One of the problems with the Internet email system is that sending forged emails is relatively straightforward, i.e., it is easy to send an email with a fake sender/from address. One solution to this problem would be for a domain’s mail servers to digitally sign any email originating from the domain. For this to be useful, the public key would need to be made available to clients to validate the signatures. It is proposed that the public keys of the mail servers will be verified and signed by a certification authority (same as SSL/TLS certificates) and distributed via a standardised URL for the domain, e.g., https://mybusiness.com/email.pubkey.
(a) Explain how the client would obtain the public key and validate the email server’s digital signatures.
(b) Discuss the problem of trusting the obtained public key and how this solution results in public keys that can/cannot be trusted.
(c) Indicate whether you believe this approach could be used to prevent forged emails and explain why it would/would not be possible to send counterfeit emails in such a system.
a)
Digital certificates help us overcome this problem. A digital certificate is a means of binding public keys to their owner. These are issued by Certificate Authorities (CAs) who validate the owners of public keys. The CA does this by validating (through various processes) the identity of the owner of the public key. Once it has done this, it will bind the public key to a digital certificate and sign it using its private key to attest authenticity. The CA’s public key is available to all parties who need to validate the CA’s assertion of public key ownership.
However, digital certificates still require a chain of trust to confirm that the certificate belongs to the person or organisation that you think it does and has not been compromised. Criminals have been known to obtain certificates that were then used to sign software that included malware. Stolen certificates have also been used to sign malware.
b)
In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization.
c)
An email signing certificate — sometimes referred to as an S/MIME certificate or a personal authentication certificate — is something that you can use to help email recipients verify whether an email is coming from you. These certificates do two things:
When you assert your identity, not only are you affirming that you are who you claim to be, but you’re also instilling trust and confidence in your email recipients. They’ll be more likely to click on your links or engage with your emails if they know you’re you.
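The client-side validation that the question asks about, as an added example that is not part of the original question or answer. It assumes a single Ed25519 CA key in place of a full X.509 chain and an in-memory record in place of the HTTPS fetch of email.pubkey; `KeyRecord`, `binding`, `SignedBytes` and `VerifyMail` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
)

// KeyRecord is a hypothetical stand-in for the contents of email.pubkey.
type KeyRecord struct {
	Domain string            // domain the CA validated
	Key    ed25519.PublicKey // mail server's signing key
	CASig  []byte            // CA signature over binding(Domain, Key)
}

// binding is the byte string the CA signs (constructed format).
func binding(domain string, key ed25519.PublicKey) []byte {
	return append([]byte(domain+"\x00"), key...)
}

// SignedBytes covers the From address so it cannot be swapped after signing.
func SignedBytes(from, body string) []byte {
	return []byte("From: " + from + "\r\n\r\n" + body)
}

// VerifyMail checks, in order: record matches the From domain, a trusted CA
// vouches for the key, and that key signed this exact message.
func VerifyMail(caPub ed25519.PublicKey, rec KeyRecord, from, body string, sig []byte) error {
	at := strings.LastIndex(from, "@")
	if at < 0 || !strings.EqualFold(from[at+1:], rec.Domain) {
		return errors.New("key record does not cover the From domain")
	}
	if len(rec.Key) != ed25519.PublicKeySize ||
		!ed25519.Verify(caPub, binding(rec.Domain, rec.Key), rec.CASig) {
		return errors.New("CA signature on the key record is invalid")
	}
	if !ed25519.Verify(rec.Key, SignedBytes(from, body), sig) {
		return errors.New("message signature is invalid")
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(nil) // CA key pair (constructed)
	pub, priv, _ := ed25519.GenerateKey(nil)     // mail server key pair (constructed)
	rec := KeyRecord{"mybusiness.com", pub, ed25519.Sign(caPriv, binding("mybusiness.com", pub))}
	from, body := "alice@mybusiness.com", "Invoice attached" // constructed sample
	fmt.Println(VerifyMail(caPub, rec, from, body, ed25519.Sign(priv, SignedBytes(from, body))))
}
```

The domain check comes first because a key that a CA legitimately certified for one domain must not be accepted for mail claiming another.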