With threats looming constantly in the digital world, using end-to-end encryption and digital signatures has become a necessity to protect your data online. Read this article to learn how these two work together in Mailfence.
What are end-to-end encryption and digital signatures?
Let’s first explain what are end-to-end encryption and digital signatures.
End-to-End Encryption (E2EE)
End-to-end encryption or E2EE is a method of securing data in-transit (while moving from the source to its destination).
In simple terms, data in plaintext goes through an encryption algorithm, which produces a ciphertext. There are two types of encryption algorithms – symmetric and asymmetric encryption.
Symmetric encryption includes:
- AES
- DES
- RC4
- RC5
- RC6
- Blowfish
- Twofish
- Etc
Asymmetric encryption includes:
- RSA
- Eliptic Curve
- Diffie-Hellman
Here we explain how E2EE works in more detail.
With End-to-End Encryption, the sender encrtypts the data on their system and only the intended recipient can decrypt it. If the recipient can’t decrypt the message then it remains stored on Mailfence’s server (still encrypted, we don’t have the key to decrypt your messages, only you do), at least until the sender deletes it on their end.
With the email thus protected nobody in between (an internet/application service provider, surveillance programs or a hacker, …) can read or tamper with it – thus providing a great deal of confidentiality and protection to all communications.
Digital Signatures
Digital signatures are an equivalent of a handwritten signature or stamped seal, but they offer far more inherent security. A digital signature solves the problem of tampering and impersonation in digital communications – and provides absolute authenticity and integrity to all messages.
They therefore serve three important roles:
- Verifying the sender
- Proving the integrity of the message
- Provoding non-repudiation
Here’s a simple explanation how digital signatures work (we go into more detail in our article on digital signatures):
- First, the sender signs the document with their private key
- The recipient then receives the document and the public key
- If the keys don’t match, the signature is not valid
Digital signing algorithms include:
- RSA
- ElGamal
- DSA
- ECDSA
Differences between end-to-end encryption and digital signatures
Here are the main differences between end-to-end encryption and digital signatures:
| End-to-end encryption | Digital Signatures |
| Used to encode sensitive information in an email or document | Used to verify the authenticity of the document or email message |
| The public key is used to encrypt the data in the email or document | The public key is used to verify the sender’s signature |
| The private key is used to decrypt the data in the email by the recipient | The private key is used to sign the document by the sender |
| The encrypted message is verified only after it is decrypted using the recipient’s private key | The digital signature is verified only if it remains unaltered between the sender and the recipient |
| Requires PGP or similar encryption protocol | The certificate authority (CA) provides a digital certificate |
How Mailfence does it?
Mailfence secure and private email-suite uses OpenPGP.
We leverage the OpenPGP.js – a Javascript implementation of OpenPGP standard which is open-source and well-audited. It allows us to perform crypto-operations of en(de)cryption on the client side.
Every crypto process encapsulates a series of different steps working back and forth between the client and the server over TLS/SSL – in order to successfully carry out a particular operation. Below you will find a step-by-step linear diagram that illustrates how Mailfence End-to-end encryption and digital signatures functions along with other relevant details.
Visit our knowledge base article for a summary of the benefits Mailfence offers
Mailfence to Mailfence
Mailfence to other email providers
Key generation
- The client-browser requests the specific key-generation code from the server after receiving a request from the user – and the server sends that specific code to the client’s browser.
- Next, the key then gets generated on the user device (in browser) and encrypted with the passphrase via AES-256. The public key at this point also gets published on public key servers (the user needs to opt in for this).
- The encrypted key is then pushed onto the server from user’s browser – so that a user can access it any time from any device
Generate your keypair in 5 easy steps in our Knowledge base.
Passphrase Changing
- The client-browser requests the specific passphrase changing code along with the related encrypted key from the server after receiving a request from the user – and the server sends that specific code with the related encrypted key to the client’s browser.
- User decrypts the key by providing the respective passphrase and encrypts it with the new one.
- The key is then pushed back to the server from the user’s browser.
Read how to change your passphrase here.
Key Revocation
- The client-browser requests the specific key revocation code along with the related encrypted key from the server after receiving a request from the user. The server sends that specific code with the related encrypted key to the client’s browser.
- User decrypts the key by providing the respective passphrase.
- The key then gets revoked and its revocation status also gets published on public key servers . The key then gets encrypted back with user passphrase.
- Client browser then pushes the encrypted key back to the server.
Learn about key revocation in our dedicated support.
Key Exportation
- The client-browser requests the specific key exporting code with the related key from the server after receiving a request from the user and the server sends that specific code with the related encrypted key to the client’s browser.
- The user then exports (downloads) that encrypted key onto his device.
Here is how to export your keys.
Key Deletion
- The client-browser requests the specific key deletion code with the related key from the server after receiving a request from the user and the server sends that specific code with the related encrypted key to the client’s browser.
- Finally, the user can delete the key from their device.
Check out how to delete your keys easily in our Knowledge base
Key Expiration Date Modification
- The client-browser requests the specific expiration date modification code with the related key from the server after receiving a request from the user – and the server sends that specific code with the related encrypted key to the client’s browser.
- User decrypts the key by providing the respective passphrase and modifies the expiration date. The user then encrypts the key with their passphrase
- Client browser then pushes the encrypted key back to the server.
Learn how to modify the key’s expiration date in our Knowledge base.
How to Send a Digitally Signed Email with Mailfence?
Sending a digitally signed email is easy with Mailfence.
- The client-browser requests the specific digital signing code with the related key from the server after receiving a request from the user – and the server sends that specific code with the related encrypted key to the client’s browser.
- User decrypts the key by providing the respective passphrase.
- The email message gets digitally signed (PGP/MIME) and is then sent to the recipient.
- Finally, the user can encrypt the key with their passphrase and push it back to the server.
Check our dedicated knowledge base article to send digitally signed emails.
Sending an encrypted and digitally signed email
- The client-browser requests the specific encryption and digital signing code with the related key from the server after receiving a request from the user – and the server sends that specific code with the related encrypted key to the client’s browser.
- User decrypts the key by providing the respective passphrase.
- The email message gets digitally signed (PGP/MIME), encrypted with the public key of the recipient (OpenPGP) and then gets sent.
- Last, the user needs to encrypt the key with the passphrase and push it back to the server
For a detailed “How to” user manual regarding end-to-end encryption and digital signatures, please check our knowledge-base.
