
Cybersecurity: Digital Signing of Email with PGP


What is PGP?

PGP (Pretty Good Privacy) is encryption software used to ensure the authenticity and integrity of a message or document.

It employs two distinct keys, a public one and a private one (public-key, or asymmetric, cryptography).

The public key is used to encrypt messages or files before sending them, while the private key is used to decrypt received messages or to digitally sign messages.

When you “sign” a message with your PGP private key, you are generating a digital signature that is added to the message.

This signature can be verified by anyone who has your PGP public key, confirming that the message came from you and has not been modified between the moment you sent it and the moment it was received.

The technology is open source and freely available for nearly all operating systems.

Since its introduction in 1991, it has become the standard for document and email message signing and encryption.

How Secure is PGP?

PGP offers a high degree of security in information transmission and data protection, using a cryptographic system robust enough that messages and documents signed and encrypted with this tool can be trusted. Its underlying algorithms are assumed to be unbreakable.

Over its 30-year history, some security flaws have surfaced, and they were promptly resolved, largely because the technology is open and anyone can analyze its code.

As with nearly all security systems, its weak point is the human factor, in particular a compromised private key or an error in implementation.

Although it is a relatively easy system to use, it requires a minimum level of technical knowledge and the maintenance of certain basic security habits and protocols.

Without a doubt, it offers an additional layer of security to protect the privacy of online communication. However, it requires users to dedicate more time to establishing a secure working environment: encrypting disks and documents, and verifying the signatures of their contacts.

Advantages of Digitally Signing Emails with PGP

  1. Authenticity: By signing an email with PGP, you're guaranteeing the message came from you. This helps prevent fraud and identity theft.
  2. Integrity: A PGP digital signature also verifies that the contents of the email have not been altered in transit. If someone attempts to modify the message, the digital signature will be invalid.
  3. Does not require encryption: Recipients do not need to use PGP or digital signatures to read a digitally signed message. This means you can send digitally signed emails to anyone, regardless of their email settings.

How to Use PGP in Practice?

This guide assumes you are using the Ubuntu operating system and the Thunderbird mail client, both in their most recent versions.

This guide can apply to other operating systems and mail clients, with some variations.

Step-by-step guide to PGP in Thunderbird

Different versions of Thunderbird may have different menus and options.

  1. Open Thunderbird and go to the “Tools” tab on the menu bar.
  2. Select “Manage Keys” (in some versions it appears as “Configure certificates” or similar) and click on “Generate (new key pair)”.
  3. Enter the requested information (the email address for which you are generating the key) and click on “Generate keys”.
  4. Follow the on-screen prompts.
  5. Select a secure password for your private key and click “Accept” to generate your PGP keys.
  6. Once they are generated, you will find your public key in the “My Keys” section.
  7. Access the “End-to-End Encryption” section found in “Account Settings” and select the public key you have just created. If it doesn't show up, you have the option to “Add Key” and import it.

To sign an email message, compose your message as usual and click on the OpenPGP icon (sometimes a lock, other times a shield) in the Thunderbird toolbar.

It will show options such as “Encrypt” and “Sign”; select “Sign”.

Your message will be signed with your PGP key, and you can send it securely.

To verify a received, PGP-signed email in Thunderbird

When you receive an email signed with PGP, Thunderbird will automatically verify the signature.

If the signature is valid, you will see a green icon on the message. If the signature is invalid, you will see a red icon.

For greater security:

  1. Open the signed email. At the top of the message window, you will see a PGP icon (key, seal, or similar) indicating that the message is signed with PGP.
  2. Click on the icon. If the signature is valid, you will see a message saying “Good signature”. This means that the email comes from the authentic sender and has not been modified in transit. If there are any discrepancies or problems, it will show an error message indicating that the signature is not valid.

This verification allows you to confirm the authenticity of the sender and the integrity of the signed message.
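The same sign-then-verify cycle that Thunderbird performs behind its icons can be reproduced on the Ubuntu command line with GnuPG. The script below is an added example, not code from the article: it assumes the `gpg` binary (GnuPG 2.1 or newer) is installed, runs it inside a throw-away home directory so your real keyring is never touched, creates a signing key for a constructed identity, produces a detached ASCII-armored signature (the `.asc` file), verifies it, and then alters the message to show that the unchanged signature no longer verifies, which is the “Integrity” guarantee described above.

```python
"""Command-line counterpart of the Thunderbird sign-and-verify steps.

Added example, not from the article. Assumes GnuPG 2.1+ is installed as `gpg`
(and `gpgconf` alongside it). Everything happens in a temporary home directory
that is deleted at the end.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed identity for the throw-away key; not a real person or mailbox.
NAME, EMAIL = "Example Signer", "signer@example.invalid"

# Unattended key parameters (gpg --batch --gen-key format). %no-protection means
# no passphrase, acceptable only because the key is discarded afterwards.
KEY_PARAMS = f"""\
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: {NAME}
Name-Email: {EMAIL}
Expire-Date: 0
%no-protection
%commit
"""


def _gpg(home: Path, *args: str):
    """Run gpg non-interactively against the temporary home directory.

    --status-fd 1 makes gpg print machine-readable lines such as
    '[GNUPG:] GOODSIG ...' or '[GNUPG:] BADSIG ...' on stdout.
    """
    cmd = ["gpg", "--batch", "--yes", "--homedir", str(home),
           "--status-fd", "1", *args]
    return subprocess.run(cmd, capture_output=True, text=True)


def sign_and_verify(message: str) -> dict:
    """Sign `message`, verify it, tamper with it, verify again; return the outcomes."""
    home = Path(tempfile.mkdtemp(prefix="pgp-demo-"))  # created mode 0700, as gpg expects
    try:
        params = home / "key-params.txt"
        params.write_text(KEY_PARAMS)
        r = _gpg(home, "--gen-key", str(params))
        if r.returncode != 0:
            raise RuntimeError("key generation failed:\n" + r.stderr)

        msg = home / "message.txt"
        sig = home / "message.txt.asc"
        msg.write_text(message)
        r = _gpg(home, "--local-user", EMAIL, "--armor", "--detach-sign",
                 "--output", str(sig), str(msg))
        if r.returncode != 0:
            raise RuntimeError("signing failed:\n" + r.stderr)
        armored = sig.read_text()

        good = _gpg(home, "--verify", str(sig), str(msg))

        # Simulate modification in transit: the .asc is unchanged, the text is not.
        msg.write_text(message + " (altered in transit)")
        bad = _gpg(home, "--verify", str(sig), str(msg))

        return {
            "armored_signature": armored,
            # A detached signature carries no copy of the message text.
            "signature_contains_message": message in armored,
            "original_verified": good.returncode == 0 and "[GNUPG:] GOODSIG" in good.stdout,
            "tampered_verified": bad.returncode == 0 and "[GNUPG:] GOODSIG" in bad.stdout,
            "tampered_status": "BADSIG" if "[GNUPG:] BADSIG" in bad.stdout else "no GOODSIG",
        }
    finally:
        # Stop the agent gpg started for this home directory, then delete it.
        subprocess.run(["gpgconf", "--homedir", str(home), "--kill", "gpg-agent"],
                       capture_output=True)
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    outcome = sign_and_verify("Invoice total: 100 EUR. Please pay by Friday.")
    print(outcome["armored_signature"])
    for key in ("signature_contains_message", "original_verified",
                "tampered_verified", "tampered_status"):
        print(f"{key}: {outcome[key]}")
```

The `BADSIG` status line on the altered copy is exactly what Thunderbird turns into its red “signature is not valid” indicator; the signature itself was never touched, only the text it covers.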

What is the .asc File Included in PGP-Signed Messages?

The .asc file attached to PGP-signed messages contains the digital signature of the message.

It's important to note that the .asc file does not contain the message content itself, but only the digital signature.
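To make concrete what the `.asc` attachment does and does not contain, the script below is an added example, not code from the article. It builds a constructed OpenPGP signature packet with placeholder key and hash bytes (so it is not a verifiable signature), wraps it in the ASCII armor that `.asc` files use, and then parses the armor back: it checks the CRC-24 trailer that protects the attachment against corruption and decodes the signature packet's fields as laid out in RFC 4880 (version, signature type, public-key and hash algorithms, creation time, issuer key ID). The parser handles only the one-octet packet and subpacket lengths this sample needs; that limitation is marked in the code.

```python
"""Build and inspect a detached PGP signature in ASCII armor (an .asc attachment).

Added example, not from the article. The packet is constructed with dummy MPI
and hash bytes purely to show the envelope and field layout (RFC 4880).
"""
import base64
import struct

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}


def crc24(data: bytes) -> int:
    """RFC 4880 section 6.1 armor checksum."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(packet: bytes) -> str:
    """Wrap raw packet bytes in a PGP SIGNATURE armor block with its CRC-24 trailer."""
    body = base64.b64encode(packet).decode()
    lines = [body[i:i + 76] for i in range(0, len(body), 76)]
    check = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP SIGNATURE-----", "", *lines, "=" + check,
                      "-----END PGP SIGNATURE-----", ""])


def build_demo_signature_packet() -> bytes:
    """Constructed v4 signature packet (tag 2); key ID, hash prefix and MPI are dummies."""
    creation = b"\x05\x02" + struct.pack(">I", 1700000000)                  # subpacket 2: creation time
    issuer = b"\x09\x10" + bytes.fromhex("0123456789ABCDEF")                # subpacket 16: issuer key ID
    body = (b"\x04"                                   # version 4
            + b"\x01"                                 # type 0x01: canonical text document
            + b"\x01"                                 # public-key algorithm 1: RSA
            + b"\x08"                                 # hash algorithm 8: SHA-256
            + struct.pack(">H", len(creation)) + creation   # hashed subpackets
            + struct.pack(">H", len(issuer)) + issuer       # unhashed subpackets
            + b"\xAB\xCD"                             # left 16 bits of the hash (dummy)
            + struct.pack(">H", 16) + b"\xFF\xFF")    # one MPI: 16-bit dummy RSA value
    return b"\x88" + bytes([len(body)]) + body        # old-format header: tag 2, one-octet length


def dearmor(text: str) -> bytes:
    """Strip the armor, verify the CRC-24 trailer, return the packet bytes."""
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNATURE-----")
        end = lines.index("-----END PGP SIGNATURE-----")
    except ValueError:
        raise ValueError("not an armored PGP signature")
    block = lines[start + 1:end]
    if "" in block:
        block = block[block.index("") + 1:]          # skip armor headers (Version:, Comment:)
    data = base64.b64decode("".join(l for l in block if not l.startswith("=")))
    check = [l for l in block if l.startswith("=")]
    if check:
        expected = int.from_bytes(base64.b64decode(check[0][1:]), "big")
        if expected != crc24(data):
            raise ValueError("armor checksum mismatch (corrupted or edited attachment)")
    return data


def armor_checksum_ok(text: str) -> bool:
    """True if the armor decodes and its CRC-24 matches the data."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


def parse_subpackets(buf: bytes) -> dict:
    """Map subpacket type -> data. Only one-octet subpacket lengths (< 192) are handled."""
    out, i = {}, 0
    while i < len(buf):
        length = buf[i]
        i += 1
        if length >= 192:
            raise ValueError("long subpacket lengths not handled in this example")
        out[buf[i]] = buf[i + 1:i + length]           # length counts the type octet
        i += length
    return out


def parse_signature(asc_text: str) -> dict:
    """Decode the fields of a v4 signature packet from an armored .asc text."""
    data = dearmor(asc_text)
    ctb = data[0]
    if not ctb & 0x80 or data[1] >= 192:
        raise ValueError("unsupported packet header (only one-octet lengths handled here)")
    tag = ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F   # new vs old packet format
    body = data[2:2 + data[1]]
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    version, sig_type, pk_algo, hash_algo = body[0], body[1], body[2], body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = parse_subpackets(body[6:6 + hashed_len])
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = parse_subpackets(body[p + 2:p + 2 + unhashed_len])
    p += 2 + unhashed_len
    issuer = hashed.get(16) or unhashed.get(16)
    created = hashed.get(2)
    return {
        "tag": tag,
        "version": version,
        "signature_type": SIG_TYPES.get(sig_type, hex(sig_type)),
        "public_key_algorithm": PUBKEY_ALGOS.get(pk_algo, str(pk_algo)),
        "hash_algorithm": HASH_ALGOS.get(hash_algo, str(hash_algo)),
        "created": struct.unpack(">I", created)[0] if created else None,
        "issuer_key_id": issuer.hex().upper() if issuer else None,
        "hash_prefix": body[p:p + 2].hex(),
        "packet_octets": len(data),
    }


if __name__ == "__main__":
    asc = armor(build_demo_signature_packet())
    print(asc)
    for k, v in parse_signature(asc).items():
        print(f"{k}: {v}")
```

Everything the parser recovers is metadata about the signature (who signed, when, with which algorithms) plus the signature value itself; there is no field for the message, which is why a recipient without PGP can still read the mail body while the `.asc` attachment means nothing to them.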