Verification of digital signatures

Verification of a digital signature is accomplished by computing a new hash result of the original message by means of the same hash function used to create the digital signature. Then, using the public key and the new hash result, the verifier checks:

  1. Whether the digital signature was created using the corresponding private key; and

  2. Whether the newly computed hash result matches the original hash result, which was transformed into the digital signature during the signing process.

The verification software will confirm the digital signature as verified if:

  1. The signer’s private key was used to digitally sign the message; and

  2. The message was unaltered, which is known to be the case if the hash result computed by the verifier is identical to the hash result extracted from the digital signature during the verification process.
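A worked example of this two-step check, added here and not code from the original article: using Go's standard library, the message is hashed with SHA-256, the hash result is transformed with an RSA private key into the signature, and verification is then attempted on the genuine message, on a tampered copy, and with an unrelated public key (the last two correspond to the message-authentication and signer-authentication points in the box that follows). The message text and key sizes are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage hashes the message (SHA-256) and transforms the hash result with
// the signer's private key (RSA PKCS#1 v1.5) into the digital signature.
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage is the two-step check from the text: recompute the hash result of
// the received message, then use the public key to confirm the signature was made
// over that same hash with the corresponding private key.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// SignatureDemo signs a constructed sample message and returns the verification
// outcome for the genuine message, a tampered copy, and an unrelated public key.
func SignatureDemo() (genuine, tampered, wrongKey bool, err error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048) // unrelated key pair
	if err != nil {
		return
	}
	msg := []byte("Pay Rs 5,000 to account 1234")      // constructed sample
	altered := []byte("Pay Rs 50,000 to account 1234") // one character inserted
	sig, err := SignMessage(signer, msg)
	if err != nil {
		return
	}
	genuine = VerifyMessage(&signer.PublicKey, msg, sig)
	tampered = VerifyMessage(&signer.PublicKey, altered, sig)
	wrongKey = VerifyMessage(&impostor.PublicKey, msg, sig)
	return
}

func main() { fmt.Println(SignatureDemo()) }
```

Only the genuine message verifies; a single inserted character changes the hash result, and a different public key cannot undo the private-key transformation.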



Box: Authentication process

  1. Signer authentication: If a public and private key pair is associated with an identified signer, the digital signature attributes the message to the signer. The digital signature cannot be forged, unless the signer loses control of the private key (a compromise of the private key), such as by divulging it or losing the media or device in which it is contained.

  2. Message authentication: The digital signature also identifies the signed message, typically with far greater certainty and precision than paper signatures. Verification reveals any tampering, since the comparison of the hash results (one made at signing and the other made at verifying) shows whether the message is the same as when signed.

  3. Affirmative act: Creating a digital signature requires the signer to use the signer’s private key. This act can perform the ceremonial function of alerting the signer to the fact that the signer is consummating a transaction with legal consequences.



Box: Penalties and fines


The IT Act 2000 has laid down the following penalties.

For anyone who is required under this Act, or any rules or regulations made thereunder, to:

(a) furnish any document, return or report to the Controller or the Certifying Authority: failure to furnish it attracts a penalty not exceeding Rs 1,50,000 for each such failure;

(b) file any return or furnish any information, books or other documents within the time specified in the regulations: failure to do so within that time attracts a penalty not exceeding Rs 5,000 for every day during which the failure continues;

(c) maintain books of account or records: failure to maintain them attracts a penalty not exceeding Rs 10,000 for every day during which the failure continues.

There is a residuary penalty too.

Whoever contravenes any rules or regulations made under the Act, for the contravention of which no penalty has been separately provided, shall be liable to pay compensation not exceeding Rs 25,000 to the person affected by such contravention, or a penalty not exceeding Rs 25,000.





Process And Perils Of Digital Signatures




Signing on a dotted line has never been so easy. Now there is no need for you to sign on a piece of paper to make a document legal. You can do it remotely with just a small, encrypted file. Digital signatures are already prevalent in 12 countries around the world and now India has become the 13th nation to add its name to the list. But what is the process involved in digitization of a signature? How secure is a signature once it is digitized? CI looks at these issues with a magnifying glass.




Digital signature is not a new technology. Researchers have been working on it since the late 1990s. It is only recently that it has generated a lot of interest among business circles because of the potential of e-business.


Already digital signatures are legally admissible in courts within the UK. The US too adopted the digital signature in September this year. In India the digital signature became legally valid in October after the IT Act 2000 had earlier laid down the required rules and regulations. But what is a digital signature?


A digital signature is a digital code that can be attached to an electronically transmitted message and uniquely identifies the sender. It is an electronic rather than a written signature that can be used by someone to authenticate the identity of the sender of a message or of the signer of a document. It can also be used to ensure that the original content of the message or document that has been conveyed is unchanged. Additional benefits to the use of a digital signature are that it is easily transportable, cannot be easily repudiated, cannot be imitated by someone else, and can be automatically time-stamped.


The digitization of signatures employs various asymmetric cryptosystems to create and verify digital signatures using different algorithms and procedures.


Samsung Electronic’s AGM, IT Sales, Vivek Prakash, explains why this mode has been chosen. “To encrypt or decrypt a file, one needs a cryptographic key. In symmetric cryptography, the sender and receiver agree upon one key, and use it to send encrypted messages.


The main problem here is that they must exchange keys in secrecy, and also trust each other to keep it secret. Asymmetric cryptography is more practical. It involves the use of two keys — a public key and a private key. The private key is known only to the sender, while the public key may be freely distributed. Both keys are mathematically related, but it is not easy to calculate one given the other,” he says.


A certification authority (CA) manages the creation, verification and distribution of these signatures. In India, the Reserve Bank of India and the Securities and Exchange Board of India have been appointed as CAs to date. These entities create the digital certificates that are the crux of the entire process. These certificates include the following details:



  1. The user’s name.

  2. A public key of the user. This is required so that others can verify the user’s digital signature.

  3. The validity period of the certificate.

  4. The specific operations for which the public key is to be used (whether for encrypting data, verifying digital signatures, or both).



Here comes the controller…


Kailash Nath Gupta, former director of C-DOT, has been appointed controller for digital signatures in India by MIT. It is his responsibility to supervise the activities of the CAs and lay down the standards that they must maintain.


A CA is an entity that is granted a licence to issue digital signature certificates and is responsible for secure online transactions. Any person can make an application to a CA for the issue of a digital signature certificate.


However, there is one catch. The IT Act 2000 states that every application shall be accompanied by a fee not exceeding Rs 25,000, as may be prescribed by the Central Government, to be paid to the CA. This prohibitive price could well act as a downer for the success of digitization.





Role of the CA


The CA’s signature on a certificate ensures that any tampering with the contents of the certificate can be easily detected. As long as the CA’s signature on a certificate can be verified, the certificate has integrity. The way this functions is very simple.


Once the CA has given a user his digital signature, it also gives a specific password that allows access to the material protected by the certificate. Every time the user attempts to access protected material within an electronic document, the password is checked against the CA’s database to validate the user’s signature.


Since the integrity of a certificate can be determined by verification, certificates are inherently secure and can be distributed in a completely public manner (for example, through publicly accessible directory systems).


Users retrieving a public key from a certificate can be assured that the public key is valid. That is, users can trust that the certificate and its associated public key belong to the entity specified by the distinguished name. Users also trust that the public key is still within its defined validity period. In addition, users are assured that the public key may be used safely in the manner for which the CA certified it.
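A worked example of the relying party's side of this, added here and not code from the original article or from any Indian CA: a sample CA issues a user certificate carrying the fields listed earlier (the user's name, public key, validity period and permitted key usage), and the check then verifies the CA's signature over that certificate and its validity period before the public key in it is trusted. It uses Go's standard library; the CA and subscriber names, keys and dates are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue has the CA key sign tmpl (self-signed when parent == tmpl) and returns the parsed result.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, caKey ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err) // only a malformed template or a mismatched key gets here
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, so it parses
	return cert
}

// CheckUserCert is the relying party's check before trusting the public key in a
// certificate: the CA's signature over it and its validity period at time at.
func CheckUserCert(ca, user *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := user.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}

// CertDemo builds a sample CA, issues a 30-day user certificate (name, public key,
// validity period, key usage) and reports whether it verifies 1 hour and 31 days later.
func CertDemo() (validNow, validLater bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader) // the user keeps the private half
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Sample CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: start, NotAfter: start.AddDate(1, 0, 0)}
	ca := issue(caTmpl, caTmpl, caPub, caKey)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject: pkix.Name{CommonName: "A Subscriber"}, // constructed sample name
		NotBefore: start, NotAfter: start.AddDate(0, 0, 30)}
	user := issue(userTmpl, ca, userPub, caKey)
	return CheckUserCert(ca, user, start.Add(time.Hour)) == nil,
		CheckUserCert(ca, user, start.AddDate(0, 0, 31)) == nil
}

func main() { fmt.Println(CertDemo()) }
```

The same check rejects the certificate once its validity period has passed, even though the CA's signature over it is still intact.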





Down with red-tapism


One of the reasons why more and more countries have shown a willingness to embrace digital signatures is to do away with bureaucratic red-tapism. Many a contract has been lost because the bidder was unable to get the signatures of all designated officials within the stipulated time. As against this, the creation and verification processes of digital signatures are capable of complete automation, with human interaction required only on an exception basis. Alekhya Talapatra, National Business Manager, Compaq Computer India, is confident that doing business will become easier. Transaction costs too will be cut down, which will make doing business easy.


Compared to antiquated paper methods such as checking specimen signature cards, digital signatures yield a high degree of assurance without adding greatly to the resources required for processing. Pavan Sood, MD, ITNation.com, likens the benefits of digital signatures over paper-based ones to the advantages of Internet communication over traditional modes of communication.


Agreeing with Alekhya, he adds, “Digital signatures will facilitate quicker authentication of documents, more efficient usage of corporate time, and carry forward the most critical benefit of the Internet medium – surpassing geographical distances.”


Samsung’s Vivek Prakash is happy that the problem of securing several encrypted messages has boiled down to securing just one private key. He is confident that digital signatures will enable secure and authentic transactions to be carried across open networks.


“These may involve authentication of electronic payments, official and legal communication, sites from which software is downloaded, and in smart cards,” he says. “The good news is that it is very difficult to forge the digital signature. With digital signatures, no one can force you to sign on a ‘blank paper’.”




Sealed with sign of the law


Now that the digital signature has also been awarded legal status, legally binding documents can be transferred electronically. This will allow business houses to conduct transactions and enter into binding contracts entirely by electronic means, saving a lot of time.


Concedes B Prasanna Kumar, Chief Manager — IT, Karnataka Bank, one of the first financial institutions in the country that will implement digitization, “Introduction of the new bill in parliament has legalized the digital signature. This system will allow customers to transact their business from their office or home on the basis of their digital signatures.”


Chief Technology Officer of Agmoz.com, Praveen Kumbnani, is happy about the positive effect the new legislation will have on e-commerce. Says he, “The first advantage that I see is that it will boost e-commerce. Users may not be comfortable with parting with their credit card numbers to a travel web site for bookings, as they are not confident about their security measures. However, this may not be the case with the advent of digital signatures. This will come as a definite boost for online transactions.”


Himanshu Goyal, Business Development Manager, Adobe Systems, however, is a bit cautious and says, “The Internet has become a new medium to do business through and the basic need here is authentication. That has to be solved. The advantages will then begin to roll in.”





Are we ready?


First, it is important to find out just how many takers there are for this. To start with, the price tag of Rs 25,000 for procuring a digital certificate has not won much favor. The second question is whether the Indian public is ready to accept digitization of signatures. Alekhya feels that, apart from MNCs and a few big Indian corporates, the market as a whole is immature and adoption may not be smooth.


One of the biggest security hazards of the advent of digital signatures is identity theft. The other problem is the tracing of a document to its recipient, leading to loss of privacy. Praveen Kumbnani, Chief Technology Officer, Agmoz.com, agrees with the latter contention. Says he, “The major pitfall that I see is the issue of privacy. Here I do not mean the commercial use of personal information. We will have something similar to cookies, and there is a potential that software will get written that will invade your computer and will then have access to all the information that is there in it. This is more of a misuse than a commercial use of private information. This is an undesirable aspect that could accompany digital signatures.” However, the upside is that, just as the OS has evolved from DOS to Windows, there is bound to be evolution here too, and that is what will move things forward and safeguard user privacy.


Already Adobe has made provisions for privacy protection in its software. Adobe Acrobat uses the 1024-bit RSA algorithm to embed the signature in the file. The text may be replicated, but the signature cannot be.


But it must be remembered that, since the private key is the essence of digitization, its loss could well cause many problems for the user. It is very easy to lose the private key, by divulging it to someone else or by losing the media on which it is stored. Hence most industry players advocate that the private key be safeguarded properly and kept at a secure location on the network.





Government can battle fraud


As with manual signatures, there is a chance that new frauds will arise with the implementation of digital signatures. However, monitoring them will not be as easy, Alekhya says. “The frauds will not be all that prominent, because there is always a provision for bad debts,” he says. “And I foresee the magnitude of bad debts going down.”


Though the onus of security rests largely on the government, it is important for corporates to be proactive too. Alekhya points out that the encouraging factor is the positive outlook adopted by the government, with new portfolios being created to increase the pace.


Talking about frauds, Praveen says, “The prime concern is monetary loss. A right mix of online and offline infrastructure to support the entire process will lead to minimizing the element of fraud. It can begin with a simple telephonic call to authenticate and verify. The offline support will help to build confidence in users faster. And there is no short cut to a learning curve.”


Another aspect will be the introduction of e-currency, which will prevent fraud beyond a particular value. Praveen adds that increased B2B business is the insurance of e-transactions. “Insurance companies with due support from the government will have to work on this, as there is no defined method to assess and measure risk. We conduct business with a bank because of its legacy; however, there is no such legacy when we talk about digital signatures. And the most appropriate party to do this is the government.”




Setting up the system


So we have the technology and the right attitude towards it. But when will we see widespread use of digitization? Says Alekhya of Compaq, “The time frame that I look at for major transactions to start happening is about a year, though smaller transactions will happen sooner.”


Praveen says, “The issue here is not time frame, but implementation. With a lot of hype about the whole thing, smart ways to put everything in place have to be figured out.”


Himanshu Goyal lauds the effort of the government and states, “With the government accepting digital signatures in principle, it will not be long before the whole thing is in place. Technology will adapt to the needs that come with the digital signature, and tools to enable the same will also soon be available.”


Pavan Sood, too, is optimistic about the way things are going. “Until recently, Indian courts did not recognize faxes and Internet documents as evidence in litigation procedures,” he says. “But with the IT Act in place and legalization of digital signatures, we can expect a boost in trade and business being conducted on the electronic exchanges.”


There is no doubt that adoption of digital signatures might take some time. But this time will help security experts untangle the security implications involved. Who in the end will be responsible for the security issues: the CA or the user? Right now no answers seem to be forthcoming, but it won’t be long before the CA makes its move.


Vinita Suvarna with inputs from Sunila Paul in Bangalore and our Senior Reporter in Delhi

