Laws relating to Digital Signature

While the ICT Act is the primary legislation dealing with electronic signatures in Bangladesh,
also relevant are the Information Technology (Certifying Authority) Rules 2010 (CA Rules);
National Information and Communication Technology Policy 2018; and the Certification
Practice Statement published by the Office of the Controller of Certifying Authorities (CCA). At
this time there is no case law that deals with electronic or certificate-based digital signatures.

The ICT Act uses the terms electronic signature and digital signature interchangeably. In fact, the
Bengali version of the ICT Act refers to “electronic signature” whereas the English version uses
“digital signature”. According to the Act, electronic signatures (or digital signatures, in the
English version) must be able to:

Section- 2 (1) of the ICT Act, 2006, "digital signature" means data in an electronic form, which--

(a) is related with any other electronic data directly or logically; and

(b) is able to satisfy the following conditions for validating the digital signature--

(i) affixing with the signatory uniquely;

(ii) capable to identify the signatory;

(iii) created in safe manner or using a means under the sole control of the signatory; and

(iv) related with the attached data in such a manner that is capable to identify any alteration made
in the data thereafter.

Section- 2 (2) of the ICT Act, 2006, "digital signature certificate" means a certificate issued
under section 361.

Section- 5 of the ICT Act, 2006- Authentication of electronic records by digital signature

Any subscriber may authenticate an electronic record by affixing his digital signature. The
authentication of electronic record shall be effected by the use of technology neutral system or
standard authentic signature generating machine or strategy.

Section- 7. Legal recognition of digital signatures.--Where any law provides that--

Any information or any other matter shall be authenticated by affixing the signature; or any
document shall be authenticated by signature or bear the signature of any person; then,
notwithstanding anything contained in such law, such information or matter is authenticated by
means of digital signature affixed in defined manner or so is the case of any document.

1
36. Issue of certificate.
Section- 8. Use of electronic records and electronic signatures in Government and its
agencies.--(1)

Where any law provides for--

(a) the filing of any form, application or any other document with any office, authority, body or
agency owned or controlled by the appropriate Government in a particular manner;

(b) the issue or grant of any licence, permit, sanction, approval or order by whatever name called
in a particular manner;

(c) the receipt or payment of money in a particular manner; then, notwithstanding anything
contained in such law, filing, issue, grant of the document and receipt and payment of money, as
the case may be, is effected by means of prescribed electronic form.

(2) The manner and format in which such electronic records shall be filed, created or issued and
the manner or methods of payment of any fee or charges for creation and filing shall be fixed by
the rules for fulfilling the purposes of this section.

Section- 17. Secure digital signature.-- (1) If, by application of a security procedure agreed to
by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was-
- (a) unique to the person affixing it;

(b) capable of identifying the person affixing it; and

(c) created in manner or using a means under the sole control of the person affixing; then such
digital signature shall be deemed to be a secure digital signature as per sub-section (2).

(2) Despite the fact of sub-section (1), the digital signature would be invalidated if the electronic
record was altered relating to this very digital signature.

Duties of the subscriber:

Section-41. Application of security procedure.--The subscriber shall apply required security

procedure to ensure the purity of Digital Signature Certificate issued by a Certifying Authority.

Section-42. Acceptance of Digital Signature Certificate.--(1) A subscriber shall be deemed to

have accepted a Digital Signature Certificate if he publishes or authorizes the publication of a
Digital Signature Certificate to one or more persons or in a repository.

(2) By accepting Digital Signature Certificate the subscriber certifies to all who reasonably rely
on the information contained in the Digital Signature Certificate that--

(a) all representations made by the subscriber to the Certifying Authority and all materials
relevant to the information contained in the Digital Certificate are true; and
(b) all information in the Digital Signature Certificate that is within the knowledge of the
subscriber is true.

Section-43. Presumption of represented information of obtaining Digital Signature

Certificate.--

All material representations made by the subscriber to a Certifying Authority for purposes of
obtaining a certificate, including all information known to the subscriber and represented in the
Digital Signature Certificate, shall be accurate and complete to the best of the subscriber's
knowledge and belief, regardless of whether such representations are confirmed by the
Certifying Authority.

Section-44. Control of safety measure of subscriber.--(1) Every subscriber shall exercise

reasonable care to retain control of using of Digital Signature Certificate and take all steps to
prevent its disclosure to a person not authorized to affix the digital signature of the subscriber.

(2) If the security of Digital Signature Certificate has been compromised by disobeying the rules
in sub-section (1) of this section, the subscriber shall communicate the same without any delay to
the Certifying Authority who has issued the Digital Signature Certificate in an agreed manner.

