
Why everyone should sign digital documents


E-mail and electronic documents have become a normal part of today's business. Unfortunately, signing those documents using digital signatures is still relatively rare.

Why should everyone sign e-mail and other forms of electronic communication?

The problem is that forging messages is ridiculously easy in today's technical environment. Take word-processing documents, for example. The properties sheet can be filled out any way you want; it is simple to enter somebody else's name or somebody else's company in the appropriate fields. Send such a document to a recipient who assumes that the identification of the author must be correct, and you can have a real problem.

In a famous case from the 1990s, a secretary at a large firm complained of sexual harassment. As evidence of systematic discrimination, she presented e-mail from the company system showing that her boss had fired her to protect the CEO against her claims of sexual harassment. The e-mail was convincing enough to win a $100,000 settlement from the company. However, a few months later, records of her boss' cellular phone calls strongly suggested that he had not been in the office when the incriminating e-mail had been written. It turned out that the secretary possessed her boss' e-mail account password; she was convicted of perjury for having forged that incriminating message using her boss' e-mail account.

One obvious lesson is that absolutely nobody should have anyone else's e-mail account password. If one of your users needs to let someone else read and answer their e-mail, you should arrange for proxy privileges so that the colleague can help without being able to forge e-mail.

Another problem that facilitates forgery is the ease with which anyone can forge e-mail headers for Internet delivery. Spammers do this all the time; junk e-mail arrives from countries all over the world - at least, so the headers would fraudulently indicate. Some criminals use easy forgery to cause trouble for their victims; they insert someone else's reply addresses in offensive or annoying e-mail so that recipients effectively mail bomb innocent people.

There was a case in Texas a few years ago where a clueless junk mailer called Craig Nowak stupidly used the reply address "" in his junk e-mail. As a result, the legitimate firm received over 5,000 e-mail messages complaining about the junk. The company's angry CEO Tracy LaQuey Parker sued Nowak and won a $19,000 judgment against him for damage to her company's good name.

Until we see authentication integrated into TCP/IP, it will be difficult to prevent criminals from forging e-mail sent through the 'Net. However, with a little effort, it is possible to make life harder for forgers. Wherever possible, everyone should sign their electronic messages using a digital signature.

There are many products available that allow every message to be signed so that its integrity and authenticity can be confirmed. Personally, I have used Pretty Good Privacy (PGP) for many years and sign my messages so that anyone can check to see that they are unchanged and really mine. Because I use digital signatures consistently, I could reasonably repudiate any message that is not digitally signed with my PGP private key.

I also accept that I will not be able to repudiate authorship of these messages. However, honest people need have no fear of nonrepudiation. As long as I can be sure that no one has compromised the pass phrase that protects my PGP private key, I can be sure that no one will successfully forge communications in my name.
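The check a recipient performs can be sketched as follows. This is an added example, not code from the article or from PGP: textbook RSA over a SHA-256 hash stands in for a PGP signature, and the key, addresses and messages are constructed for illustration (the key is deliberately weak and unsuitable for real use).

```python
import hashlib
import json

# Constructed demo key built from two well-known Mersenne primes. It is
# trivially factorable: a teaching stand-in for a PGP key pair, nothing more.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (kept by the signer)

def digest(msg):
    """Hash the sender, subject and body together, unambiguously encoded."""
    fields = json.dumps([msg["From"], msg["Subject"], msg["Body"]])
    return int.from_bytes(hashlib.sha256(fields.encode()).digest(), "big")

def sign(msg, d=D, n=N):
    """Return a copy of msg carrying a signature made with the private key."""
    return dict(msg, Signature=format(pow(digest(msg), d, n), "x"))

def verify(msg, e=E, n=N):
    """Classify a message using only the claimed sender's public key."""
    sig = msg.get("Signature")
    if sig is None:
        return "unsigned"              # the From header alone proves nothing
    return "valid" if pow(int(sig, 16), e, n) == digest(msg) else "invalid"

def demo():
    genuine = sign({"From": "alice@example.com", "Subject": "Status",
                    "Body": "The review is scheduled for Friday."})
    altered = dict(genuine, Body="The review is cancelled.")
    unsigned_forgery = {"From": "alice@example.com", "Subject": "Notice",
                        "Body": "You are dismissed."}
    replayed = dict(unsigned_forgery, Signature=genuine["Signature"])
    return {name: verify(m) for name, m in [
        ("genuine", genuine), ("altered", altered),
        ("unsigned_forgery", unsigned_forgery), ("replayed", replayed)]}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17} {verdict}")
```

Only the message signed with the private key verifies; an altered body, an unsigned message bearing the same From line, and a forgery carrying a signature copied from a genuine message are all rejected.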

There are still problems preventing widespread acceptance of digital signatures. For one thing, most signature software tools do not successfully interoperate with each other. For another, the tools fail to support all e-mail packages.

I urge producers of popular cryptographic software to ensure that competing products can verify their digital signatures. I also hope that digital signatures will become completely automatic for users of popular e-mail and document preparation software.

M. E. Kabay, Ph.D., CISSP, is Security Leader, INFOSEC Group, at Adario, Inc. He can be reached at Adario specializes in all aspects of information security consulting and training, including e-commerce, enterprise security policies and communications security.


Check out the new "Computer Security Handbook, 4th Edition" edited by Seymour Bosworth and Michel E. Kabay; Wiley (New York), ISBN 0-4714-1258-9. Available now at your technical bookstore or visit Amazon.

M. E. Kabay, Ph.D., CISSP is Associate Professor of Information Assurance in the Department of Computer Information Systems at Norwich University in Northfield, Vt. Mich can be reached by e-mail by clicking here. He invites inquiries about his information security and operations management courses and consulting services. Visit his Web site for papers and course materials on information technology, security and management.

E-mail security products to launch at RSA show
Network World, 01/17/00.

The Uniform Electronic Transactions Act
Network World, 01/17/00.

Protecting electronic transactions
Network World, 01/12/00.

Digital watermarking
Network World, 01/03/00.

Archive of Network World on Security newsletters
