
DIGITAL SIGNATURE

1 Digital Signature Project

Chapter 1
Introduction. Computer technology has changed the way we communicate and do business. It has led to the emergence of new methods and practices of communication and business. Indeed, all the functional areas of communication and business are undergoing change. The new technology has transformed business processes, the way products and services are created and marketed, the organisational structure of the enterprise and the nature of the enterprise itself. A new era of e-communication and e-commerce has begun.

To better understand what electronic communication, electronic transactions and electronic business are, let us look at a process we are all familiar with: writing and sending a check, mailing a message (e-mail), sending or transferring a data file to another computer, online fund transfer, online shopping and so on. The simplest electronic version of the check can be a text file, created with a word processor, asking your bank to pay someone a specific sum. However, sending this check over an electronic network poses several security problems. Since anyone could intercept and read the file, you need confidentiality. Since someone else could create a similar counterfeit file, the bank needs to authenticate that it was actually you who created the file.

Since you could deny creating the file, the bank needs non-repudiation. Since someone could alter the file, both you and the bank need data integrity. Sometimes, in computer-based communication, people want a message (an e-mail) to be read and understood by no one but the intended recipient. There is a need to protect messages sent by computer, and data transmitted between terminals and computers or between computers. There is a need to protect the confidentiality and integrity of data, messages, electronic fund transfers, e-business and so on. Confidentiality refers to protection against the accidental or intentional disclosure of data to an unauthorised individual. Integrity refers to data that has not been exposed to accidental or malicious alteration or destruction. There must be some mechanism that prevents unauthorised recipients of the data from interpreting its meaning. There must be some mechanism that prevents unauthorised individuals from manipulating data, messages or online business transactions in such a way that the original data is changed in a predetermined manner. To overcome these issues, some secure method should be used, and it must be recognised by law.


To be effective, this mechanism must cost less than the expected loss (risk) if the protection were not provided. To overcome all the above problems, the use of a digital signature in computer-based or electronic transactions is the best and most secure option. Understanding how a digital signature is created, and how it achieves the same functionality as a handwritten signature, is by no means an easy task. This is because the technical concepts involved in creating a digital signature seem far removed from the realm of law, although the objective of affixing a digital signature to an electronic record is purely legal. The differences between digital signatures and other electronic signatures are significant, not only in terms of process and result, but also because those differences make digital signatures more serviceable for legal purposes. Some electronic signatures, though perhaps legally recognisable as signatures, may not be as secure as digital signatures, and may lead to uncertainty and disputes. The Information Technology Act 2000 (IT Act) prescribes digital signatures as a means of authentication of electronic records. In short, a digital signature has the same function as a handwritten signature in the case of e-communication, e-business and so on. Digital signatures are applications of asymmetric key cryptography and hash functions. To understand what cryptography is, we must look at the roots of cryptography, discuss its types and become familiar with how it works; we then discuss asymmetric key cryptography in detail, and at the same time what a hash function is, what its features are and how it is used to create a digital signature.

Cryptography has a long and interesting history. Cryptography is a process of encryption in which the original intelligible message, referred to as plain text, is converted into apparently random nonsense, referred to as cipher text. The encryption process consists of an algorithm and a key. The key is a short bit stream that controls the algorithm. The algorithm produces a specific output for a specific key; changing the key changes the output of the algorithm. Cryptography is primarily used as a tool to protect national secrets and strategies. It is extensively used by the military, the diplomatic services and other sectors. The concept of securing messages through cryptography has a long history. Indeed, Julius Caesar is credited with creating one of the earliest cryptographic systems to send military messages to his generals. Kahn's book titled The Codebreakers traces cryptography from its initial use by the Egyptians more than 4000 years ago to its role in the World Wars of the 20th century.

Cryptography is the study of secret (crypto-) writing (-graphy) and is concerned with developing algorithms which may be used to:
i) conceal the content of some message from all except the sender and recipient (privacy or secrecy), and/or
ii) verify the correctness of a message to the recipient (authentication).
______

Basic Terminology
Plaintext: the original message, which is what you want to encrypt.
Cipher text: the transformed message.
Enciphering or encryption: the process by which plaintext is converted into cipher text.
Key: some critical information used by the cipher, known only to the sender and receiver.
Deciphering or decryption: recovering plaintext from cipher text.
Cryptography: the art or science encompassing the principles and methods of transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form.
Cipher: an algorithm for transforming an intelligible message into one that is unintelligible by transposition and/or substitution methods.
Cryptanalysis: the study of principles and methods of transforming an unintelligible message back into an intelligible message without knowledge of the key. Also called code breaking.
Cryptology: both cryptography and cryptanalysis.
Code: an algorithm for transforming an intelligible message into an unintelligible one using a code-book.
_______

Types of Cryptography
There are two types of cryptography: i) symmetric cryptography and ii) asymmetric cryptography.
Symmetric cryptography: Symmetric cryptography uses the same key for both encryption and decryption. Using symmetric cryptography, it is safe to send encrypted messages without fear of interception (because an interceptor is unlikely to be able to decipher the message); however, there always remains the difficult problem of how to securely transfer the key to the recipients of a message so that they can decrypt it. The important thing to note is that the same secret key is used for encryption and decryption in classical cryptography. It is for this reason that classical cryptography is also referred to as symmetric key cryptography.

It was essentially impossible to provide key management for large-scale networks. With symmetric cryptography, as the number of users on a network increases, the number of keys required to provide secure communication among those users increases rapidly. For example, a network of 100 users would require almost 5000 keys if it used only symmetric cryptography. Doubling such a network to 200 users increases the number of keys to almost 20,000. Thus, when only symmetric cryptography is used, key management quickly becomes unwieldy even for relatively small-scale networks.

Asymmetric cryptography: A major advance in cryptography occurred with the invention of public-key cryptography, which is nothing but asymmetric key cryptography. In asymmetric cryptography there are two different keys for encryption and decryption, i.e. one key for encryption and another key for decryption. The primary feature of public-key cryptography is that it removes the need to use the same key for encryption and decryption. With public-key cryptography, keys come in pairs of matched public and private keys. The public portion of the key pair can be distributed publicly without compromising the private portion, which must be kept secret by its owner. An operation (for example, encryption) done with the public key can only be undone with the corresponding private key. The invention of public-key cryptography was of central importance to the field of cryptography and provided answers to many key management problems for large-scale networks. But there is still a problem of key management. In cryptographic systems, the term key refers to a numerical value used by an algorithm to alter information, making that information secure and visible only to individuals who have the corresponding key to recover the information. Consequently, the term key management refers to the secure administration of keys to provide them to users where and when they are required. For all its benefits, however, public-key cryptography did not provide a comprehensive solution to the key management problem. Indeed, the possibilities brought forth by public-key cryptography heightened the need for sophisticated key management systems to answer questions such as the following:
a) How can one easily encrypt a file once for a number of different people using public-key cryptography?
b) If someone loses his keys, how can he decrypt all of his files that were encrypted with those keys?
c) How does one know that he really has Alice's public key and not the public key of someone pretending to be Alice?
d) How can one know that a public key is still trustworthy?

Conventional Encryption
Let P be the plain text and C be the cipher text. Then C = E_K(P), which means that encryption of the plain text P using key K gives the cipher text C. Similarly, P = D_K(C) represents the decryption of C to get the plain text again. Thus D_K(E_K(P)) = P.


The security of conventional encryption depends on several factors. First, the encryption algorithm must be powerful enough that it is impossible to decrypt a message on the basis of the cipher text alone. Beyond that, the security of conventional encryption depends on the secrecy of the key, not the secrecy of the algorithm.

There are five general methods of cryptography:
Substitution ciphers
Transposition ciphers
Expansion ciphers
Compression ciphers
Block ciphers

Substitution Ciphers
XOB VLR OBXAV
If you received that message, at first it would look like a random set of letters placed together, but upon further examination you may be able to decipher the message as:
ARE YOU READY
You can decode the message by subtracting 3 from the original letters and substituting the corresponding letter. This method of encryption is known as Caesar's method, as he used it to send messages. In substitution ciphers, the letters, digits or symbols, or a group of them, in a message are replaced by another letter, digit or symbol, but the order of their occurrence in the message is not changed. One of the oldest known substitution ciphers is the Caesar cipher. In this method:
Plain text:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher text: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
So if the plain text is College, then the cipher text is FROOHJH. It is secure only as long as the enemy does not know, or guess, the idea.

Transposition Cipher
A transposition cipher is also known as a permutation cipher. In a transposition cipher, the order in which the characters of a message occur is changed, but the characters themselves are not disguised. Transposition ciphers, sometimes called "rail fence ciphers", are a unique and fun way to encipher a message. There are lots of ways to create transposition ciphers. An example of one type of transposition cipher is given below. Write out your secret message on two lines, writing one letter on the top line and the next letter on the second line, until the entire message has been written. Then write out your message by writing the characters from the first and then the second line in order!
Plain Message: THIS IS FUN!
Line 1: T I I F N
Line 2: H S S U !
Enciphered Message: TIIFNHSSU!
You can try other ways of making a transposition cipher as well. After transposing your message on two lines, you may want to write out your enciphered message by starting at the end of the second line and working your way right to left, until the entire message is written. An example is given below.
Plain Message: THIS IS FUN!
Line 1: T I I F N
Line 2: H S S U !

Enciphered Message: !USSHNFIIT
Can you think of another way to encipher a transposition message? The following is another example of a transposition cipher with a key. The cipher is keyed by a word or phrase not containing repeated letters. In this example MANGO is the key. The purpose of the key is to number the columns, column 1 being under the key letter closest to the start of the alphabet, and so on. The plain text is written horizontally, in rows. The cipher text is read out by columns, starting with the column whose key letter is the lowest.
Plain Text: It is very easy to learn and is a good fun
M A N G O
3 1 4 2 5
i t i s v
e r y e a
s y t o l
e a r n a
n d i s a
g o o d f
u n a b c
Cipher Text: TRYADONSEONSDBIESENGUIYTRIOAVALAAFC

Expansion Cipher: The expansion cipher adds nonsense text within the actual characters of the message to disguise them.
Compression Cipher: The compression cipher removes characters from the plain text to disguise it. The removed characters are sent separately.
Block Cipher: The block cipher divides a long plain text message into blocks of equal size. Other techniques like permutation, substitution, compression and expansion are applied to each block separately, before transmitting the message. At the receiver's end, the blocks are decrypted individually.
Traditional cryptography depends on relatively simple encryption and decryption methods, as the encryption and decryption has to be done by people or simple machines. It also depends on long and complex keys for encryption and decryption. When cryptography is done on a computer, the computer depends on complex algorithms as well as long keys for data encryption. Both hardware and software are used in cryptology (cryptology is the art of both devising and breaking ciphers). As discussed above, one of the landmark developments in the history of cryptography was the introduction of the revolutionary concept of public-key cryptography.
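The Caesar, two-line rail fence and keyed columnar ciphers described above, implemented as an added example (not code from the original project) so that each of the page's worked values can be reproduced; the function names and the "abc" padding helper are this example's own choices.

```python
# Added example: the three classical ciphers from this chapter, written so
# the worked values in the text (FROOHJH, TIIFNHSSU!, the MANGO cipher text)
# can be checked. Educational code, not the project's own.
import string

ALPHABET = string.ascii_uppercase


def caesar(text, shift):
    """Shift every letter by `shift` places (mod 26); other characters stay as they are."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def rail_fence_2(plain, reverse=False):
    """Two-line transposition: 1st, 3rd, 5th... character on line 1, the rest on line 2.
    Spaces are dropped, as in the worked example. reverse=True reads the result
    from the end of the second line, the page's second variant."""
    chars = [c for c in plain if not c.isspace()]
    line1 = chars[0::2]
    line2 = chars[1::2]
    cipher = "".join(line1 + line2)
    return cipher[::-1] if reverse else cipher


def column_order(key):
    """Number the columns by alphabetical rank of the key letters: MANGO -> [3, 1, 4, 2, 5]."""
    ranked = sorted(key)
    return [ranked.index(ch) + 1 for ch in key]


def columnar_encrypt(plain, key, pad="abc"):
    """Keyed columnar transposition: write the letters in rows under the key,
    pad the last row (the page pads with 'abc'), then read the columns in the
    order given by column_order()."""
    letters = [c for c in plain.lower() if c.isalpha()]
    width = len(key)
    short = (-len(letters)) % width
    letters += list(pad[:short])
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    order = column_order(key)
    # column indices sorted by rank: the column ranked 1 is read first
    read_sequence = sorted(range(width), key=lambda col: order[col])
    return "".join(row[col] for col in read_sequence for row in rows).upper()


def columnar_decrypt(cipher, key):
    """Invert columnar_encrypt by refilling the columns in the same read order
    and then reading the grid row by row (padding letters are kept)."""
    width = len(key)
    height = len(cipher) // width
    order = column_order(key)
    read_sequence = sorted(range(width), key=lambda col: order[col])
    cols = [None] * width
    for i, col in enumerate(read_sequence):
        cols[col] = cipher[i * height:(i + 1) * height]
    return "".join(cols[c][r] for r in range(height) for c in range(width)).lower()


if __name__ == "__main__":
    print(caesar("College", 3))                  # FROOHJH
    print(caesar("XOB VLR OBXAV", 3))            # ARE YOU READY
    print(rail_fence_2("THIS IS FUN!"))          # TIIFNHSSU!
    print(rail_fence_2("THIS IS FUN!", True))    # !USSHNFIIT
    print(column_order("MANGO"))                 # [3, 1, 4, 2, 5]
    ct = columnar_encrypt("It is very easy to learn and is a good fun", "MANGO")
    print(ct)                                    # TRYADONSEONSDBIESENGUIYTRIOAVALAAFC
    print(columnar_decrypt(ct, "MANGO"))
```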
_______

Hash function
A more fundamental process, termed a "hash function" in computer terminology, is used in both creating and verifying a digital signature. A hash function creates, in effect, a digital freeze frame of the data: a code usually much smaller than the data but nevertheless unique to it. If the data changes, the hash result of the message will invariably be different. Hash functions enable the software for creating and verifying digital signatures to operate on smaller and predictable amounts of data, while still providing a strong evidentiary correlation to the original data content. The idea of hashing started in the earliest days of computing. The first true electronic computers began to run in 1949 and 1950. A proposal for hash search was described by Hans Peter Luhn in an IBM technical memorandum in 1953. What he wanted was a function that would deliberately abuse keys, producing practically the equivalent of the mathematical concept of uniformly distributed random variables.

The basic requirements for a cryptographic hash function are:
o the input can be of any length,
o the output has a fixed length,
o H(x) is relatively easy to compute for any given x,
o H(x) is one-way,
o H(x) is collision-free.

As we saw above, a one-way hash function takes variable-length input, say a message of any length, and produces a fixed-length output, say 160 bits. The hash function ensures that if the information is changed in any way, even by just one bit, an entirely different output value is produced. The table below shows some sample output values using SHA (Secure Hash Algorithm).
Input   SHA hash value
sanya   c75491c89395de9fa4ed29affda0e4d29cbad290
SANYA   33fef490220a0e6dee2f16c5a8f78ce491741adc
Sanya   4c391643f247937bee14c0bcca9ffb985fc0d0ba

It can be seen from the table above that the hash value for sanya is c75491c89395de9fa4ed29affda0e4d29cbad290, while the hash value for SANYA is 33fef490220a0e6dee2f16c5a8f78ce491741adc. By changing the input from sanya to SANYA, an entirely different hash value is generated. What must be kept in mind is that, irrespective of the size of the input, the hash output will always be of the same size. Two things must be borne in mind with regard to one-way hash functions:
1. It is computationally infeasible to find two different input data that will yield the same hash output.
2. It is computationally infeasible to reconstruct the original data from its hash output.
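The fixed-length and "one bit changes everything" properties described above, checked with Python's hashlib SHA-1 as an added example (not part of the original project): it rebuilds the page's sanya/SANYA/Sanya table, compares output lengths for very different input sizes, and counts how many output bits change when a single input bit is flipped. The helper names are this example's own.

```python
# Added example: SHA-1 properties from the text, checked with hashlib.
# Educational code, not the project's own.
import hashlib


def sha1_hex(data):
    """Hex digest of SHA-1 over bytes (a str is encoded as UTF-8 first)."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.sha1(data).hexdigest()


def digest_bits(hex_digest):
    """Output size in bits: 40 hex characters is 160 bits."""
    return len(hex_digest) * 4


def bit_difference(hex_a, hex_b):
    """Number of differing bits between two hex digests (Hamming distance)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def flip_one_bit(data, bit_index=0):
    """Return a copy of `data` with exactly one bit flipped (constructed test input)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hash_table(inputs):
    """Reproduce the page's table: input string -> SHA-1 hex value."""
    return {s: sha1_hex(s) for s in inputs}


def avalanche_report(data):
    """Hash `data` and a one-bit-changed copy; report both digests and how
    many of the 160 output bits differ (roughly half, for a good hash)."""
    original = sha1_hex(data)
    changed = sha1_hex(flip_one_bit(data))
    return original, changed, bit_difference(original, changed)


if __name__ == "__main__":
    for word, h in hash_table(["sanya", "SANYA", "Sanya"]).items():
        print(f"{word:6} {h}")
    # Same output size whether the input is empty or 10,000 characters long
    print(digest_bits(sha1_hex("")), digest_bits(sha1_hex("x" * 10000)))
    original, changed, n_bits = avalanche_report(b"sanya")
    print(original, changed, f"{n_bits} of 160 output bits changed")
```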
______

Digital Signature
As discussed earlier, computer-related communication, i.e. e-mail, sending or transferring data files to other computers, online fund transfer, online shopping and so on, has problems of data or message security, confidentiality and authentication. There are many mechanisms or methods available to secure data, keep it confidential or authenticate it, but the most effective and legally recognised method is the digital signature. It is legally recognised because the Information Technology Act 2000 authenticates and recognises electronic or digital communication which is done by digital signature. As discussed earlier, a digital signature is derived with the help of cryptography and a hash function. The fundamental objectives of digital signatures in information security are to ensure the following:
Confidentiality is used to keep the content of information secret from unauthorised persons. This is achieved through asymmetric encryption.
Data integrity addresses the unauthorised alteration of data. This is addressed by hash functions.
Authentication is related to identification. This function applies to both entities and information itself. This is achieved through digital signature certificates and digital signatures.
Non-repudiation prevents someone from denying previous commitments or actions. This is achieved through digital signature certificates and digital signatures.
A digital signature uses asymmetric cryptography, and we know that in asymmetric cryptography two different keys are used, one for encryption and the other for decryption. These keys are referred to as a key pair; one key is called the private key and the other the public key. The private key remains with the subscriber of the digital signature, while the public key is published or disclosed to all. The key pair is mathematically so interconnected that a message encrypted by the private key can only be decrypted by its public key, and a message encrypted by the public key can only be decrypted by its private key.


Keys
A key is a value that works with a cryptographic algorithm to produce a specific cipher text. Keys are basically very, very, very big numbers. Key size is measured in bits. In public key cryptography, the bigger the key, the more secure the cipher text. However, public key size and conventional cryptography's symmetric key size are totally unrelated. The algorithms used for each type of cryptography are very different and are very difficult to compare. Although the public and private keys are mathematically related, it is very difficult to derive the private key by analysing the public key. Keys are stored by cryptographic software in an encrypted form. These files are called key rings.

RSA Algorithm
In 1978, Ron Rivest, Adi Shamir and Leonard Adleman discovered the first practical public-key encryption and signature scheme, now referred to as RSA (after the names of its inventors). The figure below illustrates a 512-bit RSA public key.

A 512-bit RSA public key


_______

Key Pair
To better understand the key pair, the private key and public key generated by the key pair generating software PGP (Pretty Good Privacy) are illustrated in the following figures.
A 1024 bit RSA public key generated using the PGP (Pretty Good Privacy) digital signature and encryption software.



As discussed, in a digital signature the message is encrypted by the public or private key of the subscriber. After encryption, the plain text or intelligible message is converted into apparently random nonsense. To understand this concept of encryption, and the concepts of digital signature and cryptography, we take a message which is in plain text form and intelligible. This plain text is then encrypted using asymmetric encryption, and the plain text message is converted into an encrypted form which is not intelligible without decrypting. The following figures show the plain text and the encrypted message. The figure below illustrates a simple message.
Dear Sandesh,

I am in Delhi on the 11th of this month. Will it be convenient for you to meet me at the Nine Garden restaurant for dinner?

Love, Ravina
A simple message

The figure below illustrates the encrypted form of the message above.

The encrypted form (using asymmetric encryption) of the message above.

______

Functioning of Digital Signature.



A major benefit of public key cryptography is that it provides a method for employing digital signatures. As illustrated in figure 1, to sign a document or any other item of information, the signer first decides precisely what is to be signed. The information to be signed is termed the "message". Then a hash function in the signer's software computes a hash result, a code unique to the message. The signer's software then transforms the hash result into a digital signature using the signer's private key. This transformation is sometimes described as "encryption". The resulting digital signature is thus unique to both the message and the private key used to create it.

Typically, a digital signature is attached to its message and stored or transmitted with it. However, it may also be sent or stored as a separate data element, so long as it maintains a reliable association with its message. Since a digital signature is unique to its message, it is useless if wholly dissociated from its message. Verification of a digital signature, as illustrated in Figure 2, is accomplished by computing a new hash result of the original message by means of the same hash function used in creating the digital signature. Then, using the public key, the verifier checks whether the digital signature was created using the corresponding private key, and whether the newly computed hash result matches the hash result derived from the digital signature. If the signer's private key was used and the hash results are identical, then the digital signature is verified. Verification thus indicates (1) that the digital signature was created using the signer's private key, because only the signer's public key will verify a digital signature created with the signer's private key, and (2) that the message was not altered since it was signed, because the hash result computed in verification matches the hash result from the digital signature, which was computed when the message was digitally signed. Digital signatures enable the recipient of the information to verify the authenticity of the information's origin, and also to verify that the information is intact. Thus, digital signatures provide authentication and data integrity.

From the above process we can say that a digital signature also provides non-repudiation, which means that it prevents the sender from claiming that he or she did not actually send the information. These features are every bit as fundamental to cryptography as privacy, if not more so. A digital signature serves the same purpose as a handwritten signature. However, a handwritten signature is easy to counterfeit. A digital signature is superior to a handwritten signature in that it is nearly impossible to counterfeit, plus it attests to the contents of the information as well as the identity of the signer.

Illustration
Mr "X" uses computer software to generate two keys, a public key and a private key. These keys are nothing but extremely large numbers. Although the keys are mathematically related, it is almost impossible to obtain the private key by using the public key. Mr "X" will give his public key to the whole world but will keep his private key to himself. Now Mr "X" wants to enter into a transaction with Mr "Z". He composes an electronic document containing the words 'I, Mr "X" owe Mr "Z" the sum of Rs. 500 only'. Using his computer, Mr "X" runs this document through a hash function. The hash function software produces a fixed length of alphabets, numbers and symbols for any document. This is known as the hash result. However, the contents of this fixed length are never the same for two different documents. If even one letter in the document is altered, an entirely different hash result will be generated. When using a particular hash function, the length of the output is always the same, whether the input document is one word or 1 lakh words. Moreover, the hash function software will always produce the same hash result for a particular message. It is practically impossible to reconstruct the original message from the hash result. That is why it is known as a one-way hash function. Mr "X" now uses his computer to sign the hash result of his document. His computer software uses his private key to perform some calculations upon the hash result. This produces a signature, which consists of some digits. This set of digits is attached to the hash result. Mr "X" now sends the original message and the signed message digest (hash result) to Mr "Z". Mr "Z" has the same hash function software on his computer. He also has Mr "X"'s public key. When Mr "Z" receives Mr "X"'s e-mail, he runs the original document through the hash function software and generates a hash result. He compares this hash result with the one that was sent to him by Mr "X". If the two hash results are the same, it means that the message is unaltered. Mr "Z" also verifies whether Mr "X"'s private key was actually used to sign the hash result. For this, Mr "Z"'s computer uses Mr "X"'s public key. Only a message signed by Mr "X"'s private key can be verified using Mr "X"'s public key. The public key and private key are basically two very large numbers that are mathematically related to each other. If a particular private key was used to sign a message, then only the corresponding public key will be able to verify the signature. The digital signature creation and verification process achieves the following legal requirements:


Signer authentication: A person's digital signature cannot be forged unless his private key is stolen. This means that if a digital signature can be verified by Mr "X"'s public key, then it must have been created by Mr "X"'s private key. The digital signature verification process thus authenticates the identity of the signer.
Message authentication: A digital signature is based upon the hash value (or message digest) of the actual message. Thus a digital signature is unique for each message and automatically authenticates the message.
Affirmative act: The process of digital signature creation requires the signer to use his private key (usually by entering a password). This overt act alerts the signer that he is initiating a transaction that may have legal consequences.
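The hash-then-sign and verify process described in the "Functioning of Digital Signature" section and in the Mr "X" / Mr "Z" illustration, as an added worked example that is not part of the original project: a textbook RSA key pair is generated here with Miller-Rabin-tested primes, the SHA-1 hash result is transformed with the private key, and the verifier recovers it with the public key. The function names, the 256-bit key size and the padding-free signature are this example's own simplifications; real deployments use a standardised padding scheme (such as PKCS#1) and a vetted library, and the "altered message" and "wrong key" cases show what verification is expected to reject.

```python
# Added example: textbook RSA signing of a SHA-1 hash result, following the
# page's Mr "X" / Mr "Z" illustration. Educational code, not the project's own.
# Raw (unpadded) RSA is used only to make the hash-then-sign idea visible.
import hashlib
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (probabilistic; enough for a demonstration)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd number of exactly `bits` bits that passes the primality test."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_key_pair(bits=256):
    """Mr "X"'s step: return (public_key, private_key) as (n, e) and (n, d).
    256 bits keeps the modulus larger than the 160-bit SHA-1 digest."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def hash_result(message):
    """Fixed-length SHA-1 digest of the message, as an integer."""
    return int.from_bytes(hashlib.sha1(message.encode("utf-8")).digest(), "big")


def sign(private_key, message):
    """Transform the hash result with the private key (the page's 'encryption')."""
    n, d = private_key
    h = hash_result(message)
    assert h < n, "modulus must be larger than the digest"
    return pow(h, d, n)


def verify(public_key, message, signature):
    """Mr "Z"'s step: recompute the hash result and compare it with the one
    recovered from the signature using the public key."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == hash_result(message)


def demo():
    """Mr "X" signs his promise; Mr "Z" verifies it and two tampered variants."""
    random.seed(2008)                        # reproducible demo keys only
    x_public, x_private = generate_key_pair()
    other_public, _ = generate_key_pair()    # an unrelated key pair
    message = 'I, Mr "X" owe Mr "Z" the sum of Rs. 500 only.'
    signature = sign(x_private, message)
    return {
        "genuine": verify(x_public, message, signature),
        "altered": verify(x_public, message.replace("500", "5000"), signature),
        "wrong_key": verify(other_public, message, signature),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'altered': False, 'wrong_key': False}
```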

------------


Digital Signature Certificates
Simply put, a digital signature certificate contains a public key as certified by a Certifying Authority (CA). Let us take a simple illustration. Mr. "X" wants to digitally sign e-mails and electronic contracts. The first step he would take is to generate a private-public key pair. Once he has done that, he can use his private key to sign contracts and so on. Anyone can use Mr. "X"'s public key to verify his signature. That is where the problem begins. How can anyone be sure which is Mr. "X"'s public key? What if Mr. "X" denies that a particular public key is actually his? To solve this problem, digital signature certificates are used. Mr. "X" would apply to a licensed CA for a digital signature certificate. As part of the application process he would submit identification documents (such as a passport, PAN card, etc.). He would also send his public key to the CA. The CA would then certify the public key as belonging to Mr. "X" and issue a digital signature certificate that contains Mr. "X"'s public key along with information identifying him. The digital signature certificate is digitally signed by the CA and is legally recognised under the law.

As discussed above, the certificate is intended to do the following:
1. Prove a person's identity to another computer
2. Protect e-mail messages
It can be noticed that the DSC states that "You have a private key that corresponds to this certificate".

The following are some of the details of the certificate:
1. Version: This is stated as V3. This signifies that the DSC is based on the X.509 version 3 technology standards.
2. Serial number: The serial number is a positive integer assigned by the CA to each DSC issued by it. This number is unique for each DSC issued by the CA. Note: 03 59 aa is a hexadecimal number that corresponds to the decimal number 50696362.
3. Signature Algorithm: This field identifies the mathematical algorithm used by the CA to sign the certificate [sha1RSA in this case]. sha1 stands for Secure Hash Algorithm 1, while RSA stands for Rivest Shamir Adleman.

4. Issuer: This field identifies the CA who has issued this DSC. The table below summarises the information contained in the DSC and a brief explanation of what that information stands for.

5. Valid From: This indicates that the DSC is valid from 11:31:07 AM on Tuesday, November 20, 2008.
6. Valid To: This indicates that the DSC is valid till 11:31:07 AM on November 19, 2009.
7. Subject: The subject field identifies the person to whom this DSC has been issued by the CA, Ramesh Joshi in this case.

CHAPTER II
Digital Signatures - legal issues
The basic concepts relating to digital signatures have been discussed in detail in the previous chapter. Let us now study the legal issues of digital signatures. As discussed, the Information Technology Act 2000 authenticates and recognises digital signatures. The definitions of digital signature and Digital Signature Certificate are given under sections 2(1)(p) and 2(1)(q) of the Information Technology Act 2000 respectively.
Digital signature: "digital signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3.
Digital Signature Certificate: "Digital Signature Certificate" means a Digital Signature Certificate issued under sub-section (4) of section 35.
Other definitions which are related to digital signatures under section 2 of the Information Technology Act are as given below:
(D) "affixing digital signature", with its grammatical variations and cognate expressions, means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature;
(E) "appropriate Government" means as respects any matter, (1) enumerated in List II of the Seventh Schedule to the Constitution, (2) relating to any State law enacted under List III of the Seventh Schedule to the Constitution, the State Government and in any other case, the Central Government;
(F) "asymmetric crypto system" means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature;
(G) "Certifying Authority" means a person who has been granted a license to issue a Digital Signature Certificate under section 24;
(H) "certification practice statement" means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Digital Signature Certificates;
(M) "Controller" means the Controller of Certifying Authorities appointed under sub-section (1) of section 17;
32 Digital Signature Project

(x) "key pair", in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key.
(z) "license" means a license granted to a Certifying Authority under section 24.
(z1) "originator" means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary.
(z2) "prescribed" means prescribed by rules made under this Act.
(z3) "private key" means the key of a key pair used to create a digital signature.
(z4) "public key" means the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate.
(z7) "subscriber" means a person in whose name the Digital Signature Certificate is issued.
(z8) "verify" in relation to a digital signature, electronic record or public key, with its grammatical variations and cognate expressions means to determine whether
(a) The initial electronic record was affixed with the digital signature by the use of private key corresponding to the public key of the subscriber.
(b) The initial electronic record is retained intact or has been altered since such electronic record was so affixed with the digital signature.

Authenticating electronic records.
The idea behind the digital signature was to adopt a technology that makes communication and transactions legally binding. The functional equivalent approach extends notions such as writing, signature and original from the traditional paper-based requirement to a paperless world. To fulfil this requirement and make electronic communication and transactions legally binding, provision is made under section 3 of the Information Technology Act 2000, which deals with the authentication of an electronic record by affixing a digital signature. According to section 3 of the IT Act:
(1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his digital signature.
(2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
Explanation: For the purposes of this sub-section, "hash function" means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as "hash result" such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input making it computationally infeasible
(a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
(b) that two electronic records can produce the same hash result using the algorithm.
(3) Any person by the use of a public key of the subscriber can verify the electronic record.
(4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.

Let us examine some of the terms used in this section:
Subscriber is a person in whose name the Digital Signature Certificate is issued.
Authenticate means to give legal validity to, or to establish the genuineness of.
Electronic record means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche.
Affixing digital signature means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature.
Asymmetric crypto system is a system of using mathematically related keys to create and verify digital signatures. The key pair consists of a private key and a public key. The private key is used in conjunction with a one-way hash function to create digital signatures. The public key is used to verify the digital signatures created by the corresponding private key. A one-way hash function takes variable-length input, say a message of any length, and produces a fixed-length output, say 160 bits. The hash function ensures that, if the information is changed in any way, even by just one bit, an entirely different output value is produced.

Interpreting this section, a digital signature is not the same as a conventional signature: a person usually has one conventional handwritten signature for all his transactions and messages, but in the case of digital signatures a person will have a different digital signature for every message.

Illustration: Mr. X writes a message as under:

Dear XYZ, Please verify the term and condition of our contract.

Mr. X

Conventionally signed message

Here, Mr. X's signature is as marked in the above message. Every document he signs will bear this signature. However, his digital signature for this message could be:
iQA/AwUBO0BCsFPnhMicaZh0EQJllgCgt1qtfq
azO2ppYNdZN685h2QtYQsAoOgZ
eH3gqHf5Tisz1C7tzvHC09zx
=g/BR

Message after digital signature

Although his digital signature for the message in Figure 1 is as shown in Figure 2, his digital signature for any and every other message will be different. E.g. if he changes the word "please" in the message in Figure 1 to "yesterday", his digital signature for the new message could be:
iQA/AwUBO0BDdlPnhMicaZh0EQIOBQCgiu0v
AT47Q7VJsgeQYWU69OtV+MMAoL772XDQB
vzPYOKSWDS6wjucho1T
=TSAn

Digital signature after alteration of the message

What the law implies here is that a person may authenticate an electronic record by means of a digital signature, which is unique to the message being digitally signed. The public key and private key are basically two very large numbers that are mathematically related to each other. If a particular private key was used to sign a message, then only the corresponding public key will be able to verify the signature. The law also lays down that the private key and public key are unique to each subscriber. This implies that no two subscribers should have the same public and private key pair. This is practically achieved by using very large numbers (hundreds of digits) as keys. The probability of two persons generating the same key pair is thus extremely remote. To understand the secure digital signature we will discuss the following illustration.
37 Digital Signature Project

If Mr. X uses digital signature software (e.g. PGP) installed on his computer to generate a public and private key pair, stores the keys on a hard disk, floppy, CD, pen drive etc. without obtaining a Digital Signature Certificate from a Certifying Authority, distributes his public key among people and uses his private key for signing messages, then the resulting signatures are not secure digital signatures. It means that to secure your digital signature you must obtain a Digital Signature Certificate from a Certifying Authority.

Now suppose Mr. X uses digital signature software (e.g. PGP) installed on his computer to generate a public and private key pair. He then stores his private key very securely on his computer. He uploads his public key to the website of a licensed Certifying Authority (CA). He also couriers a filled-in application form and photocopies of the required documents, i.e. photocopies of his passport and Income Tax PAN card, to the CA. After following some verification procedures, the CA sends Mr. X a hardware device by post. This device contains Mr. X's Digital Signature Certificate. The Digital Signature Certificate contains Mr. X's public key along with some information about him and the CA. Mr. X then has to accept his Digital Signature Certificate. All Digital Signature Certificates are stored in the online repository maintained by the Controller of Certifying Authorities (e.g. at www.cca.gov.in). Each Certifying Authority stores the Digital Signature Certificates issued by it in an online repository. Then, in order to digitally sign an electronic record, Mr. X uses his private key.

In order to verify the digital signature, any person can use Mr. X's public key (which is contained in his Digital Signature Certificate). In this case the digital signature used by Mr. X is a secure digital signature. Section 15 of the Information Technology Act 2000 deals with secure digital signatures.

Secure digital signature
A secure digital signature should satisfy the following conditions:
(a) It should be unique to the subscriber affixing it. A digital signature is unique and is based upon the message that is signed and the private key of the signer.
(b) It should be capable of identifying such subscriber. What this implies is that the digital signature should be verifiable by the public key of the signer and by no other public key.
(c) It should be created in a manner or using a means under the exclusive control of the subscriber. This implies that the signer must use hardware and software that are completely free of any unauthorized external control.
(d) It should be linked to the electronic record to which it relates in such a manner that if the electronic record were altered, the digital signature would be invalidated. All standard software programs used to create digital signatures contain this feature. Without this feature the whole purpose of creating digital signatures would be defeated.

According to notification G.S.R. 735 (E), notified by the Central Government on the 29th of October, 2004, a secure digital signature is one to which the following security procedure has been applied:
(a) a smart card (a device containing one or more integrated circuit chips) or hardware token (a token which can be connected to any computer system using a Universal Serial Bus (USB) port), as the case may be, with a cryptographic module in it (this can be understood as the software, e.g. PGP, used to generate the key pair used for creating and verifying a digital signature), is used to create the key pair;
(b) the private key used to create the digital signature always remains in the smart card or hardware token as the case may be;
(c) the hash of the content to be signed is taken from the host system to the smart card or hardware token and the private key is used to create the digital signature and the signed hash is returned to the host system;
(d) the information contained in the smart card or hardware token, as the case may be, is solely under the control of the person who is purported to have created the digital signature;
(e) the digital signature can be verified by using the public key listed in the Digital Signature Certificate issued to that person;
(f) the standards referred to in rule 6 of the Information Technology (Certifying Authorities) Rules, 2000 have been complied with, in so far as they relate to the creation, storage and transmission of the digital signature; and
(g) the digital signature is linked to the electronic record in such a manner that if the electronic record was altered the digital signature would be invalidated.
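The hash-then-sign process of section 3 and the illustration above (one message, one signature; change a single word and the signature changes) and the token arrangement in clauses (a) to (d) of the notification (key pair created in the token, only a hash sent in, only a signature returned, private key never leaving) can be shown together in one short simulation. The Python below is an added example, not code from this project report or from PGP. It uses textbook RSA over a SHA-1 digest with no padding, and two fixed Mersenne primes stand in for the token's own key generation, so it illustrates the data flow and the properties the text describes rather than a production signature scheme. The class and function names, the primes and the two sample messages (the second is the page's message with "Please" replaced by "yesterday") are constructed for the example.

```python
"""Added example: hash-and-sign with the private key confined to a token.
Textbook RSA on a SHA-1 digest, no padding; not PGP's scheme and not the report's code."""
import base64
import hashlib

# Constructed key material: two Mersenne primes, chosen so that n (about 196 bits)
# is larger than any 160-bit SHA-1 digest and the digest needs no reduction.
P = 2 ** 89 - 1
Q = 2 ** 107 - 1


class HardwareToken:
    """Models the smart card / USB token of G.S.R. 735(E) clauses (a) to (d): the key pair
    is created inside, only a hash goes in, only a signature comes out, and the private
    exponent is never exported."""

    def __init__(self, p, q, e=65537):
        self._n = p * q
        self._e = e
        self._d = pow(e, -1, (p - 1) * (q - 1))   # private exponent, kept inside the token

    def public_key(self):
        """The part a Certifying Authority lists in the Digital Signature Certificate."""
        return self._n, self._e

    def sign_hash(self, digest: bytes) -> bytes:
        """Clause (c): the host hands over the hash, the token returns the signed hash."""
        h = int.from_bytes(digest, "big")
        if h >= self._n:
            raise ValueError("digest must be smaller than the modulus")
        s = pow(h, self._d, self._n)
        return s.to_bytes((self._n.bit_length() + 7) // 8, "big")


def sign_record(token: HardwareToken, record: bytes) -> str:
    """Host side: hash the electronic record and pass only the digest to the token."""
    digest = hashlib.sha1(record).digest()          # 160-bit hash result, as in the text
    return base64.b64encode(token.sign_hash(digest)).decode()


def verify_record(public_key, record: bytes, signature_b64: str) -> bool:
    """Anyone holding the public key from the DSC can check the signature (section 3(3))."""
    n, e = public_key
    s = int.from_bytes(base64.b64decode(signature_b64), "big")
    return pow(s, e, n) == int.from_bytes(hashlib.sha1(record).digest(), "big")


def hash_bit_difference(a: bytes, b: bytes) -> int:
    """How many of the 160 hash bits differ between two records (the avalanche property)."""
    x = int.from_bytes(hashlib.sha1(a).digest(), "big") ^ int.from_bytes(hashlib.sha1(b).digest(), "big")
    return bin(x).count("1")


# Constructed sample records: the page's message, and the same message with one word changed.
ORIGINAL = b"Dear XYZ, Please verify the term and condition of our contract. Mr. X"
ALTERED = b"Dear XYZ, yesterday verify the term and condition of our contract. Mr. X"

if __name__ == "__main__":
    token = HardwareToken(P, Q)
    sig = sign_record(token, ORIGINAL)
    print("signature over original:", sig)
    print("signature over altered :", sign_record(token, ALTERED))
    print("hash bits changed by the one-word edit:", hash_bit_difference(ORIGINAL, ALTERED))
    print("original verifies with its signature:", verify_record(token.public_key(), ORIGINAL, sig))
    print("altered verifies with the old signature:", verify_record(token.public_key(), ALTERED, sig))
```

The host never touches the private exponent: `sign_record` hands a 20-byte digest to `sign_hash` and gets a signature back, which is exactly the boundary clause (c) describes, and `verify_record` needs nothing but the (n, e) pair that would be listed in the DSC. The bit-difference count shows why the signature over the altered message is unrelated to the first one: a one-word edit flips a large fraction of the 160 hash bits, so the number being signed is completely different.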


_____

Controller of Certifying Authorities.
Now that we understand what a digital signature is and what its legal consequences are, we will discuss the issuing authority, control over the issuing authority, public key management, the repository function, etc. related to digital signatures with respect to the law. A Certifying Authority is a business organisation which issues digital signatures to subscribers who fulfil the terms and conditions prescribed by the Central Government of India under the IT Act 2000 or published in the Official Gazette. Many functions and duties, precautionary measures, confidentiality obligations regarding digital signatures etc. are assigned to the Certifying Authority under the IT Act 2000. The main function of the Controller of Certifying Authorities is to regulate the working of the Certifying Authorities. The Controller of Certifying Authorities also has investigation powers, and the power to direct a person to decrypt information under his control under the IT Act 2000; if such a person refuses to comply with the CCA, there is provision for imprisonment under the IT Act 2000. Thus we can say that the Controller of Certifying Authorities and the Certifying Authorities set the base for the development of electronic commerce and electronic governance in India. Now we will discuss the sections related to the Controller of Certifying Authorities and the Certifying Authorities. Section 17 of the IT Act 2000 deals with the appointment of the Controller of Certifying Authorities.

Appointment of Controller and other officers under Section 17
(1) The Central Government may, by notification in the Official Gazette, appoint a Controller of Certifying Authorities for the purposes of this Act and may also by the same or subsequent notification appoint such number of Deputy Controllers and Assistant Controllers as it deems fit.
(2) The Controller shall discharge his functions under this Act subject to the general control and directions of the Central Government.
(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the Controller under the general superintendence and control of the Controller.
(4) The qualifications, experience and terms and conditions of service of Controller, Deputy Controllers and Assistant Controllers shall be such as may be prescribed by the Central Government.
(5) The Head Office and Branch Office of the office of the Controller shall be at such places as the Central Government may specify, and these may be established at such places as the Central Government may think fit.
(6) There shall be a seal of the Office of the Controller.

As discussed, the CCA regulates the working of the Certifying Authorities under the IT Act 2000; these functions are dealt with under section 18 of the said Act.

Functions of Controller under Section 18
The Controller may perform all or any of the following functions, namely:
(a) exercising supervision over the activities of the Certifying Authorities.
(b) certifying public keys of the Certifying Authorities.
(c) laying down the standards to be maintained by the Certifying Authorities.
(d) specifying the qualifications and experience which employees of the Certifying Authorities should possess.
(e) specifying the conditions subject to which the Certifying Authorities shall conduct their business.
(f) specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the public key.
(g) specifying the form and content of a Digital Signature Certificate and the key.
(h) specifying the form and manner in which accounts shall be maintained by the Certifying Authorities.
(i) specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them.
(j) facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems.
(k) specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers.
(l) resolving any conflict of interests between the Certifying Authorities and the subscribers.
(m) laying down the duties of the Certifying Authorities.
(n) maintaining a data base containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to public.

Besides the functions mentioned under section 18 there are many other functions, such as (i) acting as repository, (ii) licensing to issue digital signatures, (iii) renewal of license, (iv) suspension of license, (v) power to delegate, (vi) power to investigate etc., which we will discuss now. As discussed earlier, there is a key pair for every Digital Signature Certificate subscriber, i.e. a private key and a public key; the private key is confidential and remains with the subscriber of the digital signature, while the public key is disclosed or published to the public. The public key should be easily accessible to the public; for that purpose the Controller of Certifying Authorities acts as repository, which is provided under section 20 of the IT Act 2000.

Controller to act as repository under Section 20
(1) The Controller shall be the repository of all Digital Signature Certificates issued under this Act.
(2) The Controller shall:
(a) make use of hardware, software and procedures that are secure from intrusion and misuse.
(b) observe such other standards as may be prescribed by the Central Government, to ensure that the secrecy and security of the digital signatures are assured.
(3) The Controller shall maintain a computerised data base of all public keys in such a manner that such data base and the public keys are available to any member of the public.
As we know, a Certifying Authority is a business organization which issues digital signatures to subscribers who apply for a digital signature under the prescribed rules and regulations of the IT Act 2000; to work as a Certifying Authority, a business organization needs a license. The Controller of Certifying Authorities issues a license to such business organisations as fulfil the conditions under the IT Act 2000 for working as a Certifying Authority. The provisions for granting a license, and for renewal and suspension of a license, are discussed under Sections 21, 23 and 25 of the IT Act 2000 respectively.

License to issue Digital Signature Certificates under Section 21
(1) Subject to the provisions of sub-section (2), any person may make an application, to the Controller, for a license to issue Digital Signature Certificates.
(2) No license shall be issued under sub-section (1), unless the applicant fulfills such requirements with respect to qualification, expertise, manpower, financial resources and other infrastructure facilities, which are necessary to issue Digital Signature Certificates as may be prescribed by the Central Government.
(3) A license granted under this section shall
(a) be valid for such period as may be prescribed by the Central Government.
(b) not be transferable or heritable.
(c) be subject to such terms and conditions as may be specified by the regulations.

Renewal of license under Section 23
An application for renewal of a license shall be
(a) in such form.
(b) accompanied by such fees, not exceeding five thousand rupees, as may be prescribed by the Central Government and shall be made not less than forty-five days before the date of expiry of the period of validity of the license.

Suspension of license under Section 25
(1) The Controller may, if he is satisfied after making such inquiry, as he may think fit, that a Certifying Authority has:
(a) made a statement in, or in relation to, the application for the issue or renewal of the license, which is incorrect or false in material particulars.
(b) failed to comply with the terms and conditions subject to which the license was granted.
(c) failed to maintain the standards specified under clause (b) of sub-section (2) of section 20.
(d) contravened any provisions of this Act, rule, regulation or order made there under,
revoke the license:
Provided that no license shall be revoked unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed revocation.
(2) The Controller may, if he has reasonable cause to believe that there is any ground for revoking a license under sub-section (1), by order suspend such license pending the completion of any inquiry ordered by him:
Provided that no license shall be suspended for a period exceeding ten days unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed suspension.
(3) No Certifying Authority whose license has been suspended shall issue any Digital Signature Certificate during such suspension.

There are many issues and grievances relating to digital signatures. The Controller of Certifying Authorities is not able to attend to and resolve all grievances and issues related to digital signatures by himself; for that it is necessary to assign his powers to, or allow them to be exercised by, some other person. When the Controller of Certifying Authorities thinks it necessary to assign the powers conferred on him under the IT Act 2000 to, or allow them to be exercised by, some other person, he can delegate his powers for official functions under Section 27.

Power to delegate under Section 27
The Controller may, in writing, authorise the Deputy Controller, Assistant Controller or any officer to exercise any of the powers of the Controller under this Chapter.

If there is any contravention of the norms mentioned in the IT Act 2000 related to digital signatures by a Certifying Authority or a subscriber of a digital signature, then powers are given to the Controller of Certifying Authorities to investigate. If the contravention affects public interest or national security, then the Controller of Certifying Authorities can access the computer and data and even direct any person to decrypt the message or data; if that person does not comply, then there is provision under the IT Act 2000.
Section 28 and Section 29 of the IT Act deal with the power to investigate and access to computers and data respectively.

Power to investigate contraventions under Section 28
(1) The Controller or any officer authorised by him in this behalf shall take up for investigation any contravention of the provisions of this Act, rules or regulations made there under.
(2) The Controller or any officer authorised by him in this behalf shall exercise the like powers which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and shall exercise such powers, subject to such limitations laid down under that Act.

Access to computers and data under Section 29
(1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any person authorised by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this Act, rules or regulations made thereunder has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system.
(2) For the purposes of sub-section (1), the Controller or any person authorised by him may, by order, direct any person incharge of, or otherwise concerned with the operation of, the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary.

The Controller of Certifying Authorities can recognise a foreign Certifying Authority if he takes the previous approval of the Central Government. If he gives recognition to any foreign Certifying Authority, he must publish a notification in the Official Gazette. Section 19 of the IT Act 2000 clarifies the recognition of foreign Certifying Authorities.

Recognition of foreign Certifying Authorities under Section 19
(1) Subject to such conditions and restrictions as may be specified by regulations, the Controller may with the previous approval of the Central Government, and by notification in the Official Gazette, recognise any foreign Certifying Authority as a Certifying Authority for the purposes of this Act.
(2) Where any Certifying Authority is recognised under sub-section (1), the Digital Signature Certificate issued by such Certifying Authority shall be valid for the purposes of this Act.
(3) The Controller may, if he is satisfied that any Certifying Authority has contravened any of the conditions and restrictions subject to which it was granted recognition under sub-section (1) he may, for reasons to be recorded in writing, by notification in the Official Gazette, revoke such recognition.

Other procedural functions of the Controller of Certifying Authorities, such as application for license, procedure for grant or rejection of license, and notice of suspension or revocation of license, are given under Sections 22, 24 and 26 respectively of the IT Act 2000.

Application for license under Section 22
(1) Every application for issue of a license shall be in such form as may be prescribed by the Central Government.
(2) Every application for issue of a license shall be accompanied by
(a) a certification practice statement.
(b) a statement including the procedures with respect to identification of the applicant.
(c) payment of such fees, not exceeding twenty-five thousand rupees as may be prescribed by the Central Government.
(d) such other documents, as may be prescribed by the Central Government.

Procedure for grant or rejection of license under Section 24
The Controller may, on receipt of an application under sub-section (1) of section 21, after considering the documents accompanying the application and such other factors, as he deems fit, grant the license or reject the application:
Provided that no application shall be rejected under this section unless the applicant has been given a reasonable opportunity of presenting his case.

Notice of suspension or revocation of license under Section 26
(1) Where the license of the Certifying Authority is suspended or revoked, the Controller shall publish notice of such suspension or revocation, as the case may be, in the database maintained by him.
(2) Where one or more repositories are specified, the Controller shall publish notices of such suspension or revocation, as the case may be, in all such repositories:


Provided that the data base containing the notice of such suspension or revocation, as the case may be, shall be made available through a web site which shall be accessible round the clock: Provided further that the Controller may, if he considers necessary, publicise the contents of database in such electronic or other media, as he may consider appropriate.

-----------------------

Certifying Authority.
Up to now we have discussed the Controller of Certifying Authorities: his appointment, functions, working etc. under the IT Act 2000. Now we will discuss the Certifying Authority under the IT Act 2000. The digital signature is recognised under the IT Act 2000. Digital signatures are issued by private business organisations; for subscribers of digital signatures to trust such private business organisations, some strict rules, guidelines and procedures are necessary relating to
1] Secrecy of the subscriber's personal information
2] Secrecy of the subscriber's private key
3] Necessary measures for data protection
4] Reliable service to the subscriber
All the above issues related to the Certifying Authority and digital signatures are discussed under Sections 30, 31, 32, 33 and 34 of the Information Technology Act 2000.

Certifying Authority to follow certain procedures under Section 30
Every Certifying Authority shall,
(a) make use of hardware, software and procedures that are secure from intrusion and misuse;
(b) provide a reasonable level of reliability in its services which are reasonably suited to the performance of intended functions;
(c) adhere to security procedures to ensure that the secrecy and privacy of the digital signatures are assured; and
(d) observe such other standards as may be specified by regulations.

Certifying Authority to ensure compliance of the Act, etc. under Section 31
Every Certifying Authority shall ensure that every person employed or otherwise engaged by it complies, in the course of his employment or engagement, with the provisions of this Act, rules, regulations and orders made thereunder.

Display of license under Section 32
Every Certifying Authority shall display its license at a conspicuous place of the premises in which it carries on its business.

Surrender of license under Section 33
(1) Every Certifying Authority whose license is suspended or revoked shall immediately after such suspension or revocation, surrender the license to the Controller.
(2) Where any Certifying Authority fails to surrender a license under sub-section (1), the person in whose favour a license is issued, shall be guilty of an offence and shall be punished with imprisonment which may extend up to six months or a fine which may extend up to ten thousand rupees or with both.

Disclosure under Section 34
(1) Every Certifying Authority shall disclose in the manner specified by regulations:
(a) its Digital Signature Certificate which contains the public key corresponding to the private key used by that Certifying Authority to digitally sign another Digital Signature Certificate.
(b) any certification practice statement relevant thereto.
(c) notice of the revocation or suspension of its Certifying Authority certificate, if any and
(d) any other fact that materially and adversely affects either the reliability of a Digital Signature Certificate, which that Authority has issued, or the Authority's ability to perform its services.
(2) Where in the opinion of the Certifying Authority any event has occurred or any situation has arisen which may materially and adversely affect the integrity of its computer system or the conditions subject to which a Digital Signature Certificate was granted, then, the Certifying Authority shall:
(a) use reasonable efforts to notify any person who is likely to be affected by that occurrence or
(b) act in accordance with the procedure specified in its certification practice statement to deal with such event or situation.

------------------

Digital Signature Certificate.
As discussed earlier, if any person generates a key pair with the help of digital signature key generating software (PGP), installs the private key on his computer and distributes the public key to the public without obtaining a Digital Signature Certificate, then such a key is not a secure key and will not be recognised by law. It means that every person or organisation who wants to use a digital signature and is eligible under the IT Act 2000 must obtain a Digital Signature Certificate from a Certifying Authority. The provisions related to Digital Signature Certificates are discussed under Sections 35, 36, 37, 38 and 39 of the IT Act 2000, namely:
1. Certifying Authority to issue Digital Signature Certificate
2. Representations upon issuance of Digital Signature Certificate
3. Suspension of Digital Signature Certificate
4. Revocation of Digital Signature Certificate
5. Notice of suspension or revocation

Certifying Authority to issue Digital Signature Certificate under Section 35.
(1) Any person may make an application to the Certifying Authority for the issue of a Digital Signature Certificate in such form as may be prescribed by the Central Government.
(2) Every such application shall be accompanied by such fee not exceeding twenty-five thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying Authority.
(3) Every such application shall be accompanied by a certification practice statement or where there is no such statement, a statement containing such particulars, as may be specified by regulations.
(4) On receipt of an application under sub-section (1), the Certifying Authority may, after consideration of the certification practice statement or the other statement under sub-section (3) and after making such enquiries as it may deem fit, grant the Digital Signature Certificate or for reasons to be recorded in writing, reject the application:
Provided that no Digital Signature Certificate shall be granted unless the Certifying Authority is satisfied that
(a) the applicant holds the private key corresponding to the public key to be listed in the Digital Signature Certificate;
(b) the applicant holds a private key, which is capable of creating a digital signature;
(c) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the applicant:
Provided further that no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection.

Representations upon issuance of Digital Signature Certificate under Section 36.
While issuing a Digital Signature Certificate a Certifying Authority must certify that:
(a) it has complied with the provisions of the IT Act and allied rules;
(b) it has published the Digital Signature Certificate or otherwise made it available to such person relying on it and the subscriber has accepted it;
(c) the subscriber holds the private key corresponding to the public key, listed in the Digital Signature Certificate;
(d) the subscriber's public key and private key constitute a functioning key pair;
(e) the information contained in the Digital Signature Certificate is accurate;
(f) it has no knowledge of any material fact, which if it had been included in the Digital Signature Certificate would adversely affect the reliability of the representations made in (a) to (d) above.

Suspension of Digital Signature Certificate under Section 37.
(1) Subject to the provisions of sub-section (2), the Certifying Authority which has issued a Digital Signature Certificate may suspend such Digital Signature Certificate
(a) on receipt of a request to that effect from (i) the subscriber listed in the Digital Signature Certificate, or (ii) any person duly authorised to act on behalf of that subscriber;
(b) if it is of opinion that the Digital Signature Certificate should be suspended in public interest.
(2) A Digital Signature Certificate shall not be suspended for a period exceeding fifteen days unless the subscriber has been given an opportunity of being heard in the matter.
(3) On suspension of a Digital Signature Certificate under this section, the Certifying Authority shall communicate the same to the subscriber.

Revocation of Digital Signature Certificate under Section 38.
(1) A Certifying Authority may revoke a Digital Signature Certificate issued by it
(a) where the subscriber or any other person authorised by him makes a request to that effect; or
(b) upon the death of the subscriber; or
(c) upon the dissolution of the firm or winding up of the company where the subscriber is a firm or a company.
(2) Subject to the provisions of sub-section (3) and without prejudice to the provisions of sub-section (1), a Certifying Authority may revoke a Digital Signature Certificate which has been issued by it at any time, if it is of opinion that
(a) a material fact represented in the Digital Signature Certificate is false or has been concealed;
(b) a requirement for issuance of the Digital Signature Certificate was not satisfied;
(c) the Certifying Authority's private key or security system was compromised in a manner materially affecting the Digital Signature Certificate's reliability;
(d) the subscriber has been declared insolvent or dead or where a subscriber is a firm or a company, which has been dissolved, wound-up or otherwise ceased to exist.
(3) A Digital Signature Certificate shall not be revoked unless the subscriber has been given an opportunity of being heard in the matter.
(4) On revocation of a Digital Signature Certificate under this section, the Certifying Authority shall communicate the same to the subscriber.

Notice of suspension or revocation under Section 39.
(1) Where a Digital Signature Certificate is suspended or revoked under section 37 or section 38, the Certifying Authority shall publish a notice of such suspension or revocation, as the case may be, in the repository specified in the Digital Signature Certificate for publication of such notice.
(2) Where one or more repositories are specified, the Certifying Authority shall publish notices of such suspension or revocation, as the case may be, in all such repositories.

_______


Duties of Subscriber

As we know, the person or organisation who wants to use a digital signature must obtain a Digital Signature Certificate from a Certifying Authority; once the Digital Signature Certificate is issued to the subscriber, his digital signature becomes a secure digital signature. This digital signature has the same effect as our regular physical signature in the eyes of the law. We always take many precautionary measures with our regular physical signature before applying it to any document. The same, or we can say more, precautionary measures must be taken by the subscriber of a digital signature, because a digital signature is a technological matter which carries legal binding. There are many duties and obligations of the digital signature subscriber which help him to secure his digital signature. All these duties and obligations are discussed under Sections 40, 41 and 42 of the IT Act 2000.

Generating key pair under Section 40. Where any Digital Signature Certificate, the public key of which corresponds to the private key of that subscriber which is to be listed in the Digital Signature Certificate has been accepted by a subscriber, then, the subscriber shall generate the key pair by applying the security procedure.

Acceptance of Digital Signature Certificate under Section 41.
(1) A subscriber shall be deemed to have accepted a Digital Signature Certificate if he publishes or authorises the publication of a Digital Signature Certificate:
(a) to one or more persons;
(b) in a repository, or otherwise demonstrates his approval of the Digital Signature Certificate in any manner.
(2) By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information contained in the Digital Signature Certificate that:
(a) the subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate and is entitled to hold the same;
(b) all representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the Digital Signature Certificate are true;
(c) all information in the Digital Signature Certificate that is within the knowledge of the subscriber is true.


42. Control of private key.
(1) Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure to a person not authorised to affix the digital signature of the subscriber.
(2) If the private key corresponding to the public key listed in the Digital Signature Certificate has been compromised, then, the subscriber shall communicate the same without any delay to the Certifying Authority in such manner as may be specified by the regulations.
Explanation: For the removal of doubts, it is hereby declared that the subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised.

Offence relating to Digital Signature Certificates


So far we have discussed the basic concept of the digital signature and its legal issues; in this chapter we will discuss the offences related to digital signatures which are covered under the IT Act 2000. If any person or organisation gives false details or information for obtaining a digital signature, that is, makes any misrepresentation to the Certifying Authority or the Controller of Certifying Authorities, then it is a punishable offence under Section 71 of the IT Act 2000.

Section 71 of the IT Act states that: Whoever makes any misrepresentation to, or suppresses any material fact from, the Controller or the Certifying Authority for obtaining any licence or Digital Signature Certificate, as the case may be, shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

This section applies to:
1. a person who, for obtaining a digital signature certificate,
   a. makes a misrepresentation to the Certifying Authority, or
   b. suppresses any material fact from the Certifying Authority;
2. a person who, for obtaining a licence to operate as a Certifying Authority,
   a. makes a misrepresentation to the Controller, or
   b. suppresses any material fact from the Controller.
Let us examine the essential terms of this section.

Misrepresentation implies presenting information incorrectly, improperly or falsely. There must be a deliberate intention to deceive.
Illustration I: Mr. X is applying for a digital signature certificate. He fills in his name as Y and also submits photocopies of Y's PAN card and passport as proof of identity.

Mr. X is liable for misrepresenting information to the Certifying Authority.
Suppress means to hide any information.
Illustration II: XYZ Ltd is applying for a licence to become a Certifying Authority. In the application form one of the questions is: "In case any of the company's directors has been convicted of a criminal offence, please mention relevant details." One of XYZ's directors has been convicted in the past, but XYZ officials submit the filled-in form with the answer to this question left blank. The officials will be liable for suppressing information from the Controller.
Material fact implies something that is relevant, pertinent or essential.
The punishment provided is imprisonment up to 2 years and / or fine up to Rs 1 lakh.

Misrepresentation to CA or Controller (Summary)
Actions covered: Misrepresentation to CA or Controller for certificate / licence.
Penalty: Imprisonment up to 2 years and / or fine up to Rs 1 lakh
Relevant authority: Judicial Magistrate First Class
Appeal lies to: Court of Session
Investigation authorities: 1. Controller of Certifying Authorities (CCA); 2. Person authorised by CCA; 3. Police Officer not below the rank of Deputy Superintendent
Points to mention in complaint: 1. Complainant details; 2. Suspect details; 3. How and when the contravention was discovered and by whom; 4. Other relevant information

As we know, for a secure and legally binding digital signature the subscriber must obtain a Digital Signature Certificate from a Certifying Authority. If any person publishes a Digital Signature Certificate which was not issued by the authorised Certifying Authority, then it is an offence under Section 73 of the IT Act 2000.

Section 73 states that: Penalty for publishing Digital Signature Certificate false in certain particulars.
(1) No person shall publish a Digital Signature Certificate or otherwise make it available to any other person with the knowledge that:
(a) the Certifying Authority listed in the certificate has not issued it; or
(b) the subscriber listed in the certificate has not accepted it; or
(c) the certificate has been revoked or suspended, unless such publication is for the purpose of verifying a digital signature created prior to such suspension or revocation.
(2) Any person who contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Illustration 1: Mr. X has created a fake digital signature certificate purporting to have been issued by Noodle Certifying Authority. Mr. X plans to use this certificate to carry out some financial frauds. He posts this certificate on his website. He is liable under this section.

Illustration 2: Mr. Y has applied to XYZ Certifying Authority for a digital signature certificate. XYZ in due course issues the certificate to Mr. Y. He however does not accept it, as some of the details in the certificate are incorrect. In the meanwhile XYZ Ltd publishes his certificate in their online repository. In this case XYZ Ltd will be liable under this section.

Illustration 3: Mr. Y is employed with ABC Ltd. He has obtained a digital signature certificate for official purposes on 1st January. He quits his job on 1st July and his certificate is revoked on that day. ABC Ltd continues to keep Mr. Y's revoked certificate in its online repository even after 1st July. ABC Ltd will be liable under this section. They will not be liable if the purpose behind keeping Mr. Y's certificate in their repository is to verify documents signed by Mr. Y between 1st January and 1st July.

The punishment provided for this section is imprisonment up to 2 years and / or fine up to Rs 1 lakh.

Publishing False Certificates (Summary)
Actions covered: Publishing a digital signature certificate false in certain respects.
Penalty: Imprisonment up to 2 years and / or fine up to Rs 1 lakh
Relevant authority: Judicial Magistrate First Class
Appeal lies to: Court of Session
Investigation authorities: 1. Controller of Certifying Authorities (CCA); 2. Person authorised by CCA; 3. Police Officer not below the rank of Deputy Superintendent
Points to mention in complaint: 1. Complainant details; 2. Suspect details; 3. How and when the contravention was discovered and by whom; 4. Other relevant information
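Two rules from the provisions above worked through in Go, as an added example that is not part of this project: the Section 35(4)/36 check that the applicant really holds the private key matching the public key to be listed (a functioning key pair), and the Section 73(c) rule of Illustration 3 that a revoked certificate may still be used to verify signatures created before the revocation. The certificate structure, the repository keyed by serial number, the challenge-signing proof of possession and the binding of the signing time into the signed data are assumptions of this example, not the Act's or any Certifying Authority's procedure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Certificate is a simplified stand-in (assumed structure) for a Digital Signature Certificate.
type Certificate struct {
	Serial     string
	Subscriber string
	Issuer     string
	PublicKey  *ecdsa.PublicKey
}

// Repository models the repository for Section 39 revocation notices: serial -> time of revocation.
type Repository struct{ revokedAt map[string]time.Time }

func NewRepository() *Repository { return &Repository{revokedAt: map[string]time.Time{}} }

// Revoke publishes a notice that the certificate is revoked from `at` onward.
func (r *Repository) Revoke(serial string, at time.Time) { r.revokedAt[serial] = at }

// NewSubscriberKey generates the subscriber's key pair (Section 40); P-256 is assumed.
func NewSubscriberKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// ProveKeyPossession is the applicant's side of the Section 35(4) check: sign a CA-chosen
// challenge with the private key whose public half is to be listed in the certificate.
func ProveKeyPossession(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// IssueCertificate is the CA's side: issue only if the submitted public key verifies the proof,
// showing the applicant holds the matching private key and the pair works (Sections 35(4), 36(c)-(d)).
func IssueCertificate(issuer, serial, subscriber string, pub *ecdsa.PublicKey,
	challenge, proof []byte) (*Certificate, error) {
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], proof) {
		return nil, errors.New("applicant has not proved possession of the private key")
	}
	return &Certificate{Serial: serial, Subscriber: subscriber, Issuer: issuer, PublicKey: pub}, nil
}

// signingDigest binds the signing time into the signed data, so the time a relying party
// compares against the revocation notice cannot be changed later without invalidating the
// signature (simplified construction; real formats carry it as a signed attribute).
func signingDigest(doc []byte, signedAt time.Time) []byte {
	h := sha256.New()
	h.Write([]byte(signedAt.UTC().Format(time.RFC3339)))
	h.Write([]byte{0}) // separator between time and document
	h.Write(doc)
	return h.Sum(nil)
}

// SignDocument affixes the subscriber's digital signature at the given time.
func SignDocument(priv *ecdsa.PrivateKey, doc []byte, signedAt time.Time) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signingDigest(doc, signedAt))
}

// VerifyDocument applies the rule of Illustration 3: accept only if the certificate was not yet
// revoked at the time of signing and the signature verifies; signatures made before revocation
// remain verifiable, those made on or after it are rejected.
func VerifyDocument(cert *Certificate, repo *Repository, doc, sig []byte, signedAt time.Time) error {
	if revokedAt, ok := repo.revokedAt[cert.Serial]; ok && !signedAt.Before(revokedAt) {
		return fmt.Errorf("certificate %s revoked on %s, signature made on %s", cert.Serial,
			revokedAt.Format("2006-01-02"), signedAt.Format("2006-01-02"))
	}
	if !ecdsa.VerifyASN1(cert.PublicKey, signingDigest(doc, signedAt), sig) {
		return errors.New("signature does not verify: document or signing time altered")
	}
	return nil
}

func main() {
	// Constructed scenario following Illustration 3; the year 2024 is assumed.
	jan1 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	jul1 := time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC)
	priv, _ := NewSubscriberKey()
	challenge := []byte("constructed CA challenge nonce")
	proof, _ := ProveKeyPossession(priv, challenge)
	cert, err := IssueCertificate("ABC Ltd CA", "0001", "Mr. Y", &priv.PublicKey, challenge, proof)
	if err != nil {
		panic(err)
	}
	repo := NewRepository()
	repo.Revoke(cert.Serial, jul1) // Mr. Y quits on 1st July; certificate revoked that day
	doc := []byte("constructed sample document")
	for _, when := range []time.Time{jan1.AddDate(0, 2, 0), jul1.AddDate(0, 1, 0)} {
		sig, _ := SignDocument(priv, doc, when)
		fmt.Println(when.Format("2006-01-02"), "->", VerifyDocument(cert, repo, doc, sig, when))
	}
}
```

Running it prints a nil error for the March signature and a revocation error for the August one, which is exactly the distinction Section 73(c) draws for a repository that keeps a revoked certificate.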

A digital signature has the same effect as our physical signature and is binding by law; because of that, if any person uses a digital signature for unlawful gain or an unlawful purpose, such person is liable for punishment under Section 74 of the IT Act 2000. Simply, we can say that fraudulent use of a digital signature is punishable under the IT Act 2000.

Section 74 states that: Publication for fraudulent purpose. Whoever knowingly creates, publishes or otherwise makes available a Digital Signature Certificate for any fraudulent or unlawful purpose shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Creating a digital signature certificate is technologically not a very difficult task. All that is needed is a computer running the Windows 2003 Server operating system with Certificate Services installed. This makes it easy for criminals to create and publish digital signature certificates for fraudulent and unlawful purposes. Let us examine some of the terms used in this section.

Creates means to bring into existence.
Illustration: Mr. X has a computer running the Windows 2003 Server operating system with Certificate Services installed. He uses this computer to generate a digital signature certificate for himself and Mr. Y. He has created the said certificates.

Publishes means to make known to others.
Illustration: Mr. X uploads Mr. Y's digital signature certificate onto a publicly accessible part of his website. He has published his certificate.

The concept of make available can be explained using a simple illustration.
Illustration: Mr. X has a computer running the Windows 2003 Server operating system with Certificate Services installed. He uses this computer to generate a digital signature certificate in Mr. Y's name. He then gives this certificate to Mr. Z, who plans to misuse it to spoof Mr. Y's emails. Here Mr. X has made the certificate available to Mr. Z for an unlawful purpose.

The punishment provided for violating this section is imprisonment up to 2 years and / or fine up to Rs 1 lakh.

Creating certificate for unlawful use (Summary)
Actions covered: Creating or publishing a certificate for fraudulent or unlawful purpose.
Penalty: Imprisonment up to 2 years and / or fine up to Rs 1 lakh
Relevant authority: Judicial Magistrate First Class
Appeal lies to: Court of Session
Investigation authorities: 1. Controller of Certifying Authorities (CCA); 2. Person authorised by CCA; 3. Police Officer not below the rank of Deputy Superintendent
Points to mention in complaint: 1. Complainant details; 2. Suspect details; 3. How and when the contravention was discovered and by whom; 4. Other relevant information

__________

As discussed earlier, this Act provides legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, and it facilitates electronic filing of documents with the Government and its agencies. At the same time the Act also assigns duties to every individual or agency that carries out transactions by means of electronic data interchange, regarding furnishing documents and information or maintaining books of account or records etc.; for failure to do so a penalty is provided in Section 44 of the IT Act 2000. Section 44 states that:

Penalty for failure to furnish information, return, etc. If any person who is required under this Act or any rules or regulations made thereunder to
(a) furnish any document, return or report to the Controller or the Certifying Authority fails to furnish the same, he shall be liable to a penalty not exceeding one lakh and fifty thousand rupees for each such failure;
(b) file any return or furnish any information, books or other documents within the time specified therefor in the regulations fails to file return or furnish the same within the time specified therefor in the regulations, he shall be liable to a penalty not exceeding five thousand rupees for every day during which such failure continues;
(c) maintain books of account or records, fails to maintain the same, he shall be liable to a penalty not exceeding ten thousand rupees for every day during which the failure continues.

LIST OF LICENSED C.A.

The licensed Certifying Authorities in India include:

1. SAFESCRYPT
2. NIC
3. IDRBT
4. TCS
5. MTNL
6. CUSTOM AND CENTRAL EXCISE
7. (n)CODE SOLUTION CA (GNFC)

The disclosure records of these Certifying Authorities can be obtained from the website of the Controller of Certifying Authorities at: www.cca.gov.in

Schedule I specifies the form for application for grant of licence to be a Certifying Authority.

SCHEDULE-I
Form for Application for grant of Licence to be a Certifying Authority

For Individual
1. Full Name *: Last Name/Surname; First Name; Middle Name
2. Have you ever been known by any other name? If Yes: Last Name/Surname; First Name; Middle Name
3. Address
   A. Residential Address *: Flat/Door/Block No.; Name of Premises/Building/Village; Road/Street/Lane/Post Office; Area/Locality/Taluka/Sub-Division; Town/City/District; State/Union Territory; Pin; Telephone No.; Fax; Mobile Phone No.
   B. Office Address *: Name of Office; Flat/Door/Block No.; Name of Premises/Building/Village; Road/Street/Lane/Post Office; Area/Locality/Taluka/Sub-Division; Town/City/District; State/Union Territory; Pin; Telephone No.; Fax
4. Address for Communication *: Tick as applicable A or B
5. Father's Name *: Last Name/Surname; First Name; Middle Name
6. Sex * (For Individual Applicant only): Tick as applicable: Male / Female
7. Date of Birth (dd/mm/yyyy)
8. Nationality *
9. Credit Card Details: Credit Card Type; Credit Card No.; Issued By
10. E-mail Address
11. Web URL address
12. Passport Details #: Passport No.; Passport issuing authority; Passport expiry date (dd/mm/yyyy)
13. Voter's Identity Card No. #
14. Income Tax PAN No. #
15. ISP Details: ISP Name *; ISP's Website Address, if any; Your User Name at ISP, if any
16. Personal Web page URL address, if any
17. Capital in the business or profession *: Rs._________________ (Attach documentary proof)

For Company / Firm / Body of Individuals / Association of Persons / Local Authority
18. Registration Number *
19. Date of Incorporation/Agreement/Partnership *
20. Particulars of Business, if any *: Head Office; Name of Office; Flat/Door/Block No.; Name of Premises/Building/Village; Road/Street/Lane/Post Office; Area/Locality/Taluka/Sub-Division; Town/City/District; Pin; State/Union Territory; Telephone No.; Fax; Web page URL address, if any; No. of Branches; Nature of Business
21. Income Tax PAN No. *
22. Turnover in the last financial year: Rs.__________________
23. Net worth *: Rs.__________________ (Attach documentary proof)
24. Paid up Capital *: Rs.__________________ (Attach documentary proof)
25. Insurance Details: Insurance Policy No. *; Insurer Company *
26. Names, Addresses etc. of Partners/Members/Directors (For information about more persons, please add separate sheet(s) in the format given in the next page) *: No. of Partners/Members/Directors
   Details of Partners/Members/Directors:
   A. Full Name: Last Name/Surname; First Name; Middle Name
   B. Address: Flat/Door/Block No.; Name of Premises/Building/Village; Road/Street/Lane/Post Office; Area/Locality/Taluka/Sub-Division; Town/City/District; State/Union Territory; Pin; Telephone No.; Fax No.; Mobile Phone No.
   C. Nationality (In case of foreign national, Visa details)
   D. Passport Details #: Passport No.; Passport issuing authority; Passport expiry date
   E. Voter's Identity Card No. #
   F. Income Tax PAN No. #
   G. E-mail Address
   H. Personal Web page URL, if any
27. Authorised Representative *: Name; Flat/Door/Block No.; Name of Premises/Building/Village; Road/Street/Lane/Post Office; Area/Locality/Taluka/Sub-Division; Town/City/District; Pin; State/Union Territory; Telephone No.; Fax; Nature of Business

For Government Ministry/Department/Agency/Authority
28. Particulars of Organisation *: Name of Organisation; Administrative Ministry/Department; Under State/Central Government; Flat/Door/Block No.; Name of Premises/Building/Village; Road/Street/Lane/Post Office; Area/Locality/Taluka/Sub-Division; Town/City/District; Pin; State/Union Territory; Telephone No.; Fax No.; Web page URL Address; Name of the Head of Organisation; Designation; E-mail Address

29. Bank Details: Bank Name *; Branch *; Bank Account No. *; Type of Bank Account *
30. Whether bank draft/pay order for licence fee enclosed *: Y / N. If yes: Name of Bank; Draft/pay order No.; Date of Issue; Amount
31. Location of facility in India for generation of Digital Signature Certificate *
32. Public Key @
33. Whether undertaking for Bank Guarantee/Performance Bond attached *: Y / N (Not applicable if the applicant is a Government Ministry/Department/Agency/Authority)
34. Whether Certification Practice Statement is enclosed *: Y / N
35. Whether certified copies of business registration document are enclosed: Y / N (For Company/ Firm/ Body of Individuals/ Association of Persons/ Local Authority). If yes, the documents attached: i. ___________________ ii. ___________________ iii. ___________________
36. Any other information

Date: _____________ Signature of the Applicant: ______________

Instructions:
1. Columns marked with * are mandatory.
2. For the columns marked with #, details for at least one is mandatory.
3. Column No. 1 to 17 are to be filled up by individual applicant.
4. Column No. 18 to 27 are to be filled up if applicant is a Company/ Firm/ Body of Individuals/ Association of Persons/ Local Authority.
5. Column No. 28 is to be filled up if applicant is a Government organisation.
6. Column No. , 29, 30, 31 and 34 are to be filled up by all applicants.
7.
8. @ Column No. 32 is applicable only for application for renewal of licence.
9. Column No. 33 is not applicable if the applicant is a Government organisation.

________

Schedule IV specifies the form for application for issue of Digital Signature Certificates.

Form for Application for issue of Digital Signature Certificate

For Individuals / Hindu Undivided Family Applicant
1. Full Name * [Name of the Karta in case of Hindu Undivided Family]: Last Name/Surname; First Name; Middle Name
2. Have you ever been known by any other name? If Yes: Last Name/Surname; First Name; Middle Name
3. Address
   A. Residential Address *: Flat/Door/Block No.; Name of Premises/Building/Village; Road/Street/Lane/Post Office; Area/Locality/Taluka/Sub-Division; Town/City/District; State/Union Territory; Pin; Telephone No.; Fax; Mobile Phone No.
   B. Office Address *: Name of Office; Flat/Door/Block No.; Name of Premises/Building/Village; Road/Street/Lane/Post Office; Area/Locality/Taluka/Sub-Division; Town/City/District; State/Union Territory; Pin; Telephone No.; Fax
4. Address for Communication *: Tick as applicable A or B
5. Father's Name *: Last Name/Surname; First Name; Middle Name
6. Sex * (For Individual Applicant only): Tick as applicable: Male / Female
7. Date of Birth (dd/mm/yyyy)
8. Nationality *
   In case of foreign national, visa details
   Credit Card Details: Credit Card Type; Credit Card No.; Issued By
   E-mail Address
   Web URL address
9. Passport Details #: Passport No.; Passport issuing authority; Passport expiry date (dd/mm/yyyy)
10. Voter's Identity Card No. #
11. Income Tax PAN No. #
12. ISP Details: ISP Name *; ISP's Website Address, if any; Your User Name at ISP, if any
13. Personal Web page URL address, if any

For Company / Firm / Body of Individuals / Association of Persons / Local Authority
14. Registration Number *
15. Date of Incorporation/Agreement/Partnership *
16. Particulars of Business, if any *: Head Office; Name of Office; Flat/Door/Block No.; Name of Premises/Building/Village; Road/Street/Lane/Post Office; Area/Locality/Taluka/Sub-Division; Town/City/District; Pin; State/Union Territory; Telephone No.; Fax; Web page URL address, if any; No. of Branches; Nature of Business
17. Income Tax PAN No. *
18. Turnover in the last financial year: Rs.______________________
19. Names, Addresses etc. of Partners/Members/Directors (For information about more persons, please add separate sheet(s) in the format given in the next page) *: No. of Partners/Members/Directors
   Details of Partners/Members/Directors:
   A. Full Name: Last Name/Surname; First Name; Middle Name
   B. Address: Flat/Door/Block No.; Name of Premises/Building/Village; Road/Street/Lane/Post Office; Area/Locality/Taluka/Sub-Division; Town/City/District; State/Union Territory; Pin; Telephone No.; Fax No.; Mobile Phone No.
   C. Nationality (In case of foreign national, Visa details)
   D. Passport Details #: Passport No.; Passport issuing authority; Passport expiry date
   E. Voter's Identity Card No. #
   F. Income Tax PAN No. #
   G. E-mail Address
   H. Personal Web page URL, if any

For Government Organisations / Agencies
20. Particulars of Organisation *: Name of Organisation; Administrative Ministry/Department; Under State/Central Government; Flat/Door/Block No.; Name of Premises/Building/Village; Road/Street/Lane/Post Office; Area/Locality/Taluka/Sub-Division; Town/City/District; Pin; State/Union Territory; Telephone No.; Fax No.; Web page URL Address; Name of the Head of Organisation; Designation; E-mail Address

21. Bank Details: Bank Name *; Branch *; Bank Account No. *; Type of Bank Account *
22. Type of Digital Signature Certificate required *
23. Any other detail

Date: _________ Signature of the Applicant: __________

Instructions:
1. Columns marked with * are mandatory as applicable.
2. For the columns marked with #, details for at least one is mandatory.
3. Column No. 1 to 17 are to be filled up by individual applicants.
4. Column No. 18 to 23 are to be filled up if applicant is a Company/ Firm/ Body of Individuals/ Association of Persons/ Local Authority.
5. Column No. 24 is to be filled up if applicant is a Government organisation.
6. Column No. 25 & 26 are to be filled up by all applicants.

______

Conclusion

Nowadays Information Technology is involved in each and every sector, e.g. banking, medical, education, industry etc., and due to IT involvement every sector is making fast progress. A digital signature takes the concept of traditional paper-based signing and turns it into an electronic "fingerprint". This "fingerprint", or coded message, is unique to both the document and the signer and binds the two together. The digital signature ensures the authenticity of the signer. Any change made to the document after it is signed invalidates the signature, thereby protecting against signature forgery and information tampering. Digital signatures help organisations sustain signer authenticity, accountability, data integrity and non-repudiation of electronic documents and forms.

As people become assured about the confidentiality of their communications or transactions on the Internet, computers, computer networks etc., more people will adopt the concept of the digital signature. This is not only the fastest mode of communication but also cheaper than the conventional mode. Nowadays the entire world is facing the problem of global warming, and all agree that this is because of technology, industrialisation, modernisation and concretisation. It will be of great benefit if we use innovative technology for the protection and conservation of our environment. We all use paper-based transactions, and each and every transaction mostly depends on paper, but nobody thinks about how the paper we use comes to us. Every year huge numbers of trees are cut for making paper, and the cutting of trees is the major cause of global warming. As we are not very eager about plantation, at least we should stop the cutting of trees or limit the use of the things which are a reason for cutting trees. As discussed above, global warming is the major problem; to stop it, and for the protection and conservation of forests, we can utilise technology. How is this possible? As discussed earlier, the features of the digital signature help to make electronic transactions secure. As people come to know that electronic transactions are secure, more and more people will start to use them, and as we know this will develop the paperless office, business or communication, which will help to stop or limit the cutting of trees and protect our forests. How this is possible is shown by the following example: the average digital signature user signs just over 2 documents per workday, or 500 per year (based on CoSign customer usage statistics). These numbers equal a usage reduction of half of a tree, of a barrel of oil, and 150 pounds of carbon emissions per signer, per year.