Therefore, Digital Signature is an electronic signature based on cryptographic methods for

binding the identity of the signer with electronic record or message. This method uses a public
key crypto system commonly known as ‘asymmetric crypto system’ to generate digital signature.
And, a digital signature is impossible to forge since it is encrypted and only the recipient can
decrypt it.

Any type of electronic signature will be treated as ineffective if the electronic record related to it
is tampered with or amended.

Special considerations

In Bangladesh, several use cases require a traditional signature. In others, such as dealing with
public sector entities, the requirements will vary from case to case.

Transacting with public sector entities

Bangladesh has no fixed requirements or restrictions for using digital or electronic signatures
when dealing with Government entities. However, restrictions may apply depending on the
particular department’s terms of engagement. Also, under the ICT Act, the Government and its
agencies have no obligation to accept documents in an electronic form.

Use cases that generally require a traditional signature

There are certain types of documents or agreements that cannot by law be signed or executed
electronically in Bangladesh. Such documents generally require the person executing them to be
physically present before the Government office in question, or to provide a thumb impression
along with a “wet signature”. Examples of these documents may include:

1. Will;

2. Power of Attorney;

3. Deed of Sale in relation to immovable property;

4. Agreements where stamp duty is payable;

5. Documents which need to be signed before the notary public and/or witnessed.

6. Documents relating to legal proceedings which need to be sworn before an affidavit

commissioner.

Why would you use a digital signature?

Digital signatures increase the transparency of online interactions and develop trust between
customers, business partners, and vendors.

Digital Signature in Cryptography

A digital signature is equivalent to a handwritten signature. It is an electronic verification of the

sender. Digital signatures are commonly used for software distribution, financial transactions.
The digital signature serves three purposes:

1. Authentication: The process or action of proving the sender in cryptography

2. Non-repudiation: The assurance that someone cannot deny the validity

3. Integrity: The quality of the message sent and received as it is

How do digital signatures work?

Familiarize yourself with the following terms to better understand how digital signatures work:

• Hash function – A hash function (also called a “hash”) is a fixed-length string of

numbers and letters generated from a mathematical algorithm and an arbitrarily sized file
 such as an email, document, picture, or other type of data. This generated string is unique
to the file being hashed and is a one-way function— a computed hash cannot be reversed
to find other files that may generate the same hash value. Some of the more popular
hashing algorithms in use today are Secure Hash Algorithm-1 (SHA-1), the Secure
Hashing Algorithm-2 family (SHA-2 and SHA-256), and Message Digest 5 (MD5).

• Public key cryptography – Public key cryptography (also known as asymmetric

encryption) is a cryptographic method that uses a key pair system. One key, called the
public key, encrypts the data. The other key, called the private key, decrypts the data.
Public key cryptography can be used several ways to ensure confidentiality, integrity, and
authenticity. Public key cryptography can

o Ensure integrity by creating a digital signature of the message using the sender’s
private key. This is done by hashing the message and encrypting the hash value
with their private key. By doing this, any changes to the message will result in a
different hash value.

o Ensure confidentiality by encrypting the entire message with the recipient’s public
key. This means that only the recipient, who is in possession of the corresponding
private key, can read the message.

o Verify the user’s identity using the public key and checking it against a certificate
authority.

• Public key infrastructure (PKI) – PKI consists of the policies, standards, people, and
systems that support the distribution of public keys and the identity validation of
individuals or entities with digital certificates and a certificate authority.

• Certificate authority (CA) – A CA is a trusted third party that validates a person’s

identity and either generates a public/private key pair on their behalf or associates an
existing public key provided by the person to that person. Once a CA validates
someone’s identity, they issue a digital certificate that is digitally signed by the CA. The
digital certificate can then be used to verify a person associated with a public key when
requested.

• Digital certificates – Digital certificates are analogous to driver licenses in that their
purpose is to identify the holder of a certificate. Digital certificates contain the public key
of the individual or organization and are digitally signed by a CA. Other information
about the organization, individual, and CA can be included in the certificate as well.

• Pretty Good Privacy (PGP)/Open PGP – PGP/Open PGP is an alternative to PKI. With
PGP/Open PGP, users “trust” other users by signing certificates of people with verifiable
 identities. The more interconnected these signatures are, the higher the likelihood of
verifying a particular user on the internet. This concept is called the “Web of Trust.”

Digital signatures work by proving that a digital message or document was not modified—
intentionally or unintentionally—from the time it was signed. Digital signatures do this by
generating a unique hash of the message or document and encrypting it using the sender’s private
key. The hash generated is unique to the message or document, and changing any part of it will
completely change the hash.

