20-06-2012, 12:01 PM
Digital Signatures & the Indian law
[attachment=24880]
3. Digital Signatures - legal issues
The technical concepts relating to digital signatures have been discussed
in detail in the previous chapter. Let us take an overview of this concept
using a simple illustration.
Illustration
Sanya uses a digital signature software
(e.g. PGP) installed on her computer, to
generate a public and private key pair.
Simply put, these keys are very large
numbers.
She then stores her private key very
securely on her computer. She uploads her
public key to the website of a licensed
certifying authority (CA). She also couriers
a filled in application form and photocopies
of her passport and Income Tax PAN card
to the CA.
After following some verification
procedures, the CA sends Sanya a
hardware device by post. This device
contains Sanya’s digital signature
certificate. The digital signature certificate
contains Sanya’s public key along with
some information about her and the CA.
Sanya then has to accept her digital
signature certificate.
All digital signature certificates are stored in
the online repository maintained by the
Controller of Certifying Authorities (e.g. at
www.cca.gov.in)
Each Certifying Authority stores digital
signature certificates issued by it in an
online repository.
In order to digitally sign an electronic
record, Sanya uses her private key.
In order to verify the digital signature, any
person can use Sanya’s public key (which
is contained in her digital signature
certificate).
In case Sanya had originally generated her
private key on a smart card or USB Crypto
Ecommerce - Legal Issues
- 44 - © 2008 Rohas Nagpal. All rights reserved.
Token then the subsequent signatures
created by her would be secure digital
signatures.
Note: The smart card / crypto token have a
chip built into it, which has technology to
enable the signing operation to happen in
the device itself. The private key does not
come out of the device in its original form.
In case Sanya had generated and stored
her private key on a hard disk, floppy, CD,
pen drive etc then subsequent signatures
are not secure digital signatures.
Ecommerce - Legal Issues
© 2008 Rohas Nagpal. All rights reserved. - 45 -
3.1 Authenticating electronic records
According to section 3 of the IT Act
3. (1) Subject to the provisions of this section any subscriber
may authenticate an electronic record by affixing his digital
signature.
(2) The authentication of the electronic record shall be effected
by the use of asymmetric crypto system and hash function
which envelop and transform the initial electronic record into
another electronic record.
Explanation—For the purposes of this sub-section, "hash
function" means an algorithm mapping or translation of one
sequence of bits into another, generally smaller, set known
as "hash result" such that an electronic record yields the
same hash result every time the algorithm is executed with
the same electronic record as its input making it
computationally infeasible—
(a) to derive or reconstruct the original electronic record
from the hash result produced by the algorithm;
(b) that two electronic records can produce the same
hash result using the algorithm.
(3) Any person by the use of a public key of the subscriber can
verify the electronic record.
(4) The private key and the public key are unique to the
subscriber and constitute a functioning key pair.
Let us examine some of the terms used in this section:
Subscriber is a person in whose name the Digital Signature
Certificate is issued.
Authenticate means “to give legal validity to”, “establish the
genuineness of”.
Illustration
Pooja has issued a certificate stating that
Sameer has been employed in her
company for 3 years. Pooja affixes her
digital signature to this certificate. Pooja
has authenticated the certificate.
Electronic record means data, record or data generated, image
or sound stored, received or sent in an electronic form or micro
film or computer generated micro fiche.
Ecommerce - Legal Issues
- 46 - © 2008 Rohas Nagpal. All rights reserved.
Affixing digital signature means adoption of any methodology
or procedure by a person for the purpose of authenticating an
electronic record by means of digital signature.
Asymmetric crypto system is a system of using mathematically
related keys to create and verify digital signatures. The key pair
consists of a private key and a public key. The private key pair
is used in conjunction with a one-way hash function to create
digital signatures. The public key is used to verify the digital
signatures created by the corresponding private key.
A one-way hash function takes variable-length input – say, a
message of any length – and produces a fixed-length output; say,
160-bits. The hash function ensures that, if the information is
changed in any way – even by just one bit – an entirely different
output value is produced.
