Cyber Laws and Ethics, Digital Signature and E-Records
Digital signatures are based on public key cryptography, also known as
asymmetric cryptography. Using a public key algorithm, such as RSA,
one can generate two keys that are mathematically linked: one private
and one public.
Digital signatures work because public key cryptography depends on
two mutually authenticating cryptographic keys. The individual who is
creating the digital signature uses their own private key to encrypt
signature-related data; the only way to decrypt that data is with the
signer's public key. This is how digital signatures are authenticated.
Digital signature technology requires all the parties to trust that the
individual creating the signature has been able to keep their own private
key secret. If someone else has access to the signer's private key, that
party could create fraudulent digital signatures in the name of the
private key holder.
How to create a digital signature
To create a digital signature, signing software creates a one-way
hash of the electronic data to be signed. The private key is then
used to encrypt the hash. The encrypted hash, along with other
information, such as the hashing algorithm, is the digital
signature.
The reason for encrypting the hash instead of the entire
message or document is that a hash function can convert an
arbitrary input into a fixed length value, which is usually much
shorter. This saves time as hashing is much faster than signing.
The value of a hash is unique to the hashed data. Any change in
the data, even a change in a single character, will result in a
different value. This attribute enables others to validate the
integrity of the data by using the signer's public key to decrypt
the hash.
If the decrypted hash matches a second computed hash of the
same data, it proves that the data hasn't changed since it was
signed.
If the two hashes don't match, the data has either been
tampered with in some way or the signature was created with
a private key that doesn't correspond to the public key
presented by the signer.
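The hash-then-sign and verify steps described above, as an added example that is not part of the original document. It uses textbook RSA with no padding and constructed demo keys built from publicly known primes (names such as SIGNER, OTHER and ALLOWED_HASHES are assumptions for illustration); production systems use a vetted library with a padding scheme such as RSASSA-PSS.

```python
import hashlib

# Constructed demo keys built from publicly known Mersenne primes so the example
# runs offline. They are NOT secure; real keys use large random secret primes.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"public": (e, n), "private": (pow(e, -1, phi), n)}

SIGNER = make_keypair(2**521 - 1, 2**607 - 1)   # the genuine signer (hypothetical)
OTHER = make_keypair(2**127 - 1, 2**521 - 1)    # a different, non-matching key pair

ALLOWED_HASHES = ("sha256", "sha512")  # verifier policy, not taken from the signature


def digest_int(data: bytes, alg: str) -> int:
    """One-way hash of the data, as an integer the RSA operation can act on."""
    return int.from_bytes(hashlib.new(alg, data).digest(), "big")


def sign(data: bytes, private_key, alg: str = "sha256") -> dict:
    """Hash the data, then apply the private key to the hash only."""
    d, n = private_key
    # The signature carries the hash algorithm name alongside the signed hash.
    return {"alg": alg, "value": pow(digest_int(data, alg), d, n)}


def verify(data: bytes, signature: dict, public_key) -> bool:
    """Recover the signed hash with the public key and compare to a fresh hash."""
    if signature["alg"] not in ALLOWED_HASHES:
        return False  # never let the signature choose a hash the verifier rejects
    e, n = public_key
    recovered = pow(signature["value"], e, n)
    return recovered == digest_int(data, signature["alg"])


def demo() -> dict:
    record = b"Transfer 100 shares to A. Kumar"      # constructed sample data
    altered = b"Transfer 900 shares to A. Kumar"     # one character changed
    sig = sign(record, SIGNER["private"])
    return {
        "intact": verify(record, sig, SIGNER["public"]),
        "altered": verify(altered, sig, SIGNER["public"]),
        "wrong_key": verify(record, sign(record, OTHER["private"]), SIGNER["public"]),
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist check matters because the hash algorithm name travels with the signature: a verifier that accepts whatever algorithm the signature names can be steered onto a weak hash.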
A digital signature can be used with any kind of message,
whether it is encrypted or not, simply so the receiver can be
sure of the sender's identity and that the message arrived
intact. Digital signatures make it difficult for the signer to deny
having signed something, assuming their private key has not
been compromised, as the digital signature is unique to both
the document and the signer and it binds them together. This
property is called nonrepudiation.
Classes of digital signatures
There are three different classes of Digital Signature Certificates:
Government -
Governments publish electronic versions of budgets, public and
private laws and congressional bills with digital signatures. Digital
signatures are used by governments worldwide for a variety of
uses, including processing tax returns, verifying business-to-
government (B2G) transactions, ratifying laws and managing
contracts. Most government entities must adhere to strict laws,
regulations and standards when using digital signatures.
Healthcare -
Digital signatures are used in the healthcare industry to improve the
efficiency of treatment and administrative processes, to strengthen
data security, for e-prescribing and hospital admissions. The use of
digital signatures in healthcare must comply with the Health
Insurance Portability and Accountability Act of 1996 (HIPAA).
Manufacturing -
Manufacturing companies use digital signatures to speed up
processes, including product design, quality assurance (QA),
manufacturing enhancements, marketing and sales. The use of
digital signatures in manufacturing is governed by the
International Organization for Standardization (ISO) and the
National Institute of Standards and Technology (NIST)
Digital Manufacturing Certificate (DMC).
Financial services -
The financial sector uses digital signatures for contracts,
paperless banking, loan processing, insurance documentation,
mortgages, and more. This heavily regulated sector uses digital
signatures with careful attention to the regulations and guidance
put forth by the Electronic Signatures in Global and National
Commerce Act (E-Sign Act), state UETA regulations, the
Consumer Financial Protection Bureau (CFPB) and the Federal
Financial Institutions Examination Council (FFIEC).
Digital signature security features:-
Security features embedded in digital signatures ensure that a
document is not altered and that signatures are legitimate. Security
features and methods used in digital signatures include:
Authentication:
Although messages may often include information about the entity
sending a message, that information may not be accurate. Digital
signatures can be used to authenticate the source of messages.
When ownership of a digital signature secret key is bound to a
specific user, a valid signature shows that the message was sent
by that user. The importance of high confidence in sender
authenticity is especially obvious in a financial context.
Integrity:
In many scenarios, the sender and receiver of a message may
have a need for confidence that the message has not been
altered during transmission. Although encryption hides the
contents of a message, it may be possible to change an encrypted
message without understanding it.
However, if a message is digitally signed, any change in the
message after signature invalidates the signature. Furthermore,
there is no efficient way to modify a message and its signature
to produce a new message with a valid signature, because this
is still considered to be computationally infeasible with most
cryptographic hash functions.
Non-repudiation:
Non-repudiation of origin is an important aspect of digital
signatures. By this property, an entity that has signed some
information cannot at a later time deny having signed it.
Similarly, access to the public key alone does not enable a
fraudulent party to fake a valid signature.
Note that these properties (authentication, non-repudiation, etc.)
rely on the secret key not having been revoked prior to its
usage. Public revocation of a key-pair is a required ability, else
leaked secret keys would continue to implicate the claimed
owner of the key-pair.
Crime on digital signature
Digital Signatures are being considered by the Apex Court to sign off the
Judgments and orders passed by them and uploaded on its official website. But is a
Digital Signature as infallibly reliable as thought to be?
It seems the answer is no.
The Hon’ble Bombay High Court, whilst granting ad-interim reliefs in a couple of
Suits before it, discovered the possible manner in which a Digital Signature could
be misused and scorned the plausible impact that such misuse of a Digital
Signature could cause.
The Suits in reference were filed by two companies situated in Mumbai,
namely DDPL Global Infrastructure Private Limited and Unicorn Infra Projects &
Estates Private Limited. A group of 4 individuals are Directors on the Board of both
of these companies (the "Existing Directors").
One fine morning, the Directors realized that the MCA portal shows the names of
two unknown persons as the Directors of the Companies instead of themselves. On
probing a little further, the Existing Directors fathomed the entire gamut of fraud
played to oust them as the Directors of the Companies from the MCA portal.
The whole fraudulent act of removing the names of the Existing Directors from
the MCA portal was initiated by fraudulently obtaining a digital signature of one
of the Directors on the basis of forged photo identity and address proof of the
concerned Director. Using the said Digital Signature, the name of one unknown
person was uploaded on the MCA Portal as the Director of the Company, who then
not only uploaded forms to oust the Directors and himself from the MCA portal,
but also uploaded the requisite forms to add the other two unknown persons as the
Directors of the Companies.
The Court has referred to the entire aforesaid act by the unknown persons as being
"nothing short of a wholesale Corporate Hijack". The extent of threat it poses to
the reputation of any corporate is unfathomable as there is room for misuse of the
private key. The primary purpose behind adopting Digital Signature is to encrypt
the information.
Quite contrary to serving its purpose, the present case exhibits how digital
signatures, if used in an unwarranted manner, can sabotage the working of their users.
The whole case has brought to light the possible mischief that can be committed
on a company by merely procuring a fraudulent Digital Signature of one of the
Directors of the Company.
Digital signatures versus ink on paper signatures
Issue 1: Obsolescence
Obsolescence is a concern with both electronic hardware and
software. For instance, the prevalence of videotapes is currently
being threatened by the emergence of DVDs; floppy disks have
changed radically in terms of physical size and capacity in the past
decade and have now been outstripped by zip disks and the various
types of compact discs that are on the market; the functionality of
computer software changes rapidly as new versions come on-
stream.
Issue 2: Security
Measures should be implemented to ensure that records stored
electronically are secure. Records should be inviolate or
tamperproof; secure from unauthorised access and accidental or
deliberate removal and alteration. This is particularly important if
records are tendered as evidence in a legal case. (Incidentally, an
observation that merits mention is that many databases do not
fulfil the definition of records, and instead are mere information.)
Issue 3: Technical expertise
In order that the benefits of technology and electronic records are
fully exploited, and effectively managed, expertise should be
readily available.
Issue 6: Authenticity
Because electronic records may be amended at the touch of a
button, for example, overwritten, deleted or altered, it is difficult to
prove what the original or authentic record comprised. Alteration of
records may have serious legal consequences.