Digital Signatures Question - Outlook 2003

MKielman

I recently began using digital signatures in Outlook and noticed that I
can edit a digitally signed message but the digital signature still
appears to be valid. I understand that I can check the original Sent
date and Modified date but shouldn't the digital signature no longer be
valid?

Thanks!
 
Brian Tillman

MKielman said:
I recently began using digital signatures in Outlook and noticed that
I can edit a digitally signed message but the digital signature still
appears to be valid. I understand that I can check the original Sent
date and Modified date but shouldn't the digital signature no longer
be valid?

Do you mean you can edit the message in your Inbox? That seems normal to
me. The signature is relevant to the sending address not to the content of
the message. It's not like it's a checksum or anything. My understanding
is that a digital signature tells you that the original message came from
the person the sender claims to be (and allows you to send encrypted mail to
that address), not that the content of the message has any validity. You
couldn't forward that message, for example, and use the attached signature
to pretend to be the original sender.
 
MKielman

Brian,

Yes I can edit it in my Inbox. However, my understanding is that digital
signatures also provide message integrity. If I were to send you a
signed message, I am simply taking a hash of that message and using my
private key to encrypt it. You would then use my Public key to decrypt
the hash to verify that it was me then you could use the hash to prove
that the message has not been altered. I just assumed that when I
receive a signed message and the certificate shows as being valid, that
I successfully decrypted the signed hash AND that I used the hash to
verify message integrity. Is this not what Outlook does? I understand
that I am unable to forward a signed message using that signature but I
shouldn't be able to edit a signed message in my Inbox and have the
signature continue to be valid.

See this link:

http://www.microsoft.com/technet/pr...7c5-89d4-4e15-9300-5fc355ea83a4.mspx?mfr=true

Please advise,
Megan
 
Brian Tillman

MKielman said:
Yes I can edit it in my Inbox. However, my understanding is that digital
signatures also provide message integrity. If I were to send you a
signed message, I am simply taking a hash of that message and using my
private key to encrypt it. You would then use my Public key to decrypt
the hash to verify that it was me then you could use the hash to prove
that the message has not been altered.

Digitally signing a message is completely distinct from encrypting it and in
public key encryption, you encrypt a message using your recipient's public
key, not your private key.

I just assumed that when I
receive a signed message and the certificate shows as being valid,
that I successfully decrypted the signed hash AND that I used the hash
to verify message integrity. Is this not what Outlook does? I
understand that I am unable to forward a signed message using that
signature but I shouldn't be able to edit a signed message in my
Inbox and have the signature continue to be valid.

See this link:

http://www.microsoft.com/technet/pr...7c5-89d4-4e15-9300-5fc355ea83a4.mspx?mfr=true

Read what that link says:

"Data integrity An additional security service that digital signatures
provide is data integrity. Data integrity is a result of the specific
operations that make digital signatures possible. With data integrity
services, when the recipient of a digitally signed e-mail message validates
the digital signature, the recipient is assured that the e-mail message that
is received is, in fact, the same message that was signed and sent, and has
not been altered while in transit. Any alteration of the message while in
transit after it has been signed invalidates the signature. In this way,
digital signatures are able to provide an assurance that signatures on paper
cannot, because it is possible for a paper document to be altered after it
has been signed."

Note that it says "in transit", not "after the message has been received".
A digital signature guarantees that the message arrived intact, not that you
can't alter it once you have it.
 
MKielman

Brian said:
Digitally signing a message is completely distinct from encrypting it
and in public key encryption, you encrypt a message using your
recipient's public key, not your private key.


I understand the difference between digital signatures and encryption.
For your understanding, the sender's private key is used to digitally
sign messages.

Read what that link says:

"Data integrity An additional security service that digital signatures
provide is data integrity. Data integrity is a result of the specific
operations that make digital signatures possible. With data integrity
services, when the recipient of a digitally signed e-mail message
validates the digital signature, the recipient is assured that the
e-mail message that is received is, in fact, the same message that was
signed and sent, and has not been altered while in transit. Any
alteration of the message while in transit after it has been signed
invalidates the signature. In this way, digital signatures are able to
provide an assurance that signatures on paper cannot, because it is
possible for a paper document to be altered after it has been signed."

Note that it says "in transit", not "after the message has been
received". A digital signature guarantees that the message arrived
intact, not that you can't alter it once you have it.

Thanks.
 
Brian Tillman

MKielman said:
I understand the difference between digital signatures and encryption.
For your understanding, the sender's private key is used to digitally
sign messages.

I'm aware of that. You're the one who brought up encryption.
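
Added example, not part of the original thread: a simplified hash-then-sign model in Python of the check discussed above, showing that re-running verification against an edited body, or against a different message carrying the same signature, fails. It assumes textbook RSA with a constructed, insecure demo key and no padding or S/MIME encoding; all names are hypothetical and it makes no claim about what Outlook does internally.

```python
import hashlib

# Constructed demo key, NOT secure: both primes are public Mersenne primes.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                       # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent, sender only


def digest(body: bytes) -> int:
    """SHA-256 of the message body as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(body).digest(), "big")


def sign(body: bytes) -> int:
    """Sender: hash the body, then apply the private-key operation."""
    return pow(digest(body), D, N)


def verify(body: bytes, signature: int) -> bool:
    """Recipient: recover the signed hash with the public key and compare it
    with a hash recomputed over the body as it exists right now."""
    return pow(signature, E, N) == digest(body)


def recheck_mail_store(store: dict) -> dict:
    """Re-run verification over every stored (body, signature) pair."""
    return {name: verify(body, sig) for name, (body, sig) in store.items()}


# Constructed sample messages.
SENT = b"Please wire 100 USD to account 12345."
SIG = sign(SENT)
STORE = {
    "as_received": (SENT, SIG),
    "edited_in_inbox": (b"Please wire 900 USD to account 12345.", SIG),
    "signature_reused": (b"A different message entirely.", SIG),
}

if __name__ == "__main__":
    for name, ok in recheck_mail_store(STORE).items():
        print(f"{name:18} signature valid: {ok}")
```

The result of a verification only describes the bytes that were hashed at the time it ran, so a status shown for a stored message is meaningful only if it is recomputed over the current content.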
 
