Digital Signatures

Subject - Cyber Laws & Rights
M. tech. 3rd Sem., ISM.
By: Prashant Kr. Vats,
M.tech., Ph.D.
INDIRA GANDHI DELHI TECHNICAL UNIVERSITY
FOR WOMEN

Digital Signatures
• Points we will study
• First What are Electronic Signatures
• Regarding Electronic Signatures, What are they, When They are used, What
are their Benefits, What are various fields into which Electronic Signatures
are used
• Legal Recognition of electronic signatures as per Indian IT Act 2000
• Legal Recognition of electronic signatures in other Countries
• Then We will study in this presentation that what are Digital Signatures
• How they are different from Electronic Signatures
• Characteristics of Digital Signatures,
• Advantages of Digital Signatures
• Different Methods of Digital Signatures – Public key and Private Key
• How we can digitally sign any document
• Legal Recognitions of Digital Signatures as per Indian IT Act 2000
• Role of Certifying Authorities
• Controller of Certifying Authorities (CCA).
• Duties of CCA
• In last we will study about some cases related to Digital Signatures

Security Issues in Internet Based E-Commerce
• Security is an essential part of any transaction that takes place over the
internet. Customers will lose his/her faith in e-business if its security is
compromised. Following are the essential requirements for safe e-
payments/transactions −
• Confidentiality − Information should not be accessible to an unauthorized
person. It should not be intercepted during the transmission.
• Integrity − Information should not be altered during its transmission over
the network.
• Availability − Information should be available wherever and whenever
required within a time limit specified.
• Authenticity − There should be a mechanism to authenticate a user before
giving him/her an access to the required information.
• Non-Repudiability − It is the protection against the denial of order or
denial of payment. Once a sender sends a message, the sender should not
be able to deny sending the message. Similarly, the recipient of message
should not be able to deny the receipt.
• Encryption − Information should be encrypted and decrypted only by an
authorized user.
• Auditability − Data should be recorded in such a way that it can be audited
for integrity requirements.

Electronic Signatures
• Symbols or other data in digital form attached
to an electronically transmitted document as
verification of the sender’s intent to sign the
document.

Electronic Signatures
• An e-signature or electronic signature, is a legal way to get
consent or approval on electronic documents or forms.
• It can replace a handwritten signature in virtually any process.
• An electronic signature is intended to provide a secure and
accurate identification method for the signatory to provide a
seamless transaction.
• According to current U.S. legislation and the Electronic
Signature & Records Association (ESRA), eSignatures are
defined as:
• “an electronic sound, symbol or process that is attached to or
logically associated with a record and executed or adopted by a
person with the intent to sign the record.”
• The versatility of its definition—sound, symbol or process—
allows eSignature vendors like AssureSign, Adobe to offer
multiple solutions with the capacity to capture an electronic
signature by way of voice, computer, or even a mobile device.

Where Electronic Signatures are being Used
• Let’s take a look at some of the frequent instances where e-signs can be applied,
especially in the business world.
• Vendor/supplier agreements - Businesses, especially SMEs, are usually
disadvantaged when it comes to negotiating with vendors; thus, it is essential for
managers to be in a position to lock-in the terms and prices immediately when an
agreement is reached. When managers or business owners sign documents online,
they get to finalize any deal they have with their vendors within minutes, hence
capitalizing on the earlier mentioned benefit.
• Sales contracts - When managers esign documents, they are guaranteed of closing
more deals faster. For many organizations, sales contracts are the most regularly
signed documents – and most vital. Whether it’s business-to-consumer (B2C) or
business-to-business (B2B) sales agreements, e-signatures can come in handy.
• Customer approvals -For businesses that deal with custom-made goods, that final
approval prior to manufacturing is very important. E-signs help you capture and
store approvals securely, and with ease, so you can move on quickly to completing
the order.
• Employee on-boarding
• There is a plethora of paperwork linked to hiring a new employee. Employment offer
letters, background check consent, performance appraisal letters, contact forms,
employee handbooks … the list is endless. All those forms can be executed quickly
and securely via electronic signatures.

Where Electronic Signatures are being Used
• Let’s take a look at some of the frequent instances where e-signs can be applied,
especially in the business world.
• Intellectual property licensing and other standard legal agreements
• Since e-signatures are legally binding and admissible even in courts, they are perfect
for common legal agreements, such as intellectual property licensing and NDAs.
• Secure online banking
• Using e-signatures guarantees a reasonable level of security, which is of utmost
significance when it comes to your money. Financial institutions prefer the use of e-
sign technology, as it minimizes the possibility of manipulation of transaction
records to the most significant extent.
• Filing tax returns
• You can use electronic signatures to ease the demanding process of filing tax
returns. In fact, The Internal Revenue Service (IRS) strongly encourages people and
businesses to file their returns electronically to get a faster refund. Electronic
signatures make the process so convenient and seamless that the number of returns
filed electronically in 2014 increased from 25, 000 to almost 100 million in 2017.
• E-signing legal documents
• Lawyers, investigators, attorneys, and other players in the legal industry, engage
with paperwork that relies on signatures on a daily basis. As a lawyer, when you e-
sign documents as opposed to signing them manually, you save a lot of time. This
saved time can be used to serve your clients and doing other vital duties.

