Understanding Digital Signatures
Digital signatures are a way to verify that an email message is really
from the person who supposedly sent it and that it hasn't been changed.
What is a digital signature?
You may have received emails that have a block of letters and numbers
at the bottom of the message. Although it may look like useless text
or some kind of error, this information is actually a digital
signature. To generate a signature, a mathematical algorithm is used
to combine the information in a key with the information in the
message. The result is a random-looking string of letters and
Why would you use one?
Because it is so easy for attackers and viruses to "spoof" email
addresses (see Using Caution
with Email Attachments for more information), it is sometimes
difficult to identify legitimate messages. Authenticity may be
especially important for business correspondenceif you are
relying on someone to provide or verify information, you want to be
sure that the information is coming from the correct source. A signed
message also indicates that changes have not been made to the content
since it was sent; any changes would cause the signature to break.
How does it work?
Before you can understand how a digital signature works, there are
some terms you should know:
- Keys - Keys are used to create digital signatures. For every
signature, there is a public key and a private key.
- Private key - The private key is the portion of the key you use to
actually sign an email message. The private key is protected by a
password, and you should never give your private key to anyone.
- Public key - The public key is the portion of the key that is
available to other people. Whether you upload it to a public key ring
or send it to someone, this is the key other people can use to check
your signature. A list of other people who have signed your key is
also included with your public key. You will only be able to see their
identify if you already have their public keys on your key ring.
- Key ring - A key ring contains public keys. You have a key ring
that contains the keys of people who have sent you their keys or whose
keys you have gotten from a public key server. A public key server
contains keys of people who have chosen to upload their keys.
- Fingerprint - When confirming a key, you will actually be
confirming the unique series of letters and numbers that comprise the
fingerprint of the key. The fingerprint is a different series of
letters and numbers than the chunk of information that appears at the
bottom of a signed email message.
- Key certificates - When you select a key on a key ring, you
will usually see the key certificate, which contains information about
the key, such as the key owner, the date the key was created, and the
date the key will expire.
- "Web of trust" - When someone signs your key, they are
confirming that the key actually belongs to you. The more signatures
you collect, the stronger your key becomes. If someone sees that your
key has been signed by other people that he or she trusts, he or she
is more inclined to trust your key. Note: Just because someone
else has trusted a key or you find it on a public key ring does not
mean you should automatically trust it. You should always verify the
The process for creating, obtaining, and using keys is fairly
- Generate a key using software such as PGP, which stands for Pretty Good Privacy,
or GnuPG, which stands for GNU Privacy Guard.
- Increase the authenticity of your key by having your key signed
by co-workers or other associates who also have keys. In the process
of signing your key, they will confirm that the fingerprint on the key
you sent them belongs to you. By doing this, they verify your identity
and indicate trust in your key.
- Upload your signed key to a public key ring so that if someone
gets a message with your signature, they can verify the digital
- Digitally sign your outgoing email messages. Most email clients
have a feature to easily add your digital signature to your
Authors: Mindi McDowell, Allen Householder
September 22, 2004