Solved

email signing

Posted on 2012-03-22
Last Modified: 2012-08-13
Can I ask in Outlook 2003 what "email digital signing" is about and what it actually does to maintain the integrity of sent / received email? Is it a free feature within Outlook? How can I digitally sign an email before sending it and what is the point in doing so?

Say I send email from myself to user X, and user X decides to edit the email after they received it, how will signing the email help there? Would prefer management type responses if poss, jargon friendly.
Question by:pma111
14 Comments
 
LVL 30

Accepted Solution

by:
IanTh earned 250 total points
 
LVL 3

Author Comment

by:pma111
I was hoping for some discussion really. I read a couple of links and haven't quite grasped it.

Does the certificate prevent tampering of the email by the recipient, or if the user did tamper with the mail after receiving it, would it show up somehow?

And who needs the certificate? I.e. both the sender and receiver? Or if you were using it internally can you buy like a corporate cert?
 
LVL 3

Author Comment

by:pma111
Do you buy 1 certificate per user, 1 per email, or one per exchange server?
 
LVL 59

Assisted Solution

by:Chris Bottomley
Chris Bottomley earned 250 total points
The signing is an action taken on the email by the sender.  It basically identifies what the email looked like when it left their client.  If it is received without tampering then the signature and content match and all is well.

If someone picks up on the mail in the journey and makes a change to set for example transfer amount to 1000 from 1 then the content and signature mismatch and the recipient can see that.

This is different from encryption where the content is hidden and hopefully unreadable in any meaningful timeframe.  i.e. the data can be seen by everyone and can be trusted as presented if the sig is ok.

i.e. per http://office.microsoft.com/en-us/outlook-help/secure-messages-with-a-digital-signature-HP001230539.aspx

The key a sender gives to a recipient so that the recipient can verify the sender's signature and confirm that the message was not altered. Recipients also use the public key to encrypt (lock) e-mail messages to the sender.). This information proves to the recipient that you signed the contents of the message and not an imposter, and that the contents have not been altered in transit. For additional privacy, you can also encrypt messages.

Chris
 
LVL 3

Author Comment

by:pma111
However, what if... after a user receives the email. They open it in Outlook, right click, edit the message, save it. And then forward it on. How will the certificate help in that case? I.e. it's arrived untampered. But the recipient themselves have then tampered with it and sent it on.
 
LVL 59

Expert Comment

by:Chris Bottomley
Signatures are client specific so unless everyone is using the same pc and outlook install then one per person.

For larger organisations you can have your own certificate server but in most cases I believe they will be hosted by providers.

I have my own for home and used to have a work hosted one for work.  The work one was not so good as somehow the certificate could not be seen globally .... I had to send it out separately whereas my provider based certificate simply works.

Chris
 
LVL 59

Expert Comment

by:Chris Bottomley
When a recipient sends the mail on it is no longer signed ... the act of sending it removes the 'received' signature.  Of course if the (re)sender has a certificate and elects to sign the message then the next recipient will see a signed email from you BUT no validation of the sender you received it from.

Chris

 
LVL 3

Author Comment

by:pma111
What's the likelihood of an email being tampered in transmission in an internal LAN? Theoretical at best?

And also...

However, what if... after a user receives the email. They open it in Outlook, right click, edit the message, save it. And then forward it on. How will the certificate help in that case? I.e. it's arrived untampered. But the recipient themselves have then tampered with it and sent it on.
 
LVL 3

Author Comment

by:pma111
So, am I right in thinking.

If an email is sat in a user's inbox. The user decides to edit the message whilst in their inbox. If they don't send it on, does it flag up as "this user has edited the text of this email from the original".

Or would it only flag it up if "this email was tampered during transmission, it isn't the original".
 
LVL 3

Author Comment

by:pma111
I.e. does it provide accountability to email at rest (sat in the mailbox) as well as email in transit. The issue could be a user receives the email. Then decides to edit it, so in their inbox it appears as modified. I wasn't sure if a digital cert "locks" the email when in the inbox so it can't be amended. Or whether if someone does amend it somewhere the hash then doesn't match thus it flags it up in Outlook as "someone's messed about with this since it was received, this isn't the original".
 
LVL 3

Author Comment

by:pma111
And does a dig signature consider attachments as well as message txt? i.e. if the attached word document was also edited in transit would that also show as a mismatch?
 
LVL 59

Expert Comment

by:Chris Bottomley
As soon as you modify a signed email from elsewhere the signature is invalid.  i.e. any change to the attachments is a change to the email so the attachments are marked as invalid by virtue of the edit to the email.

Capability wise it is probably high that someone within an intranet CAN hack a message as compared to finding a useful email outside but within an organisation there is little cause in my view for signing ... unless legal requirements apply.

Chris
 
LVL 3

Author Comment

by:pma111
Ok Chris,

But, say an email (digitally signed) appears in my inbox,

a) How does it visually appear as either "ok -not tampered" or "tampered"? Can you provide a screenshot? Of how they will visually appear in Outlook.

And my core question is,

b) In Outlook 2003, if I open an email (digitally signed), right click, edit message, change the text, and save it, does it then also visually appear as tampered, or does it remain as ok?

My concern is more email at rest (sat in a team/shared inbox) as opposed to in transmission.

I can see dig certs affect in transmission, but I wasn't sure if it "stops there" and any amendment of the email whilst in the inbox will affect the dig sig "ok not tampered"
 
LVL 59

Expert Comment

by:Chris Bottomley
Exact appearance will vary with application version but there will be a bar on the email to show signed or an error with the signature.  The explorer does not in my experience show this status; you need the preview or mail active.

I did already say that as soon as a mail is edited in any way the signature becomes invalid.  I.e. at rest or in transit, a change renders the sig invalid hence from the moment an email is saved either for retention or as part of a send.

Chris
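
The signature check discussed in this thread, as an added example that is not part of any post above: a hash over the body and attachment is signed with the sender's private key and checked with the sender's public key, then the same check is run after a body edit, an attachment edit, and a forward re-signed by the recipient. The toy textbook-RSA keys, the names Alice and Bob, and the message contents are constructed for illustration; a real S/MIME client uses a CA-issued certificate and padded signatures.

```python
import hashlib
from email.message import EmailMessage

def make_keypair(p, q, e=65537):
    # Toy textbook RSA from two known Mersenne primes (demo assumption, not secure).
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public, private)

ALICE_PUB, ALICE_PRIV = make_keypair(2**127 - 1, 2**521 - 1)  # original sender
BOB_PUB, BOB_PRIV = make_keypair(2**89 - 1, 2**607 - 1)       # recipient who forwards

def build_mail(body, attachment):
    # Constructed sample message: text body plus one binary attachment.
    msg = EmailMessage()
    msg["From"], msg["To"] = "alice@example.com", "bob@example.com"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="order.doc")
    return msg

def digest(msg):
    # One hash over the body and every attachment, so a change to any part shows.
    h = hashlib.sha256()
    for part in msg.walk():
        if not part.is_multipart():
            h.update(hashlib.sha256(part.get_payload(decode=True)).digest())
    return int.from_bytes(h.digest(), "big")

def sign(msg, private_key):
    n, d = private_key
    return pow(digest(msg), d, n)

def verify(msg, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == digest(msg)

def demo():
    original = build_mail("Please transfer 1", b"Pay supplier 1 GBP")
    sig = sign(original, ALICE_PRIV)
    edited_body = build_mail("Please transfer 1000", b"Pay supplier 1 GBP")
    edited_doc = build_mail("Please transfer 1", b"Pay supplier 1000 GBP")
    bob_sig = sign(edited_body, BOB_PRIV)  # recipient edits, re-signs, forwards
    return {
        "untouched": verify(original, sig, ALICE_PUB),
        "body_edited": verify(edited_body, sig, ALICE_PUB),
        "attachment_edited": verify(edited_doc, sig, ALICE_PUB),
        "forward_checks_as_bob": verify(edited_body, bob_sig, BOB_PUB),
        "forward_checks_as_alice": verify(edited_body, bob_sig, ALICE_PUB),
    }
```

Calling `demo()` returns one boolean per scenario; the check only compares stored content against the signature, so it gives the same answer whether the edit happened in transit or in the mailbox.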