UNIT-3

Signatures

What is Signature?

• A person’s name written as a form of

identification in authorizing a document

• Action of signing a document

 Signature and Law
Evidence: A signature authenticates writing by
identifying the signer with the signed document.

When the signer makes a mark in a distinctive

manner, the writing becomes attributable to the
signer
Approval: In certain contexts defined by law or
custom, a signature expresses the signer’s
approval or authorization of the writing, or the
signer's intention that it has legal effect.
In R vs Kent Justices, [1967] 2 QB 163 , the court

observed that “signature is the name of person

written on a document to signify that the writing
accords with his wishes or intentions”.

This is what is ordinarily meant by speaking of a

person’s signature but the law does not always insist
upon the name of the person being written; initials
or mark intended to be sufficient signature by him.
Difference between Digital
and Electronic Signature
 Authentication

To ensure that the sender & the receiver can

confirm the identity of each other

Integrity

Provides the assurance that the message

is complete and has not been modified
or tampered with during the transmission
 Privacy & Confidentiality

To ensure that the information has not

been intercepted and read by a third party

Non-repudiation

It ensures that either party cannot refuse

having sent or having received their
respective messages
 Electronic signature

What is an e-signature (electronic signature)?

An e-signature (electronic signature) is a digital version

of a conventional handwritten signature. In many
countries, including the United States, an e-signature can
provide the same legal commitment as a handwritten
signature if it meets certain criteria.

The terms e-signature and digital signature are often used

interchangeably, although this is incorrect. A digital
signature is a type of e-signature, but not all e-signatures
An e-signature provides a quick and easy way to
sign electronic documents without the need to
print paper or affix wet ink signatures.
Essentially, it is a process where computers are
used to certify the integrity of a document and to
authenticate the person signing the document
(signer).

E-signatures don't require pen and paper but

allow the parties involved to agree with or
approve a document, just like they would do with
handwritten signatures.
 Digital Signature
Digital signature enhances the ability of
parties to authenticate electronic record

Sophisticated encryption and decryption

technology is used to verify the identity of
the other party to the electronic
transaction.

Digital signature law, necessary for

adjudication of disputes between parties in
e-commerce
 What is Digital Signature?

Sec.2(1)(p)

Means authentication of any electronic

record by a subscriber by means of an
electronic method or procedure in
accordance with the provisions of Sec.3

Section 3 states that digital signature must

follow asymmetric system of technology and
hash function. The private and public key are
unique to each subscriber.
 Sec.3- Authentication of Electronic
Record

Shall be effected by asymmetric

cryptosystem & hash function which
envelop & transform the initial record
into
another electronic record;
Any person by the use of a public key of
the subscriber can verify the electronic
record
The private key and the public key are
unique to the subscriber and constitute a
functioning key pair
 Legal Recognition of Digital Signature

Sec.5

Where any law provides that information or any

other matter shall be authenticated by affixing
the signature or any document shall be signed or
bear the signature of any person then,
notwithstanding anything contained in such law,
such requirement shall be deemed to have been
satisfied, if such information or matter is
authenticated by means of digital signature
affixed in such manner as may be prescribed by
the Central Government.
Section 15- Secure Digital
Signature
■ If by application of a security procedure agreed to
by the parties concerned, it can be verified that a
digital signature, at the time it was affixed, was:
(a) unique to the subscriber affixing it;
(b) capable of identifying such subscriber;
(c) created in a manner or using a means under the
exclusive control of the subscriber and is linked to
the electronic record to which it relates in such a
manner that if the electronic record was altered the
digital signature would be invalidated,
then such digital signature shall be deemed to be a
secure digital signature
 Essential steps of the digital
signature process
■ STEP 1 The signatory is the authorized holder a unique cryptographic
key pair;
■ STEP 2 The signatory prepares a data message (for example, in the
form of an electronic mail message) on a computer;
■ STEP 3 The signatory prepares a “message digest”, using a secure
hash algorithm. Digital signature creation uses a hash result derived
from and unique to the signed message;
■ STEP 4 The signatory encrypts the message digest with the private
key. The private key is applied to the message digest text using a
mathematical algorithm. The digital signature consists of the encrypted
message digest,
■ STEP 5 The signatory typically attaches or appends its digital
signature to the message;
■ STEP 6 The signatory sends the digital signature and the (unencrypted
or encrypted) message to the relying party electronically;
■STEP 7 The relying party uses the signatory’s public key to
verify the signatory’s digital signature. Verification using the
signatory’s public key provides a level of technical assurance that
the message came exclusively from the signatory;
■STEP 8 The relying party also creates a “message digest” of the
message, using the same secure hash algorithm;
■STEP 9 The relying party compares the two message digests. If
they are the same, then the relying party knows that the message
has not been altered after it was signed. Even if one bit in the
message has been altered after the message has been digitally
signed, the message digest created by the relying party will be
different from the message digest created by the signatory;
■STEP 10 Where the certification process is resorted to, the
relying party obtains a certificate from the certification service
provider (including through the signatory or otherwise), which
confirms the digital signature on the signatory’s message. The
certificate contains the public key and name of the signatory (and
possibly additional information), digitally signed by the
certification service provider.
 Cryptography
From Greek word – Krupto (secret) grafh (writing)

