THIS IS AN INTRODUCTION TO DIGITAL SIGNATURES (FOR THOSE WHO ARENT SURE WHAT THEY ARE).
What are Digital Signatures
A Digital Signature is the electronic
or digital equivalent of a physical signature. Just as a physical signature on
a paper document establishes the origin of that document, a digital signature
affixed to a digital document (computer file) establishes the origin of that digital
document.
Digital Signatures are much more
secure and ‘fool-proof’ compared to physical signatures. Physical signatures
are easily replicated or ‘forged’. On the other hand, the technology behind
Digital Signatures makes it virtually impossible to forge them.
Because of the higher security
associated with Digital Signatures and the many advantages associated with
storing documents electronically (as opposed to paper), governments in many
countries have passed laws and regulations encouraging (and in some cases
mandating) the usage of digitally signed electronic documents rather than paper
documents. For example, in India, Income Tax returns, Corporate returns etc are
to be digitally signed and uploaded electronically.
A Digital Signature is a sequence of
‘bytes’ or a code that has some special characteristics. A code generated for a
particular document by a particular signer is unique. An identical code cannot
be generated by another signer for the same document or by the same signer for
another document. This means that only the unique combination of that
particular document and that particular signer can generate a particular
digital signature.
When a person digitally signs a document,
he generates this unique code (signature) and attaches it to the document. The
receiver can verify that the code has indeed been generated by the Signer (and
by no other person). The receiver of the document can also readily verify that
the document has not been modified.
In India, the Government, via the
Controller of Certifying Authorities has authorized a set of entities to issue
Digital Signing Certificates (DSC). A DSC is necessary to be able to digitally
sign a document. The process of obtaining a DSC essentially involves submission
of paperwork that establishes your identity to the issuer.
Note: A digital signature is NOT a scanned
version of a physical signature. Furthermore, it is not possible to sign
another document just by looking at the digital signature on one document.
Technical details (Simplified description)
The technology and theory behind
Digital Signatures relies on mathematical concepts in the field of
Cryptography. What follows is a simplified description of these concepts. For a
rigorous, mathematical description, the reader may consult [1] and [2].
A Digital Signing Certificate contains
what is known as a ‘key-pair’ comprising a private key & a corresponding
public key. The private key is to be maintained securely & confidentially
(i.e. in private). The public key is shared with receivers of documents.
The process of signing a document
involves finding the ‘hash value’ of the document and then using the hash value
and the private key to generate the digital signature which is affixed to the
document along with the public key of the signer.
The receiver of the document can use
the public key of the signer and the digital signature to find out the ‘hash
value’ contained in the signature. He can compare this hash value with the hash
value directly computed from the received document to determine a match. If
there is a match, it means that the received document was indeed signed by the
signer as-is. If there is a mismatch, it means that either the document has not
actually been signed by the Signer or has been modified in transit.
There are several algorithms which can
provide the framework for the implementation that is described above. The most
commonly used algorithm is the known as the RSA algorithm. In order that
various systems for Digital Signatures are mutually compatible, there are
world-wide standards defined for how the key pairs should be generated and
encoded, algorithms used for hashing, generating digital signatures, formats of
digital signatures, verification processes, etc. The most commonly used set of
standards are the PKCS standards. Systems based on these standards are
therefore inter-compatible.
In practical systems however, all of
this technical complexity is hidden from the end user. The end-user only needs
to obtain a Digital Signing Certificate, and use it with the system to sign a
document. Similarly, a user can use the system to authenticate a signature and
a document that has been received.
The only precaution that the signer
needs to take is to keep his/her Digital Signing Certificate securely and not
share it with anyone.
Law
Digital Signatures are considered
equivalent to physical signatures by law in most countries around the world,
including US, European countries and India [3].
In India, the Information Technology
Act 2000 provides the legal sanctity for using Digital Signatures. The entire
Act can be found here [4]. However, Section 4 & Section 5 of the IT Act
2000 (India) are quoted below:
4. Legal recognition of electronic
records.
Where any law provides that information or any other matter shall
be in writing or
in the typewritten or printed form, then, notwithstanding anything
contained in such law,
such requirement shall be deemed to have been satisfied if such
information or matter
is—
(a) rendered or made available in an electronic form; and
(b)
accessible so as
to be usable for a subsequent reference.
5. Legal recognition of digital
signatures.
Where any law provides that information or any other matter shall
be authenticated
by affixing the signature or any document shall be signed or bear
the signature of any
person then, notwithstanding anything contained in such law, such
requirement shall be
deemed to have been satisfied, if such information or matter is
authenticated by means of
digital signature affixed in such manner as may be prescribed by
the Central Government.
Explanation.—For the purposes of this section,
"signed", with its grammatical
variations and cognate expressions, shall, with reference to a
person, mean affixing of his
hand written signature or any mark on any document and the
expression "signature" shall
be construed accordingly.
(Kindly consult the entire Act here
for details, procedures, specific exceptions, etc).
TRUECOPY Systems
TRUECOPY systems are based on common-used
world-wide standards and implement standard algorithms. In particular, our
system works with DSCs issued by any Certifying Authority in India. Further,
digital signatures created by our systems can be verified by other third-party
systems.
References:
