
DIGITAL SIGNATURES & ELECTRONIC SIGNATURES

SUBMITTED TO: Ms Kajori Bhatnagar
SUBMITTED BY: ArshBir, 204/14, Section-D, Bcom LLB

ACKNOWLEDGEMENT

I would like to express my special thanks of gratitude to my IT teacher Ms Kajori Bhatnagar for her guidance and support in completing my project.

I would also like to thank my friends and family who helped me with the material and supported me in every possible way.


Introduction

The most important aspect of the execution of documents through the electronic medium is of course the affixation of signatures electronically in place of manual signatures. The Act follows the lead of the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce (the ‘UNCITRAL Model Law’) and the American Bar Association (ABA) Guidelines on the technology otherwise known as the ‘public key system.’ Since the passage of the Act in 2000, digital signatures have been successfully introduced and used in India by the Registrar of Companies in the Ministry of Company Affairs and by the Department of Income Tax. Since 2007, all filings with the Registrar of Companies (RoC) have had to be made electronically by the use of digital signatures. Since 2008, all tax filings have had to be made electronically.

It is important to note that not all transactions can be concluded by the use of electronic signatures. The IT Act excludes from its purview a negotiable instrument, a power of attorney, a trust, a will, or any contract for the sale or conveyance of immovable property or any interest in such property. Therefore, electronic signatures or digital signatures cannot be attached to these types of legal documents. Instead, these documents will continue to be executed through traditional paper-based transactions.[1]

Digital Signatures

Traditional communication channels like post and telegraph have played an important role in the spread of commerce all over the world. The use of the telephone further fast-forwarded the whole process of business transactions. As business became more complex, it was realized that one needs faster processing of information. This led to the development of a ‘paperless approach’ to various business processes such as inquiries, purchase orders, pricing, order status, shipping, etc. in the form of standards and protocols. This paperless approach is often referred to as Electronic Data Interchange (EDI): an application-to-application exchange of standard business documents in an electronic format between two or more entities through computers. EDI replaces human-readable paper or electronic documents with machine-readable, electronically coded documents. With EDI, the sending computer creates the message and the receiving computer interprets the message without human involvement. Business documents such as purchase orders, shipment notices, invoices and fund transfer advice may be transmitted via EDI. One can transmit and receive EDI transactions with companies such as banks, transport carriers, customers and suppliers. The companies with which one exchanges EDI documents are referred to as trading partners.

[1] Viswanatham Aparna, Cyber Law Indian & International Perspectives, Lexis Nexis Butterworths Wadhwa, Nagpur, 2012, p. 48-49.

S. 3[2] - Authentication of electronic records

(1) Subject to the provisions of this section, any subscriber may authenticate an electronic record by affixing his digital signature.

(2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.

Explanation.- For the purposes of this sub-section, "hash function" means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as "hash result" such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input making it computationally infeasible-

(a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm;

(b) that two electronic records can produce the same hash result using the algorithm.

(3) Any person by the use of a public key of the subscriber can verify the electronic record.

(4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.

[2] The Information Technology Act, 2000

The idea was to adopt a technology that makes communication or transactions legally binding. The functional equivalent approach extended notions such as ‘writing’, ‘signatures’ and ‘original’ from traditional paper-based requirements to a paperless world. That is, in order to be called legally binding, all electronic communications or transactions must meet the following fundamental requirements:

1. Authenticity of the sender, to enable the recipient to determine who really sent the message.

2. Message integrity: the recipient must be able to determine whether or not the message received has been modified en route or is incomplete.

3. Non-repudiation: the ability to ensure that the sender cannot falsely deny sending the message, nor falsely deny the contents of the message.

This led to the acceptance of cryptography, a data encryption technique, which provided just that kind of message protection. Based on the nature and number of keys, cryptography has evolved into symmetric (private key cryptographic system) and asymmetric (public key cryptographic system) cryptography. In symmetric cryptography a single key is used for both encryption and decryption of a message, whereas in asymmetric cryptography encryption and decryption are done using an asymmetric key pair consisting of a public and a private key.

A digital signature is not a digitalized image of a handwritten signature. It is a block of data at the end of an electronic message that attests to the authenticity of the said message. Digital signatures are an actual transformation of an electronic message using public key cryptography. It requires a key pair (private key for encryption and public key for decryption) and a recipient (the verifier of the digital signature). A digital signature is complete if, and only if, the recipient successfully verifies it.[3]

Cryptography

The concept of cryptography is not a new one. People have always sought to protect the message. Encryption dates back to Lysander of Sparta, who was one of the first military rulers to encode messages to communicate with his soldiers. During World War I, the British decrypted a German message urging Mexico to ally with Germany, which convinced the United States to end the war. This concept was also used in World War II by Nazi Germany. In 1949, Claude Shannon established the scientific basis for modern cryptography with the development of information theory, which provided a mathematical basis for analyzing cryptographic systems.[4]

Creating a Digital Signature

STEP 1: The signer demarcates what is to be signed. The delimited information to be signed is termed the ‘message’.

STEP 2: A hash function in the signer’s software computes a hash result (message digest or digital fingerprint) unique to the message.

STEP 3: The signer’s software then transforms (encrypts) the hash result into a digital signature using the signer’s private key. The resulting digital signature is thus unique to both the message and the private key used to create it.

STEP 4: The digital signature (a digitally signed hash result of the message) is attached to its message and stored or transmitted with it. Since a digital signature is unique to its message, it is useful if it maintains a reliable association with its message.

[3] Ryder Rodney, Guide to Cyber Laws, Wadhwa Nagpur, 3rd Edition, 2003, p. 56

[4] Gupta Apar, Information Technology Act, Wadhwa & Company, Nagpur, 1st Edition, 2007, New Delhi, p. 54.
The basic problem with the aforesaid digital signature regime is that it operates in an online, software-driven space, without human intervention. The sender sends a digitally signed message; the recipient receives and verifies it. The only requirement is that both the sender and the recipient have digital signature software at their respective ends. How about authenticity? Suppose A sends B a digitally signed message; how would B make sure that the message indeed originated from A? How can it be authenticated that the message was from A only?

This calls for the participation of a trusted third party (TTP) to certify individuals’ (subscribers’) identities and their relationship to their public keys. The trusted third party is referred to as a Certifying Authority (CA). The function of a CA is to verify and authenticate the identity of a subscriber (the person in whose name the Digital Signature Certificate is issued).

A digital signature certificate securely binds the identity of the subscriber to his public key. It contains the name of the subscriber, his public key information and the name of the certifying authority which issued the digital signature certificate; the public key is published in an online, publicly accessible repository maintained by the Controller of Certifying Authorities or in the repository maintained by the CA. Every CA has to maintain its operation as per its certification practice statement (CPS). The CPS specifies the practices that each CA employs in issuing digital signature certificates.

Public Key Infrastructure (PKI) is about the management and regulation of key pairs by allocating duties between the contracting parties (Controller, CA, subscribers), laying down the licensing and business norms for CAs and establishing business processes/applications to construct contractual relationships in a digitalized world. The idea is to develop a sound public key infrastructure for the efficient allocation and verification of digital signature certificates.[5]
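As an added example (not part of the original project), the following toy Python code walks through the four signing steps listed under "Creating a Digital Signature" and the Certifying Authority's role described just above: a SHA-256 hash of the message, a textbook RSA signature over that hash, and a minimal certificate in which the CA signs the binding between a subscriber's name and public key, so that a relying party first checks the certificate against the CA's public key and only then verifies the message. The key sizes, the "|"-separated certificate body and all names are assumptions made for this demonstration; real deployments use standardized certificate formats and signature padding, which this toy omits.

```python
import hashlib
import random

def is_probable_prime(n, rng, rounds=20):  # Miller-Rabin; toy quality, seeded RNG
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    m, r = n - 1, 0
    while m % 2 == 0:
        m, r = m // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), m, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(seed, bits=512):
    # Toy RSA pair (assumed size); n > 2**256 so a SHA-256 digest fits unreduced.
    rng = random.Random(seed)
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if is_probable_prime(c, rng):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        if p != q and (p - 1) * (q - 1) % e:
            break
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)  # (public, private)

def digest(message):  # STEP 2: the hash result ("message digest") as an integer
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, private_key):  # STEP 3: transform the hash with the private key
    d, n = private_key
    return pow(digest(message), d, n)

def verify(message, signature, public_key):  # anyone holding the public key can check
    e, n = public_key
    return pow(signature, e, n) == digest(message)

def certificate_body(subject, public_key):  # assumed toy encoding, not a real format
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()

def issue_certificate(subject, subject_pub, ca_priv):
    # The CA certifies the name <-> public key binding by signing it with its own key.
    return {"subject": subject, "public_key": subject_pub,
            "ca_signature": sign(certificate_body(subject, subject_pub), ca_priv)}

def verify_signed_message(message, signature, cert, ca_pub):
    # Relying party: trust the certificate only if the CA signed it, then check the message.
    body = certificate_body(cert["subject"], cert["public_key"])
    return (verify(body, cert["ca_signature"], ca_pub)
            and verify(message, signature, cert["public_key"]))
```

Generate one key pair for the CA and one for the subscriber with generate_keypair, have the CA issue_certificate the subscriber's public key, then sign a message with the subscriber's private key and check it with verify_signed_message; any change to the message, the certificate or the signing key makes verification fail.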

S. 36 deals with the digital signature certificate. It is issued by the Certifying Authority under the IT Act. By issuing a DSC, the certifying authority certifies that:

(a) it has complied with the provisions of this Act and the rules and regulations made thereunder;

(b) it has published the Digital Signature Certificate or otherwise made it available to such person relying on it and the subscriber has accepted it;

(c) the subscriber holds the private key corresponding to the public key, listed in the Digital Signature Certificate;

[(ca) the subscriber holds a private key which is capable of creating a digital signature;]

[(cb) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the subscriber;]

(d) the subscriber's public key and private key constitute a functioning key pair;

(e) the information contained in the Digital Signature Certificate is accurate; and

(f) it has no knowledge of any material fact, which if it had been included in the Digital Signature Certificate would adversely affect the reliability of the representations in clauses (a) to (d).[6]

There are four classes of Digital Signature Certificate in India:

• CLASS 0 - used for the purpose of demonstration and testing

• CLASS 1 - used for personal purposes

• CLASS 2 - used for forms and electronic contracts by business personnel and private individuals

• CLASS 3 - high assurance certification used for e-commerce applications.

[5] Ahemed Farooq, Cyber Law in India, New Era Law Publishers, 3rd Edition, 2008, p. 78

[6] S. 36, The Information Technology Act, 2000

A digital signature certificate may be suspended if:

1. the subscriber requests the suspension, or

2. the CA feels it should be suspended in the public interest.

The CA may revoke a DSC:

a. when the subscriber requests revocation, or

b. on the death of the signatory, or

c. on the winding up of the company, where the subscriber is a company.[7]

[7] Mittal D.P., Law of Information Technology, Taxmann, 2000, p. 48


Electronic Signatures

The object and purpose of an electronic signature are similar to those of a traditional signature. It is significant to note that an electronic signature is easy to implement, because even a typed name can serve as an electronic signature. Consequently, e-signatures are very problematic when it comes to maintaining integrity and security, as nothing prevents one individual from typing another individual's name. Due to this reality, an electronic signature that does not incorporate additional measures of security (the way digital signatures do, as described above) is considered an insecure way of signing documentation.[8] In many countries, including the United States, the European Union, India, Brazil and Australia, electronic signatures (when recognized under the law of each jurisdiction) have the same legal consequences as the more traditional forms of executing documents.[9]

Sec. 2(ta)[10] defines electronic signature as: “Authentication of any electronic record by a subscriber by means of the electronic technique specified in the second schedule and includes digital signature.”

3A.[11] Electronic Signature.- (1) Notwithstanding anything contained in section 3, but subject to the provisions of subsection (2) a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which-

(a) is considered reliable; and

(b) may be specified in the Second Schedule

(2) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if-

(a) the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and of no other person;

(b) the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person;

(c) any alteration to the electronic signature made after affixing such signature is detectable;

(d) any alteration to the information made after its authentication by electronic signature is detectable; and

(e) it fulfills such other conditions which may be prescribed.

(3) The Central Government may prescribe the procedure for the purpose of ascertaining whether electronic signature is that of the person by whom it is purported to have been affixed or authenticated.

(4) The Central Government may, by notification in the Official Gazette, add to or omit any electronic signature or electronic authentication technique and the procedure for affixing such signature from the second schedule;

Provided that no electronic signature or authentication technique shall be specified in the Second Schedule unless such signature or technique is reliable.

(5) Every notification issued under sub-section (4) shall be laid before each House of Parliament.]

[8] http://www.arx.com/learn/about-digital-signature/digital-signature-faq/ 12.2.2016 at 12:20 PM.

[9] https://en.wikipedia.org/wiki/Electronic_signature

[10] The Information Technology Act, 2000

[11] The Information Technology Act, 2000.

Sub-sections (2) and (3) advocate the subscription of an electronic signature to authenticate any electronic record by adopting a reliable electronic authentication technique. As with the digital signature, the emphasis is on the creation and verification of the electronic signature: the signer creates the electronic signature and the recipient verifies it.

Sub-sections (3) to (5) provide that the onus is on the Central Government to prescribe procedures to authenticate the signer of the electronic record and also to add or omit any electronic signature or electronic authentication technique.[12]

The UNCITRAL Model Law on Electronic Signatures 2001 provides a specific legal framework for matters related to electronic signatures. In 2002, the United Nations General Assembly gave its consent to the Model Law on Electronic Signatures. At the outset the Model Law makes it clear that there shall be no discrimination between a handwritten signature and an electronic signature. The Model Law for electronic signatures seeks the development of all forms of electronic signatures, including digital signatures. Digital signatures are one of the many devices used under electronic signatures. The statement of purpose of the UNCITRAL Model Law on Electronic Signatures 2001 contains the following passage, which signifies the importance of electronic signatures:

“The increased use of electronic authentication techniques as substitutes for handwritten signatures and other traditional authentication procedures has suggested the need for a specific legal framework to reduce uncertainty as to the legal effect that may result from the use of such modern techniques (which may be referred to generally as “electronic signatures”). The risk that diverging legislative approaches be taken in various countries with respect to electronic signatures calls for uniform legislative provisions to establish the basic rules of what is inherently an international phenomenon, where legal harmony as well as technical interoperability is a desirable objective.”

Section 15 - An electronic signature shall be secure if:

a) the signature creation data, at the time of affixation, was under the exclusive control of the signatory and no other person; and

b) the signature creation data was stored and affixed in such exclusive manner as is prescribed.

[12] Supra Note 1 at 45.


S. 14 provides that where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from that point of time to the time of verification.

An example: some sites provide a box where you put your signature to express your agreement to a contract, and they ask for your email id for authentication purposes. They then copy your signature from there, put it on a contract and email you the contract; through email you validate the transaction and so enter into a contract. This is another example of an electronic signature.[13]

The Certifying Authorities under s. 35 are empowered to issue Electronic Signature Certificates as well as digital certificates. The signatory has to make an application to the Certifying Authority along with the prescribed fee, accompanied by a certificate practice statement. The Controller, appointed by the Central Government, is in charge of appointing the Certifying Authority on an application made in that regard. After receiving the application the Certifying Authority makes enquiries and grants the Electronic Signature Certificate. If it rejects the application, it should record its reasons in writing. No application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection. Further, an individual, HUF, company, partnership firm, AOP, local authority and government organization or agency could become a subscriber.

If a person publishes an Electronic Signature Certificate that is false in certain particulars, such person shall be punished with imprisonment up to two years and/or a fine up to Rs. 1000/-. Specifically, a person will be subject to the foregoing punishment if they publish an Electronic Signature Certificate or otherwise make it available to any other person with the knowledge that:

a) the certifying authority listed in the certificate has not issued it, or

b) the subscriber listed in the certificate has not accepted it, or

c) the certificate has been revoked or suspended,

unless such publication is for the purpose of verifying an electronic signature created prior to such suspension or revocation.

[13] Ratan Jyoti, Cyber Law & Information Technology, Bharat Law House Pvt. Ltd., New Delhi, 2012, p. 88

Difference between DSC & ESC

Sr. No. 1
Electronic Signature: It is a wider term which includes digital signatures also.
Digital Signature: It is a special type of electronic signature which involves specific technology and provides greater assurance of a document’s authenticity and integrity than other forms of electronic signature.

Sr. No. 2
Electronic Signature: It is technology neutral.
Digital Signature: It is technology specific.

Sr. No. 3
Electronic Signature: Various methods could be adopted to affix an electronic signature. For example:
• A name typed at the end of an e-mail by the sender
• A secret code or PIN to identify the sender.
Digital Signature: It involves the use of asymmetric cryptography (public key) to affix the signature, where the private key encrypts the electronic record to convert it into an illegible form, which provides greater assurance of a document’s authenticity and integrity than any other form of electronic signature.

Sr. No. 4
Electronic Signature: Verifying an electronic signature does require the same name, number, code, sound or fingerprint or any technique used as the electronic signature by the sender.
Digital Signature: It can be verified by anyone by using the public key of the subscriber without the need for proprietary verification software.