Once completed, the message or digital document is digitally signed and sent to the recipient.
The recipient then generates their own hash of the message or digital document and decrypts the
sender’s hash (included in the original message) using the sender’s public key. The recipient
compares the hash they generate against the sender’s decrypted hash; if they match, the message
or digital document has not been modified and the sender is authenticated.

Why should you use PKI or PGP with digital signatures?

Using digital signatures in conjunction with PKI or PGP strengthens them and reduces the
possible security issues connected to transmitting public keys by validating that the key belongs
to the sender, and verifying the identity of the sender. The security of a digital signature is almost
entirely dependent on how well the private key is protected. Without PGP or PKI, proving
someone’s identity or revoking a compromised key is impossible; this could allow malicious
actors to impersonate someone without any method of confirmation.

Through the use of a trusted third party, digital signatures can be used to identify and verify
individuals and ensure the integrity of the message.

As paperless, online interactions are used more widely, digital signatures can help you secure
and safeguard the integrity of your data. By understanding and using digital signatures, you can
better protect your information, documents, and transactions.

What is Cryptography?

Cryptography is the method of transmitting secured data and communications via few codes so
that only the destined person knows about the actual information that is transmitted. This form of
process intercepts unauthorized accessibility for the data. So, in clear the name itself indicates
that “crypt” refers to “hidden” to “writing”. Encoding of information in cryptography follows
mathematical hypotheses and few calculations described as algorithms. The encoded data is
transmitted so that it makes it difficult to find the original data. These sets of rules are utilized in
the procedures of digital signing, authentication to secure data, cryptographic key development
and to safeguard all your financial transactions. Mostly, cryptography is followed by the
organizations to go with the objectives of:

Privacy – The transmitted data should not be known by external parties except for the intended
individual.

Reliability – the data cannot be modified in storage or transfer between the sender and the
destined receiver having no kind of modification.

Non-repudiation – Once the data is transmitted, the sender has no chance to deny it in the later
phases.

Authentication – Both the sender and receiver need to circumstantiate their own identities about
the transmitted and received data.

Let’s look at an example of cryptography to see what it is:

Samuel wishes to communicate with his colleague Yary, who is currently residing in another
country. The message contains trade secrets that should not be accessed or seen by any third
party. He sends the message via a public platform such as Skype or WhatsApp. The foremost
aim is to create a secure connection.

Assume Evy, a hacker who has obtained access to the message. Evy can now change or corrupt
the message before it reaches Yary. Evy alters the message that Yary receives. Neither Samuel
nor Yary are aware of the underground work. The outcomes are dreadful.

Now, cryptography can help. It can aid in the security of the connection between Samuel and
Yary.

Now that we understand what cryptography is, let us learn how cryptography aids in the security
of messages.

Samuel first converts a readable message or Plain text into a series of digits using various
cryptographic algorithms to protect the message. He then encrypts the message with a key. The
ciphertext is a term used in cryptography. Samuel uses the internet to send an encrypted message
to Yary. If Evy gains access to it and modifies the message before it reaches Yary. Yary now
requires a key to decrypt Samuel’s message. The message can be converted from cipher text to
plain text using the decryption key.

Because Evy altered the plain text, the result of the decryption will be the original plain text as
an error.
The error indicates that the message has been changed and is no longer the original message. As
a result, encryption is critical for secure communication.

Plain text is simply a human-readable message, text, or information.

Cipher text- It is the output of the input plain text that gets converted after the encryption
process. Basically, Cipher text is a type of plain text that is unreadable.

Cryptography Types

In cryptography, encryption of the information is classified as three types where those are
discussed below:

Symmetric Key Cryptography – This is also termed as Private or Secret key cryptography.
Here, both the information receiver and the sender make use of a single key to encrypt and
decrypt the message. The frequent kind of cryptography used in this method is AES (Advanced
Encryption System). The approaches implemented through this type are completely streamlined
and quicker too.

Also known as Secret Key Cryptography, private key encryption encrypts data using a single key
that only the sender and receiver know. The secret key must be known by both the sender and the
receiver, but should not be sent across the channel; however, if the hacker obtains the key,
deciphering the message will be easier. When the sender and the receiver meet on the handset,
the key should be addressed. Although this is not an ideal method. Because the key remains the
same, it is simpler to deliver a message to a certain receiver. The data encryption framework
(DES Algorithm) is the most widely used symmetric key system.

