NEED FOR AUTHENTICATION OF ELECTRONIC DOCUMENTS

Traditional laws provide criteria for establishing the legality and validity of transactions in their paper based form. For example, a contract is usually formalized by both parties signing the document containing the contract. The signature serves as a method of identification of the parties to the contract, and therefore, it indicates their assent to the terms of the contract and makes it legally binding on them. Under the law of evidence, the 'original' document constitutes primary evidence, while a copy of the 'original' document constitutes secondary evidence. The 'originality' of paper based documents is usually established with the presence of original handwritten signatures. Can such a formalized version of a contract be made electronically? How would one identify the parties to such a contract? How does one establish the originality of an electronic document?

Equivalent criteria for the legality and validity of transactions in an electronic form were laid down by the Model Law. Such criteria were based on the principles of non-discrimination, technological neutrality and functional equivalence. In summary, the validity of information cannot be challenged merely because it is contained in an electronic document. An electronic document is considered to be original, if it is in the same form as it was when it was generated. This implied that a method was required to guarantee that the document received was indeed in the same form as when it was generated. Handwritten signatures are a valid means of authenticating documents because they are so unique and specific to the person. They are also [...] This meant that an equally unique, specific and inimitable form of authentication was required for electronic transactions. The solution was conceived in the form of digital signatures.

DEFINITIONS UNDER THE IT ACT

The method of authentication using digital signatures is prescribed under Chapter II of the IT Act. The relevant definitions under the IT Act with respect to digital signatures are as follows:

Asymmetric Crypto System

The IT Act defines the 'asymmetric crypto system' under Section 2(1)(f):

"Asymmetric Crypto System means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature."

The asymmetric crypto system forms the basis of the digital signature system as prescribed under the IT Act. It consists of a private key which creates the [...] used in the asymmetric crypto system are [...]

Private Key

The IT Act defines a 'private key' under Section 2(1)(zc):

"Private Key means the key of a key pair used to create a digital signature."

The private key is used to create a digital signature, i.e., to affix the digital signature. It is in the possession of the subscriber or his agent only. If the private key is revealed to another person, it compromises the security of the digital signature.

Public Key

The IT Act defines a 'public key' under Section 2(1)(zd):

"Public Key means the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate."

The public key is used to verify the digital signature. Unlike the private key, the secrecy of this key is not required to be maintained.
In fact, it is required to be given to the person receiving the electronic record, and quite often is also published so that it can be used by anyone who requires verifying of a digital signature.

Digital Signatures

The IT Act defines a 'digital signature' under Section 2(1)(p):

"Digital Signature means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3."

A digital signature is the electronic method prescribed under Section 3 of the IT Act used to authenticate electronic records. The method currently prescribes combination of asymmetric crypto system with the 'hash function', another method of verification, to affix a digital signature. A digital signature would be valid only if it is used by a 'subscriber', i.e., the person holding a valid 'digital signature certificate'.

Software companies, for example, extensively use digital signatures to arrest software piracy. A private key is used to affix a signature on the software copy before it is shipped to the customer. A public key is provided separately to the customer installing the software. The customer can then authenticate the software by applying the public key and use it.

The use of digital signatures for the purpose of authentication has not been made mandatory under the IT Act, but has instead been prescribed as the legal method which can be used by those wishing to authenticate electronic records.
The use of digital signatures has, however, been made mandatory for certain online transactions, such as for the e-filing of income tax return, e-filing of forms for participation in e-tenders floated by various Government websites.

Digital Signature Certificate

The IT Act defines a 'digital signature certificate' under Section 2(1)(q):

"Digital Signature Certificate means a Digital Signature Certificate issued under subsection (4) of section 35."

A digital signature certificate (a "DSC") has been defined with reference to Section 35 of the IT Act, which gives a 'Certifying Authority' the power to issue a DSC. A DSC certifies that the public key being used for the purpose of verification of the digital signature belongs to the person whose name is mentioned in the digital signature, i.e., the subscriber. Therefore, the main purpose of the DSC is to identify the subscriber of a particular public key.

Electronic Signature

The IT Act defines an 'electronic signature' under Section 2(1)(ta):

"Electronic Signature means authentication of any electronic record by a subscriber by means of the electronic technique specified in the second schedule and includes digital signature."

As per this definition, any mode of electronic authentication as prescribed by the Government from time to time will be valid. Digital signatures have been included as a type of electronic signature. Electronic signatures, like digital signatures, are legal only if they are issued under an Electronic Signature Certificate.

The concept of digital signatures under the IT Act was contradictory to one important principle of the UNCITRAL Model Law on Electronic Commerce (the "Model Law"): technological neutrality. Section 3 of the IT Act lays down a technology-specific form of electronic authentication, which meant that with evolving technology, the IT Act would soon become redundant.
This led to its amendment and the introduction of electronic signatures. The need for amendment also arose in order to bring the IT Act in line with the Model Law, and in order to establish uniformity with the authentication procedure in laws in force in other countries. One example is the United States Federal Electronic Signatures in Global and National Commerce Act, which provides a generalized law for the use of electronic records, electronic contract formation and electronic signatures. It provides the following definition of electronic signature:

"The term 'electronic signature' means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."

It can be seen that while the US definition refers to any method which is used for the purpose of signing the record, the Indian definition of electronic signature places emphasis on the legality of the signature itself, making it mandatory that it be issued under the IT Act, and that the signature be used by a subscriber only.

Electronic Signature Certificate

The IT Act defines an 'electronic signature certificate' under Section 2(1)(tb):

"Electronic Signature Certificate means an Electronic Signature Certificate [...]"

An Electronic Signature Certificate is the certificate issued by the Certifying Authority for the purpose of identification of the subscriber of an electronic signature. Currently, the DSC is the only valid form of Electronic Signature Certificate that can be issued.

Affixing Electronic Signature

The Act defines 'affixing electronic signature' under Section 2(1)(d):

"Affixing digital signature with its grammatical variations and cognate expressions means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of Electronic signature."

The term 'affix' refers to the application of an electronic signature to an electronic record using any procedure for the purpose of authenticating such electronic record.
Once 'affixed', the electronic signature will serve the same functions with respect to an electronic document, as a handwritten signature, fingerprint, seal or stamp will with respect to a paper based document.

Subscriber

The IT Act defines a 'subscriber' under Section 2(1)(zg):

"Subscriber means a person in whose name the Electronic Signature Certificate is issued."

The 'subscriber' is the person whose name appears in an Electronic Signature Certificate. Therefore, subscriber refers to a person who is authorized by [...] signature. With reference to [...]

8. 15 USC 7006(5).

AUTHENTICATION OF ELECTRONIC RECORDS USING DIGITAL SIGNATURES

Section 3 of the IT Act prescribes a method of affixation of digital signatures using the asymmetric crypto system and the hash function.

Asymmetric Crypto System and Encryption

Asymmetric crypto system consists of a public key and a private key, which together form a key pair. The private key is held by the subscriber and is used to affix the digital signature on the electronic record. The public key is listed on the DSC and is sent to the person receiving the electronic record for him to verify [...]

(i) Publishing Public Key certificates of licensed CAs.
(ii) Publishing CRLs.
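The affix-and-verify process described under "Asymmetric Crypto System and Encryption" can be seen in the following added Python example, which is not part of the original text. It assumes SHA-256 as the hash function and unpadded RSA over fixed, constructed primes so that it runs with the standard library alone; the function names are hypothetical, and real signing uses a vetted library with a padded scheme and properly generated keys.

```python
import hashlib


def make_key_pair(p, q, e=65537):
    """Build (public_key, private_key) from two primes (illustration only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent
    return (n, e), (n, d)


# Constructed demo key: the Mersenne primes 2^521-1 and 2^607-1 are used only
# to avoid key-generation code. Primes of this form are unsafe for real keys.
PUBLIC_KEY, PRIVATE_KEY = make_key_pair(2**521 - 1, 2**607 - 1)


def hash_result(record: bytes) -> int:
    """Hash function step: reduce the record to a fixed-size digest."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def affix_signature(record: bytes, private_key) -> int:
    """Subscriber side: transform the digest with the private key."""
    n, d = private_key
    return pow(hash_result(record), d, n)


def verify_signature(record: bytes, signature: int, public_key) -> bool:
    """Recipient side: recover the signed digest with the public key and
    compare it with a fresh digest of the record as received."""
    n, e = public_key
    return pow(signature, e, n) == hash_result(record)


if __name__ == "__main__":
    # Constructed sample record.
    record = b"Party A agrees to sell 100 units to Party B for Rs. 50,000."
    signature = affix_signature(record, PRIVATE_KEY)

    # Record in the same form as when it was signed.
    print("unaltered:", verify_signature(record, signature, PUBLIC_KEY))

    # Record changed after signing: the fresh digest no longer matches.
    altered = record.replace(b"50,000", b"5,000")
    print("altered:  ", verify_signature(altered, signature, PUBLIC_KEY))
```

The recipient needs only the record, the signature and the public key; the private key never leaves the subscriber.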