Cryptography is the study of secure

communications techniques that allow only
the sender and intended recipient of a
message to view its contents.

Deals with principles , means and methods of

converting plain information into unintelligible
(encryption) form and reconverting the
unintelligible information back into an intelligible
form (decryption)
Symmetric Key Cryptography

Algorithms that employ the

same key for the encryption
and decryption of the message

Does not support

non-repudiation

Not suitable where number of

parties involved is large
 Asymmetric Cryptography

Unique identification of the sender and the

messages, so that the parties know where the
information is coming from and where it is going
( identification & authentication)

Ensuring that the transmitted information has not

been altered deliberately or inadvertently ( data
integrity)

Establishing the sender’s identity to the

information (non-repudiation)

Protecting information from unauthorized access

(privacy & confidentiality)
 Difference between Symmetric
and Asymmetric Key Encryption
 Asymmetric Cryptosystem
Sec.2(f) of IT Act, 2000

Means a system of a secure key pair consisting of a

private key for creating a digital signature and a public
key to verify the digital signature

The message is encrypted by the private key of the

sender, on the contrary, decryption can be done by
anyone who is having the public key of the sender. It depicts the
authenticity of the sender. It is also known as
the ‘principle of irreversibility’ ie. the public key of
the sender is known to many users, but they do not
have access to the private key of the sender which
bars them from forging the digital signature.
 Hash Function

An algorithm mapping or translation of one

sequence of bits into another, generally smaller,
set known as ‘hash result’ such that an electronic
record yields the same hash result every time
algorithm is executed with the same electronic
record as its input making it computationally
infeasible
 Alice and Bob have a key K (PKI)

• Alice wants to send x, computes y =

hk(x).

• Alice sends (x, y).

Bob receives it and checks hk(x) = y.

If so, great if not, x or y was tampered with.

 Digital Signature

Provides Integrity, Authentication, and

Non-Repudiation by serving as a unique and
highly sensitive data value generated by an
asymmetric algorithm
 Digital Signature- OVERVIEW

Sender:

• Prepares some data (e.g.) Word document

•
Prepares a "hash" (a short, unique,
mathematically-derived summary) of this document
(to save processing power / time)

• Encrypts the hashed document with the sender's

private key. This encrypted hash is the actual
digital signature

• Sends the digital signature and the original data

Public Key Infrastructure
 of
y
or es
ct cat
ire fi s
D erti RL
C C
Subscriber
PKI Hierarchy

CA

Subscriber
CA
CCA

Subscriber
CA

Subscriber
of
y
or es
ct cat
ire fi s
D erti RL
C C
Public key infrastructure or PKI is the
governing body behind issuing digital
certificates. It helps to protect confidential
data and gives unique identities to users and
systems. Thus, it ensures security in
communications.

The public key infrastructure uses a pair of

keys: the public key and the private key to
achieve security. The public keys are prone to
attacks and thus an intact infrastructure is needed
to maintain them.
Working on a PKI:

Let us understand the working of PKI in steps.