Benefits of Electronic Signatures
• Understanding the Benefits of Electronic Signatures
• Before you can give serious consideration to the use of electronic signatures in your business, you
have to understand the benefits and advantages. Let's examine a few of the most notable ones:
• 1. Simple and Intuitive
• The biggest benefit of electronic signatures is that they're simple and easy to use. There are a number
of different online solutions, but we'll use eversign as an example. With their system, you upload a
document, declare signers and recipients, and deliver a secure link to the recipient. The recipient signs
the document and the process is complete. It's that easy! If you can open a link and click a button, you
can use electronic signatures.
• 2. High Level of Security
• Believe it or not, electronic signatures are safer and more secure than traditional paper documents.
Not only do they contain a signature, but they also contain traceable information on who signed the
document, when they signed it, and where they signed it. That's much stronger and more enforceable
than your average paper-based transaction.
• 3. Convenient
• We operate in a geographically dispersed business world. These days, even small, local businesses deal
with different suppliers, customers, and partners in various cities, states, and countries. Electronic
signatures allow for remote authentication, which makes it a much more convenient solution than the
alternative of mailing and/or printing and scanning.
• 4. Faster Turnaround
• The convenience of electronic signatures means there's a much faster turnaround. Instead of sending
a document to one party, getting them to print, sign, and scan it, sending it to the next party, and
repeating the process down the line, everyone can sign off within seconds. This faster turnaround
gives businesses greater versatility in time-sensitive situations.
• 5. Lower Cost
• Finally, electronic signatures are more cost-effective than the traditional pen and paper method. Not
only do you save on paper, but you also save on postage, mailing supplies, and time (which is money).
Over the years, every little bit adds up.

Electronic Signature As per Indian IT Act 2000
• Sec. 3. Authentication of electronic records.–(1) Subject to the provisions of this
section any subscriber may authenticate an electronic record by affixing his digital
signature.
• (2) The authentication of the electronic record shall be effected by the use of
asymmetric crypto system and hash function which envelop and transform the
initial electronic record into another electronic record.
• Explanation.– For the purposes of this sub-section, ―
• hash function‖ means an algorithm mapping or translation of one sequence of bits
into another, generally smaller, set known as ―hash result‖ such that an electronic
record yields the same hash result every time the algorithm is executed with the
same electronic record as its input making it computationally infeasible–
• (a) to derive or reconstruct the original electronic record from the hash result
produced by the algorithm;
• (b) that two electronic records can produce the same hash result using the
algorithm.
• (3) Any person by the use of a public key of the subscriber can verify the electronic
record.
• (4) The private key and the public key are unique to the subscriber and constitute a
functioning key pair.
CHAPTER II
[DIGITAL SIGNATURE AND ELECTRONIC SIGNATURE]

• 3A. Electronic signature.—
• (1) Notwithstanding anything contained in section 3, but subject to the
provisions of sub-section
• (2), a subscriber may authenticate any electronic record by such
electronic signature or electronic authentication technique which—
• (a) is considered reliable; and
• (b) may be specified in the Second Schedule.
• (2) For the purposes of this section any electronic signature or electronic
authentication technique shall be considered reliable if—
• (a) the signature creation data or the authentication data are, within the
context in which they are used, linked to the signatory or, as the case
may be, the authenticator and to no other person;
• (b) the signature creation data or the authentication data were, at the
time of signing, under the control of the signatory or, as the case may be,
the authenticator and of no other person;
• (c) any alteration to the electronic signature made after affixing such
signature is detectable;
• (d) any alteration to the information made after its authentication by
electronic signature is detectable; and
• (e) it fulfils such other conditions which may be prescribed.

CHAPTER III
ELECTRONIC GOVERNANCE
• 4. Legal recognition of electronic records.— Where any law provides
that information or any other matter shall be in writing or in the
typewritten or printed form, then, notwithstanding anything contained
in such law, such requirement shall be deemed to have been satisfied if
such information or matter is–
• (a) rendered or made available in an electronic form; and
• (b) accessible so as to be usable for a subsequent reference.
• 5. Legal recognition of 1 [electronic signatures].— Where any law
provides that information or any other matter shall be authenticated
by affixing the signature or any document shall be signed or bear the
signature of any person, then, notwithstanding anything contained in
such law, such requirement shall be deemed to have been satisfied, if
such information or matter is authenticated by means of 1 [electronic
signature] affixed in such manner as may be prescribed by the Central
Government.
• Explanation.–For the purposes of this section, ―signed‖, with its
grammatical variations and cognate expressions, shall, with reference to
a person, mean affixing of his hand written signature or any mark on any
document and the expression ―signature‖ shall be construed
accordingly

• 6. Use of electronic records and 1 [electronic
signatures] in Government and its agencies.–(1)
Where any law provides for—
• (a) the filing of any form, application or any other
document with any office, authority, body or
agency owned or controlled by the appropriate
Government in a particular manner;
• (b) the issue or grant of any license, permit,
sanction or approval by whatever name called in
a particular manner;
• (c) the receipt or payment of money in a
particular manner,

• 10A. Validity of contracts formed through
electronic means.—
• Where in a contract formation, the
communication of proposals, the acceptance
of proposals, the revocation of proposals and
acceptances, as the case may be, are
expressed in electronic form or by means of
an electronic records, such contract shall not
be deemed to be unenforceable solely on the
ground that such electronic form or means
was used for that purpose.

CHAPTER V
SECURE ELECTRONIC RECORDS AND SECURE ELECTRONIC SIGNATURE
• 14. Secure electronic record.—Where any security procedure has
been applied to an electronic record at a specific point of time, then
such record shall he deemed to be a secure electronic record from
such point of time to the time of verification.
• 15. Secure electronic signature.—An electronic signature shall be
deemed to be a secure electronic signature if—
• (i) the signature creation data, at the time of affixing signature, was
under the exclusive control of signatory and no other person; and
• (ii) the signature creation data was stored and affixed in such
exclusive manner as may be prescribed.
• Explanation.–In case of digital signature, the ―signature creation
data‖ means the private key of the subscriber.
• 16. Security procedures and practices.—The Central Government
may, for the purposes of sections 14 and 15, prescribe the security
procedures and practices: Provided that in prescribing such security
procedures and practices, the Central Government shall have regard
to the commercial circumstances, nature of transactions and such
other related factors as it may consider appropriate.

