
Digital Signature

TABLE OF CONTENTS

1. Background:
2. What are Digital Signatures (DS):
3. Use of electronic signatures
4. DS V/s handwritten signature
5. Ensuring authorisation in DS
6. How it works
6.1 For individuals
6.2 Digital certificates for machines:
7. Classes of Digital Signatures
8. The components of a digital signature
9. Benefits of DS
10. IT Act 2000
11. Current business applications of DS

1. Background:
For centuries, a document was considered authentic only if it carried the signature of the authorised person, and paper was the most common medium to carry the signature. In the information technology age, paper is slowly disappearing and business transactions are being executed electronically. The Digital Signature (DS) has been accorded legal sanctity in many countries, including India, by special legislation.
Digital signatures have been confused with electronic signatures. Electronic signatures are scanned copies of a physical written signature.
2. What are Digital Signatures (DS):
A DS functions for electronic documents as a handwritten signature does for printed documents. A DS is a signature in electronic form attached to an electronic record. It is a tool for message origination, authentication and non-repudiation that affixes a coded message to the document, data or messages and guarantees the identity of the sender.
DS have been in use for quite a while to authenticate various e-commerce and m-commerce transactions. Today, the processes of creating and verifying a digital signature provide a high level of assurance to the involved parties that the e-signature is genuinely the signer's, and that the electronic document (or the e-contract) is authentic.
A DS actually provides a greater degree of security than a handwritten signature. The recipient of a digitally signed message can verify both that the message originated from the person whose signature is attached and that the message has not been altered, either intentionally or accidentally, since it was signed. Furthermore, secure DSs cannot be repudiated; the signer of a document cannot later disown it by claiming the signature was forged.
3. Use of electronic signatures
It is executed or adopted by a person with intent to sign the record. DS identifies the following:
origin of the message
ensures the integrity of the message
verifies the identity of the sender
authenticates that identity
4. DS V/s handwritten signature
DS is generically the electronic equivalent of the handwritten signature. In India, the Information Technology Act 2000 considers a DS as a personalised thumb print. It defines it to mean authentication of an electronic record by a person in whose name the DS certificate is issued by means of an electronic method.
5. Ensuring authorisation in DS
Authentication is ensured through encryption (the process of converting normal text to a coded message), decryption (the process of converting the coded text to its original plain text form) and signature certification. DS certificates are essential for establishing whether the authorisation is from the purported owner.

6. How it works
Digital signatures are a cryptographic (encrypted) signature assurance scheme that lets both parties (sender and receiver) trust an electronic document and treat it as valid and tamper-proof as long as the said document stays in an electronic format.
According to ISO/IEC 7498-2, a digital signature is defined as data appended to, or a cryptographic transformation of, a data unit that allows the recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.
6.1 For individuals
A digital signature involves two components: the public key and the private key. The sender signs a document using his private key, which ensures the document's safety in transit as the text is encrypted and only the sender has access to his private key. Therefore, by signing a document with it, he authenticates that it has originated with him and has not been tampered with en route. The recipient of this document uses the sender's public key to authenticate the encrypted document and to decrypt it into a readable text format.
There are several ways to authenticate a person or the information on a computer. Some of them are password, checksum, CRC (cyclic redundancy check), private key encryption, public key encryption and digital certificate.

6.2 Digital certificates for machines:


It's not just individuals who need to be authenticated. Servers need to prove their credentials too. That's where a Digital Certificate (DC) comes into the picture, ensuring that the information sent to and received from a Web server is authentic, and that the Web server in question can be trusted.
A DC essentially consists of public key certification information, together with information about the user such as name and ID. DS uses a pair of mathematically related signing keys, of which the private key is known only to the person signing.
It can be trusted since it is verified by an independent source known as a Certificate Authority.
The role of the certificate authority is to ensure that the system on either side can be trusted. A Certification Authority (CA) issues certificates and stands responsible for them. The CA signs these certificates. This enables users to know which CA created each certificate. The signature also ensures that a third party has not altered or corrupted the certificate at any point of time.
In India, the Indian IT Act authorises the Controller of Certifying Authorities (CCA) to licence and regulate the working of CAs, who, in turn, issue digital signature certificates for electronic authentication of users.
Some of the organisations acting as licenced CAs are the National Informatics Centre, Customs and Central Excise, Institute for Development & Research in Banking Technology, SafeScrypt, Tata Consultancy Services, MTNL and (n)Code Solutions.
It is the responsibility of the CCA to certify the public keys of CAs using its own private key. This enables users in cyberspace to verify that a given certificate is issued by a licenced CA. The Root Certifying Authority of India (RCAI) is the CCA for India. The CCA maintains the National Repository of Digital Certificates (NRDC). This repository contains all the certificates issued by all the CAs in the country.
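
The signing flow of section 6.1 and the certification chain of section 6.2, as an added Python example that is not part of the original document: a user signs a document, a CA signs the user's certificate, and a root standing in for the CCA signs the CA's certificate. The keys are unpadded textbook RSA built from Mersenne primes, for illustration only (real systems use padded schemes such as RSASSA-PSS with X.509 certificates). All names, dates and serial numbers are constructed.

```python
import hashlib, json

E = 65537  # public exponent shared by all constructed keys

def make_key(p, q):  # textbook RSA key pair: ((n, e), (n, d))
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)  # hash transformed with the private key

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data, n)  # needs only the public key

def encode(body):
    return json.dumps(body, sort_keys=True).encode()

def issue(subject, subject_public, serial, not_after, issuer, issuer_private):
    # Certificate = subject's public key and details, signed by the issuer.
    body = {"subject": subject, "issuer": issuer, "serial": serial,
            "not_after": not_after, "public_key": list(subject_public)}
    return {"body": body, "signature": sign(encode(body), issuer_private)}

def verify_chain(chain, root_public, today):  # returns signer's key or None
    issuer_public = root_public
    for cert in chain:
        body = cert["body"]
        if body["not_after"] < today or not verify(encode(body), cert["signature"], issuer_public):
            return None  # expired, altered, or not signed by the expected issuer
        issuer_public = tuple(body["public_key"])
    return issuer_public

def check_document(doc, sig, chain, root_public, today):
    key = verify_chain(chain, root_public, today)
    return key is not None and verify(doc, sig, key)

# Constructed sample data (insecure demo primes, made-up names).
ROOT_PUB, ROOT_PRIV = make_key(2**521 - 1, 2**607 - 1)
CA_PUB, CA_PRIV = make_key(2**1279 - 1, 2**2203 - 1)
USER_PUB, USER_PRIV = make_key(2**127 - 1, 2**2281 - 1)
CHAIN = [issue("Example CA", CA_PUB, 1, "2030-12-31", "Example Root", ROOT_PRIV),
         issue("alice@example.test", USER_PUB, 42, "2030-12-31", "Example CA", CA_PRIV)]
DOC = b"Pay 500 to account 12345"
DOC_SIG = sign(DOC, USER_PRIV)
```

A verifier needs only the root public key: `check_document(DOC, DOC_SIG, CHAIN, ROOT_PUB, "2025-01-01")` succeeds, while an altered document, an edited certificate, an expired date or a different trust anchor all fail.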

7. Classes of Digital Signatures


The digital certificate usually contains data such as the owner's name, company and address, as well as the owner's public key, along with the certificate's serial number and validity period. The certificate also includes the certifying company's ID and its digital signature.
There are three distinct classes ("Classes") of Certificates: Classes 1, 2, and 3. Each class of Certificates provides specific functionality and security features and corresponds to a specific level of trust.
Class 1: These certificates are issued to individuals with a valid e-mail address. They do not hold any legal validity, as the validation process is based only on a valid e-mail ID and involves no direct verification. Class 1 validation procedures are based on the assurance that the subscriber's Distinguished Name (DN) is unique and unambiguous within the CA's Repository and that the e-mail address in the DN is associated with the Public Key in the Certificate. Class 1 Certificates are appropriate for Digital Signatures, encryption, and electronic access control for non-commercial transactions where proof of identity is not required.
Class 2: Class 2 Certificates are issued to Individuals and Devices. This category states that a person's identity is to be verified against a trusted, pre-verified database. Class 2 validation procedures are based on the assurance that the subscriber's Distinguished Name (DN) is unique and unambiguous within the CA's Repository and that the identity of the Subscriber, based on information provided by the Subscriber in the Certificate Application, does not conflict with the information in a CA's approved and well recognized business or consumer database(s) (Validating Database). Class 2 Individual Certificates are appropriate for Digital Signatures, encryption, and electronic access control in transactions where proof of identity based on information in the Validating Database is sufficient. Class 2 Device Certificates are appropriate for device authentication; message, software, and content integrity; and confidentiality encryption.
Class 3: Class 3 requires the person to present himself or herself in front of a Registration Authority (RA) and prove his/her identity. Class 3 Certificates are issued to Individuals, Organizations, Servers & Devices. The validation procedures for Class 3 Certificates issued to Individuals are based on the personal (physical) presence of the Subscriber before a CA's authorized person, who confirms the identity of the Subscriber using a well-recognized form of government issued identification and one other identification credential. The validation procedures for Class 3 Certificates issued to Organizations are based on a confirmation that the Subscriber Organization does in fact exist, that the organization has authorized the Certificate Application, and that the person submitting the Certificate Application on behalf of the Subscriber was authorized to do so. Class 3 Individual Certificates are appropriate for Digital Signatures, encryption, and access control in transactions requiring a high assurance about the Subscriber's identity. Class 3 Server Certificates are appropriate for server authentication; message, software, and content integrity; and confidentiality encryption.
8. The components of a digital signature
Public key: This is the part that anyone can get a copy of and is part of the verification system.
Name and e-mail address: This is necessary for contact information purposes and to enable the viewer to identify the details.
Expiration date of the public key: This part of the signature is used to set a shelf life and to ensure that in the event of prolonged abuse of a signature, the signature is eventually reset.
Name of the company: This section identifies the company that the signature belongs to.
Serial number of the Digital ID: This part is a unique number that is bundled to the signature for tracking and extra identification reasons.
Digital signature of the CA (Certification Authority): This is a signature that is issued by the authority that issues the certificates.

9. Benefits of DS
DS may be applied to any kind of message. These messages can be anything from electronic mail to a contract, or even a message sent in a more complicated cryptographic protocol (an abstract or concrete protocol that performs a security-related function and applies cryptographic methods). Following are the key benefits of adopting the DS:
Possible to hold and handle voluminous electronic records in a much easier manner
Easy retrievability of documents
Provides access on the move through BlackBerries & removes delay associated with paper work
The non-feasibility of duplicating well designed and managed private keys reduces the possibility of fraud.
DS ensures the integrity of the transmitted documents and establishes the source of the document.

10. IT Act 2000


The Indian Information Technology Act 2000 (Act) came into effect from October 17, 2000. The Act is by and large based on the United Nations Commission on International Trade Law (UNCITRAL) model law on electronic commerce.
The objective of the Act is to provide for legal recognition of electronic transactions and digital signatures.
Section 5 of the Act gives legal recognition to digital signatures. Digital signatures have been legalised in India since 2000. However, since then, hardly any provisions of the Act have been implemented, except for the appointment of the Certifying Authority, which took place in 2001.
11. Current business applications of DS
At the moment, applications of digital signatures are limited to sectors such as banking and financial services, online stock-trading portals, and engineering conglomerates, for applications related to the authorisation of online fund transfers, certifications, statements & authentication of critical engineering drawings and documents.
