Electronic signature technology uses various encryption methods, but its principle can be explained simply using the well-known RSA (Rivest-Shamir-Adleman) public key system as an example. RSA is based on the mathematical assumption that factoring a very large number into its prime factors is computationally infeasible. It derives two keys from a pair of large prime numbers: one is published as the public key and the other is kept as the private key. Because the two keys are complementary, ciphertext encrypted with the public key can be decrypted only with the private key, and vice versa. A mail sender therefore only needs to encrypt the mail with the recipient's public key; only the recipient, who holds the matching private key, can decrypt and read it. This keeps the mail from being read by any third party: even if it is intercepted in transit, its contents are not disclosed.
When a user signs an e-mail with his e-certificate, a value that can be used to check the integrity of the e-mail is computed from its content, encrypted with the private key in the e-certificate, and sent out together with the public key and the content of the e-mail. This value comes from a digest function, which produces a fixed-length digest from data of any size and gives a different result if even one bit of the input changes. Because only the corresponding public key can decrypt what the private key encrypted, any change to the content of the mail will no longer match the original integrity-check value. When the recipient receives the e-mail, he can therefore tell whether its content has been tampered with, and at the same time can see which e-certificate the sender used. Because an authoritative third-party certificate authority verifies that the applicant has the right to use the e-mail address before issuing the e-certificate, the recipient can also verify the sender's e-certificate through the certificate authority (see figure 1) and confirm that the e-mail really comes from the user of that e-mail address. This authenticates both the sender and the integrity of the e-mail content.
Electronic signature technology is complicated internally, but it is very convenient to use. Whether it is signing, encryption or decryption, the specific steps are carried out by the e-mail client software. At present, mainstream e-mail client software such as FoxMail, Outlook Express and Outlook all support it. You only need to apply for an e-cert and specify in the e-mail client software which e-cert is used for each e-mail address. When you need to sign or encrypt an e-mail you are sending, just click the corresponding button. When an e-mail with an electronic signature is received, verifying its integrity and decrypting it are likewise completed automatically by the e-mail client software.
Use examples
When using e-mail security technology for the first time, you must spend some time applying for and installing an e-cert and configuring your e-mail client software. This process may be a bit cumbersome, but compared with the security of your e-mail communication, the time is well spent. Here, Thawte is taken as an example to introduce the whole process.
Registration unfreezing
After registering in www.thawte.com, you can use the free electronic signature service provided by this website.
First, open Thawte's homepage in a browser, point the mouse to "Products" in the middle navigation bar, and click "Free Personal Email Certificate" in the pop-up shortcut menu (as shown in Figure 2) to enter the personal e-mail certificate page; then click the red "Join" at the top of the page to open the registration page. Before registering, note that almost all Web programs on Thawte use the ".exe" extension. Therefore, if a download tool such as FlashGet is installed on your system and set to capture downloads automatically based on the file extension, you need to temporarily configure the download software not to monitor clicks in the browser.
Thawte provides a wizard-like registration page, in which several points need special attention. First, the second step of the registration wizard will ask you to select, in the "Charset For Text Input" drop-down menu, the language in which you will enter your personal information; it is recommended to enter your personal information in English to avoid mistakes in certificate processing later. In the fourth step, don't choose the Chinese option; just keep the default "Use my browser settings" and click "Next" to go on. Secondly, in the sixth step of the registration wizard, you will be asked to enter your phone number and set up several questions and answers used to verify your identity if you forget your password. You can answer the questions set by the website or set your own, but the total number of questions cannot be less than 5, otherwise you cannot proceed to the next step.
After setting all the registration options, the registration wizard will prompt "E-mail message has been sent" and inform you that you need to receive a verification e-mail from the website and follow the prompts in it to prove that you really have the right to use the e-mail address. Check your mailbox for the verification e-mail sent by Thawte, open the link "/cgi/enroll/personal/step8.exe" specified in the e-mail with a browser, enter the corresponding values from the e-mail in the two input boxes "Probe" and "Ping" on the page, and then click "Next" to complete the registration step.
Apply for e-cert
After the registration is completed, you need to apply for an electronic certificate. For an electronic signature, the most important thing is to have an electronic certificate to prove the authenticity of the signature.
To apply for an e-cert, click "Next" on the registration page, or return to the homepage of the website, click "Login" on the personal e-cert page again, and log in with the account you just registered in the website's login window (see Figure 3). The first login to the website automatically navigates to the certificate application page. Click Apply on the certificate request page to open the certificate request wizard. The certificate application wizard has many steps, but as long as you keep clicking "Next" you can use the default options. The only thing to note is that when you reach the step of configuring X.509v3 certificate extensions, two buttons will appear; click the "Accept" button under "Accept Default Extension" to select the default configuration. When the application wizard finally completes, a dialog box will pop up asking you to confirm whether to apply for an e-cert on the current website.
During the certificate application, the website will ask you to choose the e-mail addresses to be included. Since this is your first application, by default the website only generates a certificate for the e-mail address you filled in when registering, but in fact you can include multiple e-mail addresses in one e-certificate.
Install e-cert
After applying for an electronic certificate, you need to install one on your computer so that the electronic signature system can work normally.
