"Digital Signatures Under Information Technology Act 2000 ": Project Report

This document provides an overview of digital signatures. It discusses how digital signatures work using public key cryptography and hash functions. A digital signature is a way to verify the identity of the sender of a digital document and confirms the document has not been altered. The document outlines the technology behind digital signatures and how they are created and verified through encryption and decryption with a public/private key pair. It also mentions the role of a certifying authority in verifying identities and digital signature certificates.

Uploaded by

kartik

PROJECT REPORT

“DIGITAL SIGNATURES UNDER INFORMATION TECHNOLOGY ACT 2000”

INDEX
1. Introduction
2. Technology behind Digital Signatures
3. Cryptography
4. Creation of a Digital Signature
5. Role of Certifying Authority
6. Challenges and Opportunities
7. Conclusion
8. Bibliography

Introduction
Since the advent of the Internet and the gradual conversion of paperwork to computer files, a need has been felt to bring security and trustworthiness to Internet transactions. The year 2000 was an important one for India from the point of view of bringing the law up to date with modern times. The Information Technology Act 2000 gives legal recognition to electronic records and digital signatures. Conventional signatures are marks made by persons to authenticate a document and assure the receiver that the signer has signed it personally.

A signature signifies the legal identity of the person and is required to authenticate documents. The person affixing a signature to a document bears the legal responsibility arising out of it. Thus, a signature is not part of the substance of a transaction, but rather of its representation or form. Signing writings serves the following general purposes:

• Evidence
• Ceremony
• Approval
• Efficiency and Logistics

Digital signatures are also referred to as electronic signatures, or e-signatures. Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature, but not all electronic signatures use digital signatures. Practically speaking, each term refers to an electronic form of consent that authenticates a signer’s identity. A digital signature can be thought of as a digitized mark of approval, and is equivalent to a signature made with pen and paper. Digital signature software gives businesses the ability to collect these legally recognized signatures with more speed and efficiency.

Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. Furthermore, the ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later. They are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering. Digital signatures play a vital role in organizations, since this technology enables businesses to reduce human errors and ultimately minimizes paperwork.

Digital signatures enable businesses to manage their expenses and the cost of paperwork. These signatures also help companies show that they follow green policies and eco-friendly procedures by cutting back the use of paper. The technology even reduces the time consumed in sending numerous emails and documents, since the entire work is completed in a few moments. Corporations demonstrate sharp time management skills through this technology. As organizations move away from paper documents with ink signatures or authenticity stamps, digital signatures can provide added assurances of the evidence of provenance, identity, and status of an electronic document, as well as acknowledging informed consent and approval by a signatory.

Basically, a digital signature is a secure method of binding the identity of the signer with an electronic record or message. This method uses a public key cryptosystem, commonly known as an asymmetric cryptosystem, to generate the digital signature. A digital signature is defined as a short unit of data that bears a mathematical relationship to the data (electronic record or message) in the document's context and provides assurance to the recipient that the data is authentic. A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit. Digital signatures are based on public key encryption. [1]

The arrival of digital signatures, and their legalization by governments all over the world, has marked a new revolution in the world of electronic transactions. Digital signatures will make business transactions over the Internet easier and more reliable for businesses and consumers. Digital signatures are used to present any type of digital data, message or file in the form of numbers or a mathematical format. It is a technique used for verifying the authenticity of the message and the user. It tells the receiver of the message that it has been sent by the known source, and it also confirms that the file is secure to be explored. They are most often used for financial dealings and transactions, and also in some scenarios where the delivery of information is required to be confidential.

[1] It uses prime numbers like 2, 3, 5, 7, 9, 11 and so on, which can be divided only by themselves or by 1 and are incapable of division by other numbers.

ADVANTAGES -

In addition to improved security, digital signatures provide the following advantages:

1. No need to print out documents for signing;
2. Reduced storage of paper copies;
3. Improved management and access (anytime/anywhere) of electronic versus paper documents;
4. Elimination of need for faxing or overnight mailing—reduction of cycle time;
5. Improved security of document transmission; and
6. Enhanced management processes outside the ‘‘final signature’’ step.

Technology behind Digital Signatures:
A digital signature is not a digitized image of a handwritten signature. It is a block of data at the end of an electronic message that attests to the authenticity of the message using public key cryptography. [2] It requires a key pair (private key for encryption and public key for decryption) and a hash function (algorithm). It is a two-way process that involves two parties:

• Signer – creator of a digital signature.
• Recipient – verifier of a digital signature.

A digital signature is complete only if the recipient successfully verifies it. The complementary keys of an asymmetric cryptosystem for digital signatures are arbitrarily termed the private key, which is known only to the signer and used to create the digital signature, and the public key, which is ordinarily more widely known and is used by the relying party to verify the digital signature. If many people need to verify the signer’s digital signatures, the public key must be available or distributed to all of them, perhaps by publication in an online repository or directory where it is easily accessible. However, when this system is implemented securely, it is computationally infeasible to derive the private key from the public key, i.e. although many people may know the public key, they cannot discover the signer’s private key and forge digital signatures, since this system is based on the principle of ‘irreversibility’.

[2] Cryptography is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it. The term is most often associated with scrambling plaintext (ordinary text, sometimes referred to as cleartext) into ciphertext (a process called encryption), then back again (known as decryption).

Another fundamental function is the ‘hash’ function, which is used in both the creation and the verification of digital signatures. It is basically an algorithm which creates a digital representation or ‘fingerprint’ in the form of a ‘hash value’ or ‘hash result’ of a standard length, which is usually much smaller than the message but nevertheless substantially unique to it. Any change in the message invariably produces a different hash result when the same hash function is used. In the case of a secure hash function it is computationally infeasible to derive the original message from knowledge of its hash value, which is why it is termed a ‘one-way hash function’.

Cryptography:
Electronic signatures are created and verified by using cryptography. It is a process, or a branch of applied mathematics, that transforms a message into unintelligible form and then back into its original form. The conversion of plain text into cipher text is known as encryption, and the conversion of cipher text into plain text is called decryption. The purpose of encryption is to ensure confidentiality, secrecy and privacy by keeping the information hidden from anyone for whom it is not intended. Cryptography is therefore a technique to protect a message or an electronic record, and it allows secure communication of such a message or electronic record over an insecure medium.
[Figure: Plain Text (Sender/Subscriber) → Encryption (sender’s private key, used by the sender) → Cipher Text (Sender) → INTERNET → Cipher Text (Receiver) → Decryption (sender’s public key, used by the receiver) → Plain Text (Receiver)]

Types of Cryptography: It is basically of two types –

1. Symmetric Cryptography (Private key cryptographic system) – In symmetric cryptography there is a single secret key used for both encryption and decryption of a message, e.g. an Automatic Teller Machine (ATM) at a bank. When a person uses an ATM he gains access to his account by entering a personal identification number (PIN). The PIN is a secret number which is shared between the bank and the client. [3]

2. Asymmetric Cryptography (Public key cryptographic system) – In asymmetric cryptography there is a key pair, i.e. a public key and a private key. A private key is a secret key used by the signer to create a digital signature, whereas the public key is known to the public and used by the other party (receiver of the record) to verify the digital signature; the private key cannot be violated or compromised just by knowing the public key. [4]

• Encryption algorithm RSA – The most widely used public key encryption algorithm is RSA, named after its inventors Ron Rivest, Adi Shamir and Len Adleman, which was invented in 1977 and is patented.

[3] Sharma Vakul, ‘Information Technology and Practice’, p. 30 (2010).

Creation of a Digital Signature – The following steps are followed in creating a digital signature:
STEP I – The signer selects the data or electronic record to be signed. The selected data is known as the message, to which a hash function is applied to create a hash result, also known as a hash value or digital fingerprint, that is unique to the message.
STEP II – The signer uses his private key to transform the hash result into a digital signature; this transformation is known as encryption.
STEP III – The digital signature is attached to its message and is transmitted with its message to the recipient.

[Figure: Message → Hash function → Hash Result → Encryption (signer’s private key) → Digital Signature. Both the Message and the Digital Signature are sent to the recipient.]

[4] Principle of Irreversibility.

Rule 3 of the Information Technology (Certifying Authorities) Rules 2000: The manner in which information be authenticated by means of Digital Signature. – A Digital Signature shall,

(a) be created and verified by cryptography that concerns itself with transforming electronic record into seemingly unintelligible forms and back again;

(b) use what is known as “Public Key Cryptography”, which employs an algorithm using two different but mathematical related “keys” – one for creating a Digital Signature or transforming data into a seemingly unintelligible form, and another key for verifying a Digital Signature or returning the electronic record to original form,

the process termed as hash function shall be used in both creating and verifying a Digital Signature. Explanation: Computer equipment and software utilizing two such keys are often termed as “asymmetric cryptography”.

Creation and Verification of a Digital Signature – Rules 4 & 5 of the Information Technology (Certifying Authorities) Rules 2000:

(i) Creation of a Digital Signature – Rule 4 – To sign an electronic record or any other item of information, the signer shall first apply the hash function in the signer’s software; the hash function shall compute a hash result of standard length which is unique (for all practical purposes) to the electronic record; the signer’s software transforming the hash result into a Digital Signature using signer’s private key; the resulting Digital Signature shall be unique to both electronic record and private key used to create it; and the Digital Signature shall be attached to its electronic record and stored or transmitted with its electronic record.

(ii) Verification of a Digital Signature – Rule 5 – The verification of a Digital Signature shall be accomplished by computing a new hash result of the original electronic record by means of the hash function used to create a Digital Signature and by using the public key and the new hash result, the verifier shall check
(i) if the Digital Signature was created using the corresponding private key; and
(ii) if the newly computed hash result matches the original result which was transformed into Digital Signature during the signing process.
The verification software will confirm the Digital Signature as verified if:
(a) the signer’s private key was used to digitally sign the electronic record, which is known to be the case if the signer’s public key was used to verify the signature because the signer’s public key will verify only a Digital Signature created with the signer’s private key; and
(b) the electronic record was unaltered, which is known to be the case if the hash result computed by the verifier is identical to the hash result extracted from the Digital Signature during the verification process.
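
The creation and verification flow of Rules 4 and 5, as an added example that is not part of the original report: it uses textbook RSA (no padding) with SHA-256 from the Python standard library, mirroring the report's description of transforming the hash result with the private key. The key primes, the sample record and all function names are constructed for illustration; the primes are publicly known Mersenne primes, so these keys are not secure, and production signature schemes additionally pad the hash (for example RSASSA-PSS).

```python
import hashlib

# Constructed demo key material: Mersenne primes keep the example
# deterministic and stdlib-only. They are public knowledge, so a key built
# from them protects nothing; real keys use random secret primes.
P, Q = 2**521 - 1, 2**607 - 1
E = 65537  # public exponent


def make_keypair(p, q, e=E):
    """Return (public, private) as ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e*d = 1 (mod phi), Python 3.8+
    return (n, e), (n, d)


def hash_result(record: bytes) -> int:
    """Hash function step: fixed-length SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private_key) -> dict:
    """Rule 4 flow: hash the record, transform the hash result with the
    private key, and attach the signature to the record."""
    n, d = private_key
    return {"record": record, "signature": pow(hash_result(record), d, n)}


def verify(signed: dict, public_key) -> bool:
    """Rule 5 flow: compute a new hash result of the received record and
    compare it with the hash recovered from the signature by applying
    the signer's public key."""
    n, e = public_key
    signature = signed["signature"]
    if not 0 <= signature < n:  # reject values outside the key's range
        return False
    recovered = pow(signature, e, n)
    return recovered == hash_result(signed["record"])


def demo():
    """Genuine record, altered record, and verification with another key."""
    public_a, private_a = make_keypair(P, Q)
    public_b, _ = make_keypair(2**607 - 1, 2**1279 - 1)  # unrelated key pair
    signed = sign(b"Pay Rs. 5,000 to account 1234", private_a)
    tampered = dict(signed, record=b"Pay Rs. 50,000 to account 1234")
    return {
        "genuine": verify(signed, public_a),
        "altered_record": verify(tampered, public_a),
        "wrong_public_key": verify(signed, public_b),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'rejected'}")
```

Only the genuine record checked against the signer's own public key verifies; an altered record and a different public key both fail the hash comparison, which is the pair of conditions (a) and (b) above.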
Certifying Authority to issue Digital Signature Certificate – [5] A Certifying Authority is a body, either public or private, which grants Digital Signature Certificates to subscribers after proper identification and verification.
No Digital Signature Certificate can be granted unless the Certifying Officer is satisfied that –

• The applicant holds the private key corresponding to the public key to be listed in the Digital Signature Certificate.
• The applicant holds a private key which is capable of creating a digital signature.
• The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the applicant.

No application for issuance of a Digital Signature Certificate can be rejected unless the applicant is given a reasonable opportunity of showing cause against the proposed rejection. Before the issuance of a Digital Signature Certificate the Certifying Authority must –

(i) Confirm that the user’s name does not appear in its list of compromised users.

(ii) Comply with the procedure as defined in its Certification Practice Statement, including verification of identification and/or employment.

(iii) Comply with all privacy requirements.

(iv) Obtain the consent of the person requesting the Digital Signature Certificate that the details of such Digital Signature Certificate can be published on a directory service.

[5] Sections 35, 36, 37, 38, 39, IT Act 2000.

A subscriber shall be deemed to have accepted a Digital Signature Certificate if he publishes or authorizes the publication of the same –

• To one or more persons.
• In a repository; or
• If he otherwise demonstrates his approval to the Digital Signature Certificate in any manner.

The acceptance of a Digital Signature Certificate by the subscriber amounts to certifying to all those who reasonably rely on the information contained in the Digital Signature Certificate that –
(a) The subscriber holds the private key corresponding to the public key listed in the DS certificate and is entitled to hold the same.
(b) All representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the DS certificate.
(c) All information in the DS certificate that is within the knowledge of the subscriber is true.

Suspension of a DS certificate – In the following situations the Certifying Authority may suspend the same –
(a) On receipt of a request to that effect from –
(i) the subscriber listed in the DS certificate; or
(ii) any person duly authorized to act on behalf of that subscriber;
(iii) If it is of opinion that the DS certificate should be suspended in ‘public interest’.
A DS certificate cannot be suspended for a period exceeding 15 days unless the subscriber has been given an opportunity of being heard in that matter. The suspension of a DS certificate is required to be communicated to the subscriber by the Certifying Authority.

Revocation of a DS certificate by the Certifying Authority –
(a) Where the subscriber or any other person authorized by him makes a request to that effect.
(b) Upon the death of the subscriber.
(c) Upon the dissolution of the firm or winding up of the company where the subscriber is a firm/company.
Without prejudice to the aforesaid, a Certifying Authority may revoke a Digital Signature Certificate which has been issued by it at any time, if it is of opinion that –
1. A material fact represented in the Digital Signature Certificate is false or has been concealed.
2. A requirement for issuance of the Digital Signature Certificate was not satisfied.
3. The Certifying Authority's private key or security system was compromised in a manner materially affecting the Digital Signature Certificate's reliability.
4. The subscriber has been declared insolvent or dead or where a subscriber is a firm or a company, which has been dissolved, wound-up or otherwise ceased to exist.
A Digital Signature Certificate shall not be revoked unless the subscriber has been given an opportunity of being heard in the matter. On revocation of a Digital Signature Certificate under this section, the Certifying Authority shall communicate the same to the subscriber.

Proof as to verification of digital signature – Special legal status has been granted to secure digital signatures under Section 15 of the I.T. Act 2000. In order to ascertain whether a DS is that of the person by whom it purports to have been affixed, the Court may direct –
(a) that person or the Controller or the Certifying Authority to produce the DS certificate;
(b) any other person to apply the public key listed in the Digital Signature Certificate and verify the DS purported to have been affixed by the person.
When the court has to form an opinion as to the DS of any person, the opinion of the Certifying Authority which has issued the DS certificate is a relevant fact.
Where a secure DS is involved the Court shall presume, unless the contrary is proved, that it has been affixed with the intention of signing or approving the electronic record. Whether a DS is secure or not is a question of fact to be proved by evidence upon which it shall be presumed unless the contrary is proved.

CHALLENGES AND OPPORTUNITIES: The prospect of fully implementing digital signatures in general commerce presents both benefits and costs. The costs consist mainly of:
• Institutional overhead: The cost of establishing and utilizing certification authorities, repositories, and other important services, as well as assuring quality in the performance of their functions.
• Subscriber and Relying Party Costs: A digital signer will require software, and will probably have to pay a certification authority some price to issue a certificate. Hardware to secure the subscriber's private key may also be advisable. Persons relying on digital signatures will incur expenses for verification software and perhaps for access to certificates and certificate revocation lists (CRL) in a repository.
Digital signatures offer a wide range of advantages for business processes. However,
organizations need to carefully consider what features are best suited to their individual
business needs and then work towards implementing a complete digital signature solution
rather than buying different products in a piecemeal manner to address various issues. A
complete solution should address application interoperability, browser independence and
ease of use.
Digital signatures if properly implemented and utilized offer promising solutions to the
problems of: Imposters, by minimizing the risk of dealing with imposters or persons who
attempt to escape responsibility by claiming to have been impersonated; Message
integrity, by minimizing the risk of undetected message tampering and forgery, and of
false claims that a message was altered after it was sent; Formal legal requirements, by
strengthening the view that legal requirements of form, such as writing, signature, and an
original document, are satisfied, since digital signatures are functionally on a par with, or
superior to paper forms; and Open systems, by retaining a high degree of information
security, even for information sent over open, insecure, but inexpensive and widely used
channels. Further, Digital signature, possible now only through computers in India, will
soon be provided through mobile phones. The biggest beneficiary of mobile digital
signatures would be m-Governance services, as all government services need signatures by
citizens while sending their applications to any government department.

CONCLUSION- Digital signatures are a valuable technology for every major corporation. As
digital data are not reliable, there are areas where they are not used. Most of all, contracts,
receipts, approvals and similar data are almost worthless in a digital form, as they can
easily be altered. Hand-made signatures don’t change this situation, because it is easy to
transfer a signature from one document to another or to modify a document that is signed.
The solution for these issues has been around for two decades: digital signatures. Many
traditional and newer businesses and applications have recently been carrying out
enormous amounts of electronic transactions, which have led to a critical need for
protecting the information from being maliciously altered, for ensuring the authenticity,
and for supporting non-repudiation. The digital signature is here to stay and it should. The
next challenge, however, is making it easier to get one.
Bibliography
Books Referred:
• Vakul Sharma, ‘Information Technology: Law & Practice’, Universal Law Publishing Co., New Delhi, 3rd edn.
• Dr. Jyoti Rattan, ‘Cyber Laws’, Bharat Law House Pvt. Ltd., New Delhi, 2011 edn.
• Dr. Farooq Ahemed, ‘Cyber Law in India’, New Era Law Publishers, 3rd edn., 2008.
• D.P. Mittal, ‘Law of Information Technology (Cyber Law)’, Taxmann, 2000.
• Information Technology Act 2000 (Bare Act).

Weblinks:
• http://www.abhinavjournal.com/images/Management_&_Technology/Mar13/13.pdf
• http://www.legalserviceindia.com/article/l212-Digital-Signatures.html
• http://www.certificatetiger.com/News/law-of-digital-signature.htm
• http://deity.gov.in/content/digital-signature-certificates
• http://www.wipo.int/wipolex/en/text.jsp?file_id=196537#LinkTarget_323
