Monday, December 5, 2016
THIS IS AN INTRODUCTION TO DIGITAL SIGNATURES (FOR THOSE WHO ARENT SURE WHAT THEY ARE).
What are Digital Signatures
A Digital Signature is the electronic or digital equivalent of a physical signature. Just as a physical signature on a paper document establishes the origin of that document, a digital signature affixed to a digital document (computer file) establishes the origin of that digital document.
Digital Signatures are much more secure and ‘fool-proof’ compared to physical signatures. Physical signatures are easily replicated or ‘forged’. On the other hand, the technology behind Digital Signatures makes it virtually impossible to forge them.
Because of the higher security associated with Digital Signatures and the many advantages associated with storing documents electronically (as opposed to paper), governments in many countries have passed laws and regulations encouraging (and in some cases mandating) the usage of digitally signed electronic documents rather than paper documents. For example, in India, Income Tax returns, Corporate returns etc are to be digitally signed and uploaded electronically.
A Digital Signature is a sequence of ‘bytes’ or a code that has some special characteristics. A code generated for a particular document by a particular signer is unique. An identical code cannot be generated by another signer for the same document or by the same signer for another document. This means that only the unique combination of that particular document and that particular signer can generate a particular digital signature.
When a person digitally signs a document, he generates this unique code (signature) and attaches it to the document. The receiver can verify that the code has indeed been generated by the Signer (and by no other person). The receiver of the document can also readily verify that the document has not been modified.
In India, the Government, via the Controller of Certifying Authorities has authorized a set of entities to issue Digital Signing Certificates (DSC). A DSC is necessary to be able to digitally sign a document. The process of obtaining a DSC essentially involves submission of paperwork that establishes your identity to the issuer.
Note: A digital signature is NOT a scanned version of a physical signature. Furthermore, it is not possible to sign another document just by looking at the digital signature on one document.
Technical details (Simplified description)
The technology and theory behind Digital Signatures relies on mathematical concepts in the field of Cryptography. What follows is a simplified description of these concepts. For a rigorous, mathematical description, the reader may consult  and .
A Digital Signing Certificate contains what is known as a ‘key-pair’ comprising a private key & a corresponding public key. The private key is to be maintained securely & confidentially (i.e. in private). The public key is shared with receivers of documents.
The process of signing a document involves finding the ‘hash value’ of the document and then using the hash value and the private key to generate the digital signature which is affixed to the document along with the public key of the signer.
The receiver of the document can use the public key of the signer and the digital signature to find out the ‘hash value’ contained in the signature. He can compare this hash value with the hash value directly computed from the received document to determine a match. If there is a match, it means that the received document was indeed signed by the signer as-is. If there is a mismatch, it means that either the document has not actually been signed by the Signer or has been modified in transit.
There are several algorithms which can provide the framework for the implementation that is described above. The most commonly used algorithm is the known as the RSA algorithm. In order that various systems for Digital Signatures are mutually compatible, there are world-wide standards defined for how the key pairs should be generated and encoded, algorithms used for hashing, generating digital signatures, formats of digital signatures, verification processes, etc. The most commonly used set of standards are the PKCS standards. Systems based on these standards are therefore inter-compatible.
In practical systems however, all of this technical complexity is hidden from the end user. The end-user only needs to obtain a Digital Signing Certificate, and use it with the system to sign a document. Similarly, a user can use the system to authenticate a signature and a document that has been received.
The only precaution that the signer needs to take is to keep his/her Digital Signing Certificate securely and not share it with anyone.
Digital Signatures are considered equivalent to physical signatures by law in most countries around the world, including US, European countries and India .
In India, the Information Technology Act 2000 provides the legal sanctity for using Digital Signatures. The entire Act can be found here . However, Section 4 & Section 5 of the IT Act 2000 (India) are quoted below:
4. Legal recognition of electronic records.
Where any law provides that information or any other matter shall be in writing or
in the typewritten or printed form, then, notwithstanding anything contained in such law,
such requirement shall be deemed to have been satisfied if such information or matter
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference.
5. Legal recognition of digital signatures.
Where any law provides that information or any other matter shall be authenticated
by affixing the signature or any document shall be signed or bear the signature of any
person then, notwithstanding anything contained in such law, such requirement shall be
deemed to have been satisfied, if such information or matter is authenticated by means of
digital signature affixed in such manner as may be prescribed by the Central Government.
Explanation.—For the purposes of this section, "signed", with its grammatical
variations and cognate expressions, shall, with reference to a person, mean affixing of his
hand written signature or any mark on any document and the expression "signature" shall
be construed accordingly.
(Kindly consult the entire Act here for details, procedures, specific exceptions, etc).
TRUECOPY systems are based on common-used world-wide standards and implement standard algorithms. In particular, our system works with DSCs issued by any Certifying Authority in India. Further, digital signatures created by our systems can be verified by other third-party systems.