Making NAD successful

The National Academic Depository Bill requires all educational institutions in India to store their student credentials with SEBI approved depositories (presently limited to NSDL and CDSL). This Bill came about in response to the menace of fake degrees and certificates being presented in order to secure employment / admissions by unscrupulous entities. The Bill seeks to create central repositories where potential employers can verify the authenticity of candidate's educational credentials. This is a laudatory objective, given how rampant the problem of fake credentials and certificates is, in India.

The Govt of India is keen to get this rolled out quickly (see here and here), and the HRD minister seems keen as well.

Some observations:

1) Implementing the NAD is a massive Operational Challenge. Unless an eco-system is put in place, its adoption / implementation is unlikely to happen within a reasonable frame of time. While the depositories are large organizations and they have the backing of the law, it is unrealistic to expect them to have the man-power or the reach to connect with and bring on-board every single educational institution in the country.

2) Most of the initiatives under Digital India have focused on creating 'eco-systems' rather than a single entity becoming responsible for entire implementation. Probably the best example is the UIDAI, which has published Aadhaar 'APIs' or Application Programming Interfaces, that allow third parties to build applications and reach out to end-users. This is the single most important factor in the rapid adoption and success of Aadhaar based programs, and credit is due to the visionary leadership of UIDAI. If UIDAI had taken upon itself the responsibility of building every single application and attending to every single customer, it's unlikely the Aadhaar program would have been as successful as it has been. Another excellent example is the UPI interface, which will allow parties to build payment related applications for specific customer verticals / use-cases.

3) Educational Institutions are likely to require training / hand-holding in the adoption stages as well as on an on-going basis if they are to participate in the NAD. Educational credentials are generated semi-annually (at least), so in addition to initial on-boarding, educational institutions will need to process educational credentials for NAD at least two times annually. A large number of service providers in the education space already work with educational institutions all over India. (Truecopy Credentials is one of them). The Depositories should probably consider leveraging this existing eco-system to quickly enhance the adoption of NAD. Would it not be a win-win for all parties? (Depositories quickly build up their database, Educational Institutions get the on-premise service they need, and service providers earn a business - thereby providing more employment).

To summarize, the Depositories should consider exclusive focus on building out the backend technology and an API (Just like UIDAI). They should publish this API (can be of "paid-subscription" variety) and then train & qualify service providers to work with educational institutions. These service providers would effectively become stake-holders in growth and propagation of the system. With such an ecosystem in place, there is a good chance that most educational institutions in India would become part of the NAD within 2 years. 

Issues with verifying legally valid Digital Signatures in India

When PDF documents with valid Indian Digital Signatures are opened in Acrobat (Adobe) PDF readers, some users may see errors (the digital signatures don't get automatically verified).

Some Acrobat (Adobe) PDF readers need to be configured to be able to validate Indian Digital Signatures.

Detailed explanations of a couple of common issues & how-to resolve them are below:

http://truecopycredentials.blogspot.in/2017/01/how-does-one-verify-digitally-signed.html

http://truecopycredentials.blogspot.in/2017/02/on-esignature-verification-in-adobe.html

More on eSignature verification in Adobe Readers

This post continues an earlier post on Validation of Indian Digital Signatures in the Acrobat PDF reader.

In an earlier post, we discussed about including the Root certificate of Govt of India as a Trusted Certificate. In this post we will talk about another item dealing with Digital Signatures in India.

Aadhaar-based eSignatures are created using a one-time Digital Signing Certificate issued by the competent issuing authority under Govt of India. Not only is this Digital Signing Certificate for one-time use, but its signing validity is restricted to 30 minutes. This means that the document has to be signed within 30 minutes of the issuance of this certificate. (NOTE: Once signed, the signature is valid for ever. Only the signing process has to be completed within 30 mins).

For applications where Aadhaar-based signatures are used, the above works very well. The signed documents when opened in Adobe PDF readers or Acrobat DC will see the usual blue band at the top with a Green tick that says that the signature is valid.

=======

Some users have recently reported that when they open an Aadhaar eSigned file, they do not see the green tick, but a yellow icon as below...

Question: Why does the signature validate correctly in certain readers, and not in others?

To understand this, we dig a bit deeper and find that the Signature doesnt verify because Adobe Reader does not have access to the CRL files for the corresponding certificates. (CRL = Certification Revocation Lists).

Clicking on the "Check revocation" button does not seem to help.