After applying for a certificate, return to the interface shown when you first logged in, click "CERTIFICATES", click the not-yet-installed certificate shown as "Pending" in the status column, and click "Fetch" at the bottom of the certificate details page. The website will go to the "Install Your MSIE Certificate" page; click "Install Your Certificate" to start installing the certificate you just applied for on your system. During installation, the Create RSA Exchange Key dialog box will be displayed, asking you to confirm the security level protecting the private key. By default the level is medium, which means the e-mail client software needs your approval before it uses the private key of the e-certificate. If necessary, you can click "Set Security Level" in the dialog box to change the protection level to high, which requires a password for every use. In addition, during installation the system will pop up a dialog box twice asking you to confirm installing the certificate on the current system.
Set up mail client software
After obtaining the e-certificate, you need to set relevant options in the e-mail client software you use, and then you can use the e-certificate to sign or encrypt the e-mail. The following will introduce the settings and usage methods on FoxMail, Outlook Express and Outlook respectively.
(1) FoxMail
In FoxMail, you only need to select Account * Account Properties * Security * Select, tick the check box in front of the Thawte certificate name in the pop-up Select Certificate dialog box, and click OK to return to the Account Properties dialog box. You will find information about the certificate displayed on the right (see Figure 4). Click "OK" to close Account Properties and save the settings. From then on you can sign with your own e-cert using the "Signature" and "Encryption" buttons on the toolbar of the mail editing window, or encrypt the mail with the recipient's certificate.
(2) Outlook
In Outlook, select Tools * Options and switch to the Security tab. In the Encrypted Mail section at the top of the Security tab, check boxes let you choose whether all outgoing messages should be encrypted or signed. Click the "Settings" button next to "Default Settings", then click "Select" in the pop-up "Change Security Settings" dialog box (see Figure 5) to specify the e-certificate used for encryption and signing, change the encryption algorithm, and choose whether to send your e-certificate with signed e-mail. After this is set, when editing a message in Outlook you can use "Signature" and "Encryption" on the toolbar of the message editing window to sign with your own e-certificate or encrypt the message with the recipient's certificate.
(3) Outlook Express
In Outlook Express, select Tools * Options and switch to the Security tab. In the Secure Mail section of the Security tab you can choose whether all outgoing messages should be encrypted or signed. Click "Settings" next to it to make more detailed settings in the pop-up "Advanced Security Settings" dialog box (see Figure 6): whether to automatically verify the validity of the certificate when you receive an electronically signed e-mail, and whether to add the other party's electronic certificate to the address book so that you can send encrypted e-mail to that person later. After the settings are completed, when you edit a message in Outlook Express you can use the "Sign" and "Encrypt" buttons on the toolbar of the message editing window to sign with your own e-certificate or encrypt the message with the recipient's certificate.
Send and receive secure mail
After completing the above steps you are done and can use electronic signatures in your e-mail, which makes your e-mail system more secure.
Signing outgoing mail is very simple. While setting up the mail client software you can choose to sign all outgoing mail, or, once the certificate is configured, click "Sign" when editing a message. When the recipient receives a signed or encrypted secure e-mail, signed and encrypted messages are shown in the inbox with different icons. When the message is opened, the software first displays the help page for secure e-mail, on which any problems found with the message are described in detail (see Figure 7). If there is a problem with the secure e-mail, a notice such as "security warning" may appear in the message to inform the user that the e-mail has been tampered with or does not come from the claimed sender. Click File * Properties in the message viewing window; in the message properties window you can view the e-mail address of the e-certificate the sender used for the electronic signature, the status of that certificate, the e-certificate used for encryption, the encryption algorithm and other related information.
When a recipient receives an e-mail you signed with your e-certificate, their e-mail client software can obtain your certificate automatically, or they can click "Install Certificate" under the e-certificate when viewing the signature to install your certificate on their own system. Afterwards they can use that e-certificate to encrypt e-mail sent to you. In the same way, you need the recipient's e-certificate to send them encrypted e-mail, so when setting up the e-mail client it is generally best to select the relevant options so that the software installs the certificate automatically whenever it receives an e-mail signed with an e-certificate. When you receive an encrypted e-mail, the operation is very simple: the software automatically asks you to confirm that it may decrypt with your private key, and you just click "Confirm" to read the e-mail.
Certificate management
The e-cert installed on your computer is part of your private information. You must protect and manage it well, otherwise the security measures are useless.
When you receive encrypted mail, decrypting it takes only one click, but only if the electronic certificate containing the private key has been installed on that system. Therefore, if you use several computers, you need to install the electronic certificate on each of them, as follows. In Outlook Express, select Options * Security * Digital ID; or in Outlook, when you click Select to specify a certificate for encryption and signing, Certificate Manager runs and opens the Certificates window (see Figure 8). In the Certificates window you can not only view and select certificates but also manage them. Click the name of Thawte's e-certificate in the Personal column of the Certificates window, then click Export to export the e-certificate to a file; then import that file on the other computers through Import in Certificate Manager, after which you can use the e-certificate there. A contact's e-cert can be imported and exported in the same way, so that you can still send encrypted e-mail to that person from different computers.
In addition, you can log in to the Thawte personal mail certificate page, select "Certificate * View Certificate Status", click the e-certificate you are currently using, and repeat the certificate installation steps to install the certificate on the new computer. However, you must protect your e-cert carefully and try to use it only on your personal computers. If you really need to install the electronic certificate on a computer that others may have access to, change the protection level of the private key to high, so that a password is required every time the private key is used, and delete the certificate through Certificate Manager after use.
If the certificate may have fallen into someone else's hands, you should also consider revoking it and applying for a new one.