
How e-mail message components are used

Learn what happens when someone's e-mail address differs from the certificate e-mail field value, in this application security Ask the Expert Q&A.

What happens when someone's e-mail address changes from the certificate's e-mail field value? Is the message's "To" field compared against the certificate SN e-mail field value?
The short answer is no. To explain why, let's look at the elements of an e-mail message and explore how Outlook Express (the most common e-mail client) uses the "From" and "To" fields.

There are three components to an e-mail message:

  • The envelope
  • The headers
  • The message body

The envelope is used internally by Message Transfer Agents (MTAs), more commonly called mail servers, to route a message. It is not part of the message text at all: it is formed from the SMTP commands the sending system issues, "MAIL FROM" for the envelope sender and one "RCPT TO" for each envelope recipient. Messages are routed and delivered according to the envelope recipients, regardless of what the message's own "To" header says. The receiving MTA typically records the envelope sender in a "Return-Path" header that it adds on delivery, but the message's "To" header is never consulted for routing.
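To make the envelope-versus-header distinction concrete, here is an added Go example (not code from the original article, and a deliberate simplification of a real MTA) that replays a constructed SMTP session: the envelope recipient is bob@example.com, but the message's own To header names alice@example.com. Delivery follows RCPT TO, and the only trace of the envelope in the stored message is the Return-Path header the MTA prepends. All addresses and the session text are made up for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/mail"
	"strings"
)

// Mailboxes maps an envelope recipient address to the messages delivered to it.
type Mailboxes map[string][]string

// Deliver replays the client side of an SMTP session and delivers like an MTA:
// MAIL FROM and RCPT TO form the envelope, and routing uses the envelope only.
// The header block inside DATA is stored untouched and never consulted. The
// envelope sender is recorded as a Return-Path header, the one trace of the
// envelope that survives in the stored message.
func Deliver(session string, boxes Mailboxes) error {
	var from string
	var rcpts []string
	sc := bufio.NewScanner(strings.NewReader(session))
	for sc.Scan() {
		line := sc.Text()
		upper := strings.ToUpper(line)
		switch {
		case strings.HasPrefix(upper, "MAIL FROM:"):
			from = strings.Trim(line[len("MAIL FROM:"):], "<> ")
		case strings.HasPrefix(upper, "RCPT TO:"):
			rcpts = append(rcpts, strings.Trim(line[len("RCPT TO:"):], "<> "))
		case upper == "DATA":
			if len(rcpts) == 0 {
				return fmt.Errorf("DATA before any RCPT TO")
			}
			var msg strings.Builder
			for sc.Scan() && sc.Text() != "." {
				// Undo SMTP dot-stuffing: a data line that began with "." was sent as "..".
				msg.WriteString(strings.TrimPrefix(sc.Text(), ".") + "\r\n")
			}
			stored := "Return-Path: <" + from + ">\r\n" + msg.String()
			for _, r := range rcpts {
				boxes[r] = append(boxes[r], stored)
			}
			from, rcpts = "", nil
		}
	}
	return sc.Err()
}

// HeaderTo returns the message's own To header, which delivery never looked at.
func HeaderTo(stored string) string {
	m, err := mail.ReadMessage(strings.NewReader(stored))
	if err != nil {
		return ""
	}
	return m.Header.Get("To")
}

func main() {
	// Constructed session: the envelope says bob, the header says alice.
	session := strings.Join([]string{
		"EHLO client.example.net",
		"MAIL FROM:<mallory@example.net>",
		"RCPT TO:<bob@example.com>",
		"DATA",
		"From: alice@example.com",
		"To: alice@example.com",
		"Subject: Account review",
		"",
		"Please log in and confirm your details.",
		".",
		"QUIT",
	}, "\r\n")
	boxes := Mailboxes{}
	if err := Deliver(session, boxes); err != nil {
		panic(err)
	}
	for addr, msgs := range boxes {
		fmt.Printf("delivered to %s although the header To is %q\n%s", addr, HeaderTo(msgs[0]), msgs[0])
	}
}
```

Running it shows a single mailbox, bob@example.com, holding a message whose To header still reads alice@example.com; nothing in the stored message except Return-Path reflects the envelope.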

When you digitally sign a message in Outlook Express, a hash of the message body is computed with a cryptographic hash algorithm, and that hash is signed with the sender's private key, producing a digital signature for that specific message. The signature is attached to the message along with the sender's digital certificate, which carries the matching public key. When Outlook Express receives a signed message, it computes its own hash of the body and uses the public key from the certificate to verify the signature over that hash (conceptually, recovering the signed hash value and comparing it with its own). If the two agree, the recipient can be sure that the body has not been altered since it was signed and that it was signed by the holder of the private key corresponding to the public key in the certificate.

Note, however, that only the body of the message goes into the hash. The Subject and the other header fields such as "From," "To" and "Date" are not covered, so any of them can be altered without causing the signature check to fail. For example, I could change the "To" field to make it look like the e-mail was sent to someone else, because the recipient's digital certificate plays no part in a message that is only signed. The "From" field is the one exception, but not because it is signed: Outlook Express compares the address in the "From" field with the e-mail address in the signing certificate (the e-mail attribute of the subject name, or an rfc822Name in the subject alternative name) and, if they differ, warns that the "digital ID's e-mail address does not match the sender's." The signature itself still verifies; it is this separate address comparison that catches the change.
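The body-only coverage of the signature and the separate From-address check can be seen in working code. The following Go program is an added example, not code from the original article and not Outlook Express's implementation: it generates a throwaway key and self-signed certificate for a hypothetical sender (alice@example.com), signs only the body, then runs the verification and the From-versus-certificate comparison over a constructed message with its To header, its From header and its body altered in turn. It stands in for S/MIME with a plain RSA signature over a SHA-256 digest rather than a CMS SignedData structure; all addresses and message text are made up.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/mail"
	"strings"
	"time"
)

// Signer is a hypothetical sender: an RSA key plus a self-signed certificate
// whose subjectAltName (rfc822Name) carries the sender's e-mail address.
type Signer struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewSigner generates a throwaway key and certificate for the given address.
func NewSigner(email string) (*Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &Signer{Key: key, Cert: cert}, nil
}

// SignBody hashes only the body and signs the digest; the outer headers
// (From, To, Subject, Date) are outside the signed data, as in S/MIME.
func (s *Signer) SignBody(body string) ([]byte, error) {
	digest := sha256.Sum256([]byte(body))
	return rsa.SignPKCS1v15(rand.Reader, s.Key, crypto.SHA256, digest[:])
}

// verifyBody recomputes the body digest and checks the signature with the
// public key taken from the certificate that travelled with the message.
func verifyBody(cert *x509.Certificate, body []byte, sig []byte) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok { return false }
	digest := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// fromMatchesCert is the separate client-side check: the address in the From
// header must be one of the e-mail addresses in the signing certificate.
func fromMatchesCert(h mail.Header, cert *x509.Certificate) bool {
	addr, err := mail.ParseAddress(h.Get("From"))
	if err != nil { return false }
	for _, e := range cert.EmailAddresses {
		if strings.EqualFold(e, addr.Address) {
			return true
		}
	}
	return false
}

// Check parses a raw RFC 5322 message and reports whether the body signature
// verifies and whether the From address matches the certificate.
func Check(raw string, cert *x509.Certificate, sig []byte) (bool, bool, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil { return false, false, err }
	body, err := io.ReadAll(msg.Body)
	if err != nil { return false, false, err }
	return verifyBody(cert, body, sig), fromMatchesCert(msg.Header, cert), nil
}

func main() {
	s, err := NewSigner("alice@example.com")
	if err != nil { panic(err) }
	body := "Please approve the transfer.\r\n" // constructed sample body
	sig, _ := s.SignBody(body)
	orig := "From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Approval\r\n\r\n" + body
	cases := map[string]string{
		"original":     orig,
		"To changed":   strings.Replace(orig, "To: bob@", "To: carol@", 1),
		"From changed": strings.Replace(orig, "From: alice@", "From: mallory@", 1),
		"body changed": orig + "P.S. Use my other account.\r\n",
	}
	for name, raw := range cases {
		sigOK, fromOK, _ := Check(raw, s.Cert, sig)
		fmt.Printf("%-13s signature valid=%-5v From matches certificate=%v\n", name, sigOK, fromOK)
	}
}
```

Changing To leaves both checks passing, changing From leaves the signature valid but fails the address comparison (the warning case in the text), and only a change to the body breaks the signature itself.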

To take the process one step further, consider what happens when a message is encrypted and Outlook Express must find the correct private key to decrypt it. When Outlook Express encrypts a message, it first generates a random symmetric key, called here the Message Encryption Key (MEK) and, in the S/MIME (CMS) standard, the content-encryption key. The message body is encrypted with this key, and the key itself is then encrypted with each recipient's public key. Each such encrypted copy is stored in a "RecipientInfo" structure inside the encrypted message (not in a message header), and that structure identifies the recipient's certificate, typically by the certificate's issuer and serial number. When Outlook Express receives an encrypted message, it uses these RecipientInfo entries, not the message's "To" header, to select the digital certificate and private key that can unwrap the key. That certificate is tied to the recipient's e-mail address, which is what connects the encrypted message to the person it was encrypted for.

As you can see, it is far better to sign and encrypt important messages: the signature lets the recipient detect any alteration of the body, and the encryption ties the message to the recipients' certificates rather than to an editable "To" header. If the person you are sending such an e-mail to does not have a digital certificate, meaning you can only sign the e-mail, I would add a salutation naming the recipient, the date and time, and enough context in the body that the message cannot be passed off as something else, since the body is the only part the signature protects. Also, never Bcc someone on an encrypted e-mail: the message carries a RecipientInfo entry for every certificate it was encrypted to, so most e-mail clients make it easy for the "To" recipient to see who was Bcc'd.
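The RecipientInfo lookup described above, and the reason a Bcc'd recipient is exposed, in an added Go example (not the article's or Outlook Express's code). It models the CMS EnvelopedData structure with RSA-OAEP key transport and AES-GCM for the body instead of the algorithms Outlook Express used, identifies each recipient by a subjectKeyIdentifier computed from the public key rather than by issuer and serial number, and uses throwaway keys for three hypothetical parties: Bob (To), Carol (Bcc) and Eve (not a recipient). Recipient selection uses only the envelope's RecipientInfo entries; the example deliberately has no To header at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// RecipientInfo models one CMS KeyTransRecipientInfo: an identifier for the
// recipient's certificate (a subjectKeyIdentifier here; real S/MIME more often
// uses issuer and serial number) plus the content-encryption key wrapped to it.
type RecipientInfo struct {
	KeyID      string
	WrappedCEK []byte
}

// Envelope models CMS EnvelopedData: one RecipientInfo per recipient, To, Cc
// and Bcc alike, plus the body encrypted once under the content-encryption key.
type Envelope struct {
	Recipients []RecipientInfo
	Nonce      []byte
	Ciphertext []byte
}

// NewRecipientKey makes a throwaway RSA key standing in for a recipient's certificate.
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// KeyID is the SHA-1 of the DER-encoded public key, the usual way a
// subjectKeyIdentifier is formed.
func KeyID(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha1.Sum(der)
	return hex.EncodeToString(sum[:])
}

func newGCM(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt generates a fresh random CEK, encrypts the body once with it, then
// wraps the CEK for every recipient. Nothing here reads a To or Bcc header.
func Encrypt(body []byte, recipients ...*rsa.PublicKey) (*Envelope, error) {
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil { return nil, err }
	gcm, err := newGCM(cek)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
		if err != nil { return nil, err }
		env.Recipients = append(env.Recipients, RecipientInfo{KeyID: KeyID(pub), WrappedCEK: w})
	}
	return env, nil
}

// Decrypt selects the RecipientInfo matching our own key identifier (never a
// header), unwraps the CEK with the private key and decrypts the body.
func Decrypt(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	id := KeyID(&priv.PublicKey)
	for _, ri := range env.Recipients {
		if ri.KeyID != id { continue }
		cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ri.WrappedCEK, nil)
		if err != nil { return nil, err }
		gcm, err := newGCM(cek)
		if err != nil { return nil, err }
		return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	}
	return nil, fmt.Errorf("no RecipientInfo for key %s: message was not encrypted to us", id[:8])
}

// VisibleRecipients lists every identifier in the envelope, readable by any
// holder of the message without decrypting it: this is how a Bcc'd party leaks.
func VisibleRecipients(env *Envelope) []string {
	ids := make([]string, 0, len(env.Recipients))
	for _, ri := range env.Recipients {
		ids = append(ids, ri.KeyID)
	}
	return ids
}

func main() {
	bob, _ := NewRecipientKey()
	carol, _ := NewRecipientKey() // Bcc'd
	eve, _ := NewRecipientKey()   // not a recipient
	env, err := Encrypt([]byte("Board minutes, confidential.\r\n"), &bob.PublicKey, &carol.PublicKey) // constructed body
	if err != nil { panic(err) }
	pt, _ := Decrypt(env, bob)
	_, eveErr := Decrypt(env, eve)
	fmt.Printf("bob reads %q\neve: %v\nrecipient IDs visible to everyone: %v\n", pt, eveErr, VisibleRecipients(env))
}
```

Bob and Carol each find their own RecipientInfo and decrypt; Eve finds none and gets an error; and anyone holding the message, Bob included, can list both identifiers, so Carol's Bcc is visible. Because the body is authenticated (GCM), a flipped ciphertext byte also fails to decrypt.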

This was last published in February 2006