Electronic Transaction Act 2063

Rajesh Kumar Shakya

Chairman, Hitechvalley iNet Pvt. Ltd.
Executive Member, IT Professional Forum (ITPF)
Reengineering Specialist (e-Governance), ADB

NITC/Ministry of Environment, Science and

Technology)
March 15, 2007
Introduction
z Electronic document
z produced by a computer, stored in digital form. so
easy to copy, distribute, retrieve and archive. Ideal
for e-commerce and e-governance
• But…
z It can be deleted, modified and rewritten without
leaving a mark
z Integrity of an electronic document is “genetically”
impossible to verify
z A copy is indistinguishable from the original
z It can’t be sealed in the traditional way, where the
author affixes his signature 2
Creating Trust in Electronic World

Requirements:
z Confidentiality
z Integrity
z Authenticity
z Non-Repudiability

Threat to Authenticity
z Masquerading

Counter Measures
z Digital Signature - Cryptographically generated credentials.

3
 Creating Trust in Electronic World

Enablers:
¾Cryptographic technologies
¾Supporting Infrastructure:
ƒProcesses & Systems
ƒLegal Frameworks
ƒStandards

4
Electronic Transaction Act 2063 - Role of
Comptroller of Certification (CCA) Authority for
secure e-Commerce and e-Governance

z Authentication of entities in cyberspace

z Prevention of deliberate or accidental Disclosure
and/or Amendment/Deletion of data
z Licensing of CAs and establishment of PKI

5
 Encryption:
z Transformation of data to Prevent information being read by
unauthorized parties.
z Sender and Receiver have to know the rules which have
been used to encrypt the data.
z Based on Algorithms which are mathematical functions for
combining the data with a string of digits called the Key. The
result is the encrypted text.

Eg of Symmetric Encryption: Adding a fixed number of

characters, say 5, to each character in the message that is being
encrypted.
The word SECURITY then becomes the encrypted text XJHZWNYD

6
Public key cryptography
(Asymmetric Cryptography)

z Each party is assigned a pair of keys –

private - known only by the owner
public - known by everyone
z Information encrypted with the private key can only
be decrypted by the corresponding public key & vice
versa
z Fulfils requirements of confidentiality, integrity,
authenticity and non-repudiability

z No need to communicate private keys

7
Digital Signature

™The message is encrypted with the sender’s private key

™ Recipient decrypts using the sender’s public key

Public
PKA
Document
Document
Document Document
Document
Document
Document
Document
CONFIRMED
CONFIRMED
Digital
Digital Digital
Digital Digital
Digital
Private Signature
Signature Signature
Signature Signature
Signature
SKA 8
 Message Integrity
1. Generating the “Digest” or “Hash” of a message
through well-known hash algorithms
z one-way hash functions

z original data cannot be generated from hash

output
z No two messages will generate the same hash.

2. Any change in message results in a changed

“Hash”

4. SIGN the HASH NOT the entire Message

9
Maintaining Message Integrity

No
Message
Message Message
Message Hash
Hash Message
Message Hash
Hash Reject
Message

Check
Check
Hash
Hash

Yes
Hash
Hash Accept
Hash
Hash generation Hash
Hash
Hash generation Hash Message
generation
generation function
function
function
function

10
SENDER RECEIVER
Digital Signature
z Hash value of a message when encrypted
with the private key of a person is his digital
signature on that e-Document
z Digital Signature of a person therefore varies
from document to document thus ensuring
authenticity of each word of that document.
z As the public key of the signer is known, anybody
can verify the message and the digital signature

11
 Signed Confidential Messages
Message
Message Sent through Internet Hash
Hash
Encrypted Using Hash function
Message on the message
Message
Message ENCRYPT
ENCRYPT DECRYPT
DECRYPT
Message Message
Message
++ Message ++ Message
Message ++ ++
signature
signature signature
signature signature
signature
with Signature
Signature
withReceiver’s
Receiver’s with
withReceiver’s
Receiver’s
Public
PublicKey
Key Private
PrivateKey
Key COMPARE
COMPARE
Hash
Hash Sign
ed
Using Hash Function Confidential
M essa
ge