Overview of electronic signature law and its legality in
India
• In India, eSignatures are given the same legal
status as handwritten signatures. In fact, India
has accepted electronic signatures as legally valid
since 2000, with the passage of the Information
Technology Act.
• Since then, the government of India has
promoted digital technologies for citizens and
businesses operating in India. This has led to a
rapid adoption of electronic signatures across
India.
• Today, electronic signatures can be used in India
in business settings and are legally admissible in
court.

Here is a brief overview of everything you need to know about
eSignature laws in India
• Can I use electronic signatures to do business in
India?
• Yes, eSignatures are legally valid for most business
contracts.
• Are electronic signatures court-admissible in India?
• Yes, eSignatures are legally valid to be used in court
settings.
• What is the legal model of an electronic signature in
India?
• A tiered model means that all electronic signatures are
fully admissible in court, while other eSignatures may
require additional proof to be validated.

Understanding India’s legal model
• India operates under a Common Law legal system, which means it’s
legal system closely mirrors the method used in the U.S. Over the
past two decades, India’s legal system has transitioned from being
mostly government-controlled to one that is heavily influenced by
the market.
• Common Law legal systems
• A Common Law system is based on legal precedents established by
the court system. It draws heavily from the judicial interpretation of
existing laws. This differs from Civil Law systems, which are based
heavily on a set of codified legal statutes.
• Here is an overview of how a Common Law system operates:
• Common Law refers to a body of unwritten laws based on
precedents established by court systems.
• It is often used in unique cases where there is no legal precedent
to decide the outcome.
• Lower courts may deviate from established precedent if they feel
it is outdated or doesn’t apply.

Electronic signature laws in India
• According to Indian law, contracts are considered legally
valid if two competent parties come to a verbal or written
agreement. But if they choose to conduct business
electronically, the contract is considered legally valid. This is
thanks to the Information Technology Act, which passed in
India in 2000.
• The Information Technology (IT) Act
• The IT Act states that contracts cannot be considered
invalid solely because they are conducted electronically.
The IT Act recognizes two types of legally valid signatures:
• An electronic signature that uses a combination of an
Aadhaar identity number and an electronic Know Your
Customer (eKYC) method. An Aadhaar identity number is a
12-digit that is given to citizens by the government of India.
EKYC services could include things like a PIN.
• A digital signature that is generated using an asymmetric
crypto-system and hash function. This means that the
signer obtains a digital certificate to verify the signature.

According to the IT Act, five factors must be met in
order for the eSignature to be considered valid:
• Electronic signatures must be linked to the person
signing the document. This could be in the form of a
government-issued digital ID.
• The signer must have control over the digital device at
the time of signing.
• Alterations to the document or signature must be
easily detectable after the document has been signed.
• An audit trail must demonstrate the steps taken during
the signing process.
• The signing certificate must be given by a Certifying
Authority (CA), as recognized under the IT Act.

Scenarios when eSignatures are
prohibited
• Electronic signatures are allowed in most
business settings but there are a few situations
where handwritten signatures may be required.
This includes:
• Promissory notes;
• Power of attorney;
• Wills;
• Trust deeds;
• Real estate sales or contracts;

What types of e-signatures are recognized under the IT Act?
• The IT Act recognizes two types of signatures:
• (1) E-signatures that combine an Aadhaar with an eKYC service
• Users with an Aadhaar ID, the unique identification number issued by the Indian
government to all Indian residents, are free to use an online e-signature service to
securely sign documents online. In this case, the online e-signature service integrates
with an Application Service Provider (ASP) to provide users with a mobile or web app
interface that they can interact with.
• The users then use this app interface to apply e-signatures to any online document by
authenticating their identity using an eKYC service such as OTP (one time passcode)
provided by an e-sign service provider. The online e-signature service works with an
accredited service provider to provide certificates and authentication services that
comply with government guidelines.
• (2) Digital signatures that are generated by an asymmetric crypto-system and hash
function
• An ‘asymmetric crypto system’ refers to a secure pair of keys: a private key and a public
key. Both are unique to each user, and can be leveraged to verify and create an e-
signature.
• In this scenario, users obtain a digital signature from a reputed Certifying Authority
(CA) in the form of a digital certificate. These certificates typically include the user’s
name, public key, the expiration date of the certificate, and other necessary
information about the user. Operating systems and browsers typically maintain a list of
trusted CA root certificates that are used to verify digital certificates issued by a CA.
• The user might also be issued a USB token containing the digital-certificate-based ID,
along with a personal PIN, to sign a document.

What are Digital Signatures
• A digital signature is a mathematical scheme
for verifying the authenticity of digital
messages or documents.
• A valid digital signature, where
the prerequisites are satisfied, gives a
recipient very strong reason to believe that
the message was created by a known sender
(authentication), and that the message was
not altered in transit (integrity).

Applications of Digital signatures
• Authentication
• Although messages may often include information about the entity sending a message, that
information may not be accurate. Digital signatures can be used to authenticate the identity of
the source messages. When ownership of a digital signature secret key is bound to a specific
user, a valid signature shows that the message was sent by that user. The importance of high
confidence in sender authenticity is especially obvious in a financial context. For example,
suppose a bank's branch office sends instructions to the central office requesting a change in
the balance of an account. If the central office is not convinced that such a message is truly sent
from an authorized source, acting on such a request could be a grave mistake.
• Integrity
• In many scenarios, the sender and receiver of a message may have a need for confidence that
the message has not been altered during transmission. Although encryption hides the contents
of a message, it may be possible to change an encrypted message without understanding it.
(Some encryption algorithms, known as nonmalleable ones, prevent this, but others do not.)
However, if a message is digitally signed, any change in the message after signature invalidates
the signature. Furthermore, there is no efficient way to modify a message and its signature to
produce a new message with a valid signature, because this is still considered to be
computationally infeasible by most cryptographic hash.
• Non-repudiation
• Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of digital
signatures. By this property, an entity that has signed some information cannot at a later time
deny having signed it. Similarly, access to the public key only does not enable a fraudulent party
to fake a valid signature.