The reason for this is that Adobe Reader does not access the CRLs if the time on the user's computer is outside the Signing Interval. (This is particularly cumbersome for Aadhaar-type certificates whose signing interval is limited to only 30 mins!)

How then do you get a Signature Valid message with a Green Tick?

Here are two possible solutions:

Option 1) You can include the CRL files in the Adobe cache. Here is how you do that:

Download this zip file crl.zip, and copy its contents (4 files) to the following folder:

On Windows 8 & Above:
 C:\Users\<loginusername>\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache

On Windows 7.x & Below:
 C:\Documents And Settings\Adobe\Acrobat\DC\Security\CRLCache

OR

Option 2) You can open one Aadhaar eSigned file within few minutes of it being signed . Then you will be OK even if you open other files after a longer time  😲  (that's because when you open the first file, the Adobe reader fetches the CRLs and also stores them to cache). 

eSigner

More about our mobile app - eSigner.

http://www.prnewswire.co.in/news-releases/truecopy-credentials-launches-aadhaar-based-esigning-solutions-for-documents-610887105.html

Verifying a digitally signed pdf in India

How does one verify a digitally signed pdf has a valid signature in India?

(- This is a frequently asked question.)

A Digitally Signature embedded in a PDF is supposed to be automatically recognized by Acrobat PDF reader. You will see a panel at the top of the page as shown below:

If the signature is not indicated as valid, there may be a couple of reasons for it, and these can be addressed as stated below:

1) The Indian Govt's "Root Certificate" is NOT in the default list of "Trusted Certificates" in Acrobat PDF Reader.

Hence, you may have to add the CCA India Root certificate to your list of trusted Certificates. All you are doing is telling your Acrobat PDF reader that you trust the Root Certificate of Govt of India.

The steps are as follows:

Click on Signature Panel. This opens a panel with information about who has signed the document.

In the information on the Panel, find Signature Details and click on it. The click on Certificate Details.

Then in the dialog that comes up, click the Trust tab and on the left side, click on CCA India root certificate. Then click the button that says Add To Trusted Certificates. You may need to re-open the file. Thereafter, all documents legally signed in India will show in an Adobe reader at the top in the blue band "Signed and All signatures are valid".

But what if someone has impersonated CCI India root certificate (in the pdf you are opening)? That is a good question. To ensure that the CCA India root certificate is genuine, look at its details in the Details tab, and click on Public Key. Make sure this matches the public key that is published on the http://cca.gov.in website for that certificate (with exception of a 24 byte header in the PDF).

If you do not see CCA India in as the root certificate, the document cannot be considered to be legally signed in India as per IT Act 2000.


(Continued in a subsequent post)

SMS OTPs

UIDAI sends an OTP (One time password) for completing an Aadhaar based digital signature. This OTP arrives as an SMS to the Signer's registered mobile phone. Unless this OTP is used, the signature cannot be generated.

It has been observed that there is a significant delay in the arrival of OTPs during times when SMS gateways of mobile operators are likely to be busy (such as during New Years (Dec 31 - Jan 1) - presumably because people are sending a lots of New Year messages.

I wonder if UIDAI can ensure that mobile operators prioritize their SMSes over others. This will ensure that OTPs for Digital Signatures arrive quickly.

(The good news is that most New Years messages that I got this time were on Whatsapp and not SMS).

THIS IS AN INTRODUCTION TO DIGITAL SIGNATURES (FOR THOSE WHO ARENT SURE WHAT THEY ARE).

What are Digital Signatures

A Digital Signature is the electronic or digital equivalent of a physical signature. Just as a physical signature on a paper document establishes the origin of that document, a digital signature affixed to a digital document (computer file) establishes the origin of that digital document.

Digital Signatures are much more secure and ‘fool-proof’ compared to physical signatures. Physical signatures are easily replicated or ‘forged’. On the other hand, the technology behind Digital Signatures makes it virtually impossible to forge them.

Because of the higher security associated with Digital Signatures and the many advantages associated with storing documents electronically (as opposed to paper), governments in many countries have passed laws and regulations encouraging (and in some cases mandating) the usage of digitally signed electronic documents rather than paper documents. For example, in India, Income Tax returns, Corporate returns etc are to be digitally signed and uploaded electronically.

