About email

Since early childhood we have been used to postmen bringing letters with good news in their tightly packed bags, so we expect only good things from mail.

Then we receive night telegrams bringing bad news, and we start to await new mail with foreboding. However, we still trust what we get by mail. As for blackmail messages, letters from swindlers alleging they are serving in the army in a distant country together with your son, stolen or poison-pen letters: stuff like this happens only in detective stories. Or in soap operas.

That is why people fall for swindlers so easily.

The same threats apply to email messages, and to a greater extent.

To a greater extent because when we get an email message, we have no information about the sender except for the account and return address, which may be false. Of course, we can call the person named as the sender and ask whether he or she actually sent the email and wrote the text we received, or whether the message was altered en route. But in that case there is no point in using email at all; we can simply call our friends instead.

Today email clients include cryptographic options intended to assure users of reliability. Any user can now easily encrypt email messages or sign them electronically by generating a key pair and obtaining a certificate by means of the program itself.

Does correspondence become more reliable when you use such options?

To make sure that a message with an electronic signature is authentic (to verify its sender and integrity), you need to verify the signature on the message.

Let us now analyze what is confirmed, and who confirms it, when the letter is signed by means of the operating system installed on the computer, using keys generated by and stored in that same system, while the authenticity of the signature is verified against a certificate issued by and stored in the same system.

Even if we are sure that the default applications run properly and have not been tampered with by intruders, we can confirm only how the letter was sent: from this computer and using this account. In this case, the certificate and keys bear no relation to the person.

Do such manipulations make sense? In addition to sending messages on my behalf signed with my electronic signature, anyone using my computer when I am away can also read my encrypted letters (unless I have deleted them from the Sent folder) as well as encrypted letters in the Incoming folder.

At the same time, I cannot use my certificates with the email client on someone else's computer (even if I use the same email account) without extra manipulations, which, in addition to being quite complicated, impair security (I will have to copy the keys and certificate to a disk, which can be stolen).

Things are different when you use SHIPKA PCDST. You can generate keys using SHIPKA, and they will be stored in the device instead of on your computer. You can obtain certificates from certification authorities or issue self-signed certificates, storing them directly in the device. Because you carry this information with you rather than leaving it on any computer, you can use it on different computers.

Moreover, no one will be able to send a message signed "by you" or read your encrypted mail (whether from the Sent or Incoming folders) when you are away.

With SHIPKA PCDST, you can work this way in the Outlook, Outlook Express and The Bat! email clients, both through CSP (Microsoft Cryptographic Service Provider interface) settings and through PGP based on the PKCS#11 interface.

Even if you happen to have left your SHIPKA near the computer, no one will be able to use it without knowing the PIN code.

This means that when using SHIPKA PCDST to protect your email, you can be sure that what is protected is your correspondence with your friends and colleagues, not correspondence between your computer and their computers.