Advantages of digital signatures
• Saves time
You no longer have to wait for your manager to return from a holiday or conference
for that signature. Digital signatures ensure that businesses save on cost and time
with documents and contracts signed off with a click of a button. There are huge
savings in cost and time especially when the person required to sign is in a
geographically different area. Documents can be signed off almost instantly, from
anywhere. Be it a tablet, phone or computer, digital signatures can seamlessly ensure
this otherwise tedious task is wrapped up in minutes.
• Cost savings
Many companies also see significant cost savings, with little or no expense in ink,
paper, printing, scanning , shipping/delivery or travel expenses. There are also
savings in other indirect costs such as filing, rekeying data, archiving, or tracking.
• Workflow efficiency
With lesser delays, digital signatures ensure better efficiency in workflow. Managing
and tracking documents are made easier, with lesser effort and time involved. Many
features of the digital signatures help speed up the work process. For instance, email
notifications help remind the person to sign, while status tracking, help to know at
which stage the document is at.
• Better customer experience
Digital signatures provide the convenience of signing important documents where
ever a customer or the person to sign is located. Sales persons do not have to wait
for the customer to come to the bank or office. Documents can be signed off at the
door step. This is ideal, especially in remote areas and smaller townships providing
improved and personalized services. The customer has the freedom to be anywhere,
and engage with a company, making services and businesses far more easy, quick and
user – friendly.

Advantages of digital signatures
• Security
When it comes to signatures, authenticity and security is a priority. Digital signatures reduce
the risk of duplication or alteration of the document itself. Digital signatures ensure that
signatures are verified, authentic and legitimate. Signers are provided with PINs, password
and codes that can authenticate and verify their identity and approve their signatures. Time
stamping provides the date and time of the signature and thus provide a track of the
document, minimizing any risk of tampering or fraud. Security features embedded in digital
signatures ensure that documents have not been altered without authorization.
• Legal validity
Digital signatures provides authenticity and ensures that the signature is verified. This can
stand in any court of law like any other signed paper document. Time stamping and ability to
track and easily archive documents improve and simplify audit and compliance.
• Future validity
Digital signatures also hold validity into the future. ETSI PDF Advanced Signatures (PAdES)
with its eIDAS requirements have validity well into the future with its long term signature
formats. Should there be far reaching technological changes, digital signatures would still be
valid for the foreseeable future.
• Environmental benefits
As corporates and business become more conscious of their role in sustainability, digital
signatures is a step ahead in their efforts in reducing waste and being environmental friendly.
• Business efficiency
The costs involved in integrating digital signatures into the work processes is relatively small,
compared to its benefits. With quicker contract turnaround time, and reduced the work flow
time, digital signatures are ideal for both small and large organizations.

Cryptography
[From TCP/IP Protocol Suite by Forouzan]
• We are living in the information age. We need to keep information
about every aspect of our lives. In other words, information is an
asset that has a value like any other asset.
• As an asset, information needs to be secured from attacks. To be
secured, information needs to be hidden from unauthorized access
( confidentiality ), protected from unauthorized change ( Integrity ),
and available to an authorized entity when it is needed (availability)
• During the last three decades, computer networks created a
revolution in the use of information. Information is now distributed.
Authorized people can send and retrieve information from a
distance using computer networks.
• Although the three above mentioned requirements confidentiality,
integrity, and availability have not changed, they now have some
new dimensions.
• Not only should information be confidential when it is stored; there
should also be a way to maintain it confidentiality when it is
transmitted from one computer to another.

Taxonomy of attacks with relation to security goals

Attacks
• Attacks Threatening
Confidentiality
• In general, two types of attacks
threaten the confidentiality of
information: snooping And
traffic analysis.
• Snooping
Snooping refers to
unauthorized access to or
interception of data. For
example, a file transferred
through the Internet may
contain confidential
information. An unauthorized
entity may intercept the
transmission and use the
contents for her own benefit. To
prevent snooping, the data can
be made nonintelligible to the
intercepter by using encryption
techniques discussed in this
book.
• Traffic Analysis
• Although encipherment of data
may make it nonintelligible for
the intercepter, she can obtain
some other type information by
monitoring online traffic. For
example, she can find the
electronic address (such as the
e-mail address) of the sender or
the receiver. She can collect
pairs of requests and responses
to help her guess the nature of
the transaction.

Attacks
• Attacks Threatening Integrity
• The integrity of data can be threatened by several
kinds of attacks:
• modification,
• masquerading,
• replaying, and
• repudiation.
• Modification
• After intercepting or accessing information, the
attacker modifies the information to make it
beneficial to herself. For example, a customer
sends a message to a bank to do some transaction.
The attacker intercepts the message and changes
the type of transaction to benefit herself. Note
that sometimes the attacker simply deletes or
delays the message to harm the system or to
benefit from it.
• Masquerading
• Masquerading, or spoofing, happens when the
attacker impersonates somebody else. For
example, an attacker might steal the bank card and
PIN of a bank customer and pretend that she is
that customer. Sometimes the attacker pretends to
be the receiver entity. For example, a user tries to
contact a bank, but another site pretends that it is
the bank and obtains some information from the
user.
• Replaying
• Replaying is another attack. The attacker obtains a
copy of a message sent by a user and later tries to
replay it. For example, a person sends a request to
her bank to ask for payment to the attacker, who
has done a job for her. The attacker intercepts the
message and sends it again to receive another
payment from the bank.
• Repudiation
• This type of attack is different from others because
it is performed by one of the two parties in the
communication: the sender or the receiver. The
sender of the message might later deny that she
has sent the message; the receiver of the message
might later deny that he has received the message.
An example of denial by the sender would be a
bank customer asking her bank to send some
money to a third party but later denying that she
has made such a request. An example of denial by
the receiver could occur when a person buys a
product from a manufacturer and pays for it
electronically, but the manufacturer later denies
having received the payment and asks to be paid.

Attacks
• Attacks Threatening Availability
• We mention only one attack threatening availability:
denial of service.
• Denial of Service
• Denial of service (DoS) is a very common attack. It may
slow down or totally interrupt the service of a system.
The attacker can use several strategies to achieve this.
She might send so many bogus requests to a server
that the server crashes because of the heavy load.
• The attacker might intercept and delete a server’s
response to a client, making the client believe that the
server is not responding. The attacker may also
intercept requests from the clients, causing the clients
to send requests many times and overload the system.

Cryptography
• Some security services can be implemented using
cryptography.
• Cryptography, a word with Greek origins, means “secret
writing.” However, we use the term to refer to the science
and art of transforming messages to make them secure and
immune to attacks.
• Although in the past cryptography referred only to the
encryption and decryption of messages using secret keys,
today it is defined as involving three distinct mechanisms:
• symmetric-key encipherment,
• asymmetric-key encipherment,
• and hashing.

Symmetric Key Cryptography
• Traditional ciphers are called symmetric-key ciphers (or secret-key ciphers) because the same
key is used for encryption and decryption and the key can be used for bidirectional
communication.
• The original message from Alice to Bob is called plaintext; the message that is sent through
the channel is called the ciphertext.
• To create the ciphertext from the plaintext, Alice uses an encryption algorithm and a shared
secret key.
• To create the plaintext from ciphertext, Bob uses a decryption algorithm and the same secret
key.

ASYMMETRIC-KEY Cryptography
• Asymmetric key cryptography uses two separate keys: one private and one public. If encryption and
decryption are thought of as locking and unlocking padlocks with keys, then the padlock that is
locked with a public key can be unlocked only with the corresponding private key.
• The burden of providing security is mostly on the shoulders of the receiver (Bob, in this case). Bob
needs to create two keys: one private and one public. Bob is responsible for distributing the public
key to the community. This can be done through a public-key distribution channel.
• Asymmetric-key cryptography means that Bob and Alice cannot use the same set of keys for two-
way communication. Each entity in the community should create its own private and public keys.
The given figure shows how Alice can use Bob’s public key to send encrypted messages to Bob. If
Bob wants to respond, he needs to use Alice’s public key.
• Third, asymmetric-key cryptography means that Bob needs only one private key to receive all
correspondence from anyone in the community, but Alice needs n public keys to communicate with
n entities in the community, one public key for each entity. In other words, Alice needs a ring of
public keys.

DIGITAL SIGNATURE
• Another way to provide message integrity and message authentication is a digital signature.
• A digital signature uses a pair of private-public keys.
• When Alice sends a message to Bob, Bob needs to check the authenticity of the sender; he
needs to be sure that the message comes from Alice and not Eve. Bob can ask Alice to sign the
message electronically. In other words, an electronic signature can prove the authenticity of
Alice as the sender of the message. We refer to this type of signature as a digital signature.
• The sender uses a signing algorithm to sign the message. The message and the signature are
sent to the receiver. The receiver receives the message and the signature and applies the
verifying algorithm to the combination. If the result is true, the message is accepted;
otherwise, it is rejected.
• In a digital signature, the signer uses her private key, applied to a signing algorithm, to sign the
document. The verifier, on the other hand, uses the public key of the signer, applied to the
verifying algorithm, to verify the document.

Digital signature
• A digital code (generated and authenticated
by public key encryption) which is attached to
an electronically transmitted document to
verify its contents and the sender's identity.

Difference Between Digital Signature and
Electronic Signature
• Electronic signature and digital signature are often used interchangeably
but the truth is that these two concepts are different. The main difference
between the two is that digital signature is mainly used to secure
documents and is authorized by certification authorities while electronic
signature is often associated with a contract where the signer has got the
intention to do so.
• A digital signature is characterized by a unique feature that is in digital
form like fingerprint that is embedded in a document. The signer is
required to have a digital certificate so that he or she can be linked to the
document.
• Digital signature is often authorized by certification authorities that are
responsible for providing digital certificates that can be compared to
licenses or passports. A digital certificate is used to validate the document
to ascertain its authenticity if it has not been forged. This plays a pivotal
role in verifying the identity of the original person with the signature. The
other key feature of a digital signature is that it is used to secure digital
documents. There are some people who have a tendency of tempering
with digital documents obtained online but with a digital signature, this
can be impossible. The document is secured and can only be accessed by
the authorized person for any alterations or amendments.

• When a digital signature is applied to a certain document, the
digital certificate is bound to the data being signed into one unique
fingerprint. These two components of the digital signature are
unique and this makes it more viable than wet signatures since its
origins can be authenticated. This cryptographic operation helps to
perform the following functions:
• Prove the authenticity of the document and its source
• Make sure that the document has not been tempered with
• Personal identity has been verified.
• The other notable aspect about digital signature is that it is
comprised of different types that are supported by mainly two
document processing platforms that are adobe and Microsoft.
Difference Between Digital Signature
and Electronic Signature

Digital Signature Electronic Signature
Used to secure a document Mainly used to verify a document
A digital signature is authorized
and regulated by certification authorities
Usually not authorized
Comprised of more security features Comprised of less security features
Common types of digital signature are
based on Adobe and Microsoft
Main types of electronic signature include
verbal, electronic ticks or scanned
signatures.
A digital signature can be verified An electronic signature cannot be verified.
Preferred more than electronic signature
due to high levels of authenticity
Easy to use but less authentic
Particularly concerned about securing the
document
Shows intent to sign the contract
Difference Between Digital Signature
and Electronic Signature

Technical aspect of Digital Signature
• The digital signature is created and verified by using the Public Key
Infrastructure (PKI) technology that requires two keys that is a public key
and a private key for encrypting and decrypting the information.
• The message is encrypted with a public key can only be decrypted using
the corresponding private key and vice versa. The unique feature in public
key infrastructure is that the public and private keys are related to each
other and only the public key can be used for encrypting messages that
can be decrypted using the corresponding private key. The public key is
shared, whereas the private key is known only to its possessor.
• The digital signature is based on Cryptography. Cryptography is the science
to secure communications by converting the message (encrypting ) into an
unreadable format and only the person with a secret key can decrypt
(read) it. Cryptography systems can be broadly classified into two types
i.e., symmetric-key and asymmetric.
• In symmetric systems, both the sender and recipient have same keys and
asymmetric system each user has two keys a public key that is known to
everyone and a private key that is known only the recipient of messages.
In India signature uses an asymmetric system that has a public key and
private key.

Digital Signature Certificates
• Digital Signature Certificates are digital format certificate to
prove identity in the digital world.
• The digital signature certificates are issued by Certifying
Authorities under the authority of Controller of Certifying
Authorities.
• A Digital Signature Certificate is an electronic document
that can be used to verify that the public key belongs to the
particular individual.
• Digital Signature Certificates contains Public key of the
certificate owner, Name of the owner, Validity “from” and
“to” dates, Name of the issuing authority, Serial number of
the certificate, Digital signature of the issuing authority
name of the person, etc.
• There are three different classes of digital certificate. They
class I, class II and class III. Depending on the type, each
digital certificate provides specific functions.

Legal aspect Digital Signature
• Section 3 of the Information Technology Act 2000 provides for
authentication of electronic records. It provides that the electronic
records can be authenticated by using digital signatures.
• It lays down technology requirements for digital signatures. It
prescribes the use of an asymmetric crypto system and hash
function for authentication of electronic records.
• Authentication of an electronic document is important as it ensures
that the message has not been tampered and confirms the
creator’s identity, making it non repudiable, i.e., the sender cannot
deny its creation. The object of authentication is achieved by the
use of asymmetric system and hash function which convent the
electronic message into an unreadable format to prevent tampering
of electronic record.
• A hash function is the method or scheme used for encrypting and
decrypts digital signatures. A hash function produces a hash value
which is also known as a message digest. It plays an important role
in ensuring that the message has not been tampered and
information is safe and secure.

Functions of Electronic Signature
• The concept of electronic signature was introduced under section
3A of the Information Technology (Amendment) Act 2008.
• An electronic signature means authentication of an electronic
record by a subscriber by any means of electronic authentication
techniques.
• An electronic signature technique can be used as an authorized
electronic signature if such technique is notified by the central
government in the official gazette or in the second schedule of the
Act.
• There are different types of electronic signature, however, all of
them are not secure; hence only the techniques notified in the
official gazette or in the second schedule can be used as a
legitimate electronic signature.
• For example typed name, a digitized image of a signature is also a
form of electronic signature, but is prone to tampering and are
insecure. The electronic signature technique has to be reliable to be
recognized as an electronic signature.

• Information Technology Act 2000 is based on Article 6 “Compliance with a
requirement for a signature” of UNCITRAL Model Law on Electronic
Signatures 2001. The following are the requirement of an electronic
signature.
a) It has to be reliable.
b) The central government may notify in the official gazette the technique
and procedure for electronic signature or specify in the second schedule
of the Information Technology Act 2000.
An electronic Signature shall be considered as reliable if it fulfills following
requirement,
a) The technique should be such that it can be linked to the creator of the
message.
b) The technique of electronic signature must be under the control of the
maker of the signature.
c) Any change or alteration to the electronic signature after affixation
must be detectable.
d) Any change or alteration of data after affixing electronic signature must
be detectable.

• The Central Government is the authority to declare the technique
as reliable electronic signature and can add or remove any
technique from the electronic authentication technique. As on date
the central government has not issued any notification on the
concept of electronic signature and thus the electronic signature
has not gained much attention. In this regard the Delhi high court
has directed the central government to frame policy on electronic
signature for authentication of electronic records. The only method
of authentication of electronic records in India presently being
digital signature as there are no guidelines on use of electronic
signature.
The legal recognition of electronic signature has been provided
under section 5 of information technology Act 2000. This section
equates electronic signature as traditional handwritten signature. It
provides that if any, information or document if confirmed by
electronic signature shall have the same effect as the affixing of
signature if done according to the prescribed manner. The central
government shall prescribe the manner in which electronic
signature has to be affixed.

Offenses related to Electronic Signature
• The offenses related to electronic signature are generally related identity theft, publication of false
electronic signature certificate, publication of electronic certificate with fraudulent purpose.
• Section 66C of the Act punishes for identity theft. This Act punishes fraudulent use of electronic
signature of any other person and such person shall be punished with imprisonment of up to three
years and will also liable to pay fines which may extend up to one lakh.
• Misrepresentation or suppression of material fact in order to obtain any license or electronic
signature is an offense under section 71 of the Act. This section is applicable in following cases
a) If a person makes a misrepresentation to the Controller or Certifying authority.
b) If a person suppresses any material fact from, the Controller or Certifying authority.
• Such misrepresentation or suppression of material fact with the intent to obtain any license or
electronic certificate from, the Controller or Certifying authority is punishable with imprisonment of
up to two years and fine up to rupees one lakh. The information to be provided to the Controller or
Certifying authority should be proper and correct and presentation of wrong, incorrect or false
information is an offense under Section 71 of the Act.
• Publication of electronic signature certificate which is false in certain particulars is an offense under
section 73 of the Act. The following shall amount to publication of false particulars in an electronic
certificate,
a) Publication of Electronic signature certificate which the certifying authority has not issued.
b) Publication of Electronic signature certificate which subscriber of the certificate has not accepted.
c) Publication of Electronic signature certificate which is revoked or suspended.
• Sec 74 of the Act punishes creation, publication or providing of electronic signature certificate for
fraudulent or unlawful purpose with imprisonment for a term which may extend up to two years or
a fine which may extend up to one lakh.

Legal Validity of Digital Signatures
• The Indian Information Technology Act 2000
(http://www.mit.gov.in/content/information-technology-act) came into
effect from October 17, 2000.
• One of the primary objectives of the Information Technology Act of 2000
was to promote the use of Digital Signatures for authentication in e-
commerce & e-Governance.
• Towards facilitating this, the office of Controller of Certifying Authorities
(CCA) was set up in 2000.
• The CCA licenses Certifying Authorities (CAs) to issue Digital Signature
Certificates (DSC) under the IT Act 2000.
• The standards and practices to be followed were defined in the Rules and
Regulations under the Act and the Guidelines that are issued by CCA from
time to time.
• The Root Certifying Authority of India (RCAI) was set up by the CCA to
serve as the root of trust in the hierarchical Public Key Infrastructure (PKI)
model that has been set up in the country.
• The RCAI with its self-signed Root Certificate issues Public Key Certificates
to the licensed CAs and these licensed CAs in turn issue DSCs to end users.

Legal Validity of Digital Signatures
• Section 5 of the Act gives legal recognition to digital
signatures based on asymmetric cryptosystems. The
digital signatures are now accepted at par with the
handwritten signatures and the electronic documents
that have been digitally signed are treated at par with
the paper based documents.
• An Amendment to IT Act in 2008 has introduced the
term electronic signatures. The implication of this
Amendment is that it has helped to broaden the scope
of the IT Act to include other techniques for signing
electronic records as and when technology becomes
available.

Digital Signature Certificates
• Certificates serve as identity of an individual for a certain purpose, e.g. a driver's
license identifies someone who can legally drive in a particular country.
• Likewise, a Digital Signature Certificate (DSC) can be presented electronically to
prove your identity or your right to access information or services on the Internet.
• A Digital Signature Certificate is an electronic document which uses a digital
signature to bind together a public key with an identity — information such as the
name of a person or an organization, their address, and so forth.
• The certificate can be used to verify that a public key belongs to the individual.
Digital certificates are the digital equivalent (i.e. electronic format) of physical or
paper certificates.
• Examples of physical certificates are driver's licenses, passports or membership
cards.
• Digital Signature Certificates are endorsed by a trusted authority empowered by
law to issue them, known as the Certifying Authority or CA.
• The CA is responsible for vetting all applications for Digital Signature Certificates,
and once satisfied, generates a Digital Certificate by digitally signing the Public key
of the individual along with other information using its own Private key.

Classes of Digital Certificates

CHAPTER VI
REGULATION OF CERTIFYING AUTHORITIES
• 17. Appointment of Controller and other officers.—
• (1) The Central Government may, by notification in the Official Gazette, appoint a
Controller of Certifying Authorities for the purposes of this Act and may also by the
same or subsequent notification appoint such number of Deputy Controllers ,
Assistant Controllers, other officers and employees as it deems fit.
• 18. Functions of Controller.—The Controller may perform all or any of the following
functions, namely:
• a) exercising supervision over the activities of the Certifying Authorities;
• (b) certifying public keys of the Certifying Authorities;
• (c) laying down the standards to be maintained by the Certifying Authorities;
• (e) specifying the conditions subject to which the Certifying Authorities shall conduct
their business;
• (f) specifying the contents of written, printed or visual materials and advertisements
that may be distributed or used in respect of a [electronic signature] Certificate and
the public key;
• (g) specifying the form and content of a [electronic signature] Certificate and the key;
• (h) specifying the form and manner in which accounts shall be maintained by the
Certifying Authorities;
• (l) resolving any conflict of interests between the Certifying Authorities and the
subscribers;
• 19. Recognition of foreign Certifying Authorities.—(1) Subject to such conditions and
restrictions as may be specified by regulations, the Controller may with the previous
approval of the Central Government, and by notification in the Official Gazette,
recognize any foreign Certifying Authority as a Certifying Authority for the purposes of
this Act.

• 21. License to issue electronic signature Certificates.—
• (1) Subject to the provisions of sub-section (2), any person may make an
application, to the Controller, for a license to issue electronic signature Certificates.
• (2) No license shall be issued under sub-section (1), unless the applicant fulfils such
requirements with respect to qualification, expertise, manpower, financial
resources and other infrastructure facilities, which are necessary to issue electronic
signature.
• (3) A license granted under this section shall—
• (a) be valid for such period as may be prescribed by the Central Government;
• (b) not be transferable or heritable;
• (c) be subject to such terms and conditions as may be specified by the regulations.
• 23. Renewal of license
• 24. Procedure for grant or rejection of license.
• 25. Suspension of license
• 28. Power to investigate contraventions.—(1) The Controller or any officer
authorized by him in this behalf shall take up for investigation any contravention of
the provisions of this Act, rules or regulations made there under.
• 29. Access to computers and data.—(1) Without prejudice to the provisions of sub-
section (1) of section 69, the Controller or any person authorized by him shall, if he
has reasonable cause to suspect that 2 [any contravention of the provisions of this
Chapter] has been committed, have access to any computer system, any apparatus,
data or any other material connected with such system, for the purpose of
searching or causing a search to be made for obtaining any information or data
contained in or available to such computer system

CHAPTERVII
ELECTRONIC SIGNATURE CERTIFICATES
• 35. Certifying authority to issue electronic
signature Certificate.
• 36. Representations upon issuance of Digital
Signature Certificate.
• 37. Suspension of Digital Signature Certificate
• 38. Revocation of Digital Signature Certificate
• 39. Notice of suspension or revocation

