UNIVERSITY OF HYDERABAD

CENTRE FOR DISTANCE AND VIRTUAL LEARNING

PGDCL & IPR

ASSIGNMENT
COURSE CODE : DCL 422
Electronic Records/Digital Signatures & Certificates
2. What is a Digital Certificate? How does digital signature
look like & use of electronic records or digital signature be
valid in Government and its agencies.
Ans:

Digital Signature :

A digital signature is an electronic form of a signature that can be used

to authenticate the identity of the sender of a message or the signer of a
document, and to ensure that the original content of the message or
document that has been sent is unchanged. Digital signatures are easily
transportable and cannot be imitated by someone else and can be
automatically time-stamped. The ability to ensure that the original
signed message arrived means that the sender cannot easily disclaim it
later. A digital signature can be used with any kind of message, whether
it is encrypted or plaintext.

Thus Digital Signatures provide the following three features:

Authentication: Digital signatures are used to authenticate the source of
messages. The ownership of a digital signature key is bound to a specific
user and thus a valid signature shows that the message was sent by that
user.
Integrity : In many scenarios, the sender and receiver of a message need
assurance that the message has not been altered during transmission.
Digital Signatures provide this feature by using cryptographic message
digest functions.
Non Repudiation : Digital signatures ensure that the sender who has
signed the information cannot at a later time deny having signed it.

Digital Certificate :
Digital Certificate is the electronic format of physical or paper certificate
like a driving License, passport etc. Certificates serve as proof of
identity of an individual for a certain purpose;
For example, a Passport identifies someone as a citizen of that country;
who can legally travel to any country. Likewise, a Digital Signature
Certificate can be presented electronically to prove your identity, to
access information or services on the Internet or to sign certain
documents digitally.
Authentication is strengthened by the use of Digital Certificates. In
many ways, Digital certificates are the heart of secure electronic
transactions.
Digital certificate signature is a computer generated record. It contains
the identity of the subscriber, the public key, and is digitally signed by
the certifying authority. The digital Signature certificate shall be
associated with both public key and private key.
Digital Signature Certificates are endorsed by a trusted authority
empowered by law to issue them, known as the Certifying Authority or
CA. The CA is responsible for vetting all applications for Digital
Signature Certificates, and once satisfied, generates a Digital Certificate
by digitally signing the Public key of the individual along with other
information using its own Private key.
Classes of Digital Signature Certificates:
Class 1 : Certificates shall be issued to individuals/private subscribers.
These certificates will confirm that user’s name (or alias) and
E-mail address form an unambiguous subject within the
Certifying Authorities database.
Class 2 : Certificates will be issued for both business personnel and
private individuals use. These certificates will confirm that
the information in the application provided by the subscriber
does not conflict with the information in well recognized
consumer databases.
Class 3 : Certificates will be issued to individuals as well as
organizations. As these are high assurance certificates,
primarily intended for ecommerce applications, they shall
be issued to individuals only on their personal (physical)
appearance before the Certifying Authorities.

Types of Digital Signature Certificates :

1. Individual Digital structure Certificates

2. Server Certificates
3. Encryption Certificates

Digital Signature Look Like and Work :

The Digital Signatures require a key pair (asymmetric key pairs,
mathematically related large numbers) called the Public and Private
Keys.

Just as physical keys are used for locking and unlocking, in

cryptography, the equivalent functions are encryption and decryption.

The private key is kept confidential with the owner usually on a secure
media like crypto smart card or crypto token.
The public key is shared with everyone. Information encrypted by a
private key can only be decrypted using the corresponding public key.

In order to digitally sign an electronic document, the sender uses his/her

Private Key.
In order to verify the digital signature, the recipient uses the sender’s
Public Key.
Validity of use of Electronic Records or Digital Signatures in
Government and its Agencies:

The Indian Information Technology Act-2000 came into effect from

October 17, 2000. One of the primary objectives of the Information
Technology Act of 2000 was to promote the use of Digital Signatures
for authentication in e-commerce & e-Governance.

Towards facilitating this, the office of Controller of Certifying

Authorities (CCA) was set up in 2000.
The CCA licenses Certifying Authorities (CAs) to issue Digital
Signature Certificates (DSC) under the IT Act 2000.

