
DIGITAL SIGNATURES

TABLE OF CONTENTS
1. Background
2. What are Digital Signatures (DS)
3. Use of electronic signatures
4. DS V/s handwritten signature
5. Ensuring authorisation in DS
6. How it works
6.1 For individuals
6.2 Digital certificates for machines
7. Classes of Digital Signatures
8. The components of a digital signature
9. Benefits of DS
10. IT Act 2000
11. Current business applications of DS

1. Background

For centuries, a document was considered authentic only if it carried the signatures of the authorised person, and paper was the most common medium to carry the signature. In the information technology age, paper is slowly disappearing and business transactions are being executed electronically. The Digital Signature (DS) has been accorded legal sanctity in many countries, including India, by special legislation. Digital signatures have been confused with electronic signatures. Electronic signatures are scanned copies of a physical written signature.

2. What are Digital Signatures (DS)

A DS functions for electronic documents like a handwritten signature does for printed documents. A DS is a signature in electronic form attached to an electronic record. It is a tool for message origination, authentication and non-repudiation that affixes a coded message to the document, data or messages and guarantees the identity of the sender. DS have been in use for quite a while to authenticate various e-commerce and m-commerce transactions. Today, the processes of creating and verifying a digital signature provide a high level of assurance to the involved parties that the e-signature is genuinely the signer's, and that the electronic document (or the e-contract) is authentic. A DS actually provides a greater degree of security than a handwritten signature. The recipient of a digitally signed message can verify both that the message originated from the person whose signature is attached and that the message has not been altered, either intentionally or accidentally, since it was signed. Furthermore, secure DSs cannot be repudiated; the signer of a document cannot later disown it by claiming the signature was forged.

3. Use of electronic signatures

It is executed or adopted by a person with intent to sign the record. A DS:
- identifies the origin of the message
- ensures the integrity of the message
- verifies the identity of the sender
- authenticates that identity

4. DS V/s handwritten signature

DS is generically the electronic equivalent of the handwritten signature. In India, the Information Technology Act 2000 considers a DS as a personalised thumb print. It defines it to mean authentication of an electronic record by a person in whose name the DS certificate is issued by means of an electronic method.

5. Ensuring authorisation in DS

Authentication is ensured through encryption (the process of converting normal text to a coded message), decryption (the process of converting the coded text to its original plain text form) and signature certification. DS certificates are essential for establishing whether the authorisation is from the purported owner.


6. How it works

Digital signatures are nothing but a cryptographic (encrypted) signature assurance scheme that lets both parties (sender and receiver) trust an electronic document and treat it as valid and tamper-proof as long as the said document stays in an electronic format. According to ISO/IEC 7498-2, a digital signature is defined as data appended to, or a cryptographic transformation of, a data unit that allows the recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.

6.1 For individuals

A digital signature involves two components: the public key and the private key. The sender signs a document using his private key, which ensures the document's safety in transit, as the text is encrypted and only the sender has access to his private key. Therefore, by signing a document with it, he authenticates that it has originated with him and has not been tampered with en route. The recipient of this document uses the sender's public key to authenticate the encrypted document and to decrypt it into a readable text format.

There are several ways to authenticate a person or the information on a computer. Some of them are password, checksum, CRC (cyclic redundancy check), private key encryption, public key encryption and digital certificate.
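The signing and verification steps of section 6.1, as an added Go example that is not part of the original document. ECDSA P-256 over a SHA-256 hash is this example's choice of scheme, and the sample payment text is constructed; in this scheme the document travels in the clear next to its signature, and verification fails if either the document or the key does not match.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signed is a document sent together with its signature. In this example the
// document itself travels in the clear; the signature proves origin and integrity.
type Signed struct {
	Document  []byte
	Signature []byte
}

// Sign hashes the document with SHA-256 and signs the hash with the sender's
// private key (ECDSA P-256 is this example's choice of scheme).
func Sign(priv *ecdsa.PrivateKey, doc []byte) (Signed, error) {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Signed{Document: doc, Signature: sig}, err
}

// Verify recomputes the hash and checks the signature with the sender's public
// key. It fails if the document was altered or a different key signed it.
func Verify(pub *ecdsa.PublicKey, s Signed) bool {
	digest := sha256.Sum256(s.Document)
	return ecdsa.VerifyASN1(pub, digest[:], s.Signature)
}

// newKey generates a key pair; the private half never leaves the signer.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

func main() {
	sender, other := newKey(), newKey()
	msg, _ := Sign(sender, []byte("Transfer 5,000 to account 1234")) // constructed sample
	altered := Signed{Document: []byte("Transfer 50,000 to account 1234"), Signature: msg.Signature}
	fmt.Println("genuine:", Verify(&sender.PublicKey, msg))
	fmt.Println("altered document:", Verify(&sender.PublicKey, altered))
	fmt.Println("wrong public key:", Verify(&other.PublicKey, msg))
}
```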

6.2 Digital certificates for machines

It's not just individuals who need to be authenticated. Servers need to prove their credentials too. That's where a Digital Certificate (DC) comes into the picture, ensuring that the information sent to and received from a Web server is authentic, and that the Web server in question can be trusted. A DC essentially consists of a public key certification information, with information of the user such as name and ID. DS uses a pair of mathematically related signing keys (the private key), known only to the person signing. It can be trusted since it is verified by an independent source known as a Certificate Authority. The role of the certificate authority is to ensure that the system on either side can be trusted.

A Certification Authority (CA) issues certificates and stands responsible for them. The CA signs these certificates. This enables users to know which CA created each certificate. The signature also ensures that a third party has not altered or corrupted the certificate at any point of time.

In India, the Indian IT Act authorises the Controller of Certifying Authorities (CCA) to license and regulate the working of CAs, who, in turn, issue digital signature certificates for electronic authentication of users. Some of the organisations acting as licensed CAs are the National Informatics Centre, Customs and Central Excise, Institute for Development & Research in Banking Technology, SafeScrypt, Tata Consultancy Services, MTNL and (n)Code Solutions. It is the responsibility of the CCA to certify the public keys of CAs using its own private key. This enables users in cyberspace to verify that a given certificate is issued by a licensed CA. The Root Certifying Authority of India (RCAI) is the CCA for India. The CCA maintains the National Repository of Digital Certificates (NRDC). This repository contains all the certificates issued by all the CAs in the country.

7. Classes of Digital Signatures

The digital certificate usually contains data such as the owner's name, company and address, as well as the owner's public key, along with the certificate's serial number and validity period. The certificate also includes the certifying company's ID and its digital signature. There are three distinct classes ("Classes") of Certificates: Classes 1, 2, and 3. Each class of Certificates provides specific functionality and security features and corresponds to a specific level of trust.

Class 1: These certificates are issued to individuals with a valid e-mail address. These certificates do not hold any legal validity, as the validation process is based only on a valid e-mail ID and involves no direct verification. Class 1 validation procedures are based on the assurance that the subscriber's Distinguished Name (DN) is unique and unambiguous within the CA's Repository and that the e-mail address in the DN is associated with the Public Key in the Certificate. Class 1 Certificates are appropriate for Digital Signatures, encryption, and electronic access control for non-commercial transactions where proof of identity is not required.

Class 2: Class 2 Certificates are issued to Individuals and Devices. This category states that a person's identity is to be verified against a trusted, pre-verified database. Class 2 validation procedures are based on the assurance that the subscriber's Distinguished Name (DN) is unique and unambiguous within the CA's Repository and that the identity of the Subscriber, based on information provided by the Subscriber in the Certificate Application, does not conflict with the information in a CA's approved and well recognized business or consumer database(s) (Validating Database). Class 2 Individual Certificates are appropriate for Digital Signatures, encryption, and electronic access control in transactions where proof of identity based on information in the Validating Database is sufficient. Class 2 Device Certificates are appropriate for device authentication; message, software, and content integrity; and confidentiality encryption.

Class 3: Class 3 requires that the person present himself or herself in front of a Registration Authority (RA) and prove his/her identity. Class 3 Certificates are issued to Individuals, Organizations, Servers & Devices. The validation procedures for Class 3 Certificates issued to Individuals are based on the personal (physical) presence of the Subscriber before a CA's authorized person, who confirms the identity of the Subscriber using a well-recognized form of government-issued identification and one other identification credential.
The validation procedures for Class 3 Certificates issued to Organizations are based on a confirmation that the Subscriber Organization does in fact exist, that the organization has authorized the Certificate Application, and that the person submitting the Certificate Application on behalf of the Subscriber was authorized to do so. Class 3 Individual Certificates are appropriate for Digital Signatures, encryption, and access control in transactions requiring a high assurance about the Subscriber's identity. Class 3 Server Certificates are appropriate for server authentication; message, software, and content integrity; and confidentiality encryption.

8. The components of a digital signature

- Public key: This is the part that anyone can get a copy of and is part of the verification system.
- Name and e-mail address: This is necessary for contact information purposes and to enable the viewer to identify the details.
- Expiration date of the public key: This part of the signature is used to set a shelf life and to ensure that in the event of prolonged abuse of a signature eventually the signature is reset.
- Name of the company: This section identifies the company that the signature belongs to.
- Serial number of the Digital ID: This part is a unique number that is bundled to the signature for tracking and extra identification reasons.
- Digital signature of the CA (Certification Authority): This is a signature that is issued by the authority that issues the certificates.

9. Benefits of DS

DS may be applied to any kind of message. These messages can be anything from electronic mail to a contract, or even a message sent in a more complicated cryptographic protocol (an abstract or concrete protocol that performs a security-related function and applies cryptographic methods). Following are the key benefits of adopting the DS:
- Possible to hold and handle voluminous electronic records in a much easier manner
- Easy retrievability of documents
- Provides access on the move through BlackBerries & removes delay associated with paper work
- The non-feasibility of the duplication of well designed and managed private keys reduces the possibility of fraud.
- DS ensure the integrity of the transmitted documents and provide the source of the document.

10. IT Act 2000

The Indian Information Technology Act 2000 (Act) came into effect from October 17, 2000. The Act is by and large based on the United Nations Commission on International Trade Law (UNCITRAL) model law on electronic commerce. The objective of the Act is to provide for legal recognition of electronic transactions and digital signatures. Section 5 of the Act gives legal recognition to digital signatures. Digital signatures have been legalised in India since 2000. However, since then, hardly any provisions of the Act have been implemented, except for the appointment of the Certifying Authority, which took place in 2001.

11. Current business applications of DS

At the moment, applications of digital signatures are limited to sectors such as banking and financial services, online stock-trading portals, and engineering conglomerates, for applications related to the authorisation of online fund transfers, certifications, statements & authentication of critical engineering drawings and documents.


