0755-44078646 info@tenderalert.in

Wednesday, 19 August 2015

Indian Government’s Guidelines for Usage of Digital Signatures in e-Governance

 Department of Information Technology, Ministry of Communications and Information Technology Government of India had introduced the guidelines for usage of digital signature in e-governance. These guidelines are very important and useful and people who want to know about how digital works should also read these guidelines.
These guidelines are uploaded on the website of International Center for Information Systems and Audit (ICISA) in the year of 2010.

Read the full Guidelines in PDF from Here

In this article we will talk about some important points of this article. Below are some important points of article. 

OVERVIEW OF DIGITAL DIGNATURES

Digital Signatures

A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. A digital signature can be used with any kind of message, whether it is encrypted or plaintext. Thus Digital Signatures provide the following three features:-
Authentication- Digital signatures are used to authenticate the source of messages. The ownership of a digital signature key is bound to a specific user and thus a valid signature shows that the message was sent by that user.
Integrity - In many scenarios, the sender and receiver of a message need assurance that the message has not been altered during transmission. Digital Signatures provide this feature by using cryptographic message digest functions (discussed in detail in section 4.4).
Non Repudiation – Digital signatures ensure that the sender who has signed the information cannot at a later time deny having signed it.

Digital Signature versus Handwritten Signatures

A handwritten signature scanned and digitally attached with a document does not qualify as a Digital Signature. A Digital Signature is a combination of 0 & 1s created using crypto algorithms.
 An ink signature can be easily replicated from one document to another by copying the image manually or electronically. Digital Signatures cryptographically bind an electronic identity to an electronic document and the digital signature cannot be copied to another document. Further, paper contracts often have the ink signature block on the last page, allowing previous pages to be replaced after the contract has been signed. Digital signatures on the other hand compute the hash or digest of the complete document and a change of even one bit in the previous pages of the document will make the digital signature verification fail. As can be seen in the underlying figure, a Digital Signature is a string of bits appended to a document. The size of a digital signature depends on the Hash function like SHA 1 / SHA2 etc used to create the message digest and the signing key. It is usually a few bytes



Overview of how Digital Signatures work

The Digital Signatures require a key pair (asymmetric key pairs, mathematically related large numbers) called the Public and Private Keys. Just as physical keys are used for locking and unlocking, in cryptography, the equivalent functions are encryption and decryption. The private key is kept confidential with the owner usually on a secure media like crypto smart card or crypto token. The public key is shared with everyone. Information encrypted by a private key can only be decrypted using the corresponding public key.
In order to digitally sign an electronic document, the sender uses his/her Private Key. In order to verify the digital signature, the recipient uses the sender’s Public Key.  Let us understand how the Digital Signatures work based on an example. Assume you are going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you had sent and that it is really from you.
1. You copy-and-paste the contract into an e-mail note. Get electronic form of a document ( eg : - word or pdf file)
2. Using special software, you obtain a message hash (fixed size bit string) of the contract.
3. You then use your private key to encrypt the hash.
4. The encrypted hash becomes your digital signature of the contract and is appended to the contract.
At the other end, your lawyer receives the message.
1. To make sure the contract is intact and from you, your lawyer generates a hash of the received contract.
2. Your lawyer then uses your public key to decrypt the Digital Signature received with the contract.
3. If the hash generated from the Digital Signature matches the one generated in Step 1, the integrity of the received contract is verified.





Legal Validity of Digital Signatures

The Indian Information Technology Act 2000 (http://www.mit.gov.in/content/information-technology-act) came into effect from October 17, 2000. One of the primary objectives of the Information Technology Act of 2000 was to promote the use of Digital Signatures for authentication in e-commerce & e-Governance.

Towards facilitating this, the office of Controller of Certifying Authorities (CCA) was set up in 2000. The CCA licenses Certifying Authorities (CAs) to issue Digital Signature Certificates (DSC) under the IT Act 2000. The standards and practices to be followed were defined in the Rules and Regulations under the Act and the Guidelines that are issued by CCA from time to time.

The Root Certifying Authority of India (RCAI) was set up by the CCA to serve as the root of trust in the hierarchical Public Key Infrastructure (PKI) model that has been set up in the country. The RCAI with its self-signed Root Certificate issues Public Key Certificates to the licensed CAs and these licensed CAs in turn issue DSCs to end users.

 Section 5 of the Act gives legal recognition to digital signatures based on asymmetric cryptosystems. The digital signatures are now accepted at par with the handwritten signatures and the electronic documents that have been digitally signed are treated at par with the paper based documents.
An Amendment to IT Act in 2008 has introduced the term electronic signatures. The implication of this Amendment is that it has helped to broaden the scope of the IT Act to include other techniques for signing electronic records as and when technology becomes available.


Read the full Guidelines in PDF from Here

1 comment