
WHAT IS DIGITAL SIGNATURE?

A Digital Signature Certificate, like a handwritten signature, establishes the identity of the sender filing documents through the internet, which the sender cannot revoke or deny. Accordingly, a Digital Signature Certificate is the digital equivalent of a handwritten signature: extra data attached electronically to any message or document.
Digital Signature also ensures that no alterations are made to the data once the document has been digitally signed. A DSC is normally valid for 1 or 2 years, after which it can be renewed.
A Digital Signature is a method of verifying the authenticity of an electronic document.

WHAT IS DIGITAL SIGNATURE?


Digital signatures are going to play an important role in our lives with the gradual electronization of records and documents. The IT Act has given legal recognition to the digital signature, meaning that legally it has the same value as a handwritten signature affixed to a document for its verification. The Information Technology Act, 2000 provides the required legal sanctity to digital signatures based on asymmetric cryptosystems. Digital signatures are now accepted on par with handwritten signatures, and electronic documents that have been digitally signed are treated on par with paper documents.

What is a Digital Signature Certificate (DSC)?

Digital Signature Certificate is your PASSPORT on the Internet, used to:
Identify yourself
Help the software application to authenticate you
Help you to secure your data
Give legal sanctity to the transaction

Handwritten Signatures

Signature v. autograph
Intention of the signer

Signature is any mark that has been affixed by the signer with the intent to be bound by the contents of the document. Once affixed, the signature and the document become one composite thing.
Integrity

Proof of Handwritten Signatures

If a handwritten signature is disputed, then call on the following:


Witness to the signature
A person with intimate knowledge of the person's signature
Handwriting expert

Authentication and Nonrepudiation

Let us begin by looking at the differences between conventional signatures and digital signatures.

Inclusion: A conventional signature is included in the document; it is part of the document. But when we sign a document digitally, we send the signature as a separate document.

Verification Method: For a conventional signature, when the recipient receives a document, he compares the signature on the document with the signature on file. For a digital signature, the recipient receives the message and the signature. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity.

Relationship: For a conventional signature, there is normally a one-to-many relationship between a signature and documents. For a digital signature, there is a one-to-one relationship between a signature and a message.

Duplicity: In conventional signature, a copy of the signed document can be distinguished from the original one on file. In digital signature, there is no such distinction unless there is a factor of time on the document.

Types of Electronic Signatures

Biometric signatures
E.g. iris scans, finger-prints, voice (none totally perfect yet).

Non-biometric signatures
E.g. digital signatures

Public Key Cryptography


A pair of 2 keys: 1 private key and an associated public key
Private key kept secret by owner
Public key published widely
Golden rule: anything encrypted with a public key can only be decoded with the private key, and vice versa

Yee Fen Lim

Public Key Cryptography: Superman example


Superman writes: I love you
Superman encrypts message with his private key
Anyone with Superman's public key can decode the message

Authenticity


Public Key Cryptography: Superman example


How does Superman ensure only Lois Lane can read his message?
Superman encrypts his already encrypted message with Lois Lane's public key
Only Lois Lane can decode the message as she is the one with the private key

Confidentiality


Role of Controller (CCA)

The Controller of Certifying Authorities, as the Root Authority, certifies the technologies, infrastructure and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates.

Seven CAs have been licensed by CCA:

Safescrypt
National Informatics Center (NIC), Government of India
Institute for Development & Research in Banking Technology (IDRBT), a Society of Reserve Bank of India
Tata Consultancy Services (TCS)
MTNL Trustline
GNFC (Gujarat Narmada Fertilizer Corporation)
E-Mudhra CA

How To Get & Use Digital Signature


Application Request

Go to http://nicca.nic.in
Download DSC Request Form
Fill in the Form
Sign the Form at Required Place
Get the Form Countersigned and Verified from HOD along with his/her Official Stamp
Enclose Identification Proof
Enclose Fee (if required) in Form of Bank Draft
Send to NIC Office

Digital Signatures & the Indian law


Authenticating electronic records
According to section 3 of the IT Act:
3. (1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his digital signature.
(2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
(3) Any person by the use of a public key of the subscriber can verify the electronic record.
(4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.

TERMS USED

Subscriber is a person in whose name the Digital Signature Certificate is issued.
Authenticate means to give legal validity to, establish the genuineness of.
Electronic record means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche.
Affixing digital signature means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature.

TERMS USED
Asymmetric crypto system is a system of using mathematically related keys to create and verify digital signatures. The key pair consists of a private key and a public key. The private key is used in conjunction with a one-way hash function to create digital signatures. The public key is used to verify the digital signatures created by the corresponding private key.
A one-way hash function takes variable-length input (say, a message of any length) and produces a fixed-length output (say, 160 bits). The hash function ensures that, if the information is changed in any way, even by just one bit, an entirely different output value is produced.

Secure digital signature


A secure digital signature should satisfy the following conditions:
1. It should be unique to the subscriber affixing it. A digital signature is unique and is based upon the message that is signed and the private key of the signer.
2. It should be capable of identifying such subscriber. What this implies is that the digital signature should be verifiable by the public key of the signer and by no other public key.
3. It should be created in a manner or using a means under the exclusive control of the subscriber. This implies that the signer must use hardware and software that are completely free of any unauthorized external control.
4. It should be linked to the electronic record to which it relates in such a manner that if the electronic record were altered, the digital signature would be invalidated. All standard software programs used to create digital signatures contain this feature.
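The hash-then-sign mechanism described under TERMS USED, together with conditions 1, 2 and 4 above, as an added example that is not part of the original slides. It assumes SHA-256 as the hash function and unpadded textbook RSA over constructed keys built from known Mersenne primes; all function and variable names are illustrative, and real signing software uses a vetted library with a padding scheme such as RSA-PSS.

```python
import hashlib

E = 65537  # public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def digest(record: bytes) -> int:
    """One-way hash: record of any length -> fixed 256-bit number."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")

def sign(record: bytes, private) -> int:
    """Signature = hash of the record transformed with the private key."""
    n, d = private
    return pow(digest(record), d, n)

def verify(record: bytes, signature: int, public) -> bool:
    """Undo the transform with the public key; compare with a fresh hash."""
    n, e = public
    return pow(signature, e, n) == digest(record)

def hash_bits_changed(a: bytes, b: bytes) -> int:
    """Number of output bits that differ between the two hashes."""
    return bin(digest(a) ^ digest(b)).count("1")

# Constructed demo keys from known Mersenne primes: easy to factor,
# so they illustrate the mechanics only and protect nothing.
SUBSCRIBER_PUB, SUBSCRIBER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
OTHER_PUB, _ = make_keypair(2**1279 - 1, 2**2203 - 1)

RECORD = b"Transfer Rs. 1000 to account 12345"       # constructed sample
ONE_BIT_OFF = RECORD[:-1] + bytes([RECORD[-1] ^ 1])  # last bit flipped
SIGNATURE = sign(RECORD, SUBSCRIBER_PRIV)            # sent beside the record

if __name__ == "__main__":
    print("hash bits changed by 1-bit edit:", hash_bits_changed(RECORD, ONE_BIT_OFF))
    print("genuine record, signer's key   :", verify(RECORD, SIGNATURE, SUBSCRIBER_PUB))
    print("altered record, signer's key   :", verify(ONE_BIT_OFF, SIGNATURE, SUBSCRIBER_PUB))
    print("genuine record, another key    :", verify(RECORD, SIGNATURE, OTHER_PUB))
```

Only the first verification succeeds: a one-bit alteration of the record or a check against any other public key makes the comparison fail.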

Digital Signature Certificates


Any person can make an application to the Certifying Authority (CA) for the issue of a Digital Signature Certificate. Each application is required to be accompanied by:
1. The prescribed fee (not exceeding twenty-five thousand rupees) to be paid to the CA.
2. A certification practice statement or a statement containing specified particulars.

On receipt of an application, the Certifying Authority may grant the Digital Signature Certificate or, for reasons to be recorded in writing, reject the application.

Suspension of Digital Signature Certificate


The Certifying Authority, which has issued a Digital Signature Certificate, may suspend such Digital Signature Certificate:

1. on a request from the subscriber listed in the Digital Signature Certificate,
2. on a request from any person duly authorized to act on behalf of that subscriber,
3. if it is of opinion that the Certificate should be suspended in public interest.

A Digital Signature Certificate cannot be suspended for a period exceeding 15 days unless the subscriber has been given an opportunity of being heard in the matter. On suspension of a Digital Signature Certificate, the Certifying Authority shall communicate the same to the subscriber.

What are the different types of Digital Signature Certificates?


Class 1: These certificates do not hold any legal validity as the validation process is based only on a valid e-mail ID and involves no direct verification.
Class 2: Here, the identity of a person is verified against a trusted, pre-verified database.
Class 3: This is the highest level where the person needs to present himself or herself in front of a Registration Authority (RA) and prove his/her identity.

e-GOVERNANCE APPLICATIONS USING DIGITAL SIGNATURES


The following are some of the eGovernance applications already using the Digital Signatures:
MCA21, a Mission Mode project under NeGP, which is one of the first few e-Governance projects under NeGP to successfully implement Digital Signatures in their project
Income Tax e-filing
IRCTC
DGFT
RBI Applications (SFMS)
NSDG
eProcurement
eOffice
eDistrict applications of UP, Assam etc.
