Electronic transactions are fast emerging as an alternative to paper-based transactions. However, with the increase in transactions taking place on the internet, the issue of authenticity and veracity has loomed large: contracts worth huge sums of money were being entered into without ensuring the validity and authenticity of the parties.
Traditionally, handwritten signatures have been used for the following purposes:
a) To identify a person: by signing, the signatory marks the text in his/her own unique way and makes it attributable to him/her.
b) To validate the personal involvement of the person in the act of signing.
c) To associate the signer with the content of the document, or as proof of the signer's intention that it have legal effect.
d) To attest to the intent of a party to be bound by the signed contract.
e) To show the intent of a person to endorse authorship of a text.
f) To show the intent of a person to associate himself with the content of a document written by someone else.
g) As a matter of ceremony: signing calls the signer's attention to the legal significance of his act.
h) To provide efficiency and logistics along with clarity.
Similarly, a need was felt for an instrument that would validate online transactions. Using the technology of cryptography, the concept of Digital Signatures was introduced. The UNCITRAL Model Law on E-Commerce is based on the recognition of the functions of a signature in paper form. It focuses on the two basic functions of a digital signature, namely:
The primary benefit of public key cryptography is that it allows people who have no pre-existing security arrangement to exchange messages securely. The need for sender and receiver to share secret keys via some secure channel is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared. Digital signatures are one use of public key cryptography. They are signatures used for marking or signing an electronic document. The process is analogous to paper-based signatures: a digital signature is a digital code, attached to an electronically transmitted message, that identifies the sender (more precisely, the holder of the signing private key) and makes any subsequent alteration of the document detectable.
As is the case with Electronic Data Interchange (EDI), the process of creating and
verifying digital signatures can be completely automated with minimal human
interaction. Compared to the tedious and labour-intensive paper methods such as
checking specimen signature cards, digital signatures yield a high degree of
assurance without adding greatly to the resources required for processing
documents.
[Figure: the signer transforms the message with the private key and sends message and signature to the verifier; the verifier applies the public key and obtains VALID yes/no.]
A digital signature serves the same purpose as a handwritten signature. However, a handwritten signature is easy to counterfeit. A digital signature is superior to a handwritten signature in that it is computationally infeasible to counterfeit so long as the private key remains secret and the algorithm and key size are sound, and it attests to the contents of the information as well as to the identity of the signer.
The advantages of digital signatures are:
a) Uniqueness
b) Inability to forge
c) Ease of authentication
d) Impossibility of denial
e) Economy of generation
f) Ease of generation
Signer authentication: If a public and private key pair is associated with an identified signer, the digital signature attributes the message to the signer. The signature must indicate by whom the document or message is signed and must be difficult for any other person to produce without authorization.
Document authentication: The digital signature identifies the signed message with much greater certainty and precision than paper signatures, since it is computed over the entire content and fails to verify if even a single bit is changed. The signature must support a non-repudiation service, which provides proof of the origin or delivery of data in order to protect the recipient against false denial by the sender that the data was sent, and the sender against false denial by the recipient that it was received.
Affirmative act: Serving the ceremonial and approval functions of a signature, a person should be able to create a signature to mark the event, indicate approval and authorization, and establish legal consequences.
Efficiency: Generally, a signature must be able to provide the best possible authenticity and validity at the least possible expense.
From the above discussion we can conclude that digital signatures are signatures used to authenticate and validate electronic transactions on the internet through the use of cryptographic technology.
The same plaintext encrypts to different ciphertext under different keys. The security of encrypted data depends entirely on two things: the strength of the cryptographic algorithm and the secrecy of the key. Cryptography further includes encryption and decryption techniques. In public key cryptography two keys are involved, a public key and a private key. Each user has a pair of keys, of which the private key is kept secret and the public key is made open to all. If X wants to send a confidential message to Y, X encrypts the message with Y's public key and sends it to Y; only Y, who holds the corresponding private key, can decrypt it. Encryption to Y's public key on its own serves only the first of the purposes below (the message is hidden from everyone but Y). The remaining purposes are served by X's digital signature, created with X's private key and verified with X's public key; in practice a message is signed and then encrypted so that all of the following are achieved:
a) protecting the information content;
b) establishing the authenticity of the sending party;
c) preventing undetected modification of the message;
d) preventing repudiation;
e) preventing unauthorized use.