For instance, Tom is sending a message to Mary that he does not want anyone else to see. He’d
like to encrypt his message. That is simply because Tom and Mary exchange the same key. They
will use the same key for encrypting and decrypting. Here’s how it works: First, Tom encrypts
his signal with his key. His message has now been encrypted and scrambled. It can’t be read by
anyone. When Mary receives the encrypted message, she decrypts it with the same key so she
can read it in plaintext.

Few types of Symmetric key cryptography are

• Block

• Block cipher

• DES (Data Encryption System)

• RC2
 • IDEA

• Blowfish

• Stream cipher

Asymmetric Key Cryptography

This is also termed as Public-key cryptography. It follows a varied and protected method in the
transmission of information. Using a couple of keys, both the sender and receiver go with
encryption and decryption processes. A private key is stored with each person and the public key
is shared across the network so that a message can be transmitted through public keys. The
frequent kind of cryptography used in this method is RSA. The public key method is more secure
than that of a private key. Asymmetric key cryptography, also known as public-key cryptography,
consists of two keys, a private key, which is used by the receiver, and a public key, which is announced
to the public. Two different keys are used in this method to encrypt and decrypt the data. These two
distinct keys are mathematically linked. They are sold in pairs. The public key is accessible to anyone,
whereas the private key is only accessible to the person who generates these two keys.

For example, Bob wants to send an encrypted message to Alice, and they agree to encrypt his
message using public-key encryption. The receiver initiates public key encryption to encrypt the
sender’s message. The receiver, not the sender, initiates the public key method to encrypt the
sender’s message. Everyone has access to the public key. The receiver, Alice, is the only one
who has access to the private key. The following is how it works:

Step 1: Alice generates two keys: one public and one private. Alice stores the public key on a
public key server that anyone can access.

Step 2: Alice informs Bob of the location of her public key.

Step 3: Bob obtains Alice’s public key by following Alice’s instructions.

Step 4: Bob composes a message and encrypts it with Alice’s public key. Bob sends Alice the
encrypted message via the network.

Step 5: Alice decrypts Bob’s message using her private key.

Although Alice’s private key can confirm that no one read or changed the document while it was
in transit, it cannot confirm the sender. Because Alice’s public key is available to the public,
anyone can use it to encrypt his document and send it to Alice while posing as Bob. Digital
signature is another technique that is required to prove the sender.

Few of the kinds of Asymmetric key cryptography are:

• RSA

• DSA

• PKCs

• Elliptic curve techniques

Hash Function

Taking the arbitrary length of the message as input and delivering a fixed length of the output is
the algorithm followed by a hash function. It is also termed as a mathematical equation by taking
numerical values as input and produce the hash message. This method will not need any kind of
key as it functions in a one-way scenario. There are various rounds of hashing operations and
every round considers input as an array of the recent block and generates last round activity as
output. Few of the functionalities of the hash are:

• Message Digest 5 (MD5)

• RIPEMD

• Whirlpool

• SHA (Secure hash Algorithm)

Certifying Authority

Certifying authorities (CA) are important entity in the Public Key Infrastructure. An example can
be given to explain the role of CA. If A (the sender) and B (the receiver) are attempting to
engage in an online transaction, B needs an independent affirmation that A's message is actually
from A before B can have faith that A's public key actually belongs to A. It is possible that a
perpetrator could have sent B the public key, contending that it belongs to A when in fact it does
not.

Accordingly, a reliable third party- the CA - must be available to register the public keys of the
parties and to guarantee the accuracy of the identification of the parties

Certifying Authorities Controller

The government may appoint Controller, Deputy Controller and Assistant Controller of
Certifying Authorities. The Controller is the highest authority to supervise and validate the CAs.
The Controller is responsible to specify the rules and methods under which CAs will function.
It will establish databases of disclosure issued by Certifying

Authorities and perform all other functions in order to ascertain the system of Public Key
Infrastructure work properly.

The Controller has authority to recognize foreign CAs by following rules established under the
Act. It will act as repository of all Certificates issued.

License for Certifying Authorities

Certifying Authorities are generally private entities. They have to obtain license and must
comply with strict requirements set by law. The Controller issues such silences after scrutinizing
application for silences. The license is subject to suspension and revocation. The application
should accompany a certificate practice statement, a statement including the procedures with
respect to identification of the applicant, requisite fees and other documents.

Procedures to be followed by Certifying Authority

Every CA must maintain the following standards-

a. They will make sure the hardware and software they use is safe from intrusion and misuse.

b. They will provide the reasonable level of liability in their service.

c. They will adhere to security procedures to ensure that the secrecy and privacy of the digital
signature are assured.

d. They observe other standard set by rules.

e. They will make sure that every employee and otherwise engaged by it complies the rules and
regulations.

f. They will disclose certain information specified in the Act.