DIGITAL SIGNATURES: TECHNICAL AND LEGAL PERSPECTIVE

By Sanchita Bera

Meaning and Definition of some important terms

  1. Digital Signatures: A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document. It is the equivalent of a handwritten signature or stamped seal, but it offers far more inherent security[1]. When a document carries a digital signature, the signature validates the document and assures the receiver that it was generated and sent by the signer. Hence, a digital signature establishes the origin of a document, identifies its sender, and gives evidence about the transaction and the status of the document. Digital signatures are commonly used in software distribution, financial transactions, and other cases where there is a risk of forgery. The process by which a message or document is transformed using an asymmetric cryptosystem and a hash function is also referred to as digitally signing it. Digital signatures are mainly founded on public-key encryption, which uses prime numbers like 2, 3, 5, 7, 9, 11 and so on, i.e. numbers that are divisible only by themselves and by 1. Ultimately, the main purpose of using digital signatures is to secure the document and protect it from being tampered with by unauthorized parties.

  2. Encryption: An encryption algorithm is a method used to transform data into ciphertext. The algorithm uses the encryption key to alter the data predictably, so that even though the encrypted data appears random, it can be turned back into plaintext using the decryption key[2]. An algorithm is a small procedure that can solve a recurrent problem[3]. In layman's terms, the encryption process is used to lock a document or a message. Encryption is used to protect data that is either in motion or at rest. It shields Wi-Fi networks, mobile phones, and ATMs, and it also helps secure websites. As discussed above, encryption is used to lock a message or data; for both locking and unlocking the message we require a 'key'.

  3. Key: In cryptography, a key is a piece of information used in combination with an algorithm (a ‘cipher’) to transform plaintext into ciphertext (encryption) and vice versa (decryption)[4]. Hence, a key can simply be thought of as a virtual key that opens and closes a document, data, or a message. There are two types of keys: the Private Key and the Public Key.

  4. Private Key Encryption or Symmetric Key: In this form of encryption only one key is used: the sender locks or encrypts the message using one key and the receiver unlocks or decrypts the message using the same key. One advantage of having a single key to lock and unlock the message is that the sender need not maintain two separate keys, but this advantage comes with a disadvantage: maintaining a single key creates key-management issues, because the sender's private key has to be shared with the receiver of the message in order to unlock it. Also, the main intention of keeping the key private cannot be sustained. This scheme is called symmetric encryption because it uses only one key.

  5. Public Key Encryption or Asymmetric Key: In this form of encryption two keys are used: the sender locks or encrypts the message using his private key and the receiver unlocks or decrypts the message using the sender's public key. Therefore, Public Key Cryptography (PKC) involves a public key and a private key. The sender keeps his private key to himself and shares his public key with those to whom he has sent a message or document carrying a digital signature. This scheme is also called asymmetric encryption because it uses two different keys. Also, the PKC is connected in such a way that the sender’s public key can only be used to lock the message and the sender’s private key can only be used to unlock the message. The advantage of this scheme is that the sender can keep his private key to himself and share his public key, while the disadvantage is that the holder of the PKC key pair has to maintain both keys.


Origin of Digital Signatures

For the first time in the history of information technology, the idea of a digital signature scheme was chronicled by Whitfield Diffie and Martin Hellman in the year 1976. Shafi Goldwasser, Silvio Micali, and Ronald Rivest invented the RSA algorithm, which was named after them; this algorithm was one of the main building blocks of Public Key Encryption. Also, the very first attempt to firmly define the necessary security requirements of digital signature schemes was made in the year 1984 by Shafi Goldwasser, Silvio Micali, and Ronald Rivest. Lotus Notes 1.0 was the first widely marketed software package that offered digital signatures; it was released in the year 1989[5].

Right after the evolution of RSA, other digital signature schemes came to light, for example Lamport signatures, Merkle signatures, and Rabin signatures. Shafi Goldwasser, Silvio Micali, and Ronald Rivest were again the first to invent the GMR signature scheme, which could stave off existential forgery under a chosen-message attack[6].


Technical Perspective of Digital Signatures

An example of Public Key Encryption[7]


This is an example of how the hash function works. Whenever Bob encrypts or locks the document using his private key, the hash function in the key converts the plain text into hashed text, as shown in the image below. Alice (the receiver) sees the document not in plain text but as hashed text; when Alice uses Bob's public key to decrypt the document, it converts from hashed text back to plain text.




Example of Private Key Encryption[8]


Here only one key is used to both lock and unlock the message.


End of Digital Signatures and the start of Electronic Signatures?

An electronic signature includes any type of signature in an electronic format. The European Union regulation on e-signatures (eIDAS) defines an electronic signature as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign[9].” In layman’s terms, digital and electronic signatures mean the same thing, and to some extent they do, but the following are the differences[10]:



Legal Perspective of Digital Signature and Electronic Signature


Section 3 of the IT Act, 2000 provides for authentication of electronic records, whereby the subscriber may authenticate an electronic record by affixing his digital signature. Section 3-A of the IT Act, 2000 provides that the subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique as is considered reliable and is specified in the Second Schedule. Also, Section 5 gives formal legal recognition to electronic signatures and states that the electronic signature of a person on any document will be considered lawfully equivalent to a handwritten signature. Hence, from the above sections one thing is clear: electronic signatures have been considered more reliable than digital signatures under the IT Act, 2000. Here, ‘subscriber’ under Section 2(zg) means a person in whose name the ‘electronic signature certificate’ has been issued. Section 10 authorizes the Central Government to prescribe the type of e-signatures, the manner and format of affixing them, and the procedure for identification, and to govern the process so as to ensure that e-signatures have adequate levels of integrity, security, and confidentiality when placed upon documents or payments[13].