In 1977, a year after the publication of the Diffie-Hellman paper, three researchers at MIT developed a practical method using the suggested ideas. This became known as RSA, after the initials of the three developers, Ron Rivest, Adi Shamir and Leonard Adleman, and is probably the most widely used public key cryptosystem. It was patented in the US in 1983, duly adopted as a standard, and has always been widely available outside the US in implementations developed locally even though, until recently, its export was restricted. Diffie-Hellman and RSA, in addition to being the first publicly known examples of high quality public-key algorithms, have been among the most widely used. Others include the Cramer-Shoup cryptosystem and ElGamal encryption. A digital signature is a two-party process involving the signer, i.e. the creator of the digital signature, and the recipient, i.e. the verifier of the digital signature.
Creating a digital signature involves the following steps:
a) The signer demarcates what is to be signed, which is termed the message.
b) A hash function computes a fixed-length hash result that is, for practical purposes, unique to the message: any change to the message yields a different hash result, and finding two messages with the same hash result is computationally infeasible for a sound hash function.
c) The signer's software transforms the hash result into a digital signature using the signer's private key (often loosely described as "encrypting" the hash). The resulting digital signature is thus unique to both the message and the private key used to create it.
d) The digital signature is attached to the message and stored or transmitted with its message.
Verifying a digital signature involves the following steps:
a) The recipient receives the digital signature and the message.
b) The recipient applies the signer's public key to the digital signature.
c) The recipient recovers the hash result, or message digest, from the digital signature.
d) The recipient computes a new hash result from the received message with the same hash function used by the signer.
e) The two hash results are compared. If they are identical, the message is unaltered and was signed with the private key corresponding to that public key. If they differ, either the message was altered or the signature was created with a different key (or both); the verifier cannot tell which.
Digital signatures are a means to ensure the validity of electronic transactions; however, who guarantees that such signatures are indeed valid and not false? For the keys to be secure, the parties must have a high degree of confidence in the public and private keys issued. The user must have confidence in the skill, knowledge and security arrangements of the parties issuing the public and private keys. This brings in the role of trusted third parties (TTPs) or certifying authorities (CAs), which help in establishing what is known as a public key infrastructure. A public key infrastructure helps to provide confidence that:
a) a user's public key has not been tampered with and corresponds to the user's private key;
b) the entities issuing cryptographic keys can be trusted to retain or recreate the public and private keys that may be used for confidentiality encryption, where the use of such a technique is authorized.
There is often the possibility of what is referred to as a man-in-the-middle attack: an attacker substitutes a false public key for the genuine one, so that the sender unknowingly encrypts to the attacker's key; the attacker intercepts the message, decrypts it with his own private key, alters it if he wishes, re-encrypts it to the genuine key and forwards it, and neither party notices. In a public key environment it is therefore vital that you are assured that the public key to which you are encrypting data is in fact the public key of the intended recipient and not a forgery. Without further assurance one can safely encrypt only to keys that have been physically handed over by their holders. Where the other party is completely unknown or has never been met, a trustworthy authority must step in. The purpose of a trusted third party is to associate, with the help of a certificate, a prospective signer with a key pair. The certificate that binds the key to a particular holder is referred to as a digital signature certificate. Certifying authorities issue certificates in classes. Class I certificates are issued to individuals, business and government organizations, primarily for web browsing and personal e-mail. Class II certificates may be issued to individuals belonging to business and government organizations that are ready to assume the responsibility of verifying the accuracy of information submitted to the individual; they are used primarily for organizations' functional and administrative needs. Class III certificates may be issued to both individuals and organizations, and are used primarily for e-commerce applications such as electronic banking, EDI and membership-based on-line services.
Section 21 of the Act provides that a license to issue electronic signature certificates is to be applied for to the Controller of Certifying Authorities. The license, once granted, shall be non-transferable and non-heritable. Every application for the issue of a license shall be in the form prescribed by the government. Section 22(2) provides that every application for the issue of a license shall be accompanied by:
a) a certification practice statement;
b) a statement including the procedures with respect to identification of the applicant;
c) payment of such fee, not exceeding Rs 25,000, as may be prescribed by the central government.
The Act also lays down the procedure for the grant or rejection of a license as well as for the renewal of a license.
It must be noted here that the application for a licensed certifying authority shall be made in the prescribed format provided under Rule 10 of the Information Technology (Certifying Authorities) Rules, 2000. The application for the grant of a license shall be accompanied by a non-refundable fee of Rs 25,000, provided under Rule 11 of the Rules.
