All S/MIME-capable e-mail clients (including MS Outlook, MS Outlook Express, Mozilla and Netscape) already offer signing and encryption as standard features. Standards-compliant, software-based key pairs and certificates can therefore be integrated easily. To use a signature card instead, additional software or middleware is needed that links the card and the card reader to the e-mail client's existing functions, e.g. Nexus Personal.
An e-mail signature is generated by the signature functions of the e-mail client. The signing operation itself is triggered by entering a PIN; everything else runs automatically in the background. With the signature the sender discloses his identity and protects the data against unnoticed manipulation. The signature is computed with the sender's private key, which should be at his personal disposal only, for instance stored on a signature card.
The signature check at the recipient end first verifies that the data has not been manipulated, then that the e-mail address in the certificate matches the sender's address, and finally that the certificate comes from an issuer classified as trustworthy. For this the sender's public key is used, which is inseparably bound to the certificate; the certificate in turn identifies the sender and the issuer of the certificate, i.e. the trust center. A careful client also checks that the certificate is still within its validity period and has not been revoked before it reports the signature as valid. The recipient of a signed e-mail can thus be certain who sent the message and can detect whether it was altered at any point after signing. To receive and check a signed e-mail, the recipient needs only an e-mail client with S/MIME capability; no additional signature equipment is required.
A signed e-mail, however, does not by itself provide confidentiality: the data is sent in plain text, like a postcard that bears the sender's personal signature but can still be read by the postman. To make an e-mail confidential, it must additionally be encrypted. This requires the recipient to also have a personal key pair, because the e-mail is encrypted with the recipient's public key.
The e-mail can then be opened only by the recipient who holds the matching private key. As with the signature check, the e-mail address contained in the certificate is compared with the recipient's e-mail address, so that only the individual who owns that address and the matching private key is able to read the data.
The recipient's public key, which the sender uses to encrypt the e-mail, can be passed on without concern and, at the key holder's request, is published in D-TRUST's certificate repository (LDAP), where it can be downloaded free of charge. Most e-mail clients have a search function with which certificates and public keys can easily be fetched from the LDAP directory.
An e-mail can of course be encrypted for several recipients at once, and also automatically for the sender, so that the confidential data is stored in encrypted form at the sender's own workplace too, readable only by the sender. In the PKCS#7 format used by S/MIME the message body is encrypted once with a random content key; a copy of that key, encrypted with the respective recipient's public key, is included for every recipient, the sender included.
The e-mail signature and encryption methods described above use advanced certificates. This is because a qualified certificate cannot be used for encryption, and the signature functions of standard e-mail clients do not meet the legal requirements placed on qualified signatures. The signature exchange format is PKCS#7 (today standardised as the Cryptographic Message Syntax, CMS).