• PKI and Encryption: The root of PKI involves the

use of cryptography and encryption techniques.
Both symmetric and asymmetric encryption uses a
public key. The challenge here is – “how do you know
that the public key belongs to the right person or to the
person you think it belongs to?”. There is always a risk
of MITM(Man in the middle). This issue is resolved
by a PKI using digital certificates. It gives identities to
keys in order to make the verification of owners easy
and accurate.
• The Certification Authority (CA) stores the
public key of a user along with other
information about the client in the digital
certificate. The information is signed and a
digital signature is also included in the
certificate.

• The affirmation for the public key then thus

be retrieved by validating the signature using
the public key of the Certification Authority.
• Certifying Authorities: A CA issues and verifies certificates. This authority
makes sure that the information in a certificate is real and correct and it also
digitally signs the certificate. A CA or Certifying Authority performs these
basic roles:

• Generates the key pairs – This key pair generated by the CA can be either
independent or in collaboration with the client.

• Issuing of the digital certificates – When the client successfully provides

the right details about his identity, the CA issues a certificate to the client.
Then CA further signs this certificate digitally so that no changes can be
made to the information.

• Publishing of certificates – The CA publishes the certificates so that the

users can find them. They can do this by either publishing them in an
electronic telephone directory or by sending them out to other people.

• Verification of certificate – CA gives a public key that helps in verifying if

the access attempt is authorized or not.

• Revocation – In case of suspicious behavior of a client or loss of trust in

them, the CA has the power to revoke the digital certificate.
Certified Authorities
 Regulation of Certifying Authorities
[Chapter IV]
• The Central Government may appoint a Controller of
Certifying Authority who shall exercise supervision over
the activities of Certifying Authorities.

• Certifying Authority means a person who has been

granted a license to issue a Digital Signature Certificate.
The Controller of Certifying Authority shall have powers
to lay down rules, regulations, duties, responsibilities
and functions of the Certifying Authority issuing Digital
Signature Certificates.

• The Certifying Authority empowered to issue a Digital

Signature Certificate shall have to procure a license from
the Controller of Certifying Authority to issue Digital
Signature Certificates. The Controller of Certifying
Authority has prescribed detailed rules and regulations
in the Act, as to the application for license, suspension of
license and procedure for grant or rejection of license.
17. Appointment of Controller and other officers.-

(1)The Central Government may, by notification in the Official Gazette, appoint a

Controller of Certifying Authorities for the purposes of this Act and may also by the
same or subsequent notification, appoint such number of Deputy
ControllersAssistant Controllers, other officers and employees as it deems fit.

(2)The Controller shall discharge his functions under this Act subject to the general
control and directions of the Central Government.

(3)The Deputy Controllers and Assistant Controllers shall perform the functions
assigned to them by the Controller under the general superintendence and control of
the Controller.

(4)The qualifications, experience and terms and conditions of service of Controller,

Deputy Controllers Assistant Controllers, other officers and employees shall be such
as may be prescribed by the Central Government.

(5)The Head Office and Branch Office of the office of the Controller shall be at such
places as the Central Government may specify, and these may be established at such
places as the Central Government may think fit.
18. Functions of Controller. -

The Controller may perform all or any of the following functions, namely:-

(a)exercising supervision over the activities of the Certifying Authorities;

(b)certifying public keys of the Certifying Authorities;

(c)laying down the standards to be maintained by the Certifying Authorities;

(d)specifying the qualifications and experience which employees of the Certifying

Authority should possess;

(e)specifying the conditions subject to which the Certifying Authorities shall conduct
their business;

(f)specifying the contents of written, printed or visual materials and advertisements

that may be distributed or used in respect of a Electronic Signature Certificate and
the public key;

(g)specifying the form and content of a Electronic Signature Certificate and the key;
(h)specifying the form and manner in which accounts shall be maintained by the
Certifying Authorities;

(i)specifying the terms and conditions subject to which auditors may be appointed and
the remuneration to be paid to them;