The Act prescribes that every Certifying Authority must follow certain procedures:
a) make use of hardware, software and procedures that are secure from intrusion or misuse;
b) provide a reasonable level of reliability in its services;
c) adhere to security procedures to ensure that the secrecy and privacy of electronic signatures are assured;
d) be the repository of all electronic signature certificates issued under the Act;
e) publish information regarding its practices, electronic signature certificates and the current status of such certificates.
Section 35 provides for the Certifying Authority to issue electronic signature certificates. A Certifying Authority, while issuing a digital signature certificate, shall certify, amongst other things, that the subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate; that the subscriber holds a private key which is capable of creating a digital signature; that the public key listed in the certificate can be used to verify a digital signature affixed by the private key held by the subscriber; that the subscriber's public key and private key constitute a functioning pair; and that the information contained in the certificate is accurate.
Sections 37 and 38 prescribe the conditions under which a digital signature certificate may be suspended or revoked. Section 39 provides that where a digital signature certificate has been suspended or revoked, notice of the suspension or revocation shall be published.
Chapter VIII provides for the duties of subscribers, which include the generation of a key pair (section 40), acceptance of the digital signature certificate (section 41), and exercising reasonable care to retain control of the private key corresponding to the public key listed in the digital signature certificate and taking steps to prevent its disclosure (section 42); if that private key has been compromised, the subscriber shall communicate the same to the Certifying Authority without delay.
The central government, under section 87 of the Act, has the power to make rules, and consequently the Information Technology (Certifying Authorities) Rules, 2000 were framed. Rule 3 provides that a digital signature shall be created and verified by cryptography, which concerns itself with transforming an electronic record into a seemingly unintelligible form and back again; it shall use public key cryptography and a hash function as necessary for creating and verifying a digital signature. Rule 4 provides the procedure for the creation of a digital signature: the signer's software applies the hash function, which computes a hash result of standard length that is unique to the electronic record; the signer's software then transforms the hash result into a digital signature using the signer's private key; the resulting digital signature is unique to both the electronic record and the private key used to create it; and the digital signature is attached to its electronic record and stored or transmitted with it.
Rule 5 provides for the verification of the digital signature, the process being the same as discussed previously. Rule 8 prescribes the persons who may apply for the grant of a license to issue digital signature certificates. Rules 13 to 17 provide for the validity, suspension, renewal, issuance and refusal of a license. Rule 23 provides for compliances by Certifying Authorities in addition to the requirements under section 35 of the Act:
(a) The Digital Signature Certificate shall be issued only after a Digital Signature Certificate application in the form provided by the Certifying Authority has been submitted by the subscriber to the Certifying Authority and the same has been approved by it, provided that the application form contains the particulars given in the form in Schedule IV;
(b) no interim Digital Signature Certificate shall be issued;
(c) the Digital Signature Certificate shall be generated by the Certifying Authority upon receipt of an authorised and validated request for:
a. new Digital Signature Certificates;
b. Digital Signature Certificate renewal;
(d) the Digital Signature Certificate must contain or incorporate, by reference, such information as is sufficient to locate or identify one or more repositories in which revocation or suspension of the Digital Signature Certificate will be listed, if the Digital Signature Certificate is suspended or revoked;
(e) the subscriber identity verification method employed for issuance of a Digital Signature Certificate shall be specified in the Certification Practice Statement and shall be subject to the approval of the Controller during the application for a licence;
(f) where a Digital Signature Certificate is issued to a person (referred to in this clause as a New Digital Signature Certificate) on the basis of another valid Digital Signature Certificate held by the said person (referred to in this clause as an Originating Digital Signature Certificate) and subsequently the Originating Digital Signature Certificate has been suspended or revoked, the Certifying Authority that issued the New Digital Signature Certificate shall conduct investigations to determine whether it is necessary to suspend or revoke the New Digital Signature Certificate;
(g) the Certifying Authority shall provide a reasonable opportunity for the subscriber to verify the contents of the Digital Signature Certificate before it is accepted;
(h) if the subscriber accepts the issued Digital Signature Certificate, the Certifying Authority shall publish a signed copy of the Digital Signature Certificate in a repository;
(i) where the Digital Signature Certificate has been issued by the licensed Certifying Authority and accepted by the subscriber, and the Certifying Authority comes to know of any fact, or otherwise, that affects the validity or reliability of such Digital Signature Certificate, it shall notify the same to the subscriber immediately;
(j) all Digital Signature Certificates shall be issued with a designated expiry date.
