Digital Signatures and message encryption for email are implemented directly in the email client software, following the S/MIME standard.
Both S/MIME message encryption and Digital Signatures are based on encryption technologies. Encrypting the message body renders the body, and any Digital Signature it carries, completely unreadable to anyone except the intended recipients. The diagram below shows how the encryption process generates a one-time Symmetric Key (also called a Session Key) that encrypts the message body.
The Symmetric Key is then encrypted with each recipient’s public key, so that only that recipient can decrypt the Symmetric Key. The message is then sent. On the recipient’s end, the Private Key is used to decrypt the Symmetric Key, which in turn is used to decrypt the message. This process is transparent to the user and requires no interaction between the clients. Symmetric encryption is much faster than asymmetric encryption, which is why the bulk data (the message body) is encrypted symmetrically and asymmetric encryption is used only for the short Symmetric Key.
The diagram on the following page illustrates the message encryption and decryption process. Its four main steps are as follows:
1. The message is encrypted with the Session Key.
2. The Session Key is encrypted with the recipient’s public key.
3. After the encrypted message is received, the recipient decrypts the Session Key with the recipient’s Private Key.
4. The message is decrypted with the Session Key.
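The four steps above, carried through in code as an added example (this is not code from the page or from any S/MIME implementation). The page names no particular algorithms, so the example assumes AES-256-GCM for the message body and RSA-OAEP for wrapping the Session Key for each recipient; the recipient list, key slot index and sample message body are constructed for illustration. It also shows the property the text relies on: a party who was not a recipient cannot recover the Session Key, and therefore cannot read the body.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is a constructed stand-in for an S/MIME enveloped message: the body
// encrypted under the one-time Session Key, plus one copy of that key per
// recipient, each wrapped with that recipient's public key.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys [][]byte // same order as the recipient list given to sealMessage
}

// sealMessage performs steps 1 and 2 on the sender's side.
func sealMessage(body []byte, recipients []*rsa.PublicKey) (*Envelope, error) {
	// Step 1: a fresh 256-bit AES Session Key, used for this message only.
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, body, nil)}

	// Step 2: wrap the Session Key with every recipient's public key (RSA-OAEP).
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys = append(env.WrappedKeys, wrapped)
	}
	return env, nil
}

// openMessage performs steps 3 and 4 for the recipient whose wrapped key sits at idx.
func openMessage(env *Envelope, idx int, priv *rsa.PrivateKey) ([]byte, error) {
	// Step 3: only the holder of the matching Private Key recovers the Session Key.
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKeys[idx], nil)
	if err != nil {
		return nil, fmt.Errorf("session key unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Step 4: decrypt the body; GCM also rejects a ciphertext altered in transit.
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// roundTrip seals a constructed body for two recipients and reports whether both
// recover it and whether a third party holding an unrelated key fails.
func roundTrip() (bool, bool, error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	eve, err := rsa.GenerateKey(rand.Reader, 2048) // constructed: not a recipient
	if err != nil {
		return false, false, err
	}
	body := []byte("Constructed sample body: the Q3 report is attached.")
	env, err := sealMessage(body, []*rsa.PublicKey{&alice.PublicKey, &bob.PublicKey})
	if err != nil {
		return false, false, err
	}
	gotAlice, errA := openMessage(env, 0, alice)
	gotBob, errB := openMessage(env, 1, bob)
	bothRecover := errA == nil && errB == nil && bytes.Equal(gotAlice, body) && bytes.Equal(gotBob, body)
	// Eve has no wrapped key of her own; trying Alice's slot fails at step 3.
	_, errEve := openMessage(env, 0, eve)
	return bothRecover, errEve != nil, nil
}

func main() {
	both, outsiderFails, err := roundTrip()
	fmt.Println("recipients recover body:", both, "outsider fails:", outsiderFails, "err:", err)
}
```

Note the asymmetry the text describes: the body, however large, is encrypted once with the fast symmetric cipher, and only the 32-byte Session Key goes through the slow RSA operation, once per recipient.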
When you add a Digital Signature to a message, a hash value of the message contents is computed. No User Keys are involved in computing the hash, and the hash itself identifies no one; it is only a small, unique digital fingerprint of the message. This hash value is then encrypted with the sender’s Private Key and can be decrypted with the public key found in the sender’s certificate.
The recipient decrypts the original hash value with the sender’s public key, which might be sent with the signed message or can be found in the sender’s certificate. Your client verifies signatures; for messages that are both signed and encrypted, it decrypts the message first. The client then computes a new hash value from the text received and compares it to the original hash value. If they match, you can trust the content’s integrity and the sender’s identity.
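The sign-and-verify flow of the last two paragraphs, as an added example rather than code from the page. It assumes SHA-256 for the message hash and RSA PKCS#1 v1.5 for the signature, the scheme that most directly matches the page's description of the hash being encrypted with the sender's Private Key; certificate handling is left out, so the verifier is handed the sender's public key directly, and the message texts are constructed. Beyond the genuine case, it shows the two failures a client must catch: a message altered after signing, and a signature checked against a key that does not belong to the claimed sender.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signMessage hashes the message contents, then signs the digest with the
// sender's Private Key. The key plays no part in computing the hash itself.
func signMessage(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyMessage recomputes the hash over the text actually received and checks it
// against the hash recovered from the signature with the sender's public key.
func verifyMessage(pub *rsa.PublicKey, message, sig []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// signatureDemo returns the verification result for the unmodified message, for a
// message altered in transit, and for the same message checked against the wrong key.
func signatureDemo() (genuine, tampered, wrongSender bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048) // constructed: an unrelated key pair
	if err != nil {
		return false, false, false, err
	}
	message := []byte("Constructed sample: the meeting moves to 3 pm.")
	sig, err := signMessage(sender, message)
	if err != nil {
		return false, false, false, err
	}
	genuine = verifyMessage(&sender.PublicKey, message, sig)

	// One changed character changes the recomputed hash, so the comparison fails.
	altered := []byte("Constructed sample: the meeting moves to 4 pm.")
	tampered = verifyMessage(&sender.PublicKey, altered, sig)

	// A public key that did not produce the signature recovers no matching hash.
	wrongSender = verifyMessage(&impostor.PublicKey, message, sig)
	return genuine, tampered, wrongSender, nil
}

func main() {
	genuine, tampered, wrongSender, err := signatureDemo()
	fmt.Println("genuine:", genuine, "tampered:", tampered, "wrong sender:", wrongSender, "err:", err)
}
```

The "sender's identity" part of the page's last sentence rests on the verifier trusting that the public key really belongs to the sender, which is the job of the certificate the page mentions; this example only covers the integrity and key-binding checks themselves.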