(j)facilitating the establishment of any electronic system by a Certifying Authority

either solely or jointly with other Certifying Authorities and regulation of such
systems;

(k)specifying the manner in which the Certifying Authorities shall conduct their
dealings with the subscribers;

(l)resolving any conflict of interests between the Certifying Authorities and the
subscribers;

(m)laying down the duties of the Certifying Authorities;

(n)maintaining a database containing the disclosure record of every Certifying

Authority containing such particulars as may be specified by regulations, which shall
be accessible to public.
19. Recognition of foreign Certifying Authorities.-

(1)Subject to such conditions and restrictions as may be specified, by

regulations, the Controller may, with the previous approval of the
Central Government, and by notification in the Official Gazette,
recognise any foreign Certifying Authority as a Certifying Authority
for the purposes of this Act.

(2)Where any Certifying Authority is recognised under sub-section

(1), the Electronic Signature Certificate issued by such Certifying
Authority shall be valid for the purposes of this Act.

(3)The Controller may, if he is satisfied that any Certifying Authority

has contravened any of the conditions and restrictions subject to
which it was granted recognition under sub-section (1) he may, for
reasons to be recorded in writing, by notification in the Official
Gazette, revoke such recognition.
21. License to issue Electronic Signature Certificates.-

(1)Subject to the provisions of sub-section (2), any person may make an

application to the Controller for a license to issue Electronic Signature
Certificates.

(2)No license shall be issued under sub-section (1), unless the applicant
fulfills such requirements with respect to qualification, expertise, manpower,
financial resources and other infrastructure facilities, which are necessary to
issue Electronic Signature Certificates as may be prescribed by the Central
Government.

(3)A license granted under this section shall-

(a)be valid for such period as may be prescribed by the Central Government;

(b)not be transferable or heritable;

(c)be subject to such terms and conditions as may be specified by the

 for license -

ation for issue of a license shall be in such form as may be prescribed by the Centra

ation for issue of a license shall be accompanied by-

n practice statement;

ncluding the procedures with respect to identification of the applicant;

uch fees, not exceeding twenty-five thousand rupees as may be prescribed by the Ce

ocuments, as may be prescribed by the Central Government.

23. Renewal of license.-

An application for renewal of a license shall be-

(a)in such form;

(b)accompanied by such fees, not exceeding five thousand

rupees, as may be prescribed by the Central Government and
shall be made not less than forty-five days before the date of
expiry of the period of validity of the license.
24. Procedure for grant or rejection of license.-

The Controller may, on receipt of an application under

sub-section

(1) of section 21, after considering the documents

accompanying the application and such other factors, as
he deems fit, grant the license or reject the application:

Provided that no application shall be rejected under this

section unless the applicant has been given a reasonable
opportunity of presenting his case.
25. Suspension of license.-

(1)The Controller may, if he is satisfied after making such inquiry, as

he may think fit, that a Certifying Authority has-

(a)made a statement in, or in relation to, the application for the issue
or renewal of the license, which is incorrect or false in material
particulars;

(b)failed to comply with the terms and conditions subject to which

the license was granted;

(c)failed to maintain the procedures and standards specified in

section 30;

(d)contravened any provisions of this Act, rule, regulation or order

made thereunder; revoke the license:

Provided that no license shall be revoked unless the Certifying

Authority has been given a reasonable opportunity of showing cause
(2)The Controller may, if he has reasonable cause to
believe that there is any ground for revoking a license
under sub-section (1), by order, suspend such license
pending the completion of any enquiry ordered by
him:Provided that no license shall be suspended for a
period exceeding ten days unless the Certifying
Authority has been given a reasonable opportunity of
showing cause against the proposed suspension.
(3)No Certifying Authority whose license has been
suspended shall issue any Digital Signature
Certificate during such suspension.
26. Notice of suspension or revocation of license.-

(1)Where the license of the Certifying Authority is suspended or

revoked, the Controller shall publish notice of such suspension or
revocation, as the case may be, in the data base maintained by him.