  1. Who is a Certifying Authority (CA)? Under Section 2(g), it is a person who is empowered to grant the license of an Electronic Signature Certificate under Section 24[14].

  2. Duties of a Certifying Authority: Under Section 30, a CA shall follow certain procedures; use hardware, software, and procedures that are secure from intrusion and misuse; provide adequate levels of security in its services; maintain the secrecy and privacy of electronic signatures; act as the repository of Electronic Signature Certificates; and publish information about, and the status of, the same[15].

  3. Issuance of an Electronic Signature Certificate: Under Section 35, the Certifying Authority will issue an Electronic Signature Certificate on an application made to it by any person in the form prescribed by the Central Government. The application must be accompanied by a fee of Rs. 25,000 and a certification practice statement. After taking many factors into consideration and examining the application, the CA will grant a license to the applicant in writing[16].

  4. Issuance of a Digital Signature Certificate: Under Section 36, the Certifying Authority will issue the Digital Signature Certificate and certify that the holder shall follow the rules and regulations of the Act, that the holder (here the subscriber) holds the public key listed in the certificate, that the holder has the private key which can generate the digital signature, and that the holder's public and private keys form a ‘key pair’ as defined under Section 2(x)[17].

  5. Digital Signature being suspended: Under Section 37, the Certifying Authority who issued the certificate can also suspend it if the holder so requests, or on a request made by any person on behalf of the holder. The CA will suspend the certificate within 15 days, and shall not exceed that period unless the holder is given a chance to be heard[18].

  6. Digital Signatures being revoked: Under Section 38, the Certifying Authority will revoke the certificate if the holder so requests, on the death of the holder, or where the holder is a firm or company that has been dissolved or wound up[19].


Conclusion


In today’s world, when everything is fast-paced, why should documents, messages, and text be any different? People all around the world use various social media platforms to send documents, messages, and text to people living in different countries, but what about the security of these items? Digital signatures were invented to secure such documents, messages, and text, ensuring that they remain intact and reach the receiver without being tampered with. Now, with digital signatures in place, people are at ease and can send their most important documents with high security, because the signature not only identifies the sender but also authenticates the fact that the document has not been tampered with. The authentication procedure of digital signatures addresses data security, confidentiality, and data integrity. Also, now that Certifying Authorities are in place, they bear the entire burden of issuing genuine certificates for such digital signatures.

[1] Ben Lutkevich, Vicki-Lynn Brunskill, and Peter Loshin, Definition of digital signature, SEARCHSECURITY (June 04, 2021, 08:27 PM), https://searchsecurity.techtarget.com/definition/digital-signature
[2] What is encryption? Types of encryption, CLOUDFLARE (June 04, 2021, 08:45 PM), https://www.cloudflare.com/en-in/learning/ssl/what-is-encryption/
[3] TechTarget Contributor, Definition of algorithm, TECHTARGET (June 04, 2021, 08:49 PM), https://whatis.techtarget.com/definition/algorithm#:~:text=An%20algorithm%20(pronounced%20AL%2Dgo,that%20solves%20a%20recurrent%20problem.
[4] Dominic Fraser, What are encryption Keys, and How do they work?, CODECLAN (June 04, 09:02 PM), https://medium.com/codeclan/what-are-encryption-keys-and-how-do-they-work-cc48c3053bd6
[5] Ankita Singh, Digital Signatures/DSC/History/Work/Creation/Need/Security/Comparison/Example, MSATECHNOSOFT (June 04, 2021, 10:02 PM), https://msatechnosoft.in/blog/digital-signature-dsc-history-working-need-security-create-example/
[6] Digital Signature, WIKIPEDIA (June 04, 2021, 11:48 PM), https://en.wikipedia.org/wiki/Digital_signature#History
[7] Source: Google Images
[8] Google Images
[9] What is an electronic signature?, CRYPTOMATHIC (June 05, 2021, 10:42 AM), https://www.cryptomathic.com/products/authentication-signing/digital-signatures-faqs/what-is-an-electronic-signature
[10] Difference Between Digital Signatures and Electronic Signatures, DIFFERENCEBETWEEN.NET (June 05, 2021, 11:29 AM), http://www.differencebetween.net/technology/difference-between-digital-signature-and-electronic-signature/
[11] Information Technology Act, 2000, No. 27, Acts of Parliament, 2000 (India), http://www.bareactslive.com/ACA/ACT632.HTM
[12] Information Technology Act, 2000, No. 27, Acts of Parliament, 2000 (India), http://www.bareactslive.com/ACA/ACT632.HTM
[13] Information Technology Act, 2000, No. 27, Acts of Parliament, 2000 (India), http://www.bareactslive.com/ACA/ACT632.HTM
[14] Ibid.
[15] Ibid.
[16] Ibid.
[17] Ibid.
[18] Ibid.
[19] Ibid.

Author- Sanchita Bera

LLM- II

The Maharaja Sayajirao University of Baroda, Faculty of Law, Vadodara
