Friday, May 26, 2017

eSanad should become eSa-NAD

Recently the HRD ministry along with NIC launched a portal for online verification of educational documents. The initiative is titled eSanad, and CBSE has already joined in.

Read more here:

http://indianexpress.com/article/education/cbse-nic-in-cbse-launches-esanad-for-online-mark-sheet-result-document-verification-4671572/

http://indiatoday.intoday.in/education/story/cbse-nic-in-cbse-esanad-for-online-mark-sheet-result-2017/1/961949.html


The name "eSanad" could be a coincidence but there is no reason why this should not become eSa-NAD. I am of course referring to NAD (National Academic Depository), which is intended to store the educational records of all students. A few thoughts:

1) Government entities have demonstrated the ability to host and manage large amounts of confidential personal information (UIDAI is an example). There is no reason to believe that a Govt entity won't do a good job of managing an Academic Depository (for one, there will be much less data, and it will be a lot less sensitive).

2) The Govt (HRD / IT Ministries) could frame rules requiring all Depositories under NAD to share / backup the data they gather with eSanad. This will ensure that verifiers have a single location from where this data can be legitimately accessed, rather than having to register with multiple Depositories.

3) CBSE had earlier tried storing their records with the Depositories (NSDL / CDSL). They have now chosen to go with eSanad - a Government initiative hosted by NIC.

4) To reiterate the point made in an earlier post on the topic of NAD, the eSanad authority should publish APIs (just as UIDAI has done) to enable developers to build much needed applications for document verification.

eSanad will hopefully lead to faster realization of an Academic Depository, and put an end to the menace of fake educational credentials.



Friday, May 19, 2017

More on eKYC - an obvious, direct verification mechanism

The earlier post raises an important question: Is there an easier way to perform eKYC without becoming a KUA? 

The answer to that question is thankfully a "YES". But before we get to that, let us ask the question: What exactly is eKYC?

I find it is useful to view the UIDAI database as comprising the following groups of information:

1) The Aadhaar number (a unique number for every user)
2) Personal Information of the holder - such as full name, address, gender, date of birth, etc.
3) Biometric Information of the holder - such as Finger-prints, Iris scan, Photograph, etc.
4) Ownership Information of the holder such as Email Address, Phone number, etc.

Performing an eKYC involves ascertaining the following two separate facts, subject to consent of the concerned individual:

A) Ascertaining that the Personal Information & Ownership Information being presented by the holder of an Aadhaar number matches the Personal Information & Ownership Information stored in the UIDAI database against that Aadhaar number.
This is achieved by obtaining the Personal and Ownership Information from UIDAI in an authenticated manner.


B) Ascertaining that the individual presenting the Aadhaar number is who he / she claims to be, i.e., the genuine holder of that Aadhaar number.
This can be achieved in one of two ways. The Biometric-way relies on the assumption that if the individual is able to present biometric (fingerprint / iris) information that matches the Biometric Information stored in the UIDAI database, the individual is who he/she claims to be. The OTP-way relies on the assumption that if the individual can demonstrate ownership of the listed Phone number and Email Address (2 Factor Authentication), the individual is who he/she claims to be.


In the KUA approach, usually the biometric information of the individual is captured and sent to UIDAI along with the presented Aadhaar number. In return, UIDAI sends back the Personal Information stored in its database against this Aadhaar number.

This KUA approach helps ascertain both A) and B) above. A) is ascertained because the information is provided by UIDAI directly from its own database, and B) is ascertained because the individual's biometric is matched with that in the UIDAI database.

Consent is obtained via acceptance of "terms of service", as well as the assumption that the person willingly provided his biometrics.

Following the KUA approach imposes significant contractual obligations, including IT maintenance and audit costs. Thankfully, there also exists an easier way to ascertain A) and B), while ensuring individual consent.

This alternative method is the direct electronic-equivalent of an individual submitting his/her own self-attested paper-based identification documents - something we have been doing for decades for KYC. It requires an individual to simply submit his self-attested eAadhaar document.

The Personal Information of the individual is present in the eAadhaar document that can be freely downloaded from the UIDAI website by any individual. This eAadhaar document is digitally signed by UIDAI. The Personal Information contained in this digitally signed document is therefore authentic, and satisfies the requirement of A) above.

What remains to be ascertained is B), i.e., that the individual concerned is the genuine owner of that particular Aadhaar number. This can be done by getting the individual to self-attest (digitally sign) the eAadhaar document being submitted. The signature process outlined by UIDAI implicitly ascertains that the person signing is the genuine owner of that Aadhaar number. Further, the receiver can do additional verification by verifying the photograph on the eAadhaar document. Consent is ensured by making it a part of the self-attestation process.


In this alternative mechanism of eKYC, the UIDAI-signed eAadhaar document (including photo) is submitted by the individual Aadhaar-holder directly to the recipient. It therefore represents a clear & direct method to perform eKYC. There is no need to go through AUA / KUA approval processes, and one can get started immediately.

Needless to say, care must be taken to securely maintain all eAadhaar documents submitted by users.





Tuesday, May 9, 2017

Sharing eKYC Data - NOT to be done!

UIDAI has on several occasions reiterated the need for eKYC data to be kept confidential. Our own reading is that eKYC data should never be shared between two separate corporate entities, no matter what the relationship between them.

When sensitive data is 'shared' between two entities, it is theoretically no longer secure. This is because each of the two entities can now claim that any data leakage happened from the other entity (i.e., it provides each of them an avenue to repudiate any possible data leakage).

Any entity, large or small that wants eKYC data of residents should therefore obtain it from UIDAI directly, submit itself to the rules and regulations of UIDAI, and maintain all data securely. (This seems to be the view of several large companies as well - which encourage entities to directly work with UIDAI rather than go via them.)

Here is a blog link that makes for an interesting read & has some more relevant information on the topic:

http://blog.finahub.com/2015/12/can-you-get-ekyc-data-without-kua.html






Saturday, February 11, 2017

Making NAD successful


The National Academic Depository Bill requires all educational institutions in India to store their student credentials with SEBI approved depositories (presently limited to NSDL and CDSL). This Bill came about in response to the menace of fake degrees and certificates being presented by unscrupulous entities in order to secure employment / admissions. The Bill seeks to create central repositories where potential employers can verify the authenticity of candidates' educational credentials. This is a laudable objective, given how rampant the problem of fake credentials and certificates is in India.

The Govt of India is keen to get this rolled out quickly (see here and here), and the HRD minister seems keen as well.


Some observations:

1) Implementing the NAD is a massive Operational Challenge. Unless an eco-system is put in place, its adoption / implementation is unlikely to happen within a reasonable frame of time. While the depositories are large organizations and they have the backing of the law, it is unrealistic to expect them to have the man-power or the reach to connect with and bring on-board every single educational institution in the country.

2) Most of the initiatives under Digital India have focused on creating 'eco-systems' rather than a single entity becoming responsible for entire implementation. Probably the best example is the UIDAI, which has published Aadhaar 'APIs' or Application Programming Interfaces, that allow third parties to build applications and reach out to end-users. This is the single most important factor in the rapid adoption and success of Aadhaar based programs, and credit is due to the visionary leadership of UIDAI. If UIDAI had taken upon itself the responsibility of building every single application and attending to every single customer, it's unlikely the Aadhaar program would have been as successful as it has been. Another excellent example is the UPI interface, which will allow parties to build payment related applications for specific customer verticals / use-cases.

3) Educational Institutions are likely to require training / hand-holding in the adoption stages as well as on an on-going basis if they are to participate in the NAD. Educational credentials are generated semi-annually (at least), so in addition to initial on-boarding, educational institutions will need to process educational credentials for NAD at least two times annually. A large number of service providers in the education space already work with educational institutions all over India. (Truecopy Credentials is one of them). The Depositories should probably consider leveraging this existing eco-system to quickly enhance the adoption of NAD. Would it not be a win-win for all parties? (Depositories quickly build up their database, Educational Institutions get the on-premise service they need, and service providers earn a business - thereby providing more employment).


To summarize, the Depositories should consider exclusive focus on building out the backend technology and an API (Just like UIDAI). They should publish this API (can be of "paid-subscription" variety) and then train & qualify service providers to work with educational institutions. These service providers would effectively become stake-holders in growth and propagation of the system. With such an ecosystem in place, there is a good chance that most educational institutions in India would become part of the NAD within 2 years. 

Tuesday, February 7, 2017

Issues with verifying legally valid Digital Signatures in India

When PDF documents with valid Indian Digital Signatures are opened in Acrobat (Adobe) PDF readers, some users may see errors (the digital signatures don't get automatically verified).

Some Acrobat (Adobe) PDF readers need to be configured to be able to validate Indian Digital Signatures.

Detailed explanations of a couple of common issues & how-to resolve them are below:

http://truecopycredentials.blogspot.in/2017/01/how-does-one-verify-digitally-signed.html

http://truecopycredentials.blogspot.in/2017/02/on-esignature-verification-in-adobe.html



Thursday, February 2, 2017

More on eSignature verification in Adobe Readers

This post continues an earlier post on Validation of Indian Digital Signatures in the Acrobat PDF reader.

In an earlier post, we discussed including the Root certificate of Govt of India as a Trusted Certificate. In this post we will talk about another item dealing with Digital Signatures in India.

Aadhaar-based eSignatures are created using a one-time Digital Signing Certificate issued by the competent issuing authority under Govt of India. Not only is this Digital Signing Certificate for one-time use, but its signing validity is restricted to 30 minutes. This means that the document has to be signed within 30 minutes of the issuance of this certificate. (NOTE: Once signed, the signature is valid for ever. Only the signing process has to be completed within 30 mins).

For applications where Aadhaar-based signatures are used, the above works very well. The signed documents, when opened in Adobe PDF readers or Acrobat DC, show the usual blue band at the top with a Green tick that says that the signature is valid.

=======

Some users have recently reported that when they open an Aadhaar eSigned file, they do not see the green tick, but a yellow icon as below...



Question: Why does the signature validate correctly in certain readers, and not in others?


To understand this, we dig a bit deeper and find that the Signature doesn't verify because Adobe Reader does not have access to the CRL files for the corresponding certificates. (CRL = Certificate Revocation List).





Clicking on the "Check revocation" button does not seem to help.

The reason for this is that Adobe Reader does not access the CRLs if the time on the user's computer is outside the Signing Interval. (This is particularly cumbersome for Aadhaar-type certificates whose signing interval is limited to only 30 mins!)

How then do you get a Signature Valid message with a Green Tick?

Here are two possible solutions:


Option 1) You can include the CRL files in the Adobe cache. Here is how you do that:

Download this zip file crl.zip, and copy its contents (4 files) to the following folder:

On Windows 8 & Above:
 C:\Users\<loginusername>\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache

On Windows 7.x & Below:
 C:\Documents And Settings\Adobe\Acrobat\DC\Security\CRLCache

OR

Option 2) You can open one Aadhaar eSigned file within a few minutes of it being signed. Then you will be OK even if you open other files after a longer time 😲 (that's because when you open the first file, the Adobe reader fetches the CRLs and also stores them to cache).






Wednesday, January 4, 2017

Verifying a digitally signed pdf in India

How does one verify a digitally signed pdf has a valid signature in India?

(- This is a frequently asked question.)

A Digital Signature embedded in a PDF is supposed to be automatically recognized by Acrobat PDF reader. You will see a panel at the top of the page as shown below:




If the signature is not indicated as valid, there may be a couple of reasons for it, and these can be addressed as stated below:

1) The Indian Govt's "Root Certificate" is NOT in the default list of "Trusted Certificates" in Acrobat PDF Reader.

Hence, you may have to add the CCA India Root certificate to your list of trusted Certificates. All you are doing is telling your Acrobat PDF reader that you trust the Root Certificate of Govt of India.

The steps are as follows:

Click on Signature Panel. This opens a panel with information about who has signed the document.

In the information on the Panel, find Signature Details and click on it. Then click on Certificate Details.






Then in the dialog that comes up, click the Trust tab and on the left side, click on CCA India root certificate. Then click the button that says Add To Trusted Certificates. You may need to re-open the file. Thereafter, all documents legally signed in India will show in an Adobe reader at the top in the blue band "Signed and All signatures are valid".




But what if someone has impersonated the CCA India root certificate (in the PDF you are opening)? That is a good question. To ensure that the CCA India root certificate is genuine, look at its details in the Details tab, and click on Public Key. Make sure this matches the public key that is published on the http://cca.gov.in website for that certificate (with the exception of a 24 byte header in the PDF).
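The comparison described above can be scripted instead of done by eye. This is an added example, not code from the original post, CCA or Adobe; it assumes the 24 extra bytes are the DER SubjectPublicKeyInfo wrapper that precedes a 2048-bit RSA key with exponent 65537. The sample keys are constructed and all function names are hypothetical.

```python
import hashlib
import hmac

# DER AlgorithmIdentifier for rsaEncryption with NULL parameters (15 bytes).
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def _der(tag, value):
    """Encode one DER tag-length-value element."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def rsa_key_from_spki(spki):
    """Strip the SubjectPublicKeyInfo wrapper; return the bare RSAPublicKey."""
    tag, body, end = _read_tlv(spki, 0)
    if tag != 0x30 or end != len(spki) or not body.startswith(RSA_ALG_ID):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    tag, bits, end = _read_tlv(body, len(RSA_ALG_ID))
    if tag != 0x03 or end != len(body) or bits[:1] != b"\x00":
        raise ValueError("malformed BIT STRING")
    return bits[1:]


def same_public_key(key_a, key_b):
    """Compare two keys, each given as SubjectPublicKeyInfo or bare RSAPublicKey."""
    def bare(der):
        try:
            return rsa_key_from_spki(der)
        except ValueError:
            return der  # already the bare form
    return hmac.compare_digest(bare(key_a), bare(key_b))


def make_sample_key(seed):
    """Constructed 2048-bit sample (not a real key): returns (bare, spki)."""
    raw = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(8))
    modulus = bytes([raw[0] | 0x80]) + raw[1:-1] + bytes([raw[-1] | 1])
    bare = _der(0x30, _der(0x02, b"\x00" + modulus) + _der(0x02, b"\x01\x00\x01"))
    return bare, _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + bare))


PUBLISHED, SHOWN_IN_READER = make_sample_key(b"root")  # website form, PDF form
IMPOSTOR, _ = make_sample_key(b"other")

if __name__ == "__main__":
    print("header bytes:", len(SHOWN_IN_READER) - len(PUBLISHED))
    print("genuine match:", same_public_key(SHOWN_IN_READER, PUBLISHED))
    print("impostor match:", same_public_key(IMPOSTOR, PUBLISHED))
```

Parsing the wrapper rather than blindly skipping 24 bytes means a key of a different size or algorithm is rejected instead of being compared at the wrong offset.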




If you do not see CCA India as the root certificate, the document cannot be considered to be legally signed in India as per IT Act 2000.


(Continued in a subsequent post)

Sunday, January 1, 2017

SMS OTPs

UIDAI sends an OTP (One time password) for completing an Aadhaar based digital signature. This OTP arrives as an SMS to the Signer's registered mobile phone. Unless this OTP is used, the signature cannot be generated.

It has been observed that there is a significant delay in the arrival of OTPs at times when the SMS gateways of mobile operators are likely to be busy (such as during New Year's, Dec 31 - Jan 1), presumably because people are sending a lot of New Year messages.

I wonder if UIDAI can ensure that mobile operators prioritize their SMSes over others. This will ensure that OTPs for Digital Signatures arrive quickly.

(The good news is that most New Years messages that I got this time were on Whatsapp and not SMS).

Monday, December 5, 2016

THIS IS AN INTRODUCTION TO DIGITAL SIGNATURES (FOR THOSE WHO AREN'T SURE WHAT THEY ARE).

What are Digital Signatures

A Digital Signature is the electronic or digital equivalent of a physical signature. Just as a physical signature on a paper document establishes the origin of that document, a digital signature affixed to a digital document (computer file) establishes the origin of that digital document.

Digital Signatures are much more secure and ‘fool-proof’ compared to physical signatures. Physical signatures are easily replicated or ‘forged’. On the other hand, the technology behind Digital Signatures makes it virtually impossible to forge them.

Because of the higher security associated with Digital Signatures and the many advantages associated with storing documents electronically (as opposed to paper), governments in many countries have passed laws and regulations encouraging (and in some cases mandating) the usage of digitally signed electronic documents rather than paper documents. For example, in India, Income Tax returns, Corporate returns etc are to be digitally signed and uploaded electronically.

A Digital Signature is a sequence of ‘bytes’ or a code that has some special characteristics. A code generated for a particular document by a particular signer is unique. An identical code cannot be generated by another signer for the same document or by the same signer for another document. This means that only the unique combination of that particular document and that particular signer can generate a particular digital signature.

When a person digitally signs a document, he generates this unique code (signature) and attaches it to the document. The receiver can verify that the code has indeed been generated by the Signer (and by no other person). The receiver of the document can also readily verify that the document has not been modified.

In India, the Government, via the Controller of Certifying Authorities has authorized a set of entities to issue Digital Signing Certificates (DSC). A DSC is necessary to be able to digitally sign a document. The process of obtaining a DSC essentially involves submission of paperwork that establishes your identity to the issuer.

Note: A digital signature is NOT a scanned version of a physical signature. Furthermore, it is not possible to sign another document just by looking at the digital signature on one document.

Technical details (Simplified description)

The technology and theory behind Digital Signatures relies on mathematical concepts in the field of Cryptography. What follows is a simplified description of these concepts. For a rigorous, mathematical description, the reader may consult [1] and [2].

A Digital Signing Certificate contains what is known as a ‘key-pair’ comprising a private key & a corresponding public key. The private key is to be maintained securely & confidentially (i.e. in private). The public key is shared with receivers of documents.

The process of signing a document involves finding the ‘hash value’ of the document and then using the hash value and the private key to generate the digital signature, which is affixed to the document along with the public key of the signer.

The receiver of the document can use the public key of the signer and the digital signature to find out the ‘hash value’ contained in the signature. He can compare this hash value with the hash value directly computed from the received document to determine a match. If there is a match, it means that the received document was indeed signed by the signer as-is. If there is a mismatch, it means that either the document has not actually been signed by the Signer or has been modified in transit.

There are several algorithms which can provide the framework for the implementation that is described above. The most commonly used algorithm is known as the RSA algorithm. In order that various systems for Digital Signatures are mutually compatible, there are world-wide standards defined for how the key pairs should be generated and encoded, algorithms used for hashing, generating digital signatures, formats of digital signatures, verification processes, etc. The most commonly used set of standards are the PKCS standards. Systems based on these standards are therefore inter-compatible.
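The sign-and-verify flow described above, as an added example that is not part of the original post or of TRUECOPY's systems: RSA with SHA-256 and PKCS #1 v1.5 padding. The key is a constructed demo key built from two Mersenne primes (trivially factorable, for illustration only), and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key: the product of two Mersenne primes. NOT secure.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER DigestInfo prefix that PKCS #1 v1.5 puts in front of a SHA-256 hash.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_message(document):
    """Hash the document and wrap the hash in PKCS #1 v1.5 signature padding."""
    digest_info = SHA256_PREFIX + hashlib.sha256(document).digest()
    padding = b"\xff" * (K - len(digest_info) - 3)
    return b"\x00\x01" + padding + b"\x00" + digest_info


def sign(document):
    """Signer: apply the private key to the padded hash of the document."""
    em = int.from_bytes(encode_message(document), "big")
    return pow(em, D, N).to_bytes(K, "big")


def verify(document, signature):
    """Receiver: recover the padded hash with the public key and compare it
    with the padded hash computed from the document actually received."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, encode_message(document))


if __name__ == "__main__":
    doc = b"Degree certificate (constructed sample document)"
    sig = sign(doc)
    print("original document verifies:", verify(doc, sig))
    print("modified document verifies:", verify(doc + b" with honours", sig))
```

The verifier rebuilds the full expected padded block and compares it byte for byte, rather than parsing the recovered block to pull the hash out, which avoids accepting malformed padding.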

In practical systems however, all of this technical complexity is hidden from the end user. The end-user only needs to obtain a Digital Signing Certificate, and use it with the system to sign a document. Similarly, a user can use the system to authenticate a signature and a document that has been received.

The only precaution that the signer needs to take is to keep his/her Digital Signing Certificate securely and not share it with anyone.

Law

Digital Signatures are considered equivalent to physical signatures by law in most countries around the world, including US, European countries and India [3].
In India, the Information Technology Act 2000 provides the legal sanctity for using Digital Signatures. The entire Act can be found here [4]. However, Section 4 & Section 5 of the IT Act 2000 (India) are quoted below:

4. Legal recognition of electronic records.
Where any law provides that information or any other matter shall be in writing or
in the typewritten or printed form, then, notwithstanding anything contained in such law,
such requirement shall be deemed to have been satisfied if such information or matter
is—
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference.

5. Legal recognition of digital signatures.
Where any law provides that information or any other matter shall be authenticated
by affixing the signature or any document shall be signed or bear the signature of any
person then, notwithstanding anything contained in such law, such requirement shall be
deemed to have been satisfied, if such information or matter is authenticated by means of
digital signature affixed in such manner as may be prescribed by the Central Government.
Explanation.—For the purposes of this section, "signed", with its grammatical
variations and cognate expressions, shall, with reference to a person, mean affixing of his
hand written signature or any mark on any document and the expression "signature" shall
be construed accordingly.
(Kindly consult the entire Act here for details, procedures, specific exceptions, etc).

TRUECOPY Systems

TRUECOPY systems are based on commonly used world-wide standards and implement standard algorithms. In particular, our system works with DSCs issued by any Certifying Authority in India. Further, digital signatures created by our systems can be verified by other third-party systems.

References: