
A

Seminar Report
On

DIGITAL SIGNATURE
In partial fulfillment of requirements for the degree of
Bachelor of Technology In Computer Engineering

Department of Computer Science and Engineering
CHANDRAVATI GROUP OF INSTITUTIONS
BHARATPUR 321001

Submitted By
SURABHI AGRAWAL
09ECHCS053

Submitted To
Ms. POOJA SONI
(Seminar Head)

ACKNOWLEDGEMENT
I would like to pay a great thanks to my institution and a special one to my seminar head Ms. Pooja Soni without whose extent support, I would never have been able to complete my seminar report. I would also like to pay on record a sincere thanks to Almighty, my parents, my family and my friends who have helped me a lot to get the matter.

Surabhi Agrawal 09ECHCS053 Deptt: Computer Science

2 Digital Signature

PAGE INDEX
Topic
ABSTRACT
1. Introduction
2. What is Digital Signature
3. Why and where Digital Signature used
4. Act of Digital Signature
5. Difference in Conventional and Digital Signature
6. Paper V/s Digital Signature
7. Classes, Deliverables, Contents
8. How Digital Signature works
9. Signing and Verification
   9.1 Signing Ceremony
   9.2 Verification Ceremony
10. Form 16 and Digital Signature
    Saral eSign
11. Security Services in Digital Signature
12. Attacks on Digital Signature
    12.1 Attack Types
    12.2 Forgery Types
13. Security Considerations
    Risks not Mitigated
14. Advantages and Disadvantages
15. Conclusion
BIBLIOGRAPHY


FIGURE INDEX
Figure
1. Figure 1.1- Cryptography
2. Figure 2.1- Private Key
3. Figure 2.2- Digital Signature Structure
4. Figure 4.1- IDRBT Certificate
5. Figure 6.1- Paper Signature
6. Figure 6.2- Digital Signature
7. Figure 8.1- Way of Signing Messages
8. Figure 9.1- Signing of Document
9. Figure 9.2- Verification of Document
10. Figure 11.1- Non Repudiation Mechanism


Abstract

Scope
i. A Digital Signature is an XDS document (changed from June public comment version)
ii. There are four Use Cases considered for this year.
iii. Vendor must provide signature mechanism for XDS Submissions
iv. Possibility to use digital signatures without having an XDS registry. Approach is determined by other domain-specific groups (e-Prescribing, eReferral)

Out of Scope
i. Certificate management.
ii. Standards and implementations are available
iii. Focus begins with signing, not encryption.
iv. Partial Document Signature


1. Introduction

Cryptography is one of the technologies that has had a giant effect on protecting data and information in recent years. It is the science of securing your information by means of a code. Cryptography provides encryption for data and information that passes over single or multiple channels. This is done to keep the data from any external or third-party influence. A digital signature is a way of encrypting your signature that is specific to you and protects it from forgery of any kind. A digital signature, or e-signature for short, is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document.

Fig1.1- Cryptography


2. What is Digital Signature?

A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real. This is now commonly seen in internet transactions. A digital signature can be used with any kind of message, transaction and the like, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message arrived intact. The hash value of a message, when encrypted with the private key of a person, is his digital signature on that e-Document. The digital signature of a person therefore varies from document to document, thus ensuring the authenticity of each word of that document. As the public key of the signer is known, anybody can verify the message and the digital signature.

Fig2.1- Private Key

Concepts
A 1024-bit number is a very big number, much bigger than the total number of electrons in the whole world. Trillions of trillions of pairs of numbers exist in this range, with each pair having the following property: a message encrypted with one element of the pair can be decrypted ONLY by the other element of the same pair. The two numbers of a pair are called keys: the Public Key and the Private Key. The user himself generates his own key pair on his computer.


Any message, irrespective of its length, can be compressed or abridged uniquely into a smaller-length message called the Digest or the Hash. The smallest change in the message will change the Hash value.

Fig2.2- Digital Signature Structure

Each individual generates his own key pair [Public Key known to everyone & Private Key known only to the owner].
Private Key: used for making the digital signature
Public Key: used to verify the digital signature

The signing and the verifying ceremony are done with the help of suitable algorithms.


3. WHY AND WHERE DIGITAL SIGNATURE USED

Why do we need DIGITAL SIGNATURE?

a) To provide Authenticity, Integrity and Non-repudiation to electronic documents
b) To use the Internet as a safe and secure medium for e-Commerce and e-Governance
c) Providing accountability
d) Providing document integrity
e) Providing non-repudiation
f) Providing satisfactory evidence of: Authorship, Approval, Review, and Authentication
g) Infrastructural pattern to be further profiled by domain-specific groups (e-Prescribing, e-Referral).

What type of Document needs DIGITAL SIGNATURE?
The main purposes for using a digital signature include:
a) Signer verification: Placing a digital signature on any kind of document, especially one that requires it, shows that the one who signed it is real and accepts responsibility for the signed document as being real and legal.

b) Authentication: A digital signature also authenticates the document as being real and valid. It proves to the executor that the information contained in the document is valid and can be put into action.


4. ACT FOR DIGITAL SIGNATURE

The Information Technology Act, 2000 provides for the use of Digital Signatures on documents submitted in electronic form. Under the provisions of the IT Act, 2000, the office of the Controller of Certifying Authorities (CCA) appoints the Certifying Authorities (CA) by issuing Certificates for the same. These CAs issue the Digital Signature to the End Users directly or through the Registration Authorities (RA) / Local Registration Authorities (LRA).

It must be obtained from an ISO 17090 compliant Certificate Authority, including the role extension for the signer's role in the healthcare profession.
For purposes of signature verification, the signer's certificate (public key portion) must be available.
Test certificates can be obtained without rigorous identification requirements for the purpose of the Connection. For test certificates contact lori.fourquet@sbcglobal.net

How the Digital Signature will be issued to the End Users:

Information Technology Act, 2000
Controller of Certifying Authorities (CCA)
Certifying Authorities (CA)
Registration Authorities (RA)
Local Registration Authorities (LRA)
End Users


Certification Agencies
The Certification Agencies available in India are:
Tata Consultancy Services Ltd.
National Informatics Centre
Institute for Development & Research in Banking Technology (IDRBT)
MTNL
Customs & Central Excise (CBEC)
Code Solutions Ltd. (a division of Gujarat Narmada Valley Fertilizers Company Ltd.)
SafeScrypt from Sify Communications
E Mudhra

IDRBT Certificate

Fig4.1- IDRBT Certificate


Trust Path
The Controller is the Root certifying authority responsible for regulating Certifying Authorities (CAs). The Controller certifies the association of a CA with its public key.
A Certifying Authority (CA) is the trusted authority responsible for creating or certifying identities. The CA certifies the association of an individual with his public key.

Role of Controller
Controller of Certifying Authorities as the Root Authority certifies the technologies, infrastructure and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates.

Four CAs have been licensed

1. SafeScrypt
   1.1 5th Feb 2002
   1.2 A subsidiary of Satyam Infoway
2. National Informatics Center (NIC)
   2.1 17th July 2002
   2.2 Govt. of India
3. Institute for Development & Research in Banking Technology (IDRBT)
   3.1 6th August 2002
   3.2 A society of Reserve Bank of India
4. Tata Consultancy Services (TCS)
   4.1 9th September 2002


5. DIFFERENCE IN CONVENTIONAL AND DIGITAL SIGNATURE

A conventional signature is included in the document; it is part of the document. But when we sign a document digitally, we send the signature as a separate document. These are the major differences:

i. Verification Method

For a conventional signature, when the recipient receives a document, she compares the signature on the document with the signature on file. For a digital signature, the recipient receives the message and the signature. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity.

ii. Relationship

For a conventional signature, there is normally a one-to-many relationship between a signature and documents. For a digital signature, there is a one-to-one relationship between a signature and a message.

iii. Duplicity

In conventional signature, a copy of the signed document can be distinguished from the original one on file. In digital signature, there is no such distinction unless there is a factor of time on the document.


6. PAPER SIGNATURES V/s DIGITAL SIGNATURE

Parameter       | Paper                                 | Electronic
Authenticity    | May be forged                         | Cannot be copied
Integrity       | Signature independent of the document | Signature depends on the contents of the document
Non-repudiation | a) Handwriting expert needed          | a) Any computer user
                | b) Error prone                        | b) Error free

Fig6.1- Paper Sign
Fig6.2- Digital Signature


7. CLASSES, DELIVERABLES, CONTENTS


Classes
There are 4 general classes of Digital Signature.
i. Class 0: Issued for demonstration/test purpose.
ii. Class 1: Issued to Individuals/private subscribers. This class of certificate will authenticate only the User name and E-mail address.
iii. Class 2: Issued to both business personnel and private individuals. This class of certificates confirms the information provided by the subscriber.
iv. Class 3: Issued to Individuals as well as Organizations. This class of certificate is used in E-commerce applications wherein high assurance of the certificates is required. This certificate is issued to an individual only on their personal appearance before the CA.

Deliverables
The Digital Signature is provided with the following deliverables.
i. USB Token: Digital Signature allotted to the user.
ii. Password: Password required to access the Digital Signature.
iii. Driver Software: Software required to install the Digital Signature in the system.
iv. Interface Software: Software which enables the user to embed the Digital Signature with the document.

Note: Only one document can be attached with the Digital Signature at a time.


Contents
A digital signature typically contains:
i. Owner's public key
ii. The Owner's name
iii. Expiration date of the public key
iv. The Name of the issuer (the CA that issued the Digital ID)
v. Serial number of the digital signature, and
vi. The digital signature of the issuer.


8. HOW DIGITAL SIGNATURE WORKS?

Assume you were going to send the draft of a certain contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you sent and that it is really from you. Here then would be the process:
1. You copy-and-paste the contract (it's a short one!) into an e-mail note.
2. Using special software, you obtain a message hash (mathematical summary) of the contract.
3. You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.
4. The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.)

Signed Messages

Fig8.1- Way of Signing Messages


How Signatures look?


I agree
    efcc61c1c03db8d8ea8569545c073c814a0ed755
My place of birth is at Gwalior.
    fe1188eecd44ee23e13c4b6655edc8cd5cdb6f25
I am 62 years old.
    0e6d7d56c4520756f59235b6ae981cdb5f9820a0
I am an Engineer.
    ea0ae29b3b2c20fc018aaca45c3746a057b893e7
I am an Engineer.
    01f1d8abd9c2e6130870842055d97d315dff1ea3
Note: These are digital signatures of the same person on different documents.

There may be three patterns possible for digital signature:
i. Digital Signatures are numbers
ii. Same Length: 40 digits
iii. They are document content dependent


9. SIGNING AND VERIFICATION

9.1 Signing Ceremony


Fig9.1- Signing Document (diagram labels: Original Document, Hash Function, Asymmetric Algo, Private key used for Signing, Combined Signed Document)

Explanation
In order to create a digitally signed document, the signing application:
i. Creates a digest of the document to be signed
ii. Creates a cryptographic hash of the digest using the private key of the signer
iii. Attaches the hash to the original document.


9.2 Verification Ceremony


Fig9.2- Verification of Document (diagram labels: Signed Document, Original Document, Message Hash, Signature, Public Key Signer, Original hash (Signed Document), Equal?)

Explanation
Begin with the signed document plus the signature, apply the algorithm using the public key of the signer that you may obtain from the signature, and you should end up with the same hash as the one that the signer created with their private key.


10. FORM 16 AND DIGITAL SIGNATURE

Under the provisions of the IT Act, 2000, a digitally signed Form 16 has the same validity as the physically signed form, and so do TDS Certificates issued under the Income Tax Act. Further, Circular No. 2/2007 dated 21/5/2007 from the Income Tax Dept clarifies, "The Central Board of Direct Taxes have, therefore, in exercise of powers under section 119 of the Income-tax Act, 1961, decided for the proper administration of this Act to allow the deductors, at their option, in respect of the tax to be deducted at source from income chargeable under the head "Salaries" to use their digital signatures to authenticate the certificates of deduction of tax at source in Form 16."

Saral eSign
Saral eSign is software developed to digitally sign Form 16 with the Digital Signature of the user. The user should have a valid Digital Signature issued by any of the Certifying Authorities licensed under CCA.
Process flow of Saral eSign:
i. Picks the data from the software (Saral TDS/SPP) with the TDS certificate prepared in Excel format.
ii. Converts the Excel certificate to PDF and applies the Digital Signature to all PDF files, with one-time authentication.
iii. Displays all the Certificates generated.


11. SECURITY SERVICES IN DIGITAL SIGNATURE

Digital Signature provides many security services such as message confidentiality, message authentication, message integrity, and nonrepudiation. A digital signature can directly provide the last three, but for message confidentiality we still need an encryption/decryption mechanism. These security mechanisms are discussed as follows:

i. Message Authentication

A secure digital signature scheme, like a secure conventional signature, can provide message authentication.

ii. Message Integrity

The integrity of the message is preserved even if we sign the whole message, because we cannot get the same signature if the message is changed.

iii. Nonrepudiation

Fig11.1- Nonrepudiation Mechanism

Nonrepudiation can be provided using a trusted party.

iv. Confidentiality

A digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.


12. ATTACKS ON DIGITAL SIGNATURE

There are certain attacks and forgeries associated with the Digital Signature. These are discussed below.

12.1 Attack Types


12.1.1 Key Only Attack
The attacker is only given the public verification key.

12.1.2 Known Message Attack
The attacker is given valid signatures for a variety of messages known by the attacker but not chosen by the attacker.

12.1.3 Chosen-Message Attack
The attacker first learns signatures on arbitrary messages of the attacker's choice.

12.2 Forgery Types


12.2.1 Existential Forgery
Existential forgery is the creation (by an adversary) of any message/signature pair (m, ), where was not produced by the legitimate signer.

12.2.2 Selective Forgery
Selective forgery is the creation (by an adversary) of a message/signature pair (m, ) where m has been chosen by the adversary prior to the attack.
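The signing and verification ceremonies of section 9, together with the key-only attack and existential forgery defined in section 12, as an added Python example that is not part of the original report. It assumes a constructed toy RSA key built from two well-known Mersenne primes, SHA-256 as the hash, and hypothetical function names; the textbook RSA shown here has no padding.

```python
import hashlib

# Constructed demo key: two well-known Mersenne primes, so the modulus is
# trivially factorable. Assumption for illustration only, never a real key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, kept by the signer


def digest(message: bytes) -> int:
    """Hash of the message as an integer (SHA-256 assumed for this example)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Signing ceremony: hash the document, transform the hash with the private key."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Verification ceremony: recover the hash with the public key and compare."""
    return pow(signature, E, N) == digest(message)


def verify_without_hash(message_int: int, signature: int) -> bool:
    """Weak variant: the message itself, not its hash, is compared."""
    return pow(signature, E, N) == message_int


def key_only_pair(signature: int) -> int:
    """With only the public key, compute the integer 'message' that the weak
    (unhashed) verifier accepts for an arbitrary signature value."""
    return pow(signature, E, N)


def demo() -> dict:
    contract = b"Draft contract v1"      # constructed sample documents
    tampered = b"Draft contract v2"
    sig = sign(contract)
    arbitrary_sig = 123456789            # value the signer never produced
    m = key_only_pair(arbitrary_sig)
    m_bytes = m.to_bytes((N.bit_length() + 7) // 8, "big")
    return {
        "valid": verify(contract, sig),
        "tampered": verify(tampered, sig),
        "differs_per_document": sign(tampered) != sig,
        "raw_accepts_unsigned_pair": verify_without_hash(m, arbitrary_sig),
        "hashed_rejects_unsigned_pair": not verify(m_bytes, arbitrary_sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Comparing the message itself instead of its hash lets anyone holding only the public key produce a pair the signer never made, which is why the verifier recomputes the hash before comparing. Production systems use a vetted library with a standard padding scheme such as RSASSA-PSS rather than this textbook construction.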


13. SECURITY CONSIDERATIONS

Digital Signatures help mitigate risk for the following attacks:
i. In the storage or transmission of documents, characteristics of clinician orders reflected in the prescription could be modified.
ii. In the storage or transmission of documents, characteristics of countersigned clinician orders reflected in the prescription could be modified.
iii. A forged prescription could be introduced.

Risks Not Mitigated

The following scenarios will not be mitigated by using digital signatures and require additional security:
i. Corruption or bribery of a user, or counter-signer
ii. Theft of a private key
iii. Compromise of the physician's workstation to allow access to the signing key
iv. The confirmation process could be corrupted or modified.
v. The dispensing system could be corrupted or modified, including simple attacks like burglary.
vi. The dispensing feedback could be corrupted, modified, or destroyed.


14. ADVANTAGES AND DISADVANTAGES

Advantages
i. Imposter prevention: By using digital signatures you are actually eliminating the possibility of committing fraud by an imposter signing the document. Since the digital signature cannot be altered, this makes forging the signature impossible.
ii. Message integrity: By having a digital signature you are in fact showing and simply proving the document to be valid. You are assuring the recipient that the document is free from forgery or false information.
iii. Legal requirements: Using a digital signature satisfies some type of legal requirement for the document in question. A digital signature takes care of any formal legal aspect of executing the document.

Disadvantage
The disadvantages of using digital signatures involve the primary avenue for any business: money. This is because the business may have to spend more money than usual to work with digital signatures including buying certificates from certification authorities and getting the verification software.


15. CONCLUSION

Digital signatures are an essential breakthrough in the sphere of cryptography. Wherever there is a smart card, the use of a digital signature becomes almost indispensable. A digital signature is unique and is a very effective means of safeguarding your transactions. It is a very effective way of securing all your financial transactions, so that you experience more convenience in doing various business and money matters. This way you need not worry about the problems of traditional transactions that use signatures.
