Digital Signature in India
A Digital Signature is a mathematical scheme for demonstrating the authenticity of digital messages
or documents. It is an electronic form of a signature. Just as a handwritten signature authenticates a
paper document, a digital signature authenticates electronic documents.
Legal Definition
According to section 2(1)(p) of the Information Technology Act, 2000, digital signature means
the authentication of any electronic record by a person who has subscribed for the digital
signature in accordance with the procedure mentioned under section 3 of the same Act.
Benefits of Digital Signature
Authenticity: The person who receives the electronic message or document is able to establish
who sent it. The digital signature makes it possible to verify who signed the message digitally.
Non-Repudiation: The sender of the message cannot refute the contents of the electronic
message and cannot deny having sent it.
Message cannot be altered during transmission: The receiver of the electronic message is able
to determine whether he/she has received the original document or whether the document was
altered before receipt.
Authentication Using Digital Signature
The authentication of the electronic record is done by creating a digital signature, which is a
mathematical function of the message content. Such signatures are created and verified by
cryptography, a branch of applied mathematics. Cryptography is used to secure the confidentiality
and authenticity of data by replacing the data with a transformed version that can be converted
back to reveal the original only by someone who holds the proper key.
A key is a sequence of symbols that controls the operation of a cryptographic
transformation.
It involves two processes which are as follows.
1. Encryption: The process of transforming the plain message into a cipher text.
2. Decryption: The reversal of Cipher text into the original message.
Asymmetric Encryption
Under this system, defined in Section 2(1)(f) of the Information Technology Act, 2000, there is a
pair of keys: a private key known only to the sender and a public key that is shared with the
receivers. A message transformed with the sender's private key can only be decrypted using the
publicly available key, known as the 'Public Key', provided by the sender.
The message is encrypted with the private key of the sender; conversely, decryption can be done
by anyone who holds the public key. This establishes the authenticity of the sender. It is also
known as the 'principle of irreversibility': the public key of the sender is known to many users,
but they do not have access to the private key of the sender, which bars them from forging the
digital signature.
Symmetric Encryption
There is only a single key, known to both the sender and the receiver. Under this system, the
secret key (also called the private key) is known to the sender and the legitimate user, and it is
used for both encryption and decryption of the message.
The main drawback of symmetric encryption is that as the number of pairs of users increases,
it becomes difficult to keep track of the secret keys in use, since each pair of users needs its own key.
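The symmetric scheme described above, as an added Go example that is not part of the original article: one shared key is used by the sender to encrypt and by the receiver to decrypt, and the key-count function makes the stated drawback concrete. The article names no particular cipher; this example assumes AES-256-GCM from Go's standard library, and the key and message values are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Encrypt seals plaintext under one shared key with AES-256-GCM (the symmetric
// cipher assumed for this demo). A fresh random 12-byte nonce is generated per
// message and prepended to the output so the receiver can recover it; a nonce
// must never be reused under the same key.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and a 16-byte authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt using the same shared key. Because GCM is an
// authenticated mode, any change to the nonce, ciphertext or tag (or use of a
// different key) makes Open return an error instead of garbage plaintext.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

// PairwiseKeys gives the number of distinct secret keys needed when every pair
// among n users shares its own key: n(n-1)/2. This is the bookkeeping burden
// the article describes as the drawback of symmetric encryption.
func PairwiseKeys(n int) int {
	return n * (n - 1) / 2
}

func main() {
	key := make([]byte, 32) // constructed 256-bit shared key for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ct, err := Encrypt(key, []byte("bid amount: Rs 10,00,000")) // constructed sample message
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(key, ct)
	fmt.Printf("receiver decrypts: %q (err=%v)\n", pt, err)

	ct[len(ct)-1] ^= 0x01 // flip one bit of the authentication tag in transit
	_, err = Decrypt(key, ct)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	fmt.Println("keys for 10 users:", PairwiseKeys(10), "for 1000 users:", PairwiseKeys(1000))
}
```

The same key value must be present on both sides, which is exactly why the number of keys grows with the number of user pairs; the authenticated mode additionally rejects a ciphertext that was modified or was produced under a different key.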
Creation of Digital Signature
Firstly, a person needs to get a Digital Signature Certificate from a Certifying Authority. After
that, the following process is followed:
1. The original message of the sender is passed through a hash function to obtain the message
digest.
2. The private key is then used to encrypt the message digest.
3. The encrypted message digest becomes the digital signature by applying the signature
function.
4. The digital signature is then attached to the original data.
5. Two things are transmitted to the recipient:
- The original message
- The digital signature
Rule 4 of the Information Technology (Certifying Authorities) Rules, 2000, explains the
procedure of digital signature as:
- To sign an electronic record or any other item of information, the signer first applies the
hash function in the signer's software. A hash function is a function which is used to map
data of arbitrary size onto data of a fixed size. The values returned by a hash function are
called hash values, hash codes, digests, or simply hashes.
- The hash function computes a hash result of standard length, which is unique to the
electronic record.
- The signer's software transforms the hash result into a Digital Signature using the
signer's private key.
- The resulting Digital Signature is unique to both the electronic record and the private key
used to create it.
- The Digital Signature is attached to its electronic record and stored or transmitted with it.
Digital Signature Certificate (DSC)
Digital Signature Certificates (DSC) are the digital equivalent (that is, in electronic format) of
physical or paper certificates. Certificates serve as proof of identity of an individual for a certain
purpose; for example, a driver's licence identifies someone who can legally drive in a particular
country. Likewise, a digital certificate can be presented electronically to prove one's identity, to
access information or services on the Internet, or to sign certain documents digitally.
Just as physical documents are signed manually, electronic documents, for example e-forms,
are required to be signed digitally using a Digital Signature Certificate.
A licensed Certifying Authority (CA) issues the digital signature certificate. Certifying Authority
(CA) means a person who has been granted a licence to issue a digital signature certificate under
Section 24 of the Indian IT Act, 2000.
Process of Obtaining DSC
- Digital Signature Certificate (DSC) applicants can directly approach Certifying
Authorities (CAs) with original supporting documents and self-attested copies.
- DSCs can also be obtained, wherever offered by the CA, using Aadhaar e-KYC based
authentication.
- A letter/certificate issued by a bank containing the DSC applicant's information as
retained in the bank's database can be accepted. Such a letter/certificate should be certified
by the Bank Manager.
The cost of obtaining a digital signature certificate may vary, as there are many entities issuing
DSCs and their charges differ.
Types and Usages of Digital Signature Certificates:
1. Sign Digital Signature Certificate: It is used only to sign documents. The most common
use is signing PDF files for Tax Returns, MCA and other websites. Signing via a DSC gives
assurance of the signer's identity and the data's integrity, as it is evidence that the data is
unharmed and unchanged.
2. Encrypt Digital Signature Certificate: It is used only for document encryption. It is largely
used in tender portals to help companies encrypt documents before uploading them. The
certificate can also be used to encrypt and send classified information. An Encrypt DSC is
appropriate for documents related to e-Commerce, for legal documentation, and for sharing
strictly classified documents that hold information needing protection.
3. Sign & Encrypt Digital Signature Certificate: It is used for both signing and encrypting.
It is fit for users who wish to validate the information they share and keep it secret. It is
used in filing government forms and applications.
There are three classes of Digital Signature Certificates issued by the certifying authorities,
depending upon the type of applicant and the purpose for which the DSC is required.
Class 1 certificate
Class 1 Digital Signature Certificates are issued for both business personnel and private
individuals. Such certificates assure that the information in the application given by the
subscriber does not conflict with the information in well-recognised consumer databases. The
verification requirements for these certificates include:
(i) Aadhaar e-KYC Biometric,
(ii) paper based application form and supporting documents, or
(iii) Aadhaar e-KYC OTP + Video Verification.
The private key generation and storage may be in software.
Class 2 certificate
Class 2 certificates are issued for both business personnel and private individuals. This level is
applicable to environments where the risks and consequences of data compromise are moderate.
The verification requirements for Class 2 Digital Signature Certificates include:
(i) Aadhaar e-KYC Biometric,
(ii) paper based application form and supporting documents, or
(iii) Aadhaar e-KYC OTP + Video Verification.
Private key generation and storage must be in a hardware cryptographic device validated to
FIPS 140-2 Level 2.
Class 3 certificate
This certificate is issued to individuals and organisations. Unlike Class 1 certificates, both Class 2
and Class 3 Digital Signature Certificates are applicable in environments with significant risks.
However, the Class 3 Digital Signature Certificate is applicable to environments where threats to
data and the consequences of failure of security services are high, for instance high value
transactions or high levels of fraud risk.
The verification requirements for a Class 3 certificate are:
(i) Aadhaar e-KYC Biometric,
(ii) paper based application form and supporting documents and (physical personal appearance
before the CA or video verification), or
(iii) Aadhaar e-KYC OTP + Video Verification.
Aadhaar e-KYC OTP and Aadhaar e-KYC Biometric are the accepted e-KYC verification routes.
Legal Recognition to Digital Signatures
Section 5 of the Information Technology Act, 2000 gives legal recognition to digital
signatures.
Rule 5 of the Information Technology (Certifying Authorities) Rules, 2000, explains the
method of verification of digital signature as:
The verification of a Digital Signature shall be accomplished by computing a new hash result of
the original electronic record by means of the hash function which was used to create the Digital
Signature, and by using the public key and the new hash result.
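The creation procedure (hash the record, transform the digest with the private key, attach the signature) and the Rule 5 verification (recompute the hash, check it with the public key) carried through end to end, as an added Go example that is not part of the original article or of any CA's software. The article does not name algorithms; this example assumes SHA-256 as the hash function and an RSA-2048 key pair with PKCS#1 v1.5 signatures from Go's standard library, and the sample record is constructed. It also covers the asymmetric-key point made earlier: a record altered after signing, or a signature made with someone else's private key, fails verification under the signer's public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedRecord is what the sender transmits: the original electronic record
// with the digital signature attached to it (step 5 of the creation process).
type SignedRecord struct {
	Record    []byte
	Signature []byte
}

// Sign follows Rule 4: the record is hashed with SHA-256 to a fixed-length
// digest, and the digest is transformed with the signer's private key. The
// "encryption of the digest" in the article corresponds here to an RSA PKCS#1
// v1.5 signature, which pads the digest before the private-key operation.
func Sign(priv *rsa.PrivateKey, record []byte) (SignedRecord, error) {
	digest := sha256.Sum256(record)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Record: record, Signature: sig}, nil
}

// Verify follows Rule 5: recompute the hash of the received record with the
// same hash function, then check the attached signature against that new hash
// using the signer's public key. A nil error means the record is unchanged
// and was signed by the holder of the matching private key; an altered record
// or a signature from a different key yields an error.
func Verify(pub *rsa.PublicKey, sr SignedRecord) error {
	digest := sha256.Sum256(sr.Record)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sr.Signature)
}

func main() {
	// The subscriber's key pair. In the DSC model the CA's certificate binds
	// this public key to the subscriber's verified identity.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey

	record := []byte("Form 16 for FY 2023-24, gross salary Rs 9,60,000") // constructed sample record
	sr, err := Sign(priv, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine record verifies:", Verify(pub, sr) == nil)

	// Integrity: a single character of the record is changed after signing.
	altered := sr
	altered.Record = []byte("Form 16 for FY 2023-24, gross salary Rs 9,60,001")
	fmt.Println("altered record verifies:", Verify(pub, altered) == nil)

	// Authenticity: a signature produced under some other key pair does not
	// check out against this subscriber's public key.
	otherSigner, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherSig, _ := Sign(otherSigner, record)
	fmt.Println("signature from another key verifies:", Verify(pub, otherSig) == nil)
}
```

In a real DSC workflow the raw signature is wrapped in a container (for example a signed PDF or a CMS structure) together with the signer's certificate, and the verifier also checks the certificate chain up to the licensed CA and the certificate's validity period; the hash-and-verify core shown here is what Rule 5 describes.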
Electronic Signature V. Digital Signature
The two are compared point by point below (Electronic Signature first, Digital Signature second).
1. Definition: an electronic signature is defined under Section 2(1)(ta) of the Information
Technology Act, 2000; a digital signature is defined under Section 2(1)(p) of the same Act.
2. Proof of validity: an electronic signature leverages an audit trail to demonstrate the validity
and legality of a signed document; a digital signature binds each signature to the document via
encryption to demonstrate its validity and legality.
3. Authentication of the signer: an electronic signature uses a wide array of methods, including
email, employee ID, or phone verification, to authenticate signer identity; a digital signature
leverages certificate-based IDs to authenticate signer identity.
4. Purpose: an electronic signature is used for verifying document authenticity; a digital
signature is used for securing document integrity.
5. Validity period: an electronic signature has no expiration or validity period; a digital
signature is valid up to a maximum of three years.
Conclusion
With the advancement of technology, there is a shift from conventional signatures to digital
signatures. Therefore, there is a need for law governing digital signatures, which the IT Act, 2000
provides. Being more secure and based on encryption, the digital signature is convenient and
preferable.
Frequently Asked Questions
What is the legal status of a Digital Signature?
Digital Signatures are legally admissible in a Court of Law, as provided under the provisions of
IT Act, 2000.
Where can I use Digital Signature Certificate (DSC)?
- For sending and receiving digitally signed and encrypted emails/documents.
- For carrying out secure web-based transactions.
- In e-Tendering, e-Procurement, Registrar of Companies e-filing, Income Tax e-filing of
income tax returns, and many other applications.
- For signing documents like MS Word, MS Excel and PDF files.
Can digital signature certificates be used in a wireless network?
Yes, digital signature certificates can be employed in wireless networks.
Can a person have two digital signatures say one for official use and other one for personal
use?
Yes
Are digital signatures safe? Can someone falsify mine?
Digital signatures are secure, and it is very difficult to falsify one.
Being based on asymmetric cryptography, they involve a private key, which only the signatory
knows, and a public key, which is available to everyone; both are generated through a public key
algorithm. When the user wants to sign a document, he uses his private key, which is unique and
non-transferable and exclusively in his possession; no one else has access to it.