(2)Where one or more repositories are specified, the Controller

shall publish notices of such suspension or revocation, as the case
may be, in all such repositories:

Provided that the data base containing the notice of such

suspension or revocation, as the case may be, shall be made
available through a web site which shall be accessible round the
clock:Provided further that the Controller may, if he considers
necessary, publicize the contents of data base in such electronic or
other media, as he may consider appropriate.
27. Power to delegate.-

The Controller may, in writing, authorize the Deputy

Controller, Assistant Controller or any officer to
exercise any of the powers of the Controller under
this Chapter.
28. Power to investigate contraventions. -

(1)The Controller or any officer authorized by him in this

behalf shall take up for investigation any contravention of the
provisions of this Act, rules or regulations made thereunder.

(2)The Controller or any officer authorised by him in this

behalf shall exercise the like powers which are conferred on
Income-tax authorities under Chapter XIII of the Income-tax
Act, 1961 (43 of 1961), and shall exercise such powers, subject
30. Certifying Authority to follow certain procedures. -

Every Certifying Authority shall,-

(a)make use of hardware, software, and procedures that are secure from
intrusion and misuse;

(b)provide a reasonable level of reliability in its services which are

reasonably suited to the performance of intended functions;

(c)adhere to security procedures to ensure that the secrecy and privacy of

the electronic signatures are assured;

(ca)be the repository of all Electronic Signature Certificates issues under

this Act;

(cb)publish information regarding its practices, Electronic Signature

Certificates and current status of such certificate; and
35. Certifying authority to issue [electronic signature] Certificate.—(1)
Any person may make an application to the Certifying Authority for the issue
of a 1 [electronic signature] Certificate in such form as may be prescribed by
the Central Government. (2) Every such application shall be accompanied by
such fee not exceeding twenty-five thousand rupees as may be prescribed by
the Central Government, to be paid to the Certifying Authority: Provided that
while prescribing fees under sub-section (2) different fees may be prescribed
for different classes of applicants. (3) Every such application shall be
accompanied by a certification practice statement or where there is no such
statement, a statement containing such particulars, as may be specified by
regulations. (4) On receipt of an application under sub-section (1), the
Certifying Authority may, after consideration of the certification practice
statement or the other statement under sub-section (3) and after making such
enquiries as it may deem fit, grant the 1 [electronic signature] Certificate or for
reasons to be recorded in writing, reject the application: 3 * * * * * 4
[Provided] that no application shall be rejected unless the applicant has been
given a reasonable opportunity of showing cause against the proposed
37. Suspension of Digital Signature Certificate.-

(1)Subject to the provisions of sub-section (2), the Certifying Authority which

has issued a Digital Signature Certificate may suspend such Digital Signature
Certificate,-

(a)on receipt of a request to that effect from-

(i)the subscriber listed in the Digital Signature Certificate; or

(ii)any person duly authorised to act on behalf of that subscriber;

(b)if it is of opinion that the Digital Signature Certificate should be suspended

in public interest.

(2)A Digital Signature Certificate shall not be suspended for a period exceeding
fifteen days unless the subscriber has been given an opportunity of being heard
in the matter.

(3)On suspension of a Digital Signature Certificate under this section, the

Certifying Authority shall communicate the same to the subscriber.
38. Revocation of Digital Signature Certificate.-
(1)A Certifying Authority may revoke a Digital
Signature Certificate issued by it-
(a)where the subscriber or any other person authorised
by him makes a request to that effect; or
(b)upon the death of the subscriber; or
(c)upon the dissolution of the firm or winding up of the
company where the subscriber is a firm or a company.
(2)Subject to the provisions of sub-section (3) and without prejudice
to the provisions of sub-section (1), a Certifying Authority may
revoke a Digital Signature Certificate which has been issued by it at
any time, if it is of opinion that-

(a)a material fact represented in the Digital Signature Certificate is

false or has been concealed;

(b)a requirement for issuance of the Digital Signature Certificate was

not satisfied;

(c)the Certifying Authority's private key or security system was

compromised in a manner materially affecting the Digital Signature
Certificate's reliability;

(d)the subscriber has been declared insolvent or dead or where a

subscriber is a firm or a company, which has been dissolved, wound-
up or otherwise ceased to exist.