Certifying authority can issue a Digital certificate to a subscriber. Sec 35

of the act and the Certifying Authority Rules framed under the Act
stipulates the methods for issuance of a Digital Certificate.
The standards and practices to be followed were defined in the Rules
and Regulations under the Act and the Guidelines that are issued by
CCA from time to time.
The Root Certifying Authority of India (RCAI) was set up by the CCA
to serve as the root of trust in the hierarchical Public Key Infrastructure
(PKI) model that has been set up in the country.
The RCAI with its self-signed Root Certificate issues Public Key
Certificates to the licensed CAs and these licensed CAs in turn issue
DSCs to end users.

Section 5 of the Act gives legal recognition to digital signatures based

on asymmetric cryptosystems. The digital signatures are now accepted at
par with the handwritten signatures and the electronic documents that
have been digitally signed are treated at par with the paper based
documents.
An Amendment to IT Act in 2008 has introduced the term electronic
signatures. The implication of this Amendment is that it has helped to
broaden the scope of the IT Act to include other techniques for signing
electronic records as and when technology becomes available.
The filing of forms, applications etc. in electronic form will be valid in
Government and its agencies.
Sec 6(1) of the IT Act states that where any law provides for the filing of
any form, application or any other document with any office,authority,
body, or agency owned or controlled by the appropriate Government in
a particular manner;
The issue or grant of any licence, permit, sanction approval by whatever
name called in particular manner;
The receipt or payment of money in a particular manner, then ,
notwithstanding anything contained in any other law for time being in
force , such requirement shall be deemed to have been satisfied if such
filing, issue, grant, receipt or document, as the case may be , is effected
by means of such electronic form as may be prescribed by the
appropriate Government.
Controller of CA may give recognition to foreign certifying authorities
and the digital signature certificate issued by them will be valid.
Section 19 of the IT Act has made provision for this.

PKI is the acronym for Public Key Infrastructure. The technology is

called Public Key cryptography because unlike earlier forms of
cryptography it works with a pair of keys one of which is made public
and the other is kept secret. One of the two keys may be used to encrypt
information which can only be decrypted with the other key.
The secret key is usually called the private key. Since anyone may
obtain the public key, users may initiate secure communications without
having to previously share a secret through some other medium with
their correspondent. PKI is thus the underlying system needed to issue
keys and certificates and to publish the public information. PKI is a
combination of software, encryption technologies, and services that
enable enterprises to protect the security of their communications and
business transactions over networks by attaching so-called “digital
signatures” to them.
The Office of the Controller of Certifying Authorities (CCA), has been
established under the Information Technology (IT) Act 2000 for
promoting trust in the electronic environment of India.

The current PKI organization structure in India consists of the Controller

of Certifying Authority as the apex body and as the Root Certifying
Authority of India (RCAI).

The CCA is entrusted with the following responsibilities : -

 Licensing Certifying Authorities (CAs) under section 21 of the IT
Act and exercising supervision over their activities.
 Controller of Certifying Authorities as the “Root” Authority
certifies the technologies and practices of all the Certifying
Authorities licensed to issue Digital Signature Certificates
 Certifying the public keys of the CAs, as Public Key Certificates
(PKCs).
 Laying down the standards to be maintained by the CAs.
 Conflict resolution between the CAs
 Addressing the issues related to the licensing process including:
a) Approving the Certification Practice Statement (CPS);
b) Auditing the physical and technical infrastructure of the
applicants through a panel of auditors maintained by the CCA.
4. Distinguish between Electronic and Digital Signatures.
Explain in detail the functioning of the Public Key
Infrastructure (PKI).
Explain how transactions done with PKI have Legal
Sanction in India.
Ans:

Distinguish between Electronic Signature and Digital Signature :

A Digital signature is a kind of Electronic signature, but are distinct.

Digital Signature is more secure and tamper-evident,
which encrypt the document and permanently embed the information in
it if a user tries to commit any changes in the document then the digital
signature will be invalidated. On the other hand, an Electronic Signature
is similar to digitalized handwritten signature verified with the signer’s
identity such as email, corporate ID’s, phone PIN etcetera.