SIGN
SIGNhash
hash Hash
Hash
With Sender’s
With Sender’s
Private
Privatekey
key
VERIFY
VERIFY
Signature
Signature
With
WithSender’s
Sender’s
Sender Receiver Public
PublicKey
Key

12
Authenticity and Confidentiality

z A signs message with his own private key

z A then encodes the resulting message with B’s Public key
z B decodes the message with his own Private key
z B applies A’s Public key on the digital signature

13
Authenticity and Confidentiality

z When A uses his own private key, it demonstrates that

z he wants to sign the document

z he wants to reveal his identity

z he shows his will to conclude that agreement

z The encoded message travels on the Net, but nobody can read it :
confidentiality

14
 Authenticity and Integrity

z B needs to know that A and only A sent the message

z B uses A’s public key on the signature

z Only A’s public key can decode the message

z A cannot repudiate his signature

z Digital signature cannot be reproduced from the message

z No one can alter a ciphered message : INTEGRITY

15
Putting it all together

z Digital signatures provide a means of

identification that can not be repudiated.
z If I encrypt with your public key, only you with
your private key can read it
encryption = confidentiality
z If I encrypt with my private key, anyone with my
public key can tell it was only me that could have
sent it and it has not changed.
digital signature = identity and integrity

16
Issues in Public key Cryptosystems

z How will recipient get senders public key?

z How will recipient authenticate sender's
public key ?
z How will the sender be prevented from
repudiating his/her public key?

17
Certifying Authority
z An organization which issues public key certificates.
z Must be widely known and trusted
z Must have well defined methods of assuring the identity of
the parties to whom it issues certificates.
z Must confirm the attribution of a public key to an identified
physical person by means of a public key certificate.
z Always maintains online access to the public key certificates
issued.

18
 Public-Key Certification
User Certificate Certificate
User
User
Name
Name & & User
User
Database
other
other Name
Name
credentials
credentials
Signed
Signed
by
by using
using User’s
User’s
Certificate
Request CA’s
CA’s Public
Public Publish User
User 11 certificate
private
private Key
Key
certificate

User’s
User’s key
key User
User 22 certificate
certificate
Public
Public CA’s
CA’s ..
key
key
Name
Name

Validation
Validation
period
period

Signature
Signature
of
of CA
19
CA
Contents of a Public Key Certificate
z Issued by a CA as a data message and always available
online
z S.No of the Certificate

z Applicant’s name, Place and Date of Birth, Company

Name
z Applicant’s legal domicile and virtual domicile

z Validity period of the certificate and the signature

z CA’s name, legal domicile and virtual domicile

z User’s public key

z Information indicating how the recipient of a digitally

signed document can verify the sender’s public key
z CA’s digital signature

20
Example
Certificate[1]:
Owner: CN=hitechvalley.com, OU=D&AI, O=Hi-tech Valley iNet
Pvt. Ltd., ST=Kathmandu, C=NP
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY
LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class
3, OU="VeriSign, Inc.", O=VeriSign Trust Network
Serial number: 50daa4e88174ea478f4cfa312d51887a
Valid from: Fri Feb 13 19:00:00 EST 2004 until: Tue Feb 12
18:59:59 EST 2005
Certificate fingerprints:
MD5: 38:37:ED:EF:41:2C:DD:12:A6:AB:9B:F9:90:B0:82:37
SHA1: 0:F8:70:7A:8D:66:71:D1:BC:11:D2:41:82:5C:8A:84:91:BE:87:96

