In last month's article, The Proliferation of Spam, I discussed how spam has become a problem and some of the difficulties involved in trying to eliminate it.

Digital certificates: A digital certificate is an asymmetric key encryption system. What this means is that there is a public key and a private key. The sender encrypts the message using the private key; the receiver then takes the public key and decrypts the message. Encrypting and decrypting is simply the act of running a mathematical formula on clear text to make it unreadable, and then running the same formula on it again to turn it back into clear text. The private key is known only to the sender, and a message encrypted with the private key can only be decrypted with the public key. It also works in the other direction: a message encrypted with the public key can only be decrypted with the private key. In short, it creates non-repudiation: the sender can't deny that he or she sent it.

There is a digital signature standard which has been made into law. It is supposed to be binding like an actual signature on a document, but there are problems with that, which I will get into shortly. The way the standard works is like this: The sender writes a message and then "signs" it. The software takes the message and generates a message digest for it. The message digest is produced by a hash algorithm and can be used later to ensure the message is intact. Then, using the sender's private key, the message digest is encrypted, and the encrypted message digest is attached to the message. When the receiver gets the message, the software takes the public key and decrypts the attached message digest. In addition, a new message digest is generated for the received message. Once the attached digest is decrypted, it is compared to the newly generated one. If they match, it is believed that the sender did in fact send the message. Hence, non-repudiation is attached to the message.
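To make the sign-and-verify sequence concrete, here is an added Python example (not from the original article) that walks through it: hash the message, encrypt the digest with the private key, then on the receiving side decrypt it with the public key and compare against a freshly computed digest. It assumes SHA-256 as the hash algorithm, textbook RSA without padding, and a toy key built from two well-known Mersenne primes so that the arithmetic is reproducible; a real certificate's key comes from secret random primes.

```python
import hashlib

# Toy RSA key pair built from two well-known Mersenne primes (constructed for this
# illustration only, so the numbers are reproducible; real keys use secret random primes).
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                       # public modulus; N > 2**256, so a SHA-256 digest fits in it
PHI = (P - 1) * (Q - 1)
E = 65537                       # public exponent, published in the certificate
D = pow(E, -1, PHI)             # private exponent (modular inverse; needs Python 3.8+)
PUBLIC_KEY = (N, E)             # what anyone can look up via the CA
PRIVATE_KEY = (N, D)            # known only to the sender


def message_digest(message: bytes) -> int:
    """Run the message through a hash algorithm (SHA-256 here) and return the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Sender side: encrypt the message digest with the private key.
    The result is the signature that gets attached to the message."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Receiver side: decrypt the attached digest with the public key, generate a fresh
    digest of the received message, and compare the two."""
    n, e = public_key
    recovered_digest = pow(signature, e, n)
    return recovered_digest == message_digest(message)


if __name__ == "__main__":
    original = b"Meeting moved to 3pm. -- Alice"          # constructed sample message
    signature = sign(original)
    print("intact message verifies:", verify(original, signature))        # True
    tampered = b"Meeting moved to 4pm. -- Alice"          # one character altered in transit
    print("tampered message verifies:", verify(tampered, signature))      # False
```

A mismatch means either the message was altered after signing or the signature was not made with the private key matching this public key, which is exactly the integrity and non-repudiation check the article describes.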
The way the sender can be identified is with the public key. In order for the whole system to work properly, the sender must get a digital certificate from a certificate authority (CA). Most CAs offer a lookup facility for their certificates; if you know the public key, you can look up information on that person. You cannot get the private key, of course, but you can verify that they do in fact have a valid certificate. In order to sign your messages, what you need to do is get a certificate from a CA and then install it into your email program. Most packages, including Outlook, Mozilla and Thunderbird, support certificates. I have used both Mozilla and Thunderbird. The process is relatively easy, and once installed they can be configured to require a master password before signing the message. This ensures that I am the only one sending the message.
The copyright of the article Digital Signatures and Spam in PC Security is owned by . Permission to republish Digital Signatures and Spam in print or online must be granted by the author in writing.