Definition of Digital Signature :

The Digital Signature is a type of electronic signature and follows the

particular standards. It imparts independent verification and tamper
evidence. The verification of digital signatures is done by the trusted
third party commonly referred to a Certificate Authority.

Certificate authorities bind the user’s identity to a PKI-based digital

certificate which allows the user to apply digital signatures to the
document and the cloud-based signing platforms. When a digital
signature is employed to a document, a cryptographic
operation attaches digital certificate with the data into one unique
fingerprint.

The message is signed by the private key of the sender which is only
known to him/her; this ensures authentication of the message source.
The message and its signature cannot be changed thenceforth signing a
message. Sender and receiver do not have to worry about transit
alteration without the private key, the message and its signature could
never be altered. The sender of the message cannot refuse having signed
a signature if it is valid. Digital signature distinctively correlates with the
corresponding message and renders integrity.

Digital signatures need not separate from a message or document for

using it in another document. These types of signatures depend on the
document as well as on the signer.

Digital signature scheme steps:

 Key generation: The public key and its correlated private key of the user is
computed in this step.
 Signing: The corresponding message is signed by the user with his/her
private key.
 Verification: In this step, the signature for a provided message against the
public key is verified.

Definition of Electronic Signature

Electronic Signatures use a technology that binds the signature to the

signer’s identity and the time it was signed. An electronic signature
could be a process attached, electronic symbol or sound to a message,
contract or document which can be used to get consent or approval on
electronic documents or forms. Electronic signatures are a substitute for
handwritten signatures in practically each personal or business process.

It uses general electronic authentication technique to justify signer

identity, such as email, corporate ID etc. When security needed to be
enhanced multifactor authentication can also be used. The efficient e-
signature solutions indicate proof of signing by utilizing a secure process
of audit trail along with the final document. It does not use encryption
and is not secure enough to find the tampering like digital signature.
Key Differences Between Digital Signature and Electronic Signature

1. Digital signatures are consistently time-stamped while in electronic

signature date and time can be associated with it but placed
separately.

2. Digital Signatures comply the standards and enhance security by

using cryptographic encryption methods. As against, electronic
signatures does not depend on standards and tend to be less secure
comparatively.

3. Authentication mechanism used in the electronic signature is not

defined and uses signer’s email, phone PIN, etc. In contrast, digital
signature involves certificate-based digital ID authentication
method.

4. Digital signature ensures the security of the digital document

whereas electronic signature is used for verifying the digital
document.

5. In the digital signature, the signature validation is performed by the

trusted certificate authorities while it is not the case in electronic
signature.

6. Electronic signatures are prone to tampering. On the contrary,

digital signatures are highly secured and offer tamper evidence.

Functioning of the Public Key Infrastructure (PKI) :

PKI Components:
There are three core functional components to a PKI:
• The Certificate Authority (CA) , an entity which issues certificates.
One or more in-house servers, or a trusted third party such as VeriSign
 or GTE, can provide the CA function.
• The repository for keys, certificates and Certificate Revocation Lists
(CRLs) is usually based on an Lightweight Directory Access Protocol
(LDAP)-enabled directory service.
• A management function, typically implemented via a management
console.

If the PKI provides automated key recovery, there may also be a key
recovery service. Key recovery is an advanced function required to
recover data or messages when a key is lost.
In addition, there may be a separate Registration Authority (RA), an
entity dedicated to user registration and accepting requests for
certificates. User registration is the process of collecting user
information and verifying user identity, which is then used to register a
user according to a policy. This is distinct from the process of creating,
signing, and issuing a certificate. The Human Resources department may
manage the RA function, for instance, while Information Technology
manages the CA. A separate RA also makes it harder for any single
department to subvert the security system. Organizations can choose to
have registration handled by a separate RA, or included as a function of
the CA.
Note that the CA, RA and so on are functional components that may be
implemented in various ways in hardware and software. In particular,
the CA can be implemented on one or more servers, as can the RA.
Systems performing CA and RA functions are often referred to as
Certificate Servers and Registration Servers respectively.

