Tuesday, December 23, 2008

Information security - 1

In the wake of the Mumbai terror tragedy, people in India have become very conscious of their safety. Safety matters just as much when it comes to your personal information. Besides the obvious threats to life and health, when safety and security are not taken seriously, personal information can be stolen or misused, and that poses hazards of its own. Let us look at a few of these in brief.

Hidden dangers

Phishing: A dreaded term in the online world is phishing. Just like fish that cannot see the net being lowered into the water, the internet surfer does not realise that he is clicking his way to a phoney website that asks him for confidential information such as a username, password or account number. Beware of emails that lure you to an unknown website, or that come from an address that reads like one of the banks you have an account with. Clicking may lead you to a similar-looking but phoney website. Rather than following the link, type your bank's address into the browser yourself, and check the address shown in the address bar before entering anything.

Hacking: This is different from phishing in that here a person uses special software or a device to gain access to your computer, and can then use it to suit his needs. For example, the hacker may plant a program that records your keystrokes as you type your password while logging in to your net banking account. Techies with constructive motives have designed the "virtual keyboard", where you click on an on-screen keyboard and the characters fill the password field without being typed. A keystroke logger cannot read the clicks, so this defeats that particular attack, though not malware that captures the screen or the mouse position. As with phishing, the choice to exercise caution is yours.

Further in this series, you will learn about real dangers as opposed to virtual ones. We will also give you tips on how to exercise caution and stay two steps ahead of potential cyber criminals. Technology can be abused, but abuse also drives R & D and new discoveries.

So stay tuned-in for more!

Monday, December 8, 2008

Why Digital Signatures?

Designing new systems to authenticate users has proven costly and cumbersome, demanding too much technical skill of users. Most consumers do not want to take on commitments without physically signing a document in person. A range of authentication techniques has been developed and tested, but none has been efficient and effective enough. Digital signatures are now the technique that comes closest to answering all of these needs.

Digital signatures are one form of electronic signature. The term electronic signature covers the full range of electronic means of confirming who sent a message. They range from a file containing a graphical image of the sender's handwritten signature (simple but unreliable) to biometric techniques such as iris scans (complex but reliable).

Digital signatures are based on public key technology, a form of encryption invented in the 1970s that uses two different keys (which is why it is also known as asymmetric cryptography). One key is kept secret (the private key); the other is made publicly available (the public key). The two are generated together and are collectively known as a "key pair". Something encrypted with one of the two keys can only be decrypted with the other. A digital signature uses exactly this property: the signer's private key produces the signature, anyone holding the public key can check it, and nobody without the private key can produce it.

Tuesday, November 18, 2008

Digital signatures in daily life

Life is getting more digitalised by the day. Sometimes technology can complicate matters; at other times it can relieve you of many avoidable tasks. The digital signature is one such technological application that simplifies life greatly. Yet many of us are not aware of how useful it can be. So let us look at some day-to-day uses of digital signatures.

For Individuals:

Bill payment: Your private key confirms that the payment instruction came from you and that the details you entered, such as card number and expiry date, have not been altered on the way. In a physical transaction you sign the transaction slip, but how do you sign online? Going forward, you will be able to identify yourself digitally while paying your bills.

eCommerce: This includes online shopping for tangible products as well as services like travel packages, online courses, consultancy services, podcasts etc.

Insurance: You can apply for an insurance policy and give details online as well as correspond online for policy servicing. Not only this, you can also put in a claim online. Say you are recovering from an ailment and cannot visit the insurance company's branch or courier relevant documents. But if you have a computer with an internet connection and a scanner, you can speed up your case by submitting a claim online or email a scanned copy of the claim form and other documents.

ECS mandates: Utility payments are often made by giving your bank and service providers standing instructions on debiting your account every time a payment is due. Now if these transactions are going to happen electronically, you can issue instructions online too. And you can sign your mandate digitally, to reassure your bank and service providers that it is indeed you who has issued the instructions.

E-file your return: You can file your income tax return online in 2 ways. Either you can file a soft copy and follow it up with a personal visit to the tax office to submit a copy of the ITR-V and get the acknowledged copy back. Or you can simply attach your digital signature to your electronic return form and get an acknowledgement via email, without getting up from your seat! Who wouldn't choose the latter?

Using digital signatures places the common man in a powerful position. As you play your part in ensuring authenticity, integrity and speed by using digital signatures, you can expect your service providers and product sellers to guarantee at least the same level of efficiency, if not higher.

Wednesday, November 12, 2008

Who regulates digital signature use in India?

The Information Technology Act, 2000 was enacted to give a legal backing and a regulatory framework for the promotion of e-Governance and e-Commerce in India.