Public key infrastructure
• A public key infrastructure (PKI) is a set of roles, policies, hardware, software and
procedures needed to create, manage, distribute, use, store and revoke digital
certificates and manage public-key encryption. The purpose of a PKI is to facilitate
the secure electronic transfer of information for a range of network activities such as
e-commerce, internet banking and confidential email. It is required for activities
where simple passwords are an inadequate authentication method and more
rigorous proof is required to confirm the identity of the parties involved in the
communication and to validate the information being transferred.
• In cryptography, a PKI is an arrangement that binds public keys with respective
identities of entities (like people and organizations). The binding is established
through a process of registration and issuance of certificates at and by a certificate
authority (CA). Depending on the assurance level of the binding, this may be carried
out by an automated process or under human supervision.
• The PKI role that assures valid and correct registration is called a registration
authority (RA). An RA is responsible for accepting requests for digital certificates and
authenticating the entity making the request.[1]
• In a Microsoft PKI, a registration authority is usually called a subordinate CA.[2]
• An entity must be uniquely identifiable within each CA domain on the basis of
information about that entity. A third-party validation authority (VA) can provide this
entity information on behalf of the CA.
• The X.509 standard defines the most commonly used format for public key
certificates.[

Legal Recognition of Electronic
Signatures across the Globe
• United States: Electronic Signatures in Global and National Commerce
Act
• Enacted in June of 2000, the E-Sign Act was the United States’ first major
federal law that ensures the legality of contracts signed with e-signatures.
The E-Sign Act stipulates that signatures on documents and contracts
should not be denied legal effect or ruled unenforceable simply because
of their digital nature.
• United States: Uniform Electronic Transactions Act
• The UETA was proposed by the National Conference of Commissioners of
Uniform State Laws with the goal of bringing consistency to various state
laws on the subject of e-signatures and online document archiving. The
UETA – which has been adopted by 47 states thus far – paved the way for
electronic checks and signatures. It is frequently held up as an example of
a law that protects the legal enforceability of electronic agreements.
• Canada: Personal Information Protection and Electronic Documents Act
• Canada’s Personal Information Protection and Electronic Documents Act,
better known as PIPEDA, regulates how consumer data should be treated
with regard to privacy and security. The law is intended to promote e-
commerce by increasing the consumers’ trust in dealing with businesses in
Canada’s private sector.

• Australia: Electronic Transactions Act 1999
• Australia’s Electronic Transactions Act provides a regulatory framework
that facilitates the use of electronic transactions and ensures that no
transaction will be ruled invalid simply because it was completed
electronically. This act was most recently amended in 2011 to provide
even more protections to Australian consumers and businesses.
• European Union: European Directive 199/93/EC
• The EU Directive was the first wide-scale e-signature legislation to take
effect in the European Union. All member states were required to be in
compliance by July of 2001. The Directive is similar to the U.S. E-Sign Act,
in that it provides protections for businesses and consumers that agree to
conduct business online using e-signatures and digital documents.
• United Kingdom: Electronic Communications Act 2000
• Based on the framework provided by the EU Directive, the United
Kingdom’s Electronic Communications Act provides guarantees as to the
legal acceptability of e-signatures with regard to encryption services,
electronic communications, and data storage for people living in England,
Scotland, and Wales.

• United Kingdom: Electronic Signatures Regulation 2002
• The Electronic Signatures Regulation 2002 went hand in hand with the
2000 Act in implementing the rules already put in place by the European
Union in its 1999 Directive. Based on the 2002 regulations, an e-signature
in the United Kingdom is any form of electronic data that is attached to or
associated with another piece of electronic data. These regulations are
considered broad in scope.
• India: Information Technology Act 2000
• India’s Information Technology Act, also known as the IT Act, was designed
to address the growing concerns of businesses conducting transactions
online within India. The Act itself provides legal recognition for electronic
documents and digital signatures, although much of the initial framework
was disassembled in an amendment to the Act, which was passed by
India’s parliament in 2008.
• Japan: Law Concerning Electronic Signatures and Certification Services
• The bulk of Japan’s e-signature regulations derive from the Law
Concerning Electronic Signatures and Certification Services. The law
promotes the use of electronic records and states that e-signatures are
important to the nation’s economy and to the quality of life for its citizens.

• China: Electronic Signature Law of the People’s Republic of China
• Adopted in 2004, the Electronic Signature Law of the People’s Republic of
China aimed to standardize the way that e-signatures were created in China and
protect the interests of people who participate in transactions online. By
standardizing and regulating how electronic data should be handled, the Electronic
Signature Law in effect provides all the framework necessary to ensure that e-
signatures remain legally binding in China.
• New Zealand: Electronic Transactions Act
• When it went into full effect in 2003, New Zealand’s Electronic Transactions
Act recognized the important role that e-commerce and e-signatures will play in
the country’s future economy. To foster that, the Act provides protections to
consumers and businesses and allows for electronic communication between
businesses and the government.
• United Nations: UNCITRAL Model Law on Electronic Signatures
• Many countries that have more recently adopted e-signature legislation have done
so under the guidance of the U.N.’s UNCITRAL Model Law on Electronic
Signatures (MLES). Adopted in 2001, the MLES establishes a reliable set of
technical criteria that legislators can use when creating their own e-signature laws.
The MLES is technology neutral and non-discriminatory, and it puts more emphasis
on the certificates that are used in the creation of an e-signature than the specific
country or location where the signature was made.

Digital Signatures

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Digital Signatures

Semelhante a Digital Signatures (20)

Mais de Dr. Prashant Vats

Mais de Dr. Prashant Vats (20)

Último

Último (20)

Digital Signatures