A Digital Signature is a sequence of ‘bytes’ or a code that has some special characteristics. A code generated for a particular document by a particular signer is unique. An identical code cannot be generated by another signer for the same document or by the same signer for another document. This means that only the unique combination of that particular document and that particular signer can generate a particular digital signature. 

When a person digitally signs a document, he generates this unique code (signature) and attaches it to the document. The receiver can verify that the code has indeed been generated by the Signer (and by no other person). The receiver of the document can also readily verify that the document has not been modified.

In India, the Government, via the Controller of Certifying Authorities has authorized a set of entities to issue Digital Signing Certificates (DSC). A DSC is necessary to be able to digitally sign a document. The process of obtaining a DSC essentially involves submission of paperwork that establishes your identity to the issuer.

Note: A digital signature is NOT a scanned version of a physical signature. Furthermore, it is not possible to sign another document just by looking at the digital signature on one document.

Technical details (Simplified description)

The technology and theory behind Digital Signatures relies on mathematical concepts in the field of Cryptography. What follows is a simplified description of these concepts. For a rigorous, mathematical description, the reader may consult [1] and [2].

A Digital Signing Certificate contains what is known as a ‘key-pair’ comprising a private key & a corresponding public key. The private key is to be maintained securely & confidentially (i.e. in private). The public key is shared with receivers of documents.

The process of signing a document involves finding the ‘hash value’ of the document and then using the hash value and the private key to generate the digital signature which is affixed to the document along with the public key of the signer.

The receiver of the document can use the public key of the signer and the digital signature to find out the ‘hash value’ contained in the signature. He can compare this hash value with the hash value directly computed from the received document to determine a match. If there is a match, it means that the received document was indeed signed by the signer as-is. If there is a mismatch, it means that either the document has not actually been signed by the Signer or has been modified in transit.

There are several algorithms which can provide the framework for the implementation that is described above. The most commonly used algorithm is the known as the RSA algorithm. In order that various systems for Digital Signatures are mutually compatible, there are world-wide standards defined for how the key pairs should be generated and encoded, algorithms used for hashing, generating digital signatures, formats of digital signatures, verification processes, etc. The most commonly used set of standards are the PKCS standards. Systems based on these standards are therefore inter-compatible.

In practical systems however, all of this technical complexity is hidden from the end user. The end-user only needs to obtain a Digital Signing Certificate, and use it with the system to sign a document. Similarly, a user can use the system to authenticate a signature and a document that has been received.

The only precaution that the signer needs to take is to keep his/her Digital Signing Certificate securely and not share it with anyone.

Law

Digital Signatures are considered equivalent to physical signatures by law in most countries around the world, including US, European countries and India [3].

In India, the Information Technology Act 2000 provides the legal sanctity for using Digital Signatures. The entire Act can be found here [4]. However, Section 4 & Section 5 of the IT Act 2000 (India) are quoted below:

4. Legal recognition of electronic records.

Where any law provides that information or any other matter shall be in writing or

in the typewritten or printed form, then, notwithstanding anything contained in such law,

such requirement shall be deemed to have been satisfied if such information or matter

is—

(a) rendered or made available in an electronic form; and

(b) accessible so as to be usable for a subsequent reference.

5. Legal recognition of digital signatures.

Where any law provides that information or any other matter shall be authenticated

by affixing the signature or any document shall be signed or bear the signature of any

person then, notwithstanding anything contained in such law, such requirement shall be

deemed to have been satisfied, if such information or matter is authenticated by means of

digital signature affixed in such manner as may be prescribed by the Central Government.

Explanation.—For the purposes of this section, "signed", with its grammatical

variations and cognate expressions, shall, with reference to a person, mean affixing of his

hand written signature or any mark on any document and the expression "signature" shall

be construed accordingly.

(Kindly consult the entire Act here for details, procedures, specific exceptions, etc).

TRUECOPY Systems

TRUECOPY systems are based on common-used world-wide standards and implement standard algorithms. In particular, our system works with DSCs issued by any Certifying Authority in India. Further, digital signatures created by our systems can be verified by other third-party systems.

References:

[1] http://www.schneier.com/book-applied.html

[2] http://www.cs.bris.ac.uk/~nigel/Crypto_Book/

[3] http://www.cca.gov.in

[4] http://deity.gov.in/content/information-technology-act-2000

Govt of India has permitted use of Digital Signatures for most document types (barring a handful). Truecopy Credentials Pvt Ltd (www.truecopy.in) makes it easy for users to sign and manage documents electronically.