Digital Signature

Chapter VI discusses the legal framework surrounding digital signatures as outlined in the Information Technology Act of 2000, emphasizing the transition from traditional paper-based signatures to electronic means. It details the definition, authentication, creation, and verification processes of digital signatures, highlighting the importance of cryptography and public key infrastructure. The chapter also covers the role of certifying authorities in issuing digital signature certificates to enhance trust in e-commerce transactions.
Cyber Law & Security Control

Chapter VI
Digital Signature
The Information Technology many legal provisions assume the existence of
paper-based records, documents, signatures, etc. But these electronic means eliminate the need for
various paper transactions and demand necessary changes in the legal system. Therefore, certain
have been taken to facilitate e-commerce, to protect the interest of the people using means of
information technology and also to make necessary changes in the Acts to information
technology, the Information Technology Act of 2000 has been passed the provisions of this Act
relating to digital electronic governance, electronic records and certifying authority which have
been prescribed for the examination.

DIGITAL SIGNATURE
The authority person done signatures on different papers, letters, documents, etc.
in to reveal our identity or to authenticate the documents. If the persons are illiterate have to put
their thumb impressions on the documents in order to make the documents by following certain
formalities. Signatures serve certain basic purposes. In the first place, a signature authenticates
the writing by identifying the signer with the material, letter, documents, etc. When a mark in a
distinctive manner is made signer, such writing becomes attributable to the signer. Further, a
signature on any document often indicates or imparts a sense of clarity and also of finality to
transaction or substance. It also lessens the subsequent need to inquire beyond the face
document. For example, the amounts of cheques are paid to the concerned payee: verification of
signatures of the drawers with their specimen signatures. Secondly, the of signing the documents
also calls to the attention of the signer towards the importance of his or her act and thus, helps to
prevent inconsiderate A signature is required as one of the formal requirements for completing
the transactions according to the provisions of different Acts. A signature on any document
indicates the signer's approval or authorization of the writing on the document or his intention
that it has the legal effect.
The above mentioned are the basic purposes of obtaining signatures on the and
hence, the signer's authentication is considered very essential in the regime of but in the era of
modern information technology, the traditional methods of and authenticating transactions are
rapidly becoming obsolete. If the Internet becomes widely accepted medium for commerce in
India and e-commerce increase in volume value, importance of digital signature and public key
infrastructure is sure to increase fact, digital signatures have multitude of applications which
include electronic interchange, electronic funds transfer contracts, authentication and certification,
etc. Obviously, the main objective is to enable the recipient to prove the identity of the signer
sender and also to guarantee the integrity of the data being transferred properly.
The provisions relating to the digital signature have been made in the Information
Technology Act of 2000. Section 2 (p) defines the term 'Digital Signature' while Section 3 of the
I.T. Act throws light on the authentication of electronic records. Further, Rules 3, 4 and 5 of the
Information Technology (Certifying Authorities) Rules, 2000 also make clear the manner in which
information is authenticated by means of digital signature, creation of digital signature and
verification of digital signature. Let us consider these aspects as per the provisions of the Act.

New Satara College of BCA Pandharpur 1 Prof. Kirpekar R.R.



Definition of the Digital Signature


"Digital Signature" means authentication of any electronic record by a subscriber
by means of an electronic method or procedure in accordance with the provisions of section 3.

"Subscriber" means a person in whose name the digital signature certificate is
issued.

Authentication of electronic records, creation and verification of digital signature, etc.
Section 3 (Chapter II) of the I.T. Act makes clear the conditions subject to which
an electronic record can be authenticated by means of affixing digital signature. While the
Rules 3, 4 and 5 of the Information Technology (Certifying Authorities) Rules of 2000 throw
light on the manner in which the information is authenticated by means of digital signature,
creation of digital signature and verification of digital signature respectively.
The provisions of section 3 and these rules are given below:
(a) Authentication of Electronic Records [Section 3]:
(1) Subject to the provisions of this section any subscriber may authenticate an
electronic record by affixing his digital signature [Section 3 (1)].
(2) The authentication of the electronic record shall be effected by the use of
asymmetric crypto system and hash function which envelop and transform the initial
electronic record into another electronic record [Section 3 (2)].
For the purposes of this sub-section, "hash function" means an algorithm
mapping or translation of one sequence of bits into another, generally smaller set known as "hash
result" such that an electronic record yields the same hash result every time the algorithm is
executed with the same electronic record as its input making it computationally infeasible -
(a) to derive or reconstruct the original electronic record from the hash result produced
by algorithm;
(b) that two electronic records can produce the same hash result using the algorithm
[Explanation to Section 3 (2)].
(3) Any person by the use of a public key of the subscriber can verify the electronic record
[Section 3 (3)]
(4) The private key and the public key are unique to the subscriber and constitute a functioning
key pair [Section 3 (4)].

(b) The manner in which information be authenticated by means of digital signature [Rule 3]:
A Digital Signature shall -
(a) be created and verified by cryptography that concerns itself with transforming
electronic record into seemingly unintelligible forms and back again;
(b) use what is known as "Public Key Cryptography", which employs an
algorithm using two different but mathematically related "keys" — one for creating a Digital
Signature or transforming data into a seemingly unintelligible form, and another key for
verifying a Digital Signature or returning the electronic record to original form, the process
termed as hash function shall be used in both creating and verifying a Digital Signature.

Explanation: Computer equipment and software utilizing two such keys are often termed as
"asymmetric cryptography".
(c) Creation of Digital Signature [Rule 4]:
To sign an electronic record or any other item of information, the signer shall first
apply the hash function in the signer's software; the hash function shall compute a hash result of
standard length which is unique (for all practical purposes) to the electronic record; the signer's
software transforming the hash result into a Digital Signature using signer's private key; the
resulting Digital Signature shall be unique to both electronic record and private key used to
create it; and the Digital Signature shall be attached to its electronic record and stored or
transmitted with its electronic record.
(d) Verification of Digital Signature [Rule 5]:
The verification of a Digital Signature shall be accomplished by computing a
new hash result of the original electronic record by means of the hash function used to create a
Digital Signature and by using the public key and the new hash result, the verifier shall check —
(i) if the Digital Signature was created using the corresponding private key; and
(ii) if the newly computed hash result matches the original result which was transformed
into Digital Signature during the signing process. The verification software will confirm the
Digital Signature as verified if —
(a) the signer's private key was used to digitally sign the electronic record, which
is known to be the case if the signer's public key was used to verify the signature because, the
signer's public key will verify only a Digital Signature created with the signer's private key; and
(b) the electronic record was unaltered, which is known to be the case if the hash
result computed by the verifier is identical to the hash result extracted from the Digital Signature
during the verification process.
(e) Meaning of important terms used in the above mentioned provisions:
There are various technical terms used in the Act. The meanings of these terms are
given in Schedule V appended to the Information Technology (Certifying Authorities) Rules
of 2000 under the heading "Glossary". The meanings of certain technical terms used in the above
mentioned provisions are given below for your ready reference.
(1) Electronic Record: 'Electronic Record' means data, record or data generated image or sound
stored, received or sent in an electronic form or microfilm or computer generated micro-fiche.
(2) Electronic Form: Electronic form with reference to information means any information
generated, sent, received or stored in media, magnetic, optical, computer memory, microfilm,
computer generated micro-fiche or similar device.
(3) Asymmetric Crypto System: A system of a secure key pair consisting of a private key for
creating a digital signature and a public key to verify the digital signature.
(4) Hash [Hash Function]: An algorithm that maps or translates one set of bits into another
(generally smaller) set in such a way that —
(i) A message yields the same result every time the algorithm is executed using the
same message as input.

(ii) It is computationally infeasible for a message to be derived or reconstituted from
the result produced by the algorithm.
(iii) It is computationally unfeasible to find two different messages that produce the
same hash result using the same algorithm.
(5) Key: A sequence of symbols that controls the operation of a cryptographic information e.g.
encipherment, decipherment, cryptographic check function computation, signature generation or
signature verification.
(6) Public Key: The key of a key pair used to verify a digital signature and listed in the Digital
Signature Certificate.
(7) Private Key: The key of a key pair used to create a digital signature.
(8) Cryptography:
(I) The mathematical science used to secure the confidentiality and authentication of
data by replacing it with a transformed version that can be reconverted to reveal the original data
only by someone holding the proper cryptographic algorithm and key.
(II) A discipline that embodies the principles, means, and methods for transforming
data in order to hide its information content, prevent its undetected modification, and/or prevent
its unauthorized uses.
(9) Public Key Cryptography: A type of cryptography that uses a key pair of mathematically
related cryptographic keys. The public key can be made available to anyone who wishes to use it
and can encrypt information or verify a digital signature, the private key is kept secret by its
holder and can decrypt information or generate a digital signature.
(10) Public Key Infrastructure [PKI] / PKI Server: A set of policies, processes, server
platforms, software and workstations used for the purpose of administering Digital Signature
Certificates and public-private key pairs, including the ability to generate, issue, maintain and
revoke public key certificates is PKI server.
From the definition of digital signature [Section 2 (p)], provisions of section 3, the
Rules 3 and 4 and the meanings of technical terms used and mentioned above, we come to know
various aspects relating to the digital signature, its creation, verification, etc. In that
context, we can summarise the same in the following way.
(a) A digital signature is the result of computations involving the message to be
signed and the signer's private key.
Digital signatures are created and verified by cryptography which is the branch of applied
mathematics that concerns itself with transforming messages into seemingly unintelligible forms
and back again.
The use of digital signatures usually involves two important processes, one performed by
the signer and the other by the receiver of the digital signature.
(b) First the electronic record is converted into a message digest by using a mathematical
function, i.e. a hash function, which digitally freezes the electronic record and so ensures
the integrity of the contents of the intended communication contained in the electronic
record. If any tampering is done with the contents of the electronic record, that will
immediately invalidate the digital signature.
(c) The identity of the person affixing the digital signature is authenticated through
the use of a private key which attaches itself to the message digest and which can
be verified by anyone who has the public key corresponding to such private key.
(d) As the electronic record is fixed with the digital signature, it becomes possible to
verify whether the electronic record is retained intact or has been tampered.
Further, it enables a person who has a public key to identify the originator of the
message.
Digital signatures are well suited for wireless Internet-enabled devices. Digital
signatures are definitely complementary to automation bringing various benefits including
faster, more efficient processing and reduced error rates and administrative costs.
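
The creation and verification steps of Rules 4 and 5 above can be followed in code. This is an added example, not part of the original chapter: it assumes SHA-256 as the hash function and unpadded textbook RSA with a constructed, insecure demonstration key built from two publicly known Mersenne primes; the function names and the sample record are hypothetical.

```python
import hashlib

# Constructed demonstration key material (NOT secure): two publicly known
# Mersenne primes, chosen so the example runs with the standard library only.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537


def make_key_pair(p=P, q=Q, e=E):
    """Return (public_key, private_key), each as an (exponent, modulus) tuple."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, inverse of e
    return (e, n), (d, n)


def hash_result(record: bytes) -> int:
    """Rule 4: compute a hash result of standard length for the record."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def create_signature(record: bytes, private_key) -> int:
    """Rule 4: transform the hash result using the signer's private key."""
    d, n = private_key
    return pow(hash_result(record), d, n)


def verify_signature(record: bytes, signature: int, public_key) -> bool:
    """Rule 5: recompute the hash of the record and compare it with the
    hash result recovered from the signature using the public key."""
    e, n = public_key
    if not 0 <= signature < n:  # reject values outside the key's range
        return False
    recovered = pow(signature, e, n)
    return recovered == hash_result(record)


def demo():
    """Run the three cases Rule 5 distinguishes on a constructed record."""
    public_key, private_key = make_key_pair()
    other_public, _ = make_key_pair(q=2**1279 - 1)  # a different subscriber
    record = b"Pay Rs. 5,000 to A. Kumar"           # constructed sample
    altered = b"Pay Rs. 50,000 to A. Kumar"
    sig = create_signature(record, private_key)
    return {
        "genuine": verify_signature(record, sig, public_key),
        "altered_record": verify_signature(altered, sig, public_key),
        "wrong_public_key": verify_signature(record, sig, other_public),
    }


if __name__ == "__main__":
    print(demo())
```

Only the first case verifies: altering the record changes the recomputed hash result, and a public key that does not correspond to the signing private key recovers a different value. Deployed signature schemes add a padding step before the private-key transformation, which this example omits.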

Digital Signature Certificates


Now-a-days, in India, the use of Internet is increasing even in the field of business
commerce. In the information technology age, more and more organizations are joining the
revolution through B2B [business to business] and B2C [Business to consumers] sites in order to
expand the business and to generate more revenues. But for this purpose and so far as the Internet
transactions are concerned, a lot of trust is required. In our regular transactions, it is easy to verify
someone's identity by using his or her signature or identification card if required. But, on Internet
or in Internet transactions, the opportunity for face-to-face verification is just impossible or very
rare. Hence, the need was felt to develop some technique which can develop a feeling of trust
between the merchants and consumers doing business on the Internet. Digital Signature Certificate
Technology is developed for that purpose. A digital signature certificate, in simple language,
consists of basic information about one's digital identity such as an individual's or his company's
name, e-mail address, digital signature, etc.
Digital signature is nothing more than a series of numbers called a public key which
forms the basis of all encryption algorithms. A digital signature authenticates the legal identity of
the concerned party or person. Secure communication demands five key elements to work, and they
are confidentiality, authorization, authentication, integrity and non-repudiation. From this point of
view the Cyber law i.e. the I.T. Act, 2000 has been passed and the provisions have been made in
the Act to issue digital signature certificates in Chapter VII under Sections from 35 to 39. A
digital signature certificate is issued by the Certificate or Certifying Authority according to the
provisions of the I.T. Act, 2000 basically for the purpose of the promotion of safe and service
e-commerce transactions over the Internet. The Certifying Authority, as we have already studied,
is a trusted third party entity whose important responsibility is the authenticity of the user. A
passport is the identity of a citizen or a college student can be identified on the basis of his identity
card issued by the principal of the college. Similarly a network user's electronic identity is the
proof that the person or organization as the case may be, is certified by the Certifying Authority.
Now, let us consider the provisions of the I.T. Act included in Chapter VII relating to the Digital
Signature Certificates.

Certifying Authority to Issue Digital Signature Certificate [Section 35]


A certifying authority is empowered under this Act to issue digital signature certificates. Section
35 deals with the form in which digital signature certificate may be issued by the Certifying
Authority. A person can make an application in the prescribed form to the Certifying Authority for
the issue of a digital signature certificate by paying the prescribed fee. The form for an application
for issue of Digital Signature Certificate is given in Schedule IV of the I.T. (Certifying Authorities)
Rules, 2000. Such application is required to be accompanied by a certification practice statement
or a statement containing specified particulars. The provisions of Section 35 are given below:
(1) Any person may make an application to the Certifying Authority for the issue of a
Digital Signature Certificate in such form as may be prescribed by the Central Government
[Section 35 (1)]
(2) Every such application shall be accompanied by such fee not exceeding twenty five
thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying
Authority [Section 35 (2)]
It is provided that while prescribing fees under sub-section (2) different fees may be
prescribed for different classes of applicants [Proviso to Section 35 (2)].
