By ROCCO MAGLIO
Software Engineer, CISSP
Recently, a number of emails sent through Gmail were found on a MacBook that, according to what the owner of a computer repair shop told the FBI, was dropped off by Hunter Biden, the son of presidential candidate Joe Biden. The veracity of these emails has become an issue in the election because some of them can be interpreted as implying that Hunter Biden was influence peddling while his father was Vice President.
Many popular email services, by default, attach a digital signature that validates the integrity of each email. If an email is modified after being sent, the digital signature will not match. The signature is created with the email provider’s private key and verifies that the email has not been changed since it left the provider’s purview.
This may seem technical, but much of the software that you download comes with digital signatures, which should be used to verify that the software you are downloading has not been tampered with. Verifying digital signatures is something that is done millions of times each day. It takes a few minutes to verify a signature: the public keys are easily available, and you can easily compute a hash to check that the signed hash is correct.
Gmail signs outgoing email with its private key by default. Among the header information sent with each email is a DKIM-Signature field, which provides proof that the hash of the message was signed with Gmail’s private key. (DKIM stands for DomainKeys Identified Mail.)
A document hash is a short value determined by the exact contents of the document. Changing anything in the document will change the hash. It must also be nearly impossible to find two documents that have the same hash value.
If someone were able to steal Gmail’s private key, they could forge any email sent from the service. Gmail tightly guards the key, and at the moment no one is claiming that the Gmail key has been compromised.
Gmail also performs this verification on the emails it receives, confirming that the email you are looking at is the one that was sent and signed. The service will tell you if the signed hash does not match the email. This prevents someone from changing the email undetected while it is in transit, and it provides confidence in the integrity of the email.
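The body-hash half of that check, as an added example that is not part of the original article: it parses a DKIM-Signature header, canonicalizes the body as RFC 6376 describes, and compares the recomputed hash with the `bh=` tag. The sample message, `example.com` and the `sel1` selector are constructed, and the RSA signature in `b=`, which a full verifier checks against the provider's published public key, is a placeholder that this code does not verify.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, section 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def canonicalize_body(body, mode):
    """'simple' or 'relaxed' body canonicalization (RFC 6376, section 3.4)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":  # collapse runs of spaces/tabs, strip them at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty lines are not part of the hash input
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, tags):
    """Recompute the value the signer placed in the bh= tag."""
    algo = tags["a"].split("-")[-1]  # "rsa-sha256" -> "sha256"
    # c= is header/body; the body mode defaults to "simple" when omitted
    mode = (tags.get("c", "simple/simple") + "/simple").split("/")[1]
    data = canonicalize_body(body, mode)
    if "l" in tags:  # optional limit on how many body bytes were signed
        data = data[:int(tags["l"])]
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def body_matches(raw):
    """True if the body still hashes to bh= in the first DKIM-Signature header."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode("ascii", "replace")
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            tags = parse_tags(value)
            return body_hash(body, tags) == tags["bh"]
    raise ValueError("no DKIM-Signature header")

# Constructed sample: bh= is computed here; b= is a placeholder, not a real signature.
BODY = b"Meet at noon.\r\n"
BH = body_hash(BODY, {"a": "rsa-sha256", "c": "relaxed/relaxed"}).encode()
SAMPLE = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
          b" s=sel1; h=from:subject; bh=" + BH + b"; b=PLACEHOLDER\r\n"
          b"From: a@example.com\r\nSubject: hi\r\n\r\n" + BODY)
```

A matching body hash alone proves nothing about origin; it only becomes evidence once the `b=` signature, which covers the `bh=` value and the signed headers, verifies against the public key the signing domain published for that selector.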
The downside of the integrity provided by digital signatures is that it is difficult to disavow emails. The defense of ‘I never sent that email’ or ‘the email has been modified’ is rarely used because it would take only a couple of minutes to show that the person disavowing the emails was lying.
This is the same issue that prevented the disavowing of emails sent by John Podesta and released by WikiLeaks. The digital signatures were there and valid, so it was not possible to claim that the emails had been modified or had not come from his account.
The DKIM-Signatures on the emails have not been released, but if you have the emails, you have the signatures, and they would be trivial to verify. These digital signatures are most likely the reason you have not heard the defense that those emails were altered or were not sent by whom they are claimed to have been sent. It would only take a few minutes to verify the signatures.