Anti-Phishing Working Group
What Are S/MIME Digital Signatures?

An S/MIME digital signature allows an email recipient to verify that the “From:” address in a message has not been forged or “spoofed”, by checking two things:

  1. The "From:" address is correct (e.g. 'visa.com' and not 'visa-security.com')
    • see item 1 in the sample email below
  2. The digital signature is valid
    • this is indicated by some type of visual cue, such as the red ribbon in item 2 of the sample email below

When a recipient receives a digitally signed email in their S/MIME-compliant email client, the signature is verified automatically. S/MIME is supported in over 350 million deployed email clients, including Microsoft Outlook, Lotus Notes, Novell Groupwise, Netscape Communicator, Mac Mail, etc. If the signature is valid, that result is presented in the email client as a visual cue (see the sample email above). This visual cue in the email client is unspoofable for two reasons:

  • It is generated by the email client software after the email has been opened and the signature has been verified.
  • It is based on strong cryptography.

An S/MIME digital signature includes the following elements:

  • A digital certificate
    • The digital certificate includes information about the sender who signed the message. It is issued by a third-party Certificate Authority (CA) that is accredited for certificate issuance (this includes companies such as VeriSign, Thawte, etc.). The CA verifies that the sender’s information, specifically the email address, is owned by that sender. The email address is then embedded in the digital certificate. It is this third-party verification of the ownership of the email address that ensures the message content came from the address in the “From:” field of a digitally signed email.
  • A signed digest of the message that cannot be forged
    • This is a cryptographic hash of the message content, encrypted with the sender’s private key. Only the holder of that key can produce it, so it ensures that the contents of the message were not changed after it was sent.

The digital signature verification that happens in the email client typically involves the following tests:

  • Validate that the email address in the “From:” field of the email matches the email address in the digital certificate.
  • Validate that the certificate was issued by a trusted certificate authority.
  • Validate that the message was not tampered with in transit, by decrypting the signed digest with the public key from the certificate and comparing it to a digest freshly computed over the received message.
  • Validate that the certificate has not expired.

If the digital signature passes these tests, then the recipient’s email client displays the visual cue shown in the sample email above. If the digital signature is deemed to be invalid, a different visual cue is displayed, with associated error messages warning the user of a possible spoof.
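The four checks listed above, as an added worked example that is not part of the APWG page and not the code of any email client. It uses the Python `cryptography` package to build a constructed trusted CA, a sender certificate whose subjectAltName carries the CA-verified address, and a detached RSA signature over the message body, then runs the address match, issuer trust, validity period and digest comparison against a genuine message and four failure cases (a lookalike “From:” domain, a tampered body, an expired certificate, and a certificate from a rogue CA that copies the trusted CA’s name). All names, addresses and certificates are constructed for the example; the real S/MIME (CMS) envelope is not built, only the checks a client performs on it.

```python
import datetime
from email.message import EmailMessage
from email.utils import parseaddr

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def make_cert(cn, issuer_cert, public_key, signing_key, email=None, is_ca=False, valid_days=(-1, 365)):
    """Build an X.509 certificate (constructed for this example); a CA signs itself when issuer_cert is None."""
    now = datetime.datetime.now(UTC)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_cert.subject if issuer_cert else subject)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now + datetime.timedelta(days=valid_days[0]))
        .not_valid_after(now + datetime.timedelta(days=valid_days[1]))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if email:  # the CA-verified address is carried in the subjectAltName rfc822Name
        builder = builder.add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
    return builder.sign(signing_key, hashes.SHA256())


def _validity(cert):
    """(not_before, not_after) as aware UTC datetimes, across cryptography releases."""
    nb, na = getattr(cert, "not_valid_before_utc", None), getattr(cert, "not_valid_after_utc", None)
    if nb is None or na is None:  # older releases expose naive UTC datetimes
        nb, na = cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)
    return nb, na


def certificate_emails(cert):
    """Every email address the CA bound into the certificate (lower-cased)."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return []
    return [addr.lower() for addr in san.get_values_for_type(x509.RFC822Name)]


def issued_by_trusted_ca(cert, trusted_cas):
    """A matching issuer name is not enough: the CA's key must verify the certificate's own signature."""
    for ca in trusted_cas:
        if cert.issuer != ca.subject:
            continue
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
            return True
        except InvalidSignature:
            continue
    return False


def sign_body(body, private_key):
    """Sender side: hash the body and sign the digest (RSA PKCS#1 v1.5 with SHA-256)."""
    return private_key.sign(body, padding.PKCS1v15(), hashes.SHA256())


def verify_signed_mail(msg, body, signature, signer_cert, trusted_cas, now=None):
    """Recipient side: the four checks from the text; returns the list of failures (empty = valid)."""
    now = now or datetime.datetime.now(UTC)
    failures = []
    if parseaddr(msg["From"])[1].lower() not in certificate_emails(signer_cert):
        failures.append("from-address-mismatch")
    if not issued_by_trusted_ca(signer_cert, trusted_cas):
        failures.append("untrusted-issuer")
    not_before, not_after = _validity(signer_cert)
    if not (not_before <= now <= not_after):
        failures.append("certificate-expired")
    try:  # recompute the digest of what arrived and compare it with the signed digest
        signer_cert.public_key().verify(signature, body, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        failures.append("content-tampered")
    return failures


def demo():
    """Constructed scenario: one trusted CA, one rogue CA using the same name, one genuine mail and four spoofs."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = make_cert("Example Trusted CA", None, ca_key.public_key(), ca_key, is_ca=True)
    rogue_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    rogue_ca = make_cert("Example Trusted CA", None, rogue_key.public_key(), rogue_key, is_ca=True)
    sender_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sender_cert = make_cert("Example Bank Alerts", ca_cert, sender_key.public_key(), ca_key, email="alerts@example.com")
    expired_cert = make_cert("Example Bank Alerts", ca_cert, sender_key.public_key(), ca_key,
                             email="alerts@example.com", valid_days=(-30, -1))
    rogue_cert = make_cert("Example Bank Alerts", rogue_ca, sender_key.public_key(), rogue_key, email="alerts@example.com")

    msg = EmailMessage()
    msg["From"] = "Example Bank <alerts@example.com>"
    body = b"Your statement is ready.\r\n"  # constructed message body
    sig = sign_body(body, sender_key)
    lookalike = EmailMessage()
    lookalike["From"] = "Example Bank <alerts@example-security.com>"  # lookalike domain, as in the text

    trusted = [ca_cert]
    return {
        "genuine": verify_signed_mail(msg, body, sig, sender_cert, trusted),
        "lookalike_from": verify_signed_mail(lookalike, body, sig, sender_cert, trusted),
        "tampered_body": verify_signed_mail(msg, b"Your statement is ready. Log in here.\r\n", sig, sender_cert, trusted),
        "expired_cert": verify_signed_mail(msg, body, sig, expired_cert, trusted),
        "rogue_ca": verify_signed_mail(msg, body, sig, rogue_cert, trusted),
    }


if __name__ == "__main__":
    for name, failures in demo().items():
        print(f"{name:15s} -> {'valid' if not failures else ', '.join(failures)}")
```

Running `demo()` returns the failure list for each scenario. The lookalike case is the one the page’s visa.com versus visa-security.com example is about: the signature itself verifies, but the address in the “From:” header is not one the CA bound into the certificate, so the client must not show the “valid” cue. The rogue-CA case shows why the issuer check compares keys and not just names.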
