must also check that the certificate was issued to the expected sender by a CA they trust; otherwise an attacker can simply sign phishing mail with a certificate of his own. The same reasoning extends to websites, software, and other services.
Implementation
Does your organization need digital signatures? It depends on your organization's current security posture and strategy. If your organization is just beginning to build its cyber security posture and is in the early stages of implementing best practices, then no. Start with the best practices and get those implemented and hammered out: strong password policies, good offsite backups, anti-virus and threat monitoring, strong and practiced incident response and disaster recovery plans, and a culture focused on cyber security. If, however, you have all of those and more, and you are looking for the next thing to improve your security posture, then implementing digital signatures could be the next step.
When first implementing digital certificates, it may seem like a math problem. “I have 50 employees, each needs 2 certificates, that’s 100 certificates.” The math is correct but it is much more than that. Having the right infrastructure is key to successfully implementing digital certificates.
Microsoft's own documentation is a good place to start. The first step is obtaining a digital ID (a signing certificate) from a certificate authority such as GlobalSign, IdenTrust, or DigiCert, among several others. The IT department must then enable digital signing in the email environment so that the certificates are available to users. Finally, users must learn how to send and receive digitally signed emails. The recipient's mail client verifies the signature with the sender's certificate, which travels with the signed message; in Outlook, saving the sender to the contact list retains that certificate, which is also what later allows the recipient to send that sender encrypted mail.
Key Terms
Some key terms that everyone should know regarding digital signatures and PKI (Public Key Infrastructure, which will be a separate blog post) are CA, ORA, CRL, and OCSP.
- CA – Certificate Authority
  - Issues and revokes certificates
  - Can be internally or externally hosted (a public CA such as Verisign)
- ORA – Organizational Registration Authority
  - Internal to the organization
  - Verifies the identity of the certificate applicant before the CA issues a certificate: the RA vets, the CA signs
- CRL – Certificate Revocation List
  - Maintained and signed by the CA
  - Lists the serial numbers of certificates revoked before their expiry date (an employee leaves, a key is compromised)
  - Published by the CA and downloaded in full by the relying party, so it can grow large and go stale between updates
  - Increasingly supplemented by OCSP, though CRLs remain in wide use
- OCSP – Online Certificate Status Protocol
  - The client asks an OCSP responder about the status of one certificate instead of downloading the whole list
  - Faster and lighter than a CRL lookup for a single certificate
  - The responder answers from the CA's revocation records, so it is only as fresh as those records
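The issuance steps under Implementation and the CA and CRL roles in the list above, carried through as an added example in Go (standard library only; this is not code from the original post and not how any particular CA product or mail client works). A tiny in-memory CA issues an S/MIME signing certificate and a CRL, and a relying-party check does what a mail client should do before trusting a signed message. The CA name, the user alice@example.com, the serial numbers and the fixed clock are all constructed for the example; RA vetting and OCSP are not modelled:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var now = time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // fixed clock so results are reproducible (assumed)

// issue signs tmpl (parent == tmpl for a self-signed root) and re-parses it so SubjectKeyId etc. are set.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// NewMiniPKI plays the CA (and stands in for the RA, since no identity vetting happens here): it
// self-signs a root and issues an S/MIME signing certificate to a made-up address, alice@example.com.
func NewMiniPKI() (caKey *ecdsa.PrivateKey, caCert, user *x509.Certificate, err error) {
	if caKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil { return nil, nil, nil, err }
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Internal CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}
	if caCert, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil { return nil, nil, nil, err }
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, nil, err }
	user, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(1002), Subject: pkix.Name{CommonName: "Alice Accounting"},
		EmailAddresses: []string{"alice@example.com"}, // what a mail client matches against the From address
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, caCert, &userKey.PublicKey, caKey)
	return caKey, caCert, user, err
}

// IssueCRL returns a DER-encoded CRL, signed by the CA, listing the given serial numbers as revoked.
func IssueCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey)
}

// CheckSenderCert is the relying party's check at time t: the certificate must chain to the trusted root,
// be within its validity period, be permitted for email protection, and be absent from a fresh, CA-signed CRL.
func CheckSenderCert(cert, root *x509.Certificate, crlDER []byte, t time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	// KeyUsages defaults to ServerAuth, which would wrongly reject an S/MIME certificate.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: t, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil { return err }
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return err }
	if err := crl.CheckSignatureFrom(root); err != nil { return err } // a CRL the CA did not sign proves nothing
	if t.After(crl.NextUpdate) { return errors.New("CRL is stale; refuse rather than assume not revoked") }
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 { return errors.New("certificate has been revoked") }
	}
	return nil
}

// CertResult holds the outcome for a good certificate, the same one after revocation, and after expiry.
type CertResult struct{ Valid, Revoked, Expired error }

func Scenario() (CertResult, error) {
	caKey, caCert, user, err := NewMiniPKI()
	if err != nil { return CertResult{}, err }
	cleanCRL, err := IssueCRL(caCert, caKey, big.NewInt(1001)) // lists some unrelated, earlier certificate
	if err != nil { return CertResult{}, err }
	revokedCRL, err := IssueCRL(caCert, caKey, big.NewInt(1001), user.SerialNumber) // Alice left, or her key leaked
	if err != nil { return CertResult{}, err }
	return CertResult{
		Valid:   CheckSenderCert(user, caCert, cleanCRL, now),
		Revoked: CheckSenderCert(user, caCert, revokedCRL, now),
		Expired: CheckSenderCert(user, caCert, cleanCRL, now.AddDate(2, 0, 0)),
	}, nil
}

func main() {
	r, err := Scenario()
	if err != nil { panic(err) }
	fmt.Println("valid:", r.Valid, "| revoked:", r.Revoked, "| expired:", r.Expired)
}
```

Three details in CheckSenderCert are the ones that go wrong in practice: Go's verifier assumes a TLS server certificate unless KeyUsages says otherwise, a CRL is only evidence if the CA's signature on it checks out, and a CRL past its NextUpdate should be treated as a failure rather than as "not revoked". A real mail client additionally matches the From address against the certificate's email address; with OCSP, the ParseRevocationList step would be replaced by a query to the responder for this one serial number.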
This is a very general overview of digital certificates. Digital certificates give people a way to communicate with confidence across the open and untrusted internet and help defeat common tampering and impersonation techniques used by attackers (eavesdropping itself is the job of encryption, which signing alone does not provide). By signing emails with a digital certificate, users can prove their identity, provide integrity within their email communications, and provide non-repudiation within their environment. There is so much more to digital certificates and PKI that needs to be addressed, but I feel this is a good start for any business beginning its research on digital signatures and public key infrastructure.
For additional reading and research, check out these other articles:
- https://www.digicert.com/faq/trust-and-pki/what-is-a-digital-certificate-and-why-are-digital-certificates-important
- https://playbooks.idmanagement.gov/fpki/
- https://www.csoonline.com/article/548388/security-revoke-certificates-when-you-need-to-the-right-way.html
- https://www.techrepublic.com/article/a-beginners-guide-to-public-key-infrastructure/
- NIST. (2023). Computer Security Resource Center. National Institute of Standards and Technology. https://csrc.nist.gov/glossary/term/non_repudiation