In interpreting this provision, the term “digital signature” must not be
compared to “signature” in the conventional sense. This is because
although a person usually has one conventional handwritten
signature for all messages, he will have a different digital signature
for every message that he signs.
Illustration
Mr. Sen writes a message as under:
Here, Mr. Sen’s signature is as marked in
the above message. Every document he
signs will bear this signature.
However, his digital signature for this
message could be
Although his digital signature for the
message in Figure 1 is as shown in Figure
iQA/AwUBO0BCsFPnhMicaZh0EQJllgCgt1qtfq
azO2ppYNdZN685h2QtYQsAoOgZ
eH3gqHf5Tisz1C7tzvHC09zx
=g/BR
Figure 2: Digital Signature
Dear Mr. Gupta,
I accept the terms and conditions
discussed by us today.
Mr. S Sen
Figure 1: Conventionally signed message
Ecommerce - Legal Issues
© 2008 Rohas Nagpal. All rights reserved. - 47 -
2, his digital signature for any and every
other message will be different.
E.g. if he changes the word “today” in the
message in Figure 1 to “yesterday”, his
digital signature for the new message could
be:
What the law implies here is that a person may authenticate an electronic
record by means of a digital signature, which is unique to the message
being digitally signed.
The public key and private key are basically two very large numbers that
are mathematically related to each other. If a particular private key was
used to “sign” a message, then only the corresponding public key will be
able to verify the “signature”.
The law also lays down that the private key and public key are unique to
each subscriber. This implies that no two subscribers should have the
same public and private key pair. This is practically achieved by using
very large numbers (hundreds of digits) as keys. The probability of two
persons generating the same key pair is thus extremely remote.
iQA/AwUBO0BDdlPnhMicaZh0EQIOBQCgiu0v
AT47Q7VJsgeQYWU69OtV+MMAoL772XDQB
vzPYOKSWDS6wjucho1T
=TSAn
Figure 3: New Digital Signature
Ecommerce - Legal Issues
- 48 - © 2008 Rohas Nagpal. All rights reserved.
3.2 Secure digital signature
A secure digital signature should satisfy the following conditions:
1. It should be unique to the subscriber affixing it. A digital
signature is unique and is based upon the message that is signed
and the private key of the signer.
2. It should be capable of identifying such subscriber. What this
implies is that the digital signature should be verifiable by the
public key of the signer and by no other public key.
3. It should be created in a manner or using a means under the
exclusive control of the subscriber. This implies that the signer
must use hardware and software that are completely free of any
unauthorized external control.
4. It should be linked to the electronic record to which it relates
in such a manner that if the electronic record were altered,
the digital signature would be invalidated. All standard
software programs used to create digital signatures contain this
feature. Without this feature the whole purpose of creating digital
signatures would be defeated.
According to notification G.S.R. 735 (E), notified by the Central
Government on the 29th of October, 2004, a secure digital signature is
one to which the following security procedure has been applied:
(a) a smart card6 or hardware token7, as the case may be, with
cryptographic module8 in it, is used to create the key pair;
(b) the private key used to create the digital signature always
remains in the smart card or hardware token as the case may be;
© the hash of the content to be signed is taken from the host system
to the smart card or hardware token and the private key is used to
create the digital signature and the signed hash is returned to the
host system;
(d) the information contained in the smart card or hardware token, as
the case may be, is solely under the control of the person who is
purported to have created the digital signature;
6 a device containing one or more integrated circuit chips.
7 means a token which can be connected to any computer system using
Universal Serial Bus (USB) port.
8 This can be understood as the software, e.g., PGP, used to generate the key
pair used for creating and verifying a digital signature.
Ecommerce - Legal Issues
© 2008 Rohas Nagpal. All rights reserved. - 49 -
(e) the digital signature can be verified by using the public key listed
in the Digital Signature Certificate issued to that person;
(f) the standards referred to in rule 6 of the Information Technology
(Certifying Authorities) Rules, 2000 have been complied with, in
so far as they relate to the creation, storage and transmission of
the digital signature; and
(g) the digital signature is linked to the electronic record in such a
manner that if the electronic record was altered the digital
signature would be invalidated.