21
Example of Key
-----BEGIN CERTIFICATE-----
MIIFQjCCBCqgAwIBAgIQN5iSoDU+h+o0+TRta6MUfjANBgkqhkiG9w0BAQUFADCB
sDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMh
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBMB4XDTA2MDMwNjAwMDAw
MFoXDTA3MDIyODIzNTk1OVowgbYxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRVdGFo
MQ8wDQYDVQQHFAZUb29lbGUxJzAlBgNVBAoUHlVuaWZpZWQgU29mdHdhcmUgU29s
dXRpb25zIExMQzELMAkGA1UECxQCSVQxMzAxBgNVBAsUKlRlcm1zIG9mIHVzZSBh
dCB3d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEcMBoGA1UEAxQTd3d3LnVuaWFw
cHN0b3JlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAznYmJlqmRgcl
POWG4rJgXz5kpkQQWP7049Btr55t5mXtj+6CO9kzdOHHEoTcROCYCl03Gn/1llD5
qtmK629wsDFn8xnHF9DTvxAIakgpPgaLeeU3QVU1PTqz04/3uyPlnVY/84Qbqms7
Nd/YuIKwXBGQO0JSraVCtZCV2eMATgsCAwEAAaOCAdIwggHOMAkGA1UdEwQCMAAw
CwYDVR0PBAQDAgWgMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9TVlJTZWN1cmUt
Y3JsLnZlcmlzaWduLmNvbS9TVlJTZWN1cmUyMDA1LmNybDBEBgNVHSAEPTA7MDkG
C2CGSAGG+EUBBxcDMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWdu
LmNvbS9ycGEwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQY
MBaAFG/sr6DdiqTv9SoQZy0/VYK81+8lMHkGCCsGAQUFBwEBBG0wazAkBggrBgEF
BQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEMGCCsGAQUFBzAChjdodHRw
Oi8vU1ZSU2VjdXJlLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlMjAwNS1haWEu
Y2VyMG0GCCsGAQUFBwEMBGEwX6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYF
Kw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlz
aWduLmNvbS92c2xvZ28uZ2lmMA0GCSqGSIb3DQEBBQUAA4IBAQB8f3fSFwNljaDG
CrlO7Xnc6lvYoDETF4YNMOWSVIx65xdfeth/ZqBbRpRzgUlo4t50Hyt1m13+HVRy
LnGQAN2Bh30Knc5L+br9ALZhrpsggX1FYb0ba4JEsHWvdN+nbmRAqk0c9sSSkLrV
zmhZOnCwW+57ake2M5Vvy25Qj7BCjqMoCPiJ5yRXvf3s8MgAz3y0AoRmp1dfbcFz
v0jDRCK0ApYDLWZTrK6AW9laY+yoQdotHoGZu0p0ewrA+PDqn/WHhsJFd9oMTFwg
3RN9p3M4V+9FNek1yVcmytOOx8LbSu8sKnxVy7ThSQdlvR56HofWipWbhmVEMb22
SqbPsESt
-----END CERTIFICATE----- 22
Certificate Revocation List

A list of all known Certificates that have been

revoked and declared invalid

23
Public Key Infrastructure & the Electronic
Transaction Act 2063
Controller of Certifying Authorities as the “Root” Authority
certifies the technologies and practices of all the
Certifying Authorities licensed to issue Digital Signature
Certificates

24
CCA has to regulate the functioning of
CAs in the country by-

z Licensing Certifying Authorities (CAs) and exercising

supervision over their activities.
z Certifying the public keys of the CAs, i.e. their Digital
Signature Certificates more commonly known as
Public Key Certificates (PKCs).
z Laying down the standards to be maintained by the
CAs,
z Addressing the issues related to the licensing
process
25
The licensing process

z Examining the application and accompanying

documents as provided in The Act, and all the Rules
and Regulations there- under;
z Auditing the physical and technical infrastructure of
the applicants through a panel of auditors
maintained by the CCA.

26
 Audit Process

z Adequacy of security policies and implementation thereof;

z Existence of adequate physical security;
z Evaluation of functionalities in technology as it supports CA
operations;
z CA’s services administration processes and procedures;
z Compliance to relevant process as approved and provided by
the Controller;
z Adequacy to contracts/agreements for all outsourced CA
operations;
z Adherence to Electronic Transaction Act 2063, the rules and
regulations thereunder, and guidelines issued by the
Controller from time-to-time.

27
Auditors Panel
z To be nominated by CCA

28
 Thank you
rajesh.shakya@gmail.com