Securing your Email – Understanding Public Key and Private Key Encryption

Public Key InfrastructureWith Public Key Encryption, also known as asymmetric key encryption, two different keys, a Private Key and Public key are used simultaneously to both Digitally Sign and Authenticate an email message and/or encrypt it.

The Private Key and Public Key are a mathematically related unique pair of really long random that are 100% mated to each other.  The Private and Public Keys are created by using the information from your “Personal or Business Digital Certificate for Secure Email” and a “Key Generation Utility.”  The Certificate authenticates your email address and optionally your identity.  (See my article, “Securing your Email – Digital Certificate for Secure Email” for information on obtaining one.)  Note:  The Key Generation Utility is usually included as part of the Email Client Software or Web Mail Browser Plug-In.  It may not be necessary to explicitly create the key pair as it may automatic.

So, how does Public and Private Key Encryption work?  For starters, recall that the Private Key and Public key are a related pair – they work together.  Important Safety Tip:  As the names imply, the Private Key must remain private and its’ “pass phrase” (the password to use the key) must remain “private” and ONLY known to you personally.  The Public Key is widely distributed to everyone you want to communicate with so that the recipients can either Authenticate a message from you as genuine, decrypt an encrypted message you send them, or they can encrypt a message that only you can decode with your Private Key.  The Public Key can also be placed on a “Trusted Public Key Server” (think phone directory for everyone’s Public Key) so that others can look up your Public Key to encrypt messages to be sent that only you can decrypt with your Private Key.

NOTE:  For purposes of this discussion we need to assume that regardless of if you are using a Class 1 (Email Address Validated) or Class 2 (Email Address and Identity Validated) Digital Certificate for Secure Email, that YOU are the one and only person associated with your email account and that the Pass Phrase to your Private Key is known ONLY to you.  With a basic Class 1 Digital Certificate for Secure Email, ANYONE who has access to your email account and who may have requested a Digital Certificate for Secure Email without your knowledge could masquerade as you for purposes of sending Digitally Signed and Encrypted Email.

If I want to Digitally Sign an email message so that a recipient will have a high degree of assurance that I was the actual sender of the message, similar to when I have a paper document Notarized, I use my Private Key along with my Public key to tell my Email Client to “Digitally Sign” the message.  I then attach my Public Key with the message as I send it to the recipient.  The Recipients’ Email Client uses the attaché Public Key to process my Digital Signature and verify that the Digital Signature is Authentic and Genuine.  (Recall when I have a paper document Notarized, a licensed independent third party Authenticates my signature by reviewing other Identity documents.  This is similar to what a Certificate Authority would do when issuing a Class 2 Digital Certificate for Secure Email.)

You may be wondering, “How is this any different than if I just sent a regular message since I included the Public Key, the part required for the recipient to authenticate the message?”  The answer is that when I Digitally Signed the message with my Private Key, I had to enter in my super-secret, ultra-secure “pass phrase” known only to me.  The Private Key and Public Key are a mated pair that must be used together to be of any value.  Since only my Public Key can be used to authenticate a message that I personally, Digitally Sign, the message has to be authentic and sent by me.  Assuming that the Recipient uses either the Public Key that I sent along with the message or retrieves my Public Key from a Trusted Public Key Server, the message can be authenticated as legitimately Digitally Signed by me.

Technical Note:  The Email Clients are performing a massive amount of mathematical calculations in the background creating hash totals and checksums which are shorter strings of numbers that represent the original extremely long numbers to expose tampering.  It is possible that the body text which is not encrypted in a Digitally Signed Message could be altered in transit.  The message would still correctly show the Digital Signature as “Authentic” however the “math” would also show that the message had been altered from its’ original content.

To Encrypt a message requires one extra step:  Before I can send a recipient an encrypted message, I need to know their Public Key.  My Email Client software will use the Recipients’ Public Key to encrypt the message.  Then, the Recipients’ Email Client will use the Recipients’ Private Key to decrypt the message.

Taking it one step further, if I use my Private Key and the Recipients Public Key at the same time, I can both Digitally Sign the message and Encrypt it so that the Recipient can Authenticate that I actually sent the message with my Public Key and Decrypt the message with the Recipients Private Key so only the Recipient can read it.

The best way to get started in using Digital Signatures and encrypting email, when appropriate, is to obtain a Digital Certificate for Secure Email and then send a Digitally Signed message to people you want to be able to communicate with securely.  (See my article, “Securing your Email – Digital Certificate for Secure Email” for information on obtaining one.)  Since your Public Key is automatically included in your Digitally Signed Message, the Recipients’ Email Client will automatically store it so that it can be used to either decrypt messages sent by you or encrypt messages that are sent to you from the Recipient.

Note:  If you are not using Microsoft Outlook or Lotus Notes, you will need an “Add-on” application for your email client or web browser.  Options will be discussed in a future article.


  1. What things can be done to improve the CCTV system?

    • CCTV Security can be improved by using Port Based Virtual Private Networks and/or MAC Address Filtering. Every IP Device has a unique identifier, a MAC Address and with the proper type of Managed Network Switch you can control which Camera and Monitors have access to the Source or Stored Feeds based on either the physical Port that the IP Camera is connected to on the Network Switch or Filter based on the MAC address of the IP Camera. Some more advanced IP Cameras support real-time encryption, using either SSL or the same public/private key encryption described for email to secure the source image during transmission to the video recorder.

      The question becomes what are you trying to secure: Interception of the Camera Feed by an unauthorized tap? Interception of the feed transmission over a wide area network/Internet? Integrity of the Transmission from alteration during transmission? Or, access to the stored recordings? Each have different security solution options.

      Thanks for your comments,

      Jason Palmer.

Speak Your Mind