Electronic documents need to be signed to assure recipients of their authenticity, and digital signatures fulfil this need. Dominic K reports (Oct 2006 issue)

Digital signatures have been in use for quite a while to authenticate various e-commerce and m-commerce transactions. Today, the processes of creating and verifying a digital signature provide a high level of assurance to the involved parties that the e-signature is genuinely the signer’s, and that the electronic document (or the e-contract) is authentic.

A digital foundation of trust

A digital signature is nothing but a cryptographic (encrypted) signature assurance scheme that lets both parties (sender and receiver) trust an electronic document and treat it as valid and tamper-proof as long as the said document stays in an electronic format.

To get technical, according to ISO/IEC 7498-2, a digital signature is defined as “data appended to, or a cryptographic transformation of a data unit, that allows the recipient of a data unit to prove the source and integrity of the data unit and protect against forgery.”

For individuals

A digital signature involves two components: the public key and the private key. The sender signs a document using his private key that ensures the document’s safety in transit as the text is encrypted and only the sender has access to his private key. Therefore, by signing a document with it, he authenticates that it has originated with him and not been tampered with en route. The recipient of this document uses the sender’s public key to authenticate the encrypted document and to decrypt it into a readable text format.
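The sign-with-private-key, verify-with-public-key flow described above, as an added example that is not part of the original article. The article names no algorithm; this sketch assumes a Lamport one-time hash-based signature so that it runs on the Python standard library alone, whereas deployed systems use RSA or ECDSA from a vetted library. The sample record and all function names are constructed for illustration.

```python
import hashlib
import secrets

BITS = 256  # the signature covers the SHA-256 digest of the record

def _h(data):
    return hashlib.sha256(data).digest()

def _digest_bits(document):
    """Bits of SHA-256(document), most significant first."""
    d = int.from_bytes(_h(document), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]

def generate_keypair():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public

def sign(private, document):
    """Reveal one secret per digest bit. A Lamport key must sign only once."""
    return [private[i][bit] for i, bit in enumerate(_digest_bits(document))]

def verify(public, document, signature):
    """Each revealed secret must hash to the public value for its digest bit."""
    if len(signature) != BITS:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(document)):
        ok &= secrets.compare_digest(_h(signature[i]), public[i][bit])
    return ok

def demo():
    record = b"Purchase order 1042: pay INR 50,000 to Acme Ltd"  # constructed sample
    private, public = generate_keypair()
    sig = sign(private, record)
    altered = record.replace(b"50,000", b"90,000")  # record changed after signing
    _, other_public = generate_keypair()            # a different signer's public key
    return {
        "genuine": verify(public, record, sig),
        "altered_record": verify(public, altered, sig),
        "wrong_signer": verify(other_public, record, sig),
    }

if __name__ == "__main__":
    print(demo())
```

The altered record fails verification because the signature is bound to the record's digest, and the wrong public key fails because only the holder of the matching private key could have produced the revealed secrets.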

There are several ways to authenticate a person or the information on a computer. Some of them are password, checksum, CRC (cyclic redundancy check), private key encryption, public key encryption and digital certificate.

IT Act 2000

The Indian Information Technology Act 2000 (‘Act’) came into effect from October 17, 2000. The Act is by and large based on the United Nations Commission on International Trade Law (UNCITRAL) model law on electronic commerce.

The objective of the Act is to provide for legal recognition of electronic transactions and digital signatures. Section 5 of the Act gives legal recognition to digital signatures. Digital signatures have been legalised in India since 2000. However, since then, hardly any provisions of the Act have been implemented, except for the appointment of the Certifying Authority which took place in 2001.

A Few Provisions of IT Act 2000

Legal recognition of digital signatures (section 5). “Where any law provides that information or any other matter shall be authenticated by affixing the signature, or any document should be signed or bear the signature of any person, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is authenticated by the means of digital signature affixed in such manner as may be prescribed by the Central Government.”

Electronic Record (Section 2(1)(t)). “Means data, record or data generated, image or sound stored, received or sent in an electronic form, or microfilm or computer generated micro-fiche.”

Legal recognition of Electronic Record (section 4). “Where any law provides that the information or any other matter shall be in writing or in typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is: (a) rendered or made available in an electronic form; and (b) accessible so as to be usable for a subsequent reference.”

Secure Electronic Record (Section 14). “Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.”

Secure Digital Signature (Section 15). “If, by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was: (a) unique to the subscriber affixing it; (b) capable of identifying such subscriber; (c) created in a manner or using a means under the exclusive control of the subscriber and is linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated, then such digital signature shall be deemed to be a secure digital signature.”

Certifying Authority (Section 2(1)(g)). “Means a person who has been granted a licence to issue a Digital Signature Certificate under section 24” (issuance of certificates by Controller).

Treatment of Certification Authorities (Chapter VI). “This Act authorises the Central Government to appoint a Controller of Certifying Authorities. The duties of the Controller are listed under Chapter VI of the Act, and include exercising supervision over the activities of certification authorities and defining the duties of these certification authorities.”

Towards wider adoption

The adoption of digital signatures in India is still at an early stage. Though the idea of digital signatures appears to be sound, it has not lived up to expectations. At the moment, applications of digital signatures are limited to sectors such as banking and financial services, online stock-trading portals, and engineering conglomerates (to authenticate critical engineering drawings and documents).

For more details please visit http://www.networkmagazineindia.com/200610/coverstory03.shtml