The Gpg4win Compendium 3.0.0-beta1
Chapter 13. Signing e-mails
13.2 Checking signatures with GpgOL
Let’s assume you have received a signed e-mail from the person you are corresponding with.
It is very easy to check this digital signature. All you need is the public OpenPGP or X.509 certificate of your correspondence partner. You should have already imported his public certificate into your certificate administration prior to performing this check (see Chapter 10).
To check a signed OpenPGP or S/MIME e-mail, proceed as you would for decrypting an e-mail (see Chapter 9):
Start Outlook and open a signed e-mail.
GpgOL will automatically transfer the e-mail to Kleopatra for a signature check. Kleopatra will report the result in a status dialog, e.g.:
The signature check was successful! Now close to the dialog in order to read the signed e-mail.
If you want to perform the check again manually, select Extras!Decrypt/Check GpgOL in the menu of the open e-mail.
If the signature check is not successful, it means that the message was changed during the delivery process. Because of the technical nature of the Internet, it is possible that the e-mail was unintentionally modified because of a defective transmission. That is probably the most likely cause. However, it can also mean that the text was changed intentionally.
Section 13.3 has information on how to proceed in such a case.
92
The Gpg4win Compendium 3.0.0-beta1
Chapter 13. Signing e-mails
13.3 Reasons for a broken signature
There are several reasons for a broken signature:
If you receive the message “Bad signature” or “Check failed”, it is a warning that your e-mail may have been manipulated! That means that it is possible that someone changed the e-mail’s contents or the subject line.
At the same time, a broken signature does not necessarily mean that the e-mail was manipulated. It is also possible that the e-mail was modified due to a defective transmission.
In any case, you should always take a broken signature seriously and ask the sender to resend the e-mail!
It is recommended that you set your program to only send e-mails in “text” format and not in “HTML” format. However, if you decide to use HTML for signed or encrypted e-mails, it is possible that formatting information will be lost by the time it reaches the recipient, which can result in a broken signature.
In Outlook 2003 and 2007, you can set the message format to Text only in Extras!Options!E-Mail Format.
93
The Gpg4win Compendium 3.0.0-beta1
Chapter 13. Signing e-mails
13.4 Encryption and signature
You know: A message is usually encrypted using the public certificate of your correspondence partner, who then decrypts the e-mail using his private key.
The reverse possibility – encryption with a private key – does not make sense, since the whole world knows the associated public certificate and could then decrypt the message.
However, as you have already seen in this chapter, there is still another method to create a file using your private key – namely the signature.
A digital signature confirms the author – because if someone successfully applies your public certificate to this file (the signature), this file could only have been encoded by your private key. And only you can have access to this key.
You can combine both options, namely encrypting and signing the e-mail:
1.You sign the message with your own private key. This proves that you are the author.
2.You then encrypt the text using the public certificate of the person you are correpsonding with.
This means that the message has two security characteristics:
1.Your seal on the message: the signature with your private key.
2.A solid outer envelope: encryption using the public certificate of the person you are corresponding with.
Your correspondence partner opens the outer strong envelope with his own private key. This ensures secrecy, because only this key can be used to decode the text. He reads the seal with your public certificate, which proves that you were the author, because if your public certificate matches, the seal (digital signature) can only have been encoded with your private key.
It is pretty tricky when you think about it, but also very simple.
94