PKI Functions:
The most common PKI functions are issuing certificates, revoking
certificates, creating and publishing CRLs, storing and retrieving
certificates and CRLs, and key lifecycle management. Enhanced or
emerging functions include time-stamping and policy-based certificate
validation.
Issuing certificates :
The CA signs the certificate, thereby authenticating the identity of the
requestor, in the same way that a notary public vouches for the signature
and identity of an individual. In addition, the CA “stamps” the certificate
with an expiration date. The CA may return the certificate to the
requesting system and/or post it in a repository.

Revoking certificates :
A certificate may become invalid before the normal expiration of its
validity period. For instance, an employee may quit or change names, or
a private key may be compromised. Under such circumstances, the CA
revokes the certificate by including the certificate’s serial number on the
next scheduled CRL.
Storing and retrieving certificates and CRLs :
The most common means of storing and retrieving certificates and CRLs
is via a directory service, with access via LDAP. Other options include
X.500 compatible directories, HTTP, FTP, and e-mail.
Providing trust :
Each public key user must have at least one public key from a CA that
the user trusts implicitly. Organizations can establish and maintain trust
within a single security management domain through a thorough audit of
the CA’s policies and procedures, repeated at regular intervals.
However, organizations need to evaluate (and accept or reject)
certificates from CAs not under their direct control, such as CAs of other
business units or partners. This can be accomplished through
hierarchical certification path processing or direct cross-certification.

Certification Path Processing :

The best known hierarchical certification path processing architectures
are those maintained by PKI service organizations such as VeriSign.
Typically, in such a hierarchy:
1. There is a single root at the top.
2. The root certifies public primary certification authorities
 (PCAs), which issue, suspend, and revoke certificates for all CAs
within the hierarchy.
3. PCAs certify CAs. PCAs may also cross-certify with
PCA-like entities in other vendors’ PKIs.
4. CAs authorize subordinate CAs, which belong to the PKI
service company or the customer.
5. At the bottom of the hierarchy can be local registration
authorities (LRAs) that evaluate certificate applications
on behalf of the root, PCA, or CA that issues the
certificates.
If a user does not already trust the CA that signed a certificate, the user
searches upward through the hierarchy for a trusted CA that has certified
the public key of the CA in question.
Cross-Certification :
One CA can issue another CA a certificate that allows the other CA to
issue certificates which will be recognized by the first CA. Cross-
certification works directly, without a third party.
Hierarchical and Cross-Certification Can Be Combined :
It can make sense to implement both hierarchical and crosscertification
in a single security domain, for different purposes or at different times.
For instance, a hierarchical system based on a trusted third party may be
necessary when setting up or expanding a PKI, but the bulk of day-to-
day interoperability may be accomplished via cross-certification.
Time-Stamping :
In addition to the content and authenticity of a transaction, the exact time
of the transaction can be important. For instance, a transaction may have
to be submitted by a certain time to be valid. The solution to having
trusted transactions is to combine digital signatures with time-stamps.
This can be accomplished by augmenting a PKI with a time-stamping
service.
Policy-based certificate path validation:
Evaluating a certificate may require searching through a long chain of
CAs. Ideally, every CA in the path would support any policy
requirements associated with the validation. Such policy-based
certificate path validation is not yet a standard part of CA functionality.
However, some vendors are beginning to support it, and work is
proceeding to define standards in this area.
Policy mapping matches one CA’s policy to another, allowing CAs to
interoperate if they support similar but not necessarily identical policies.
It may be desirable to prohibit policy mapping, so that the path will be
validated only if the CAs have identical policies.

Key lifecycle management :

The PKI performs some functions, such as issuing a certificate and
listing a certificate on a CRL, in response to a current request. In
contrast, key lifecycle functions, such as updating, backing up, and
archiving keys, are performed routinely.

Each user is likely to have a number of keys that require lifecycle

management. For instance, users typically have at least one key pair for
each secure application (e.g. e-mail, desktop file encryption, VPN).
Some applications use several key pairs for different purposes, such as
digital signatures, bulk encryption, and authentication.

