


Supplementary Study Material

Board of Studies
The Institute of Chartered Accountants of India
The objective of this supplementary study material is to provide uniform reference
material to the students undergoing the 100 hours Information Technology Training

All care has been taken to provide the material in a manner useful to the students.
However the material has not been specifically discussed by the Council of the
institute or any of its Committees and the views expressed herein may not be
taken to necessarily represent the views of the Council or any of its Committees.
In case students have any suggestions to make for future improvement of the
material contained herein, they may write to Board of Studies, C-1, Sector –1,

All rights reserved. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted, in any forms, or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without prior permission, in
writing, from the Institute.

©The Institute of Chartered Accountants of India

Published by Dr. T. P. Ghosh, Director of Studies, The institute of Chartered
Accountants of India, C-1, Sector-1, Noida-201301

Printed at Tarang Printres

In the new scheme of Education and Training, 250 Hours Compulsory Computer
Training has been replaced by 100 Hours Information Technology Training
considering progress in the computer education at the school level. The new
curriculum of 100 Hours ITT has been framed revamping the old curriculum. It
is desired that a student should undergo 100 Hours of Information Technology
Training only after undergoing three months of practical training by which they
are expected to develop knowledge about the practical application of Information
Technology in various areas of professional practice. It is also desired that students
should study the subject of Information Technology concurrently while
undergoing 100 Hours Information Technology Training so that a proper balance
between theoretical knowledge and practical application is achieved.
The Training components would focus on application software relevant for
accounting and auditing. In addition, knowledge of electronic spreadsheets,
data base management systems, web technology and systems security and
maintenance are strengthened. In order to provide the students with a reference
material, the Board of Studies is providing a kit comprising 3 modules of
Compulsory Computer Training Programme and a supplementary study material.
Students are advised to study only the relevant topics of uniform background
material for 250 hours Compulsory Computer Training Programme along with
this supplementary study material. A table giving the page references of the
relevant topics of 250 hours Compulsory Computer Training Programme material
is included in this supplementary study material to facilitate the students for
easy identification.
We acknowledge with thanks the valuable contribution of Dr. Sanjeev Gupta,
Director, Greater Noida Campus, Kalinga Institute of Industrial Technology,
Deemed University, Orissa for preparing material on Visual Basic. Our special
appreciation to Mrs. Indu Arora, Joint Director of Studies for her contribution in
compiling, editing and consolidating this supplementary study material.
We hope that this background material would help in bringing about the
uniformity in approach by the various accredited institutions imparting this
education programme to our students.

Topic

Chapter - 1 : Data Extraction and Data Analysis

Chapter - 2 : Visual Basic

Unit - 1 : Introduction

Unit - 2 : Building a Visual Application

Unit - 3 : Working with Common Controls

Unit - 4 : Visual Basic Data Types

Unit - 5 : Controlling & Looping Program Flow

Unit - 6 : VB Functions

Unit - 7 : Arrays

Chapter - 3 : Digital Signature and Verification of Electronic records.
Material included in 250 Hours Compulsory Computer Training relevant for
100 Hours Information Technology Training

Sl Topic No of Module No. Page reference of the
no hours in existing relevant material
in ITT material
1 Computer 1 Module I Pages 1-44.
2 Operating systems 6 Module I Pages 98-102,
3 Introduction to 6 Module I Pages 255-351
Word Processor
4 Introduction to 15 Module I Pages 352-503
5 Introduction to 5 Module-2 Pages 1-85
6 Introduction to 15 Module-2 Pages 87-109, 165-244
Data Base
7 Other Utilities 3 Module-2 Pages 246-313
8 Accounting 20 Module-3 Pages 62-72, 217-296
9. Computer aided 12 Module-3 Pages 298-346
audit techniques
10 Web Technology 10 Module -2 Pages 315-368
& System Security Module -3 Pages 1-34
and Maintenance
11 Data Extraction Supplementary Chapter 1
and Data Analysis study material
12 Introduction to 5 Supplementary Chapter 2
Visual BASIC study material
13 Digital signature 2 Supplementary Chapter 3
and verification study material
of Electronic
Time allotted for 2 Module tests, Project and Final Online Examination are in addition to
above mentioned 100 Hours ITT.


In this chapter, we look at how different tools can be used for data extraction. The
basic assumption is that the data are stored in databases. Most of the tools described
in this chapter depend on ODBC (Open Database Connectivity). ODBC is a
programming interface that enables applications to access data in Database
Management Systems that use Structured Query Language as a Data access
standard. Each database program, such as Access or dBASE, or database
management system, such as SQL Server, requires a different driver (a program
file used to connect to a particular database).
Microsoft Excel
Excel (version 9 and above) can work with external databases in three different ways.
• Excel can import data from databases and flat files. Flat files are text files,
which store information in a comma or tab delimited format.
• Excel can retrieve data with Microsoft Query.
• Excel can import data with Visual Basic for Applications (VBA).
Importing data from databases and files
Excel can import data from most data sources by using the command Data-> Import
External Data-> Import Data and then choosing the required data in the Select
Data Source dialog box :

Chapter - 1

The Data Connection Wizard, available when the user right-clicks New Source
in the Select Data Source dialog box, makes it possible to import data from external
data connections not available from the Select Data Source dialog box. These
sources may include OLE (Object Linking and Embedding) DB(Database) data
sources and any data sources a system administrator supplies.
Retrieve data with Microsoft Query
Microsoft Query is a simple front-end, used when the auditor needs to perform
specialized query tasks such as the following:
• Filter rows or columns of data before they are brought into Excel.
• Sort data before it is brought into Excel.
• Join multiple tables
The auditor can use Query to set up ODBC (Open Database Connectivity) data
sources to retrieve data. In Query, one can use the Query Wizard to create a
simple query, or one can use advanced criteria in Query to create a more complex
Importing data with VBA
One can use a Visual Basic for Applications (VBA) macro to gain access to an
external data source. Depending on the data source, we can use either ActiveX
Data Objects or Data Access Objects to retrieve data using VBA. VBA is an
application-specific subset of Visual Basic.
Using IDEA as an Audit Tool
IDEA (Interactive Data Extraction and Analysis) is a popular audit tool, sold by
CaseWare International Inc. In this section, we shall briefly see how data is
imported into IDEA and some of the features of IDEA. Below is an overview of
[Figure : IDEA’s Interface, showing the Database Toolbar, File Explorer and Database Window]


Start IDEA and Select a Working Folder and Enter Client Information
• To set the working folder select the following menu command: FILE -> Set
Working Folder. Alternatively, click the “Change working folder from”
button on the File Explorer toolbar. The “Browse for Folder” dialog will
appear. Navigate to and select the following folder:
C:\Program Files\IDEA\Tutorial
Note: This assumes IDEA has been installed in the default installation folder on
the C drive. If not, select the appropriate folder.
• Click the OK button. The Client Properties dialog appears. Enter the Client
name and period of audit. The client properties will be stored in a file called
Client.inf in the working folder. Once a working folder is set, this will remain
the default until changed.
Import the Data
• Point to the “Import Assistant” button on the Operations toolbar and click
this button. The Import Assistant dialog will be displayed.
• Select a data file to import by clicking on the Select File button on the toolbar
and then navigate to and select the following file (for example):
C:\Program Files\IDEA\Tutorial\Master.xls and click the “Open” button.
• Note the five different import methods. Accept the default method, i.e.
“New files and standard PC formats” and click “Next”.
• The Import Assistant file type step will be displayed with the “Microsoft
Excel” option correctly selected. Click “Next”.
• The Import Assistant will display a list of any worksheets and tables defined
within the selected workbook. Select Sheet1$ (the first and in this example
the only worksheet). Click “Next”. Note that it is possible to import multiple
worksheets and/or tables at one time. Each worksheet or table will be
imported into a separate database.
• The Import Assistant’s “Change length of character fields” step dialog will
be displayed, warning that all character fields will be imported with a length
of 255 characters unless changed. This is not likely to be the underlying
character field length. Therefore, check the box to Determine the maximum
field length and accept the default to scan 100 records to determine this
length. Click “Next”.
• The final step of the Import Assistant will ask the user to change or confirm
details about the imported database. Select or confirm the option to
“Generate field statistics” on import. This is checked by default. This is
recommended and will be used to reconcile the data back to the host system.
There is also an option to name the database. The option to Import (rather
than Link) the data is selected by default. It is not possible to link to an MS
Excel worksheet.
Thus we have seen the ways by which data stored in databases can be imported
into the most widely used CAAT tools. In the next section we shall look at some
of the techniques that may be used for Data Analysis.

Data Analysis
In this section, we shall see some illustrative examples of how the data imported
into Excel, ACL and IDEA can be analysed by an auditor.
Auditing with Excel
Having imported the required information into Excel, the auditor can then use
the various features of Excel to assist him in audit. For example, the auditor can
• Sort the data and search for missing or duplicate data, for example missing
cheque number or duplicate invoice number.
• Highlight or extract significant information, like cash expenses over
• Calculate statistics on numeric fields and use this information to carry out
sampling tests.
Information on using functions and macros in Excel has already been covered
in one of the earlier chapters.
In this example, we shall see how Excel (version 9 and above) can be used to select
a random sample.
1 First import the data as outlined in the earlier chapter.
2 Next Click on Tools-> Data Analysis as shown below. If the Data Analysis
command is not available, you need to load the Analysis ToolPak add-in
program. To load the Analysis ToolPak click Tools -> Add-Ins and make sure
that “Analysis ToolPak” is selected.


[Figure : Excel’s Data Analysis Command]

3 Choose “Sampling” from the list of Analysis Tools. At this point the dialog
box shown below should open up.
4 Now we need to specify the Input Range, which should contain numeric data.
In this example, the Column A is a numeric field and we shall specify it as the
Input Range and then enter the number of sample items required. It may be
noted that the number of samples required are calculated as per the formula
given in the earlier chapter. Click OK, when finished.

[Figure : Sampling dialog box, with callouts “Specify the input range” and
“Enter the number of sample required here”]
5 Excel should now create a separate worksheet containing the required
number of samples.
Analysing the Data with IDEA
We have already seen how to import the data into IDEA in the previous chapter.
Now we look at the ways in which the features of IDEA can be used to analyse
the data. The various features may be summarized as follows.


Mechanical Accuracy
One of the first things IDEA should be used for is to total the file and prove the
accuracy of any calculations. Totalling the file is performed by using the field
statistics function (available on File Import). Calculations can be checked either
by adding a calculated field using the Field Manipulation option to create a
calculation of the item or by an exception test of mis-calculations using the
extraction functions.
The accuracy of any management report may involve a wider use of functions to
achieve the result of reproducing the report. In these cases a series of joins and/or
summarizations, or the aging function in the case of aged debt analyses, may be
Analytical Review
IDEA can help with the preparation of figures for an analytical review. In particular,
it can generate analyses which would not otherwise be available. The File
Stratification function (from the Analysis menu) will give a profile of the population
in value bands, groups of codes or dates. This is particularly useful when auditing
assets such as debtors, inventories, loans or for a breakdown of transactions.
Additionally, the information can be summarized by particular codes or sub-codes.
Figures can also be compared against previous years to determine trends. If
graphical analysis is required, the “Chart Data” command on the Data menu or
graph option within the Results View can be used.
Validity (Exception Testing, Compares and Duplicates)
Exception testing can be used to identify unusual or strange items. These may be
simply large items or where the relationship between two pieces of information on
an item does not correlate (e.g. rate of pay and pay grade). Many fields of information
can also be checked for allowable values (e.g. standard fees).
Statistical sampling is commonly used to test for validity in a manner which then
allows for evaluation across a population. The more sophisticated methods such
as Monetary Unit Sampling are difficult to implement manually. Wherever tests
need to refer to physical documentation or assets rather than computer records
then an appropriate statistical sampling technique should be used.
Duplicates testing can be very effective in certain circumstances such as testing
payments or looking for double input of inventory tags during inventory counts.
It may be necessary to join two files together first to perform a validity test e.g.
transaction file to a master file.
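
The Monetary Unit Sampling mentioned above can be sketched as follows. This is an added example, not part of the original material and not IDEA's own implementation; it uses systematic selection with a fixed interval, and the debtor balances, customer ids and function name are constructed for illustration.

```python
import random

# Constructed debtor balances (customer id, book value); not from the page.
DEBTORS = [
    ("C01", 500), ("C02", 12000), ("C03", 150), ("C04", 3000),
    ("C05", 800), ("C06", 50), ("C07", 7500), ("C08", 1000),
]


def monetary_unit_sample(items, sample_size, start=None, seed=None):
    """Systematic monetary unit sampling.

    Every rupee in the population is a sampling unit. A sampling point is
    placed every `interval` rupees, beginning at a random `start`, and the
    item containing each point is selected. Large items are therefore more
    likely to be picked, and any item at least as large as the interval is
    always picked.

    Returns (interval, [(item_id, hits), ...]) where hits is the number of
    sampling points that fell inside the item.
    """
    if sample_size <= 0:
        raise ValueError("sample_size must be positive")
    if any(value < 0 for _, value in items):
        # Credit balances distort the cumulative total; test them separately.
        raise ValueError("negative values must be sampled separately")
    total = sum(value for _, value in items)
    if total <= 0:
        raise ValueError("population value must be positive")

    interval = total / sample_size
    if start is None:
        # A seed makes the selection reproducible for the working papers.
        start = random.Random(seed).random() * interval
    elif not 0 <= start < interval:
        raise ValueError("start must lie in [0, interval)")

    selected = []
    cumulative = 0
    next_point = start
    for item_id, value in items:
        cumulative += value
        hits = 0
        # Count every sampling point that falls inside this item.
        while next_point < cumulative:
            hits += 1
            next_point += interval
        if hits:
            selected.append((item_id, hits))
    return interval, selected


if __name__ == "__main__":
    interval, picks = monetary_unit_sample(DEBTORS, sample_size=5, start=2500)
    print("Sampling interval:", interval)
    for item_id, hits in picks:
        print(item_id, "selected, sampling points:", hits)
```

Recording the seed or the start value alongside the result lets a reviewer reproduce exactly which items were drawn.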
Completeness (Gaps and Matches)
The Gap Detection options (Numeric, Character and Date) can be used to test for
completeness. There must be a sequential number on source documentation for
this to work. Inventory and sales files can be tested for completeness of despatch
note numbers and purchases files for received numbers. It may also be appropriate
to test for gaps on a series of cheque numbers and also for completeness of inventory
tags or bin card numbers. Another effective test for completeness is to cross-check
between a master file (e.g. of maintenance contracts) and transactions (e.g. invoices)
to see if there are any items on the master file for which a transaction has not been
Year end ledger, inventory files or transaction files can be tested for cut-off by
testing for items with dates or sequence numbers above or below the year end cut
off. This is to ensure that the data provided is for the correct audit period.
In this example, we shall look at how IDEA can be used to identify exceptional or
unusual transactions. Let us suppose that an auditor wishes to examine all sales
transactions that took place on a Sunday. The file we shall use for the purpose of
this example is “Customer Invoices File.imd” located in the samples folder.
1 First start IDEA. It is possible that the File Explorer window already shows
“Customer Invoices file”. If so, double click it. If the file is not already open,
use File-> Open, then navigate to the samples folder and open it.
2 Click on Data-> Extractions... This should open the Extract to File(s) dialog
box. Double click the default file name (EXTRACTION1) to change it and
enter “Sunday Sales”. Please see the figure below.
3 Now enter the “Equation Editor” by clicking the Button as shown in the
previous figure. The Equation Editor Dialog Box should open. The “Equation
Editor” allows the user to enter various criteria.

Figure : Extracting Unusual Events with IDEA
4 In the Equation Editor, under “Functions”, choose “Date / Time” and then
choose the “dow” function. “@dow()” appears in the equation box with the
cursor between the brackets. At this point double click on “INV_DATE(D)”
in the “Available Fields” list box. Now complete the equation by typing in
“=1”. The complete equation now reads as follows: @dow(INV_DATE)=1
Close the “Equation Editor” by clicking on the “Validate and Exit” button.
See Figure below.

Figure : Equation Editor in IDEA

Explanation: The “@dow()” function is the day of week function. The function
takes a date as an argument and returns a number as the result. This return
number varies from 1 to 7, where 1 refers to Sunday, 2 refers to Monday and so
on. By entering “@dow(INV_DATE)”, we are instructing the dow() function to
take the field “INV_DATE” as its argument. Note that “INV_DATE” has been
specified as a Date field.
The complete equation “@dow(INV_DATE)=1” therefore can be read as “where
the day of week for the date specified in INV_DATE is a Sunday.”
5 After clicking the “Validate and Exit” button on the “Equation Editor”, we
should be back in the “Extract to Files” dialog box. The criteria column should
now be filled with the equation that we just entered. Click OK on the “Extract
to Files” dialog box.
6 IDEA will now show a new table containing only those sales transactions,
which were dated on a Sunday.
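
The same tests can be expressed outside IDEA. The following added example (not part of the original material, and not IDEA code) reproduces the @dow(INV_DATE)=1 extraction together with the duplicate, gap and cut-off tests described under Validity and Completeness above. The invoice records are constructed; INV_DATE is the field named on the page, while INV_NO, AMOUNT and the audit period are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample records; not taken from IDEA's "Customer Invoices File".
# INV_DATE is the field name used on the page; INV_NO and AMOUNT are assumed.
INVOICES = [
    {"INV_NO": 1001, "INV_DATE": date(2024, 3, 1), "AMOUNT": 1200.00},    # Friday
    {"INV_NO": 1002, "INV_DATE": date(2024, 3, 3), "AMOUNT": 560.50},     # Sunday
    {"INV_NO": 1003, "INV_DATE": date(2024, 3, 4), "AMOUNT": 89.99},      # Monday
    {"INV_NO": 1003, "INV_DATE": date(2024, 3, 4), "AMOUNT": 89.99},      # keyed twice
    {"INV_NO": 1006, "INV_DATE": date(2024, 3, 10), "AMOUNT": 15000.00},  # Sunday
    {"INV_NO": 1007, "INV_DATE": date(2024, 4, 2), "AMOUNT": 310.00},     # after year end
]


def dow(d):
    """Day of week in the @dow() convention: 1 = Sunday ... 7 = Saturday."""
    # date.isoweekday() returns Monday = 1 ... Sunday = 7, so shift by one.
    return d.isoweekday() % 7 + 1


def extract(records, criterion):
    """Exception test: keep only the records that satisfy the criterion."""
    return [r for r in records if criterion(r)]


def find_duplicates(records, key):
    """Duplicates test: key values that occur more than once."""
    counts = Counter(r[key] for r in records)
    return sorted(k for k, n in counts.items() if n > 1)


def find_gaps(records, key):
    """Gap detection: (first_missing, last_missing) ranges in a number series."""
    seen = sorted({r[key] for r in records})
    return [(a + 1, b - 1) for a, b in zip(seen, seen[1:]) if b - a > 1]


def outside_period(records, key, period_start, period_end):
    """Cut-off test: records dated before or after the audit period."""
    return [r for r in records if not period_start <= r[key] <= period_end]


def run_tests(records, period_start, period_end):
    """Run all four tests and return the results keyed by test name."""
    sunday = extract(records, lambda r: dow(r["INV_DATE"]) == 1)
    late = outside_period(records, "INV_DATE", period_start, period_end)
    return {
        "sunday_sales": [r["INV_NO"] for r in sunday],
        "duplicate_invoice_numbers": find_duplicates(records, "INV_NO"),
        "missing_invoice_numbers": find_gaps(records, "INV_NO"),
        "outside_audit_period": [r["INV_NO"] for r in late],
    }


if __name__ == "__main__":
    # Assumed audit period: 1 April 2023 to 31 March 2024.
    results = run_tests(INVOICES, date(2023, 4, 1), date(2024, 3, 31))
    for test_name, findings in results.items():
        print(test_name, findings)
```

Because the criterion is an ordinary function, the same extract() call works unchanged on other record types, such as parsed log entries with a timestamp field.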
We have seen some examples of how CAAT tools are used to analyse data
files in this chapter. However, it should be remembered that what we have seen
here is the proverbial tip of the iceberg. Further, the utility of CAATs is not limited
to examining accounting and financial data. A systems auditor could use CAATs
to examine firewall and system logs, access control lists, telephone and PBX(Private
Branch Exchange) logs, etc.


1.1 A brief description of Visual Basic
VISUAL BASIC is a high level programming language evolved from the earlier DOS
version called BASIC. BASIC means ‘Beginners’ All-purpose Symbolic Instruction
Code’. It is a fairly easy programming language to learn. The code looks a bit like
the English language. Different software companies produced different versions of
BASIC, such as Microsoft QBASIC, QUICKBASIC, GWBASIC, IBM BASICA and so on.
VISUAL BASIC is a VISUAL and event-driven programming language. These
are the main divergences from the old BASIC. In BASIC, programming is done in a
text-only environment and the program is executed sequentially. In VISUAL BASIC,
programming is done in a graphical environment. Because users may click on any
object randomly, each object has to be programmed independently to be able to
respond to those actions (events). Therefore, a VISUAL BASIC program is made
up of many subprograms; each has its own program code, each can be executed
independently and, at the same time, each can be linked with others in one way or
1.2 The Visual Basic environment
The Visual Basic environment is made up of several windows. The initial
appearance of the windows on your screen will depend on the way your
environment has been set up.
(a) The tool bar

Figure 1-1

UNIT - 1

The Visual Basic tool bar functions like the tool bar in any other Microsoft
application. It provides shortcuts for many of the common operating commands.
It also shows you the dimensions and location of the form currently being designed.
(b) The tool box

Figure 1.2

The tool box gives you access to the controls that you use on a form.
A control is an object such as a button, label or grid. Each control appears as a
button in the tool box. If the control you are looking for is not in the toolbox, select
Components from the Project menu.

Figure 1.3
(c) The form designer window

This window is where you design the forms that make up your user interface.


If the form designer window is not displayed on your screen, or if at any
time during the exercises you close it, choose Object from the View menu.

(d) The properties window
A form, and each control on it, has a set of properties which control its
characteristics such as size, position and color. If the properties window
is not displayed on your screen, or if at any time during the exercises you
close it, choose Properties Window from the View menu.

Figure 1.4

(e) The project explorer window
A project is a collection of the forms and codes that make up an application.
Each form in your application is represented by a file in the project explorer
window. A form file contains both the description of the screen layout for the
form and the program code associated with it. If the project explorer window
is not displayed on your screen, or if at any time during the exercises you
close it, choose Project Explorer from the View menu.

Figure 1.5


2.1 Creating Your First Application
First of all, you have to launch Microsoft Visual Basic. Launch Visual Basic
from the Start menu by choosing Programs/Microsoft Visual Studio 6.0 and then
Microsoft Visual Basic 6.0, and you will get the New Project D
Depending on the environment settings, you may see the New Project dialog box.

Figure 2.1

If the New Project box appears, select Standard EXE, and then click Open.
Normally, a default form Form1 will be available for you to start your new project.
Now, double click on Form1, the source code window for Form1 as shown in
figure 2.2 will appear. The top of the source code window consists of a list of
objects and their associated events or procedures. In figure 2.2, the object displayed
is Form and the associated procedure is Load.


Figure 2.2 Source Code Windows

When you click on the object box, the drop-down list will display a list of objects
you have inserted into your form as shown in figure 2.3.

Figure 2.3 List of Objects

UNIT - 2

Figure 2.4 List of Procedures
You do not have to worry about the beginning and the end statements (i.e. Private
Sub Form_Load.......End Sub.); just key in the lines in between the above two
statements exactly as they are shown here. When you run the program, you will be
surprised that nothing has shown up. In order to display the output of the program,
you have to add the statement like in Example (a) or you can just use
Form_Activate ( ) event procedure as shown in Example (b). The command Print
does not mean printing using a printer but it means displaying the output on the
computer screen. Now, press F5 or click on the Run button to run the program and
you will get the output as shown in figure 2.5.
Example (a)
Private Sub Form_Load ( )
    ' Show the form first: text printed in Form_Load before the form is
    ' visible does not appear on the screen
    Form1.Show
    Print "Welcome to Visual Basic tutorial"
End Sub

Figure 2.5 : The Output of Example (a)


You can also perform simple arithmetic calculations as shown in Example (b).
VB uses * to denote the multiplication operator and / to denote the division
operator. The output is shown in figure 2.6, where the results are arranged
Example (b)
Private Sub Form_Activate ( )
    Print 20 + 10
    Print 20 - 10
    Print 20 * 10
    Print 20 / 10
End Sub

Figure 2.6 The Output of Example (b)
Example (b) can also be written as
Private Sub Form_Activate ( )
    Print 20 + 10, 20 - 10, 20 * 10, 20 / 10
End Sub
The numbers will be arranged in a horizontal line separated by spaces as shown
in figure 2.7.

Figure 2.7 : Output in horizontal line

Example (c) is an improved version of Example (b) as it employs two variables
x and y and assigns initial values of 20 and 10 to them respectively. When you
need to change the values of x and y, just change the initial values rather than
changing every individual value which is more time

Example (c)
Private Sub Form_Activate ( )
x = 20
y = 10
Print x + y
Print x - y
Print x * y
Print x / y
End Sub
Besides, you can also use the + or & operator to join two or more texts (strings)
together, as in examples (d) i and (d) ii.
Example (d) i
Private Sub Form_Activate ( )
    A = "Tom"
    B = "likes"
    C = "to"
    D = "eat"
    E = "burger"
    Print A + B + C + D + E
End Sub
Example (d) ii
Private Sub Form_Activate()
    A = "Tom"
    B = "likes"
    C = "to"
    D = "eat"
    E = "burger"
    Print A & B & C & D & E
End Sub

Figure 2.8 The Output of Example (d) i and ii


The output is as shown in figure 2.8
2.2 Steps in Building a Visual Basic Application
There are three steps for creating an application:
1. Design the forms by drawing controls.
2. Set initial property values for the forms and controls.
3. Write code to perform the required tasks.

Figure 2.9

In the exercise that follows, you will create a single form as shown below.
The exercise shows you how to add controls to a form and how to set properties
at design time.
Designing the form
The form has three controls on it. There is a label which will display the text
“Hello” and two command buttons. A label control is used to display text. A
command button control enables the user of your application to click on a button
when they require an action to be carried out.
Drawing controls
Drawing controls is a two step process. First you need to add the control you
want by double clicking on it in the tool box. Secondly, you need to position and
size the control by clicking and dragging it on the form.
Firstly you will create the label which contains the text “Hello”. Move the mouse
over the controls in the toolbox until the tool tips indicate that you have found
the label control.

Figure 2.10

Figure 2.11

Double click on the label control button and a label will appear in the middle of
the form.
Moving controls
Controls can be moved around a form by dragging them with the mouse. Move the
cursor to the label and depress the left mouse button. Keeping the mouse button
depressed, drag the control to its new location, as shown in Figure 2-12 and now
release the mouse button.

Figure 2.12
Setting properties


Once the control is positioned correctly on the form, you then need to customize
the properties of the control to suit your requirements.
This application requires you to change the text that is displayed in the label control
from the default “Label1” to “Hello”. You are also going to change the alignment
to Centre and the font to Arial with font size 16.

To change the properties for a specific control, you must have the control selected.
Check that the Properties window shows the properties for the label control.
The Caption property determines what text is displayed in the label control. Type
Hello in place of Label1. Select the Font property and click the Font Dialog
Button (…) to bring up the font window. Set the font values to Arial, Regular, 16.

Figure 2.13

Figure 2.14


Adding the button controls
You can use the same process to add two buttons to the form.

Figure 2.15
A command button control will appear in the middle of the form. Move the button
so that it is under the label. Repeat the last two steps to add a second button under
the first.
Your form should appear similar to the one shown in figure 2-16. Select the button
with the caption Command1. Make sure you can see the handles that indicate that
the button is selected. Using the properties window, change the caption property
to On. Use the same process to set the caption for the bottom button to Off. Using
the properties window, change the Name property for the form to Hello.

Figure 2.16

2.3 Running your application

Now that the form is complete you can see it in action by running it.
When you have written code for the buttons, running the application will allow
you to activate the code. For now your buttons will not do anything. Click on the
start (play) button on the tool bar.


Figure 2.17

Your form will appear like a window from any other Microsoft application. Click
on the Stop button on the tool bar to return to the Visual Basic design environment.
2.4 Saving your application
The last step in this chapter is to save your application so that you can use it for the
exercises later on. Click on the save button on the tool bar.

Figure 2.18

Visual Basic first asks you to save the form and then the project file. Remember
that each represents a separate file. Specify the filename for the form as hello.frm.
The file extension “frm” indicates that the file is a form file.

Figure 2.19


Q: Design the interface to calculate the volume of a cylinder.

A program to calculate the Volume of a Cylinder

Q: Design the Below Interface


3.1 The Text Box
The text box is the standard control that is used to receive input from the user as
well as to display the output. It can handle string (text) and numeric data but not
images or pictures. String in a text box can be converted to a numeric data by
using the function Val (text). The following example illustrates a simple program
that processes the inputs from the user.
Example 3.1.1
In this program, two text boxes are inserted into the form together with a label.
The two text boxes are used to accept inputs from the user and the label will be
used to display the sum of two numbers that are entered into the two text boxes.
Besides, a command button is also programmed to calculate the sum of the two
numbers using the plus operator. The program creates a variable sum to accept
the summation of values from text box 1 and text box 2. The procedure to calculate
and to display the output on the label is shown below. The output is shown in
Figure 3.1.
Private Sub Command1_Click ()
    ' To add the values in text box 1 and text box 2
    Sum = Val(Text1.Text) + Val(Text2.Text)
    ' To display the answer on label 1
    Label1.Caption = Sum
End Sub

Figure 3.1

UNIT - 3

3.2 The Label

The label is a very useful control for Visual Basic, as it is not only used to provide
instructions and guides to the users, it can also be used to display outputs. One of
its most important properties is Caption. Using the syntax label.Caption, it can
display text and numeric data. You can change its caption in the properties window
and also at runtime. Please refer to Example 3.1.1 and Figure 3.1 for the usage of

3.3 The Command Button
The command button is a very important control as it is used to execute commands.
It displays an illusion that the button is pressed when the user clicks on it. The most
common event associated with the command button is the Click event, and the
syntax for the procedure is
Private Sub Command1_Click ()
End Sub

3.4 The Picture Box
The Picture Box is one of the controls that is used to handle graphics. You can load
a picture at design phase by clicking on the picture item in the properties window
and select the picture from the selected folder. You can also load the picture at
runtime using the LoadPicture method. For example, the statement will load the
picture grape.gif into the picture box.
Picture1.Picture = LoadPicture("C:\VB program\atm.gif")
You will learn more about the picture box in future lessons. The image in the
picture box is not resizable.
3.5 The Image Box
The Image Box is another control that handles images and pictures. It functions
almost identically to the picture box. However, there is one major difference: the
image in an Image Box is stretchable, which means it can be resized. This feature is
not available in the Picture Box. Similar to the Picture Box, it can also use the
LoadPicture method to load the picture. For example, the statement given below
loads the picture grape.gif into the image box.
Image1.Picture = LoadPicture("C:\VB program\atm.gif")
3.6 The List Box
The function of the List Box is to present a list of items where the user can click
and select the items from the list. In order to add items to the list, we can use the
AddItem method. For example, if you wish to add a number of items to list box 1,
you can key in the following statements
Example 3.6.1
Private Sub Form_Load()
    List1.AddItem "C++"
    List1.AddItem "JAVA"
    List1.AddItem "C#"
    List1.AddItem "ASP"
End Sub
The items in the list box can be identified by the ListIndex property. The value of
the ListIndex for the first item is 0, the second item has a ListIndex of 1, the
third item has a ListIndex of 2, and so on.
3.7 The Combo Box
The function of the Combo Box is also to present a list of items where the user can
click and select the items from the list. However, the user needs to click on the
small arrowhead on the right of the combo box to see the items, which are presented
in a drop-down list. In order to add items to the list, you can also use the AddItem
method. For example, if you wish to add a number of items to Combo box 1, you
can key in the following statements
Example 3.7.1
Private Sub Form_Load()
    Combo1.AddItem "C++"
    Combo1.AddItem "Java"
    Combo1.AddItem "Dot Net"
    Combo1.AddItem "Unix"
End Sub

3.8 The Check Box

The Check Box control lets the user select or unselect an option. When the Check
Box is checked, its value is set to 1 and when it is unchecked, the value is set to 0.
You can include the statements Check1.Value=1 to mark the Check Box and
Check1.Value=0 to unmark the Check Box, and use them to initiate certain actions.
For example, the program below will change the background color of the form to red
when the check box is unchecked and it will change to blue when the check box is
checked. You will learn about the conditional statement If...Then...ElseIf in a later
lesson. vbRed and vbBlue are color constants and BackColor is the background
color property of the form.
Example 3.8.1
Private Sub Check1_Click()
    If Check1.Value = 0 Then
        Form1.BackColor = vbRed
    ElseIf Check1.Value = 1 Then
        Form1.BackColor = vbBlue
    End If
End Sub

3.9 The Option Box

The Option Box control also lets the user select one of the choices. However, two
or more Option Boxes must work together because as one of the Option Boxes is
selected, the other Option Boxes will be unselected. In fact, only one Option Box
can be selected at one time. When an option box is selected, its value is set to
“True” and when it is unselected, its value is set to “False”. In the following
example, the shape control is placed in the form together with six Option Boxes.
When the user clicks on different option boxes, different shapes will appear. The
values of the shape control are 0, 1, 2, 3, 4 and 5, which will make it appear as a
rectangle, a square, an oval shape, a circle, a rounded rectangle and a rounded
square respectively.


Example 3.9.1

Private Sub Option1_Click()
    Shape1.Shape = 0
End Sub

Private Sub Option2_Click()
    Shape1.Shape = 1
End Sub

Private Sub Option3_Click()
    Shape1.Shape = 2
End Sub

Private Sub Option4_Click()
    Shape1.Shape = 3
End Sub

Private Sub Option5_Click()
    Shape1.Shape = 4
End Sub

Private Sub Option6_Click()
    Shape1.Shape = 5
End Sub

3.10 The Drive List Box
The Drive ListBox is used to display a list of drives available in your computer.
When you place this control into the form and run the program, you will be able to
select different drives from your computer as shown in Figure 3.2

Figure 3.2 The Drive List Box

3.11 The Directory List Box
The Directory List Box is used to display the list of directories or folders in a selected
drive. When you place this control into the form and run the program, you will be
able to select different directories from a selected drive in your computer as shown
in Figure 3.3

Figure 3.3 The Directory List Box


3.12 The File List Box

The File List Box is used to display the list of files in a selected directory or folder.
When you place this control into the form and run the program, you will be able to
see a list of files in a selected directory as shown in Figure 3.4

Figure 3.4

You can coordinate the Drive List Box, the Directory List Box and the File List Box
to search for the files you want. The procedure will be discussed in subsequent


There are many types of data we come across in our daily life. For example, we need
to handle data such as names, addresses, money, dates, stock quotes and statistics
every day. Similarly in Visual Basic, we are also going to deal with these kinds of
data. However, to be more systematic, VB divides data into different types.
4.1 Types of Visual Basic Data
(A) Numeric Data
Numeric data are data that consist of numbers, which can be computed
mathematically with various standard operators such as add, minus, multiply,
divide and so on. In Visual Basic, the numeric data are divided into 7 types, which
are summarized in Table 4.1
Table 4.1: Numeric Data Types

Type       Storage
Byte       1 byte
Integer    2 bytes
Long       4 bytes
Single     4 bytes
Double     8 bytes
Currency   8 bytes
Decimal    12 bytes

(B) Non-numeric Data Types
The nonnumeric data types are summarized in Table 4.2
Table 4.2: Nonnumeric Data Types

Data Type                  Storage
String (fixed length)      Length of string
String (variable length)   Length + 10 bytes
Date                       8 bytes
Boolean                    2 bytes
Object                     4 bytes
Variant                    16 bytes
Variant (text)             Length + 22 bytes

(C) Suffixes for Literals
Literals are values that you assign to data. In some cases, we need to add a suffix
behind a literal so that VB can handle the calculation more accurately. For example,
we can use num=1.3089# for a Double type data. Some of the suffixes are displayed
in Table 4.3.

Table 4.3

Suffix Data Type
& Long
! Single
# Double
@ Currency

In addition, we need to enclose string literals within two quotation marks and date and
time literals within two # signs. Strings can contain any characters, including
numbers. The following are a few examples:
memberName = "Turban, John."
ExpTime = #12:00 am#
4.2 Managing Variables
Variables are like mail boxes in the post office. The contents of the variables change
every now and then, just like the mail boxes. In terms of VB, variables are areas allocated
by the computer memory to hold data. Like the mail boxes, each variable must be
given a name. To name a variable in Visual Basic, you have to follow a set of rules.

UNIT - 4

(A) Variable Names
The following are the rules when naming the variables in Visual Basic:
• It must be less than 255 characters
• No spacing is allowed
• It must not begin with a number
• Period is not permitted
Examples of valid and invalid variable names are displayed in Table 4.4
Table 4.4

Valid Name             Invalid Name
My_ZenCar              My.Car
thisyear               1Newtoy
Long_Name_Can_beUSE    He&HisShirt *
* & is not acceptable

(B) Declaring Variables
In Visual Basic, one needs to declare the variables before using them by assigning
names and data types. They are normally declared in the general section of the
code window using the Dim statement.
The format is as follows:
Dim variableName As DataType
Example 4.1
Dim password As String
Dim urName As String
Dim fnum As Integer
Dim snum As Integer
Dim total As Integer
Dim doDate As Date
(C) Assigning Values to Variables
After declaring various variables using the Dim statements, we can assign values
to those variables. The general format of an assignment is
The variable can be a declared variable or a control property value. The expression
could be a mathematical expression, a number, a string, a Boolean value (true or
false), etc. The following are some examples:
Label1.Visible = True


4.3 Operators in Visual Basic
In order to compute inputs from users and to generate results, we need to use
various mathematical operators. In Visual Basic, except for + and -, the symbols
for the operators are different from normal mathematical operators, as shown in
Table 4.5.

Table 4.5 : Arithmetic Operators

Operator   Mathematical function
^          Exponential
*          Multiplication
/          Division
Mod        Modulus (returns the remainder from an integer division)
\          Integer Division (discards the decimal places)
+ or &     String concatenation
Example 4.2
Dim firstName As String
Dim secondName As String
Dim yourName As String
Private Sub Command1_Click()
    firstName = Text1.Text
    secondName = Text2.Text
    yourName = secondName + " " + firstName
    Label1.Caption = yourName
End Sub
In this example, three variables are declared as string. The variables firstName
and secondName receive their data from the user’s input into textbox1 and
textbox2, and the variable yourName is assigned the data by combining the
first two variables. Finally, yourName is displayed on Label1.


5.1 Conditional Operators
To control the VB program flow, we can use various conditional operators. Basically,
they resemble mathematical operators. Conditional operators are very powerful
tools: they let the VB program compare data values and then decide what action to
take, whether to execute a program, terminate the program, etc. These
operators are shown in Table 5.1.
Table 5.1: Conditional Operators

Operator   Meaning
=          Equal to
>          More than
<          Less than
>=         More than or equal to
<=         Less than or equal to
<>         Not equal to

* You can also compare strings with the above operators. However, there are certain
rules to follow: upper case letters are less than lowercase letters,
“A”<“B”<“C”<“D”.......<“Z” and numbers are less than letters.
5.2 Logical Operators
In addition to conditional operators, there are a few logical operators which offer
added power to the VB programs. These are shown in Table 5.2.
Table 5.2
Operator   Meaning
And        Both sides must be true
Or         One side or other must be true
Xor        One side or other must be true but not both
Not        Negates truth


5.3 Using If.....Then.....Else Statements with Operators
To effectively control the VB program flow, we shall use the If...Then...Else statement
together with the conditional operators and logical operators.
The general format for the If...Then...Else statement is
If conditions Then
    VB expressions
Else
    VB expressions
End If
* Any If...Then...Else statement must end with End If. Sometimes it is not necessary
to use Else.
Private Sub OK_Click()
    firstnum = Val(usernum1.Text)
    secondnum = Val(usernum2.Text)
    total = Val(sum.Text)
    If total = firstnum + secondnum And Val(sum.Text) <> 0 Then
        correct.Visible = True
        wrong.Visible = False
    Else
        correct.Visible = False
        wrong.Visible = True
    End If
End Sub

5.4 Select Case
If you have a lot of conditional statements, using If..Then..Else could be very messy.
For multiple conditional statements, it is better to use Select Case

UNIT - 5

The format is:
Select Case expression
    Case value1
        Block of one or more VB statements
    Case value2
        Block of one or more VB statements
    Case value3
        Block of one or more VB statements
    Case value4
    Case Else
        Block of one or more VB statements
End Select
* The data type specified in expression must match that of the Case values.
Example 5.1
' Examination Grades
Dim grade As String
Private Sub Compute_Click()
    Select Case grade
        Case "A"
            result.Caption = "High Distinction"
        Case "A-"
        Case "B"
        Case "C"
        Case Else
    End Select
End Sub
* Please note that grade is a string, so all the case values such as “A” are of String
data type.
Example 5.2
Dim mark As Single
Private Sub Compute_Click()
    'Examination Marks
    mark = mrk.Text
    Select Case mark
        Case Is >= 85
            comment.Caption = "Excellence"
        Case Is >= 70
            comment.Caption = "Good"
        Case Is >= 60
            comment.Caption = "Above Average"
        Case Is >= 50
            comment.Caption = "Average"
        Case Else
            comment.Caption = "Need to work harder"
    End Select
End Sub
• Note that we used the keyword Is here to impose the conditions. This is generally
used for numeric data.
Example 5.3
Example 5.2 could be rewritten as follows:
Dim mark As Single
Private Sub Compute_Click()
    'Examination Marks
    mark = mrk.Text
    Select Case mark
        Case 0 To 49
            comment.Caption = "Need to work harder"
        Case 50 To 59
            comment.Caption = "Average"
        Case 60 To 69
            comment.Caption = "Above Average"
        Case 70 To 84
            comment.Caption = "Good"
        Case Else
            comment.Caption = "Excellence"
    End Select
End Sub
Visual Basic allows a procedure to be repeated as many times as the processor
could support. This is generally called looping.
5.5 Do Loop
The formats are
a) Do While condition
       Block of one or more VB statements
   Loop
b) Do
       Block of one or more VB statements
   Loop While condition
c) Do Until condition
       Block of one or more VB statements
   Loop
d) Do
       Block of one or more VB statements
   Loop Until condition
Example 5.4
Do While counter <= 1000
    counter = counter + 1
Loop
* The above example will keep on adding until counter > 1000.
The above example can be rewritten as
Do
    counter = counter + 1
Loop Until counter > 1000

5.6 For....Next Loop
The format is:
For counter = startNumber To endNumber (Step increment)
    One or more VB statements
Next
Example 5.5
(a) For counter = 1 To 10
(b) For counter = 1 To 1000 Step 10
(c) For counter = 1000 To 5 Step -5


Functions are similar to normal procedures but the main purpose of the functions
is to accept certain inputs and pass them on to the main program to finish the
execution. There are two types of functions, the built-in functions (or internal
functions) and the functions created by the programmers.
The general format of a function is functionName(arguments)
where arguments are values that are passed on to the functions.
In this lesson, we are going to learn two very basic but useful internal functions,
i.e. the MsgBox( ) and InputBox ( ) functions.
6.1 MsgBox ( ) Function
The objective of MsgBox is to produce a pop-up message box and prompt the user
to click on a command button before he/she can continue. The message box format
is as follows:
yourMsg=MsgBox(Prompt, Style Value, Title)
The first argument, Prompt, will display the message in the message box. The
Style Value will determine what type of command buttons appear on the message
box; please refer to Table 6.1 for the types of command button displayed. The Title
argument will display the title of the message box.
Table 6.1: Style Values

Style Value Named Constant Buttons Displayed
0 vbOkOnly Ok button
1 vbOkCancel Ok and Cancel buttons
2 vbAbortRetryIgnore Abort, Retry and Ignore buttons.
3 vbYesNoCancel Yes, No and Cancel buttons
4 vbYesNo Yes and No buttons
5 vbRetryCancel Retry and Cancel buttons

We can use named constants in place of integers for the second argument to make
the programs more readable. In fact, VB6 will automatically show a list of
named constants from which you can select one.


Example: yourMsg = MsgBox("Click OK to Proceed", 1, "Startup Menu")
and yourMsg = MsgBox("Click OK to Proceed", vbOkCancel, "Startup Menu")
are the same.
yourMsg is a variable that holds values that are returned by the MsgBox( ) function.
The values are determined by the type of buttons being clicked by the users. It has
to be declared as Integer data type in the procedure or in the general declaration
section. Table 6.2 shows the values, the corresponding named constants and buttons.

Table 6.2 : Return Values and Command Buttons

Value Named Constant Button Clicked
1 vbOk Ok button
2 vbCancel Cancel button
3 vbAbort Abort button
4 vbRetry Retry button
5 vbIgnore Ignore button
6 vbYes Yes button
7 vbNo No button

Example 6.1
(i) The Interface:
You draw three command buttons and a label as shown in Figure 6.1

Figure 6.1

UNIT - 6

(ii) The procedure for the test button:
Private Sub Test_Click()
    Dim testmsg As Integer
    testmsg = MsgBox("Click to test", 1, "Test message")
    If testmsg = 1 Then
        Display.Caption = "Testing Successful"
    Else
        Display.Caption = "Testing fail"
    End If
End Sub
When a user clicks on the test button, the image like the one shown in Figure 6.2
will appear. As the user clicks on the OK button, the message “Testing successful”
will be displayed and when he/she clicks on the Cancel button, the message
“Testing fail” will be displayed.

Figure 6.2

To make the message box look more sophisticated, you can add an icon beside
the message. There are four types of icons available in VB as shown in Table 6.3
Table 6.3
Value   Named Constant
16      vbCritical
32      vbQuestion
48      vbExclamation
64      vbInformation


Example 6.2
In this example, the following message box will be displayed:

Figure 6.3
You could draw the same interface as in Example 6.1 but modify the code as follows:
Private Sub test2_Click()
    Dim testMsg2 As Integer
    testMsg2 = MsgBox("Click to Test", vbYesNoCancel + vbExclamation, "Test")
    If testMsg2 = 6 Then
        display2.Caption = "Testing successful"
    ElseIf testMsg2 = 7 Then
        display2.Caption = "Are you sure?"
    Else
        display2.Caption = "Testing fail"
    End If
End Sub
6.2 The InputBox( ) Function
An InputBox( ) function will display a message box where the user can enter a
value or a message in the form of text. The format is
myMessage=InputBox(Prompt, Title, default_text, x-position, y-position)
myMessage is a variant data type but typically it is declared as string, which accepts
the message input by the users. The arguments are explained as follows:
• Prompt - The message displayed, normally as a question asked.
• Title - The title of the Input Box.
• default_text - The default text that appears in the input field, which the user can
keep as the intended input or replace with the message he wishes to key in.
• x-position and y-position - The position or the coordinates of the input box.

Example 6.3
(i) The Interface

Figure 6.4
(ii) The procedure for the OK button
Private Sub OK_Click()
    Dim userMsg As String
    userMsg = InputBox("What is your message?", "Message Entry Form", "Enter your message here", 500, 700)
    If userMsg <> "" Then
        message.Caption = userMsg
    Else
        message.Caption = "No Message"
    End If
End Sub
When a user clicks the OK button, the input box as shown in Figure 6.5 will appear.
After the user enters the message and clicks OK, the message will be displayed on the
caption; if he clicks Cancel, “No message” will be displayed.

Figure 6.5


7.1 Introduction to Arrays

By definition, an array is a list of variables, all with the same data type and name.
When we work with a single item, we only need to use one variable. However, if
we have a list of items which are of similar type to deal with, we need to declare an
array of variables instead of using a variable for each item. For example, if we
need to enter one hundred names, instead of declaring one hundred different
variables, we need to declare only one array. We differentiate each item in the
array by using a subscript, the index value of each item, for example name(1),
name(2), name(3), etc.

7.2 Declaring Arrays
We could use the Public or Dim statement to declare an array just as the way we
declare a single variable. The Public statement declares an array that can be used
throughout an application while the Dim statement declares an array that could
be used only in a local procedure.
The general format to declare an array is as follows:

Dim arrayName(subs) As dataType
where subs indicates the last subscript in the array.
Example 7.1

Dim CusName(10) As String
will declare an array that consists of 10 elements if the statement Option Base 1
appears in the declaration area, starting from CusName(1) to CusName(10).
Otherwise, there will be 11 elements in the array starting from CusName(0) through
to CusName(10).
Example 7.2

Dim Count(100 To 500) As Integer
declares an array whose first element is Count(100) and whose last element is
Count(500).

UNIT - 7

7.3 Sample Programs
(i) The Interface

Figure 7.1
(ii) The codes
Dim studentName(10) As String
Dim num As Integer
Private Sub addName()
    For num = 1 To 10
        studentName(num) = InputBox("Enter the student name", "Enter Name", "", 1500, 4500)
        If studentName(num) <> "" Then
            Form1.Print studentName(num)
        End If
    Next num
End Sub
Private Sub Exit_Click()
    End        'assumed: the body is missing from the listing as printed
End Sub
Private Sub Start_Click()
    addName    'assumed from the description below: the start button begins data entry
End Sub
The above program accepts data entry through an input box and displays the entries
in the form itself. As you can see, this program will only allow a user to enter 10
names each time he clicks on the start button.


In today’s commercial environment, establishing a framework for the
authentication of computer-based information requires a familiarity with concepts
and professional skills from both the legal and computer security fields. Combining
these two disciplines is not an easy task. Concepts from the information security
field often correspond only loosely to concepts from the legal field, even in
situations where the terminology is similar. For example, from the information
security point of view, “digital signature” means the result of applying to specific
information certain specific technical processes described below. The historical
legal concept of “signature” is broader. It recognizes any mark made with the
intention of authenticating the marked document. In a digital setting, today’s broad
legal concept of “signature” may well include markings as diverse as digitized
images of paper signatures, typed notations such as “/s/ Rakesh Singh,” or even
addressing notations, such as electronic mail origination headers.
From an information security viewpoint, these simple “electronic signatures” are
distinct from the “digital signatures” described in this chapter and in the technical
literature, although “digital signature” is sometimes used to mean any form of
computer-based signature. These Guidelines use “digital signature” only as it is
used in information security terminology, as meaning the result of applying the
technical processes described in this chapter.
To explain the value of digital signatures in legal applications, this chapter begins
with an overview of the legal significance of signatures. It then sets forth the basics
of digital signature technology, and examines how, with some legal and
institutional infrastructure, digital signature technology can be applied as a robust
computer-based alternative to traditional signatures.
Signatures and the Law
A signature is not part of the substance of a transaction, but rather of its
representation or form. Signing writings serves the following general purposes:
• Evidence: A signature authenticates writing by identifying the signer with
the signed document. When the signer makes a mark in a distinctive manner,
the writing becomes attributable to the signer.
• Ceremony: The act of signing a document calls to the signer’s attention the
legal significance of the signer’s act, and thereby helps prevent “inconsiderate
• Approval: In certain contexts defined by law or custom, a signature expresses
the signer’s approval or authorization of the writing, or the signer’s intention
that it have legal effect.
• Efficiency and logistics: A signature on a written document often imparts a
sense of clarity and finality to the transaction and may lessen the subsequent
need to inquire beyond the face of a document. Negotiable instruments, for
example, rely upon formal requirements, including a signature, for their ability
to change hands with ease, rapidity, and minimal interruption.

*Source: Website of American Bar Association

The formal requirements for legal transactions, including the need for signatures,
vary in different legal systems, and also vary with the passage of time. There is
also variance in the legal consequences of failure to cast the transaction in a required
form. The statute of frauds of the common law tradition, for example, does not
render a transaction invalid for lack of a “writing signed by the party to be charged,”
but rather makes it unenforceable in court, a distinction which has caused the
practical application of the statute to be greatly limited in case law.
During this century, most legal systems have reduced formal requirements, or at
least have minimized the consequences of failure to satisfy formal requirements.
Nevertheless, sound practice still calls for transactions to be formalized in a manner
which assures the parties of their validity and enforceability. In current practice,
formalization usually involves documenting the transaction on paper and signing
or authenticating the paper. Traditional methods, however, are undergoing
fundamental change. Documents continue to be written on paper, but sometimes
merely to satisfy the need for a legally recognized form. In many instances, the
information exchanged to effect a transaction never takes paper form. Computer-
based information can also be utilized differently than its paper counterpart. For
example, computers can “read” digital information and transform the information
or take programmable actions based on the information. Information stored as
bits rather than as atoms of ink and paper can travel near the speed of light, may
be duplicated without limit and with insignificant cost.
Although the basic nature of transactions has not changed, the law has only begun
to adapt to advances in technology. The legal and business communities must
develop rules and practices, which use new technology to achieve and surpass the
effects historically expected from paper forms.
To achieve the basic purposes of signatures outlined above, a signature must have
the following attributes:
• Signer authentication: A signature should indicate who signed a document,
message or record, and should be difficult for another person to produce
without authorization.
• Document authentication: A signature should identify what is signed, making
it impracticable to falsify or alter either the signed matter or the signature
without detection.


Signer authentication and document authentication are tools used to exclude
impersonators and forgers and are essential ingredients of what is often called a
“nonrepudiation service” in the terminology of the information security profession.
A nonrepudiation service provides assurance of the origin or delivery of data in
order to protect the sender against false denial by the recipient that the data has
been received, or to protect the recipient against false denial by the sender that the
data has been sent. Thus, a nonrepudiation service provides evidence to prevent a
person from unilaterally modifying or terminating legal obligations arising out of
a transaction effected by computer-based means.
• Affirmative act: The affixing of the signature should be an affirmative act
which serves the ceremonial and approval functions of a signature and
establishes the sense of having legally consummated a transaction.
• Efficiency: Optimally, a signature and its creation and verification processes
should provide the greatest possible assurance of both signer authenticity
and document authenticity, with the least possible expenditure of resources.
Digital signature technology generally surpasses paper technology in all these
attributes. To understand why, one must first understand how digital signature
technology works.
How Digital Signature Technology Works
Digital signatures are created and verified by cryptography, the branch of applied
mathematics that concerns itself with transforming messages into seemingly
unintelligible forms and back again. Digital signatures use what is known as
“public key cryptography,” which employs an algorithm using two different but
mathematically related “keys;” one for creating a digital signature or transforming
data into a seemingly unintelligible form, and another key for verifying a digital
signature or returning the message to its original form. Computer equipment and
software utilizing two such keys are often collectively termed an “asymmetric
The complementary keys of an asymmetric cryptosystem for digital signatures
are arbitrarily termed the private key, which is known only to the signer and used
to create the digital signature, and the public key, which is ordinarily more widely
known and is used by a relying party to verify the digital signature. If many people
need to verify the signer’s digital signatures, the public key must be available or
distributed to all of them, perhaps by publication in an on-line repository or
directory where it is easily accessible. Although the keys of the pair are
mathematically related, if the asymmetric cryptosystem has been designed and
implemented securely it is “computationally infeasible” to derive the private key
from knowledge of the public key. Thus, although many people may know the


public key of a given signer and use it to verify that signer’s signatures, they cannot
discover that signer’s private key and use it to forge digital signatures. This is
sometimes referred to as the principle of “irreversibility.”
Another fundamental process, termed a “hash function,” is used in both creating
and verifying a digital signature. A hash function is an algorithm which creates a
digital representation or “fingerprint” in the form of a “hash value” or “hash result”
of a standard length which is usually much smaller than the message but
nevertheless substantially unique to it. Any change to the message invariably
produces a different hash result when the same hash function is used. In the case
of a secure hash function, sometimes termed a “one-way hash function,” it is
computationally infeasible to derive the original message from knowledge of its
hash value. Hash functions therefore enable the software for creating digital
signatures to operate on smaller and predictable amounts of data, while still
providing robust evidentiary correlation to the original message content, thereby
efficiently providing assurance that there has been no modification of the message
since it was digitally signed.
Thus, use of digital signatures usually involves two processes, one performed by
the signer and the other by the receiver of the digital signature:
• Digital signature creation uses a hash result derived from and unique to both
the signed message and a given private key. For the hash result to be secure,
there must be only a negligible possibility that the same digital signature
could be created by the combination of any other message or private key.
• Digital signature verification is the process of checking the digital signature
by reference to the original message and a given public key, thereby
determining whether the digital signature was created for that same message
using the private key that corresponds to the referenced public key.
To sign a document or any other item of information, the signer first delimits
precisely the borders of what is to be signed. The delimited information to be
signed is termed the “message” in this chapter. Then a hash function in the signer’s
software computes a hash result unique (for all practical purposes) to the message.
The signer’s software then transforms the hash result into a digital signature using
the signer’s private key. The resulting digital signature is thus unique to both the
message and the private key used to create it.
Typically, a digital signature (a digitally signed hash result of the message) is
attached to its message and stored or transmitted with its message. However, it
may also be sent or stored as a separate data element, so long as it maintains a
reliable association with its message. Since a digital signature is unique to its
message, it is useless if wholly disassociated from its message.


Verification of a digital signature is accomplished by computing a new hash result
of the original message by means of the same hash function used to create the
digital signature. Then, using the public key and the new hash result, the verifier
checks:
(1) whether the digital signature was created using the corresponding private
key; and
(2) whether the newly computed hash result matches the original hash result
which was transformed into the digital signature during the signing process.
The verification software will confirm the digital signature as “verified” if:
(1) the signer’s private key was used to digitally sign the message, which is known
to be the case if the signer’s public key was used to verify the signature because
the signer’s public key will verify only a digital signature created with the
signer’s private key; and
(2) the message was unaltered, which is known to be the case if the hash result
computed by the verifier is identical to the hash result extracted from the
digital signature during the verification process.
Various asymmetric cryptosystems create and verify digital signatures using
different algorithms and procedures, but share this overall operational pattern.
The processes of creating a digital signature and verifying it accomplish the essential
effects desired of a signature for many legal purposes:
• Signer authentication: If a public and private key pair is associated with an
identified signer, the digital signature attributes the message to the signer.
The digital signature cannot be forged, unless the signer loses control of the
private key (a “compromise” of the private key), such as by divulging it or
losing the media or device in which it is contained.
• Message authentication: The digital signature also identifies the signed
message, typically with far greater certainty and precision than paper
signatures. Verification reveals any tampering, since the comparison of the
hash results (one made at signing and the other made at verifying) shows
whether the message is the same as when signed.
• Affirmative act: Creating a digital signature requires the signer to use the
signer’s private key. This act can perform the “ceremonial” function of alerting
the signer to the fact that the signer is consummating a transaction with legal
• Efficiency: The processes of creating and verifying a digital signature provide
a high level of assurance that the digital signature is genuinely the signer’s.


As with the case of modern electronic data interchange (“EDI”) the creation
and verification processes are capable of complete automation (sometimes
referred to as “machinable”), with human interaction required on an exception
basis only. Compared to paper methods such as checking specimen signature
cards — methods so tedious and labor-intensive that they are rarely actually
used in practice — digital signatures yield a high degree of assurance without
adding greatly to the resources required for processing.
The processes used for digital signatures have undergone thorough technological
peer review for over a decade. Digital signatures have been accepted in several
national and international standards developed in cooperation with and accepted
by many corporations, banks, and government agencies. The likelihood of
malfunction or a security problem in a digital signature cryptosystem designed
and implemented as prescribed in the industry standards is extremely remote,
and is far less than the risk of undetected forgery or alteration on paper or of using
other less secure electronic signature techniques.
Public Key Certificates
To verify a digital signature, the verifier must have access to the signer’s public
key and have assurance that it corresponds to the signer’s private key. However, a
public and private key pair has no intrinsic association with any person; it is simply
a pair of numbers. Some convincing strategy is necessary to reliably associate a
particular person or entity to the key pair.
In a transaction involving only two parties, each party can simply communicate
(by a relatively secure “out-of-band” channel such as a courier or a secure voice
telephone) the public key of the key pair each party will use. Such an identification
strategy is no small task, especially when the parties are geographically distant
from each other, normally conduct communication over a convenient but insecure
channel such as the Internet, are not natural persons but rather corporations or
similar artificial entities, and act through agents whose authority must be
ascertained. As electronic commerce increasingly moves from a bilateral setting to
the many-on-many architecture of the World Wide Web on the Internet, where
significant transactions will occur among strangers who have no prior contractual
relationship and will never deal with each other again, the problem of
authentication/nonrepudiation becomes not merely one of efficiency, but also of
reliability. An open system of communication such as the Internet needs a system
of identity authentication to handle this scenario.
To that end, a prospective signer might issue a public statement, such as:
“Signatures verifiable by the following public key are mine.” However, others
doing business with the signer may for good reason be unwilling to accept the
statement, especially where there is no prior contract establishing the legal effect


of that published statement with certainty. A party relying upon such an
unsupported published statement in an open system would run a great risk of
trusting a phantom or an imposter, or of attempting to disprove a false denial of a
digital signature (“nonrepudiation”) if a transaction should turn out to prove
disadvantageous for the purported signer.
The solution to these problems is the use of one or more trusted third parties to associate
an identified signer with a specific public key. That trusted third party is referred to as
a “certification authority” in most technical standards and in this chapter.
To associate a key pair with a prospective signer, a certification authority issues a
Digital Certificate.
What is a Digital Certificate?
Digital Certificates are the electronic counterparts to driver licenses, passports and
membership cards. You can present a Digital Certificate electronically to prove
your identity or your right to access information or services online.
Digital Certificates bind an identity to a pair of electronic keys that can be used to
encrypt and sign digital information. A Digital Certificate makes it possible to
verify someone’s claim that they have the right to use a given key, helping to
prevent people from using phony keys to impersonate other users. Used in
conjunction with encryption, Digital Certificates provide a more complete security
solution, assuring the identity of all parties involved in a transaction.
A Digital Certificate is issued by a Certification Authority (CA) and signed with
the CA’s private key.
A Digital Certificate typically contains the:
• Owner’s public key
• Owner’s name
• Expiration date of the public key
• Name of the issuer (the CA that issued the Digital Certificate)
• Serial number of the Digital Certificate
• Digital signature of the issuer
The most widely accepted format for Digital Certificates is defined by the CCITT
X.509 international standard; thus certificates can be read or written by any
application complying with X.509. Further refinements are found in the PKCS
standards and the PEM standard.


What are Digital Certificates used for?
Digital Certificates can be used for a variety of electronic transactions including e-
mail, electronic commerce, groupware and electronic funds transfers. Netscape’s
popular Enterprise Server requires a Digital Certificate for each secure server.
For example, a customer shopping at an electronic mall run by Netscape’s server
software requests the Digital Certificate of the server to authenticate the identity
of the mall operator and the content provided by the merchant. Without
authenticating the server, the shopper should not trust the operator or merchant
with sensitive information like a credit card number. The Digital Certificate is
instrumental in establishing a secure channel for communicating any sensitive
information back to the mall operator.
Need for a Digital Certificate?
Virtual malls, electronic banking, and other electronic services are becoming more
commonplace, offering the convenience and flexibility of round-the-clock service
direct from your home. However, your concerns about privacy and security might
be preventing you from taking advantage of this new medium for your personal
business. Encryption alone is not enough, as it provides no proof of the identity of
the sender of the encrypted information. Without special safeguards, you risk being
impersonated online. Digital Certificates address this problem, providing an
electronic means of verifying someone’s identity. Used in conjunction with
encryption, Digital Certificates provide a more complete security solution, assuring
the identity of all parties involved in a transaction.
Similarly, a secure server must have its own Digital Certificate to assure users that
the server is run by the organisation it claims to be affiliated with and that the
content provided is legitimate.
Types and Status services for Digital Certificate
Certifying Authorities provide issuing, revocation, and status services for three
types of Digital Certificates — Server Certificates, Developer Certificates for
software publishers, and personal Digital Certificates for use with Web Browsers
and S/MIME applications.
• Server Certificates enable web servers to operate in a secure mode. A Server
Certificate unambiguously identifies and authenticates your server and
encrypts any information passed between the server and a web browser.
• Developer Certificates are used in conjunction with Microsoft Authenticode™
Technology (software validation) to provide customers with the information and
assurance they need when downloading software from the Internet.
• Personal Digital Certificates are used by individuals when they exchange
messages with other users or online services.


Certain Certifying Authorities such as VeriSign of Australia offer all three classes
of Digital Certificates. The classes are differentiated by their assurance level—the
level of confidence that can be placed in the Digital Certificate based on knowledge
of the process used to verify the owner’s identity. The identification requirements
are greater for higher numbered classes—for example, a Class 1 Digital Certificate
verifies the owner’s e-mail address, while a Class 2 Digital Certificate offers the
additional assurance of verification of the owner’s personal identity.
As mentioned earlier, a digital certificate is an electronic record, which lists a public
key as the “subject” of the certificate, and confirms that the prospective signer
identified in the certificate holds the corresponding private key. The prospective
signer is termed the “subscriber.” A certificate’s principal function is to bind a key
pair with a particular subscriber. A “recipient” of the certificate desiring to rely
upon a digital signature created by the subscriber named in the certificate
(whereupon the recipient becomes a “relying party”) can use the public key listed
in the certificate to verify that the digital signature was created with the
corresponding private key. If such verification is successful, this chain of reasoning
provides assurance that the corresponding private key is held by the subscriber
named in the certificate, and that the digital signature was created by that particular
To assure both message and identity authenticity of the certificate, the certification
authority digitally signs it. The issuing certification authority’s digital signature
on the certificate can be verified by using the public key of the certification authority
listed in another certificate by another certificate authority (which may but need
not be on a higher level in a hierarchy), and that other certificate can in turn be
authenticated by the public key listed in yet another certificate, and so on, until
the person relying on the digital signature is adequately assured of its genuineness.
In each case, the issuing certification authority must digitally sign its own certificate
during the operational period of the other certificate used to verify the certification
authority’s digital signature.
A digital signature, whether created by a subscriber to authenticate a message or
by a certification authority to authenticate its certificate (in effect a specialized
message) should be reliably time-stamped to allow the verifier to determine reliably
whether the digital signature was created during the “operational period” stated
in the certificate, which is a condition upon verifiability of a digital signature under
this chapter.
To make a public key and its identification with a specific subscriber readily
available for use in verification, the certificate may be published in a repository or
made available by other means. Repositories are on-line databases of certificates
and other information available for retrieval and use in verifying digital signatures.


Retrieval can be accomplished automatically by having the verification program
directly inquire of the repository to obtain certificates as needed.
Once issued, a certificate may prove to be unreliable, such as in situations where
the subscriber misrepresents his identity to the certification authority. In other
situations, a certificate may be reliable enough when issued but come to be
unreliable sometime thereafter. If the subscriber loses control of the private key
(“compromise” of the private key), the certificate has become unreliable, and the
certification authority (either with or without the subscriber’s request depending
on the circumstances) may suspend (temporarily invalidate) or revoke
(permanently invalidate) the certificate. Immediately upon suspending or revoking
a certificate, the certification authority must publish notice of the revocation or
suspension or notify persons who inquire or who are known to have received a
digital signature verifiable by reference to the unreliable certificate.
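The signing and verification steps and the certificate checks described above (issuer signature, operational period, revocation), worked through as an added example that is not part of the original study material. It uses a toy, unpadded RSA in Python; the key sizes, names, dates and the (issuer, serial) revocation set are constructed assumptions, and a single time stamp is checked against every certificate in the chain.

```python
import hashlib, json

E = 65537  # public exponent shared by all toy keys (assumption)

def make_key(p, q):
    """Toy RSA key pair from two primes: ((n, e) public, (n, d) private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(message):
    """Hash result of the message as an integer (SHA-256)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, private):
    n, d = private
    return pow(digest(message), d, n)  # transform the hash result with the private key

def verify(message, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(message)  # recovered hash vs newly computed hash

def encode(body):
    return json.dumps(body, sort_keys=True).encode()

def issue(subject, subject_public, issuer, issuer_private, serial, start, end):
    """Certificate: subscriber, public key, issuer, serial, period, issuer's signature."""
    body = {"subject": subject, "public_key": list(subject_public), "issuer": issuer,
            "serial": serial, "not_before": start, "not_after": end}
    return {"body": body, "signature": sign(encode(body), issuer_private)}

def check(message, signature, signed_at, chain, root_public, revoked):
    """chain[0] is the signer's certificate; each later one certifies the previous issuer."""
    for i, cert in enumerate(chain):
        body = cert["body"]
        nxt = chain[i + 1]["body"]["public_key"] if i + 1 < len(chain) else root_public
        if not verify(encode(body), cert["signature"], tuple(nxt)):
            return "bad issuer signature: " + body["subject"]
        if not body["not_before"] <= signed_at <= body["not_after"]:
            return "outside operational period: " + body["subject"]
        if (body["issuer"], body["serial"]) in revoked:
            return "revoked: " + body["subject"]
    if not verify(message, signature, tuple(chain[0]["body"]["public_key"])):
        return "message signature invalid"
    return "verified"

# Constructed sample data. Mersenne primes keep the block short; never use them for real keys.
ROOT_PUB, ROOT_PRIV = make_key(2**127 - 1, 2**521 - 1)
CA_PUB, CA_PRIV = make_key(2**89 - 1, 2**607 - 1)
ALICE_PUB, ALICE_PRIV = make_key(2**107 - 1, 2**1279 - 1)
CHAIN = [issue("Alice", ALICE_PUB, "Example CA", CA_PRIV, 7, "2024-01-01", "2024-12-31"),
         issue("Example CA", CA_PUB, "Example Root", ROOT_PRIV, 1, "2020-01-01", "2029-12-31")]
MESSAGE = b"Pay 100 to Bob"
SIGNATURE = sign(MESSAGE, ALICE_PRIV)

if __name__ == "__main__":
    print(check(MESSAGE, SIGNATURE, "2024-06-01", CHAIN, ROOT_PUB, set()))
```

Real systems add a padding scheme to the hash result before the private-key operation and use randomly generated primes of adequate size; the toy keeps only the hash, sign, verify and chain-walking logic the text describes.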
Challenges and Opportunities
The prospect of fully implementing digital signatures in general commerce presents
both benefits and costs. The costs consist mainly of:
• Institutional overhead: The cost of establishing and utilizing certification
authorities, repositories, and other important services, as well as assuring
quality in the performance of their functions.
• Subscriber and Relying Party Costs: A digital signer will require software,
and will probably have to pay a certification authority some price to issue a
certificate. Hardware to secure the subscriber’s private key may also be
advisable. Persons relying on digital signatures will incur expenses for
verification software and perhaps for access to certificates and certificate
revocation lists (CRL) in a repository.
On the plus side, the principal advantage to be gained is more reliable
authentication of messages. Digital signatures, if properly implemented and
utilized, offer promising solutions to the problems of:
• Imposters, by minimizing the risk of dealing with imposters or persons who
attempt to escape responsibility by claiming to have been impersonated;
• Message integrity, by minimizing the risk of undetected message tampering
and forgery, and of false claims that a message was altered after it was sent;
• Formal legal requirements, by strengthening the view that legal requirements of
form, such as writing, signature, and an original document, are satisfied, since
digital signatures are functionally on a par with, or superior to paper forms; and
• Open systems, by retaining a high degree of information security, even for
information sent over open, insecure, but inexpensive and widely used channels.