[attachment=24880]
3. Digital Signatures - legal issues
The technical concepts relating to digital signatures have been discussed
in detail in the previous chapter. Let us take an overview of this concept
using a simple illustration.
Illustration
Sanya uses a digital signature software
(e.g. PGP) installed on her computer, to
generate a public and private key pair.
Simply put, these keys are very large
numbers.
She then stores her private key very
securely on her computer. She uploads her
public key to the website of a licensed
certifying authority (CA). She also couriers
a filled in application form and photocopies
of her passport and Income Tax PAN card
to the CA.
After following some verification
procedures, the CA sends Sanya a
hardware device by post. This device
contains Sanya’s digital signature
certificate. The digital signature certificate
contains Sanya’s public key along with
some information about her and the CA.
Sanya then has to accept her digital
signature certificate.
All digital signature certificates are stored in
the online repository maintained by the
Controller of Certifying Authorities (e.g. at
www.cca.gov.in)
Each Certifying Authority stores digital
signature certificates issued by it in an
online repository.
In order to digitally sign an electronic
record, Sanya uses her private key.
In order to verify the digital signature, any
person can use Sanya’s public key (which
is contained in her digital signature
certificate).
In case Sanya had originally generated her
private key on a smart card or USB Crypto
Ecommerce - Legal Issues
- 44 - © 2008 Rohas Nagpal. All rights reserved.
Token then the subsequent signatures
created by her would be secure digital
signatures.
Note: The smart card / crypto token have a
chip built into it, which has technology to
enable the signing operation to happen in
the device itself. The private key does not
come out of the device in its original form.
In case Sanya had generated and stored
her private key on a hard disk, floppy, CD,
pen drive etc then subsequent signatures
are not secure digital signatures.
Ecommerce - Legal Issues
© 2008 Rohas Nagpal. All rights reserved. - 45 -
3.1 Authenticating electronic records
According to section 3 of the IT Act
3. (1) Subject to the provisions of this section any subscriber
may authenticate an electronic record by affixing his digital
signature.
(2) The authentication of the electronic record shall be effected
by the use of asymmetric crypto system and hash function
which envelop and transform the initial electronic record into
another electronic record.
Explanation—For the purposes of this sub-section, "hash
function" means an algorithm mapping or translation of one
sequence of bits into another, generally smaller, set known
as "hash result" such that an electronic record yields the
same hash result every time the algorithm is executed with
the same electronic record as its input making it
computationally infeasible—
(a) to derive or reconstruct the original electronic record
from the hash result produced by the algorithm;
(b) that two electronic records can produce the same
hash result using the algorithm.
(3) Any person by the use of a public key of the subscriber can
verify the electronic record.
(4) The private key and the public key are unique to the
subscriber and constitute a functioning key pair.
Let us examine some of the terms used in this section:
Subscriber is a person in whose name the Digital Signature
Certificate is issued.
Authenticate means “to give legal validity to”, “establish the
genuineness of”.
Illustration
Pooja has issued a certificate stating that
Sameer has been employed in her
company for 3 years. Pooja affixes her
digital signature to this certificate. Pooja
has authenticated the certificate.
Electronic record means data, record or data generated, image
or sound stored, received or sent in an electronic form or micro
film or computer generated micro fiche.
Ecommerce - Legal Issues
- 46 - © 2008 Rohas Nagpal. All rights reserved.
Affixing digital signature means adoption of any methodology
or procedure by a person for the purpose of authenticating an
electronic record by means of digital signature.
Asymmetric crypto system is a system of using mathematically
related keys to create and verify digital signatures. The key pair
consists of a private key and a public key. The private key pair
is used in conjunction with a one-way hash function to create
digital signatures. The public key is used to verify the digital
signatures created by the corresponding private key.
A one-way hash function takes variable-length input – say, a
message of any length – and produces a fixed-length output; say,
160-bits. The hash function ensures that, if the information is
changed in any way – even by just one bit – an entirely different
output value is produced.
In interpreting this provision, the term “digital signature” must not be
compared to “signature” in the conventional sense. This is because
although a person usually has one conventional handwritten
signature for all messages, he will have a different digital signature
for every message that he signs.
Illustration
Mr. Sen writes a message as under:
Here, Mr. Sen’s signature is as marked in
the above message. Every document he
signs will bear this signature.
However, his digital signature for this
message could be
Although his digital signature for the
message in Figure 1 is as shown in Figure
iQA/AwUBO0BCsFPnhMicaZh0EQJllgCgt1qtfq
azO2ppYNdZN685h2QtYQsAoOgZ
eH3gqHf5Tisz1C7tzvHC09zx
=g/BR
Figure 2: Digital Signature
Dear Mr. Gupta,
I accept the terms and conditions
discussed by us today.
Mr. S Sen
Figure 1: Conventionally signed message
Ecommerce - Legal Issues
© 2008 Rohas Nagpal. All rights reserved. - 47 -
2, his digital signature for any and every
other message will be different.
E.g. if he changes the word “today” in the
message in Figure 1 to “yesterday”, his
digital signature for the new message could
be:
What the law implies here is that a person may authenticate an electronic
record by means of a digital signature, which is unique to the message
being digitally signed.
The public key and private key are basically two very large numbers that
are mathematically related to each other. If a particular private key was
used to “sign” a message, then only the corresponding public key will be
able to verify the “signature”.
The law also lays down that the private key and public key are unique to
each subscriber. This implies that no two subscribers should have the
same public and private key pair. This is practically achieved by using
very large numbers (hundreds of digits) as keys. The probability of two
persons generating the same key pair is thus extremely remote.
iQA/AwUBO0BDdlPnhMicaZh0EQIOBQCgiu0v
AT47Q7VJsgeQYWU69OtV+MMAoL772XDQB
vzPYOKSWDS6wjucho1T
=TSAn
Figure 3: New Digital Signature
Ecommerce - Legal Issues
- 48 - © 2008 Rohas Nagpal. All rights reserved.
3.2 Secure digital signature
A secure digital signature should satisfy the following conditions:
1. It should be unique to the subscriber affixing it. A digital
signature is unique and is based upon the message that is signed
and the private key of the signer.
2. It should be capable of identifying such subscriber. What this
implies is that the digital signature should be verifiable by the
public key of the signer and by no other public key.
3. It should be created in a manner or using a means under the
exclusive control of the subscriber. This implies that the signer
must use hardware and software that are completely free of any
unauthorized external control.
4. It should be linked to the electronic record to which it relates
in such a manner that if the electronic record were altered,
the digital signature would be invalidated. All standard
software programs used to create digital signatures contain this
feature. Without this feature the whole purpose of creating digital
signatures would be defeated.
According to notification G.S.R. 735 (E), notified by the Central
Government on the 29th of October, 2004, a secure digital signature is
one to which the following security procedure has been applied:
(a) a smart card6 or hardware token7, as the case may be, with
cryptographic module8 in it, is used to create the key pair;
(b) the private key used to create the digital signature always
remains in the smart card or hardware token as the case may be;
© the hash of the content to be signed is taken from the host system
to the smart card or hardware token and the private key is used to
create the digital signature and the signed hash is returned to the
host system;
(d) the information contained in the smart card or hardware token, as
the case may be, is solely under the control of the person who is
purported to have created the digital signature;
6 a device containing one or more integrated circuit chips.
7 means a token which can be connected to any computer system using
Universal Serial Bus (USB) port.
8 This can be understood as the software, e.g., PGP, used to generate the key
pair used for creating and verifying a digital signature.
Ecommerce - Legal Issues
© 2008 Rohas Nagpal. All rights reserved. - 49 -
(e) the digital signature can be verified by using the public key listed
in the Digital Signature Certificate issued to that person;
(f) the standards referred to in rule 6 of the Information Technology
(Certifying Authorities) Rules, 2000 have been complied with, in
so far as they relate to the creation, storage and transmission of
the digital signature; and
(g) the digital signature is linked to the electronic record in such a
manner that if the electronic record was altered the digital
signature would be invalidated.