Rule 25 provides that before issuing a digital signature certificate the Certifying Authority shall confirm that the user's name does not appear in the list of compromised users, comply with all privacy statements, and obtain the consent of the person requesting the digital signature certificate that its details may be published on a directory service. Rule 26 prescribes that all digital signature certificates shall have a designated expiry date, after which the certificate shall expire and shall not be re-used.
The primary legislation that deals with digital signatures is the Information Technology Act, 2000. The Act was amended in 2008 but, at the time of writing, the amendment is yet to be notified. In many places the words "digital signature" have been replaced with "electronic signature", primarily to make the system technology neutral rather than technology specific. The shortcoming prevalent in the unamended Act, and widely criticized, was that it referred specifically to the asymmetric cryptosystem for digital signatures, so that any other means of authentication that did not use this technology was not recognized under the Act.
Section 73 of the Act provides the penalty for publication of a false electronic signature certificate: no person shall publish an electronic signature certificate or otherwise make it available to any other person with the knowledge that the certifying authority listed in the certificate has not issued it, or that the subscriber listed in the certificate has not accepted it, or that the certificate has been revoked or suspended, unless such publication is for the purpose of verifying an electronic signature created prior to such suspension or revocation. Contravention of this section is punishable with imprisonment of up to two years, or a fine of up to Rs 1 lakh, or both.
The definition of "evidence" in Section 3 of the Indian Evidence Act, 1872, which previously covered only documents produced for the inspection of the court, was amended by the IT Act to include electronic records produced for the inspection of the court. This implies that audio, video, data, text or multimedia files generated, stored, received or sent in electronic form, or on microfilm or computer-generated microfiche, can be produced for the inspection of the court, and such electronic records are treated as documentary evidence under the Indian Evidence Act, 1872.
Section 17 of the Indian Evidence Act, as amended, reads that an admission is a statement, oral or documentary or contained in electronic form, which suggests any inference as to any fact in issue or relevant fact, and which is made by any of the persons and under the circumstances hereinafter mentioned. This has led to the admissibility of evidence produced through electronic media, video conferencing, etc.
Section 73A of the Indian Evidence Act provides for proof as to the verification of digital signatures: the court may direct the Certifying Authority or the person in question to produce the Digital Signature Certificate. It may also direct any other person to apply the public key listed in the digital signature certificate and verify the digital signature purported to have been affixed by that person.
Section 85C of the Indian Evidence Act provides that the court shall presume, unless the contrary is proved, that the information listed in a digital signature certificate is correct, if the certificate was accepted by the subscriber; the presumption extends only to the information that has been verified and not to subscriber information that has not been verified.
With the growth of technology the use of the internet has gone through serious changes. Transactions of all kinds are carried out on the internet, which is used as the most efficient and trouble-free mode of conducting business, be it tax returns, patent filing or electronic banking; almost all transactions that took hours to complete manually can now be completed with a click in minimal time. However, as online transactions increase, the issue of authenticity has also become a factor to consider. Keeping this in mind, the concept of digital signatures was introduced in India. The concept was initially not very well accepted in the industry; however, with the increase in the number of transactions performed on the internet, the laws have been liberalized a little to admit these instruments for almost all kinds of transactions. Though a welcome step to encourage electronic commerce while ensuring authenticity, it presents certain issues, which are as follows:
1. A digital signature is essentially a technology-specific instrument which, because of its technical complexities, has not been well received in the industry. The recent amendments to the Information Technology Act have substituted the words "electronic signature" for "digital signature". The attempt is to make the Act more technology neutral, treating digital signatures as one class of electronic signatures. However, an absurdity in the Act can be seen in the fact that the words "electronic signature" have not been substituted evenly throughout the Act.
2. As there has been an increase in the use of digital signatures, the need of the hour is to educate people and impart awareness regarding the use of digital signatures.
3. Verification of digital signatures is an important procedure for establishing evidence in a court of law. The procedure is again technically very complex, and a process that is more flexible and more easily understood should be adopted.
4. A concern that may creep up with the passage of time is over-dependence on digital signatures as the means to authenticate and validate electronic transactions, and the question whether we have any other means of authenticating electronic transactions. The reason for this concern, apart from digital signatures being technology specific, is that they are expensive in terms of establishing and utilizing certifying authorities.
As has always been the case with technology, it is extremely difficult to prepare a regulatory framework that aptly corresponds to changes in technology. In the case of digital signatures, the recent amendments must be lauded for making changes that lessen the technical complexities and encourage the use of digital signatures in carrying out electronic transactions.