Updating Keys:
New keys are usually issued at regular intervals, such as every year or
two, to reduce the exposure from keys that have been unknowingly
compromised.
Backing Up Keys :
Users frequently forget the passwords that protect their private keys; or
they may “lose” the keys, for example, through a disk crash or virus
attack. The company should be able to restore the keys to the user.
Archiving Keys:
When employees leave the company, the network manager invalidates
their encryption keys for future use, while retaining the keys in order to
access previously encrypted files and email messages. Keys used for
digital signatures may be retained for as long as the signed documents,
so signatures can be verified. Note that many organizations archive
encryption keys but not signing keys, since the availability of archived
signing keys could invite abuse via identity impersonation.
Automated Key Lifecycle Management: A Critical PKI Function
The effort required to manage keys manually can limit the scalability of
the PKI. Automated key management is a critical function for a large
PKI.

PUBLIC KEY INFRASTRUCTURE IN INDIA

PKI is the acronym for Public Key Infrastructure. The technology is

called Public Key cryptography because unlike earlier forms of
cryptography it works with a pair of keys one of which is made public
and the other is kept secret. One of the two keys may be used to encrypt
information which can only be decrypted with the other key.
The secret key is usually called the private key. Since anyone may
obtain the public key, users may initiate secure communications without
having to previously share a secret through some other medium with
their correspondent. PKI is thus the underlying system needed to issue
keys and certificates and to publish the public information. PKI is a
combination of software, encryption technologies, and services that
enable enterprises to protect the security of their communications and
business transactions over networks by attaching so-called “digital
signatures” to them.
The Office of the Controller of Certifying Authorities (CCA), has been
established under the Information Technology (IT) Act 2000 for
promoting trust in the electronic environment of India.

The current PKI organization structure in India consists of the Controller

of Certifying Authority as the apex body and as the Root Certifying
Authority of India (RCAI).

The CCA is entrusted with the following responsibilities : -

 Licensing Certifying Authorities (CAs) under section 21 of the IT
Act and exercising supervision over their activities.
 Controller of Certifying Authorities as the “Root” Authority
certifies the technologies and practices of all the Certifying
 Authorities licensed to issue Digital Signature Certificates
 Certifying the public keys of the CAs, as Public Key Certificates
(PKCs).
 Laying down the standards to be maintained by the CAs.
 Conflict resolution between the CAs
 Addressing the issues related to the licensing process including:
a) Aproving the Certification Practice Statement (CPS);
b) Auditing the physical and technical infrastructure of the
applicants through a panel of auditors maintained by the CCA.

The RCAI is responsible for issuing Public Key Certificates to Licensed

Certifying Authorities (henceforth referred to as Certifying Authorities
or CA). The CAs in turn are responsible for issuing Digital Signature
Certificates to the end users. In order to facilitate greater flexibility to
Certifying Authorities, the CCA has allowed the creation of sub-CAs.
As per this model, a Certifying Authority can create a sub-CA to meet
its business branding requirement. However the sub-CA will be part of
the same legal entity as the CA.
The sub-CA model will be based on the following principles:
 The CAs must not have more than one level of sub-CA
 A sub-CA certificate issued by the CA is used for issuing end
entity certificates
 A CA with sub-CA must necessarily issue end entity certificates
only through its sub-CA. The only Exception will be for code
signing and time stamping certificates, which may directly be
issued by the CA.

A Registration Authority (RA) acts as the verifier for the Certifying

Authority before a Digital Signature Certificate is issued to a requestor.
The Registration Authorities (RAs) process user requests, confirm their
identities, and induct them into the user database.

The PKI structure in India is the foundation for secure Internet

applications which ensure authentic and private transactions that cannot
be repudiated at a later time. Thus the CCA certifies the public keys of
CAs using its own private key, which enables users in the cyberspace to
verify that a given certificate is issued by a licensed CA. For this
purpose it operates as the Root Certifying Authority of India
(RCAI). CCA is the Root of the trust chain in India.

In order to ensure interoperability between the Digital Signature

Certificates issued by different CAs’ in India, the CCA has come out
with the “Interoperability Guidelines for Digital Signature Certificates
issued under the Information Technology Act”. With these guidelines ,
the Digital Signature Certificate issued by one CA can be used across
various e-Governance applications as the Interoperability guidelines
have prescribed the formats, field and other aspects that will ensure
interoperability.