Digital Signatures and Certificates are central to ensuring the security of e-Governance and e-Commerce transactions. Certificates cannot be sold the way goods are sold in online stores; a proper organisational setup is needed to issue them. The IT Act provides for the setting up of Certifying Authorities (CAs), which issue Digital Signature Certificates in India. To ensure that these CAs function smoothly and in tandem, the Controller of Certifying Authorities (CCA) was set up. It is the CCA that issues a CA its licence, which in turn allows the CA to issue digital certificates.

The CCA maintains the National Repository of Digital Certificates (NRDC)$, which contains all digital certificates issued by all certifying authorities in India to date. This is a mandatory requirement under the IT Act, 2000. Even the licences issued to the CAs are digitally signed by the CCA, in an environment that conforms to the same strict guidelines that apply to CAs. The certifying authorities in India can cross-certify each other as well as CAs across the globe. This helps them recognise each other's certificates and enables governments, businesses and individuals to operate in the global internet space in a seamless way.

 $ Source: CCA brochure

Sunday, November 2, 2008

Why should I sign my electronic documents?

Let us say you are an independent researcher who has developed a scientific formula and prepared a paper on it. You need to have the formula patented with the Indian Patents Office. You will need to sign the document for it to be considered an authentic work and to prove that it was indeed created by you.

What if you don't take it seriously and simply mail your paper to the Patents Office without signing it? The Patents Office will simply dismiss your work and get on with other applications. Worse, if the unsigned paper accidentally lands in the wrong hands before it reaches the intended recipient, that person could sign it and claim credit, putting to naught all your hard work and creativity.

Now if you had to send the same piece of work electronically, but you didn't have access to email, how would you send it? Maybe you would save it to a pen drive and courier the pen drive through a recognised courier company. Does that still prove that you developed the formula or prepared the research paper? To conclusively establish that you are who you claim to be, you must sign the electronic document digitally. That does not mean scanning the physically signed paper. You need to obtain a Digital Signature Certificate from a Certifying Authority and sign the relevant document with the corresponding private key within the certificate's validity period. How you send the document to the recipient is secondary.

Digital Signatures and Indian Law

The biggest hurdle in implementing any technological breakthrough on a mass scale is getting its use legalized. The Indian government has shown a progressive attitude in this regard by bringing into effect The Indian Information Technology Act, 2000, to facilitate and popularize the use of digital signatures in the country.

Important provisions explained

  • Electronic records in business and other fields have been given legal standing.
  • Digital Signatures have been given legal recognition, so that these records can be attributed to a specific person while, at the same time, the integrity of the records is assured.
  • Certifying Authorities are licensed to issue Digital Signature Certificates.
  • The activities of Certifying Authorities are monitored by a Controller of Certifying Authorities appointed by the Central Government.

 $Source: Network Magazine India website

Wednesday, October 8, 2008

Are digital signatures error-proof?

Digital signatures are a way to make sure that the sender's identity is not mistaken: the signature can only have been made with the private key that belongs to the certificate holder. The content the sender signed is bound to that identity, and the sender cannot deny having signed it, because the signature verifies only under his public key. If you have never used a digital signature, you may still have your own apprehensions.

As long as the message is hashed and then signed, verification leaves no room for a mistaken match. If you hash a document, sign the hash, and the document is then altered in any way (by anyone, including yourself), the hash the recipient computes will not match the one your signature vouches for, and verification fails. In that sense digital signatures are error-proof with respect to both identity and content: a valid signature means this key, this content. Two caveats apply. Verification ties the signature to the private key, not to a person; if the key is stolen, the thief's signatures verify just as well, which is why keeping the private key secret is the signer's responsibility. And when verification fails, you cannot tell from the failure alone whether it was a transmission error or a forgery attempt; both look the same.

Validity of Digital Signatures

How long a digital signature certificate remains valid depends on who issued it; usually the validity is 1-2 years. Every CA has its own product specification that varies according to its target market. The good news is that digitally signed documents can be time-stamped by a trusted time-stamping service, so that even after the certificate expires, the signature can still be validated as having been made while the certificate was in force.

This comes in handy when you have digitally signed a contract or agreement that will stay in force beyond the validity period of the certificate, e.g. a long-term lease. All parties to the contract must retain the time-stamped copy. If the document is time-stamped, then even if the signer's key is compromised later on, the time-stamp proves the signature was made before the compromise, and the contract's validity can still be established.

Monday, September 22, 2008

Uses of Digital Signatures

Digital Signatures are an answer to security and confidentiality issues in electronic communication. They come in handy in several ways…

With the advent of electronic filing of income tax returns, digital signatures have become objects of curiosity. For corporates, e-filing is mandatory and the quickest way to sign the return is with a digital signature. Individuals too have begun signing their tax returns digitally. Certain service providers are authorised by the government to use bulk digital signatures. In such cases, a corporate may have a tie-up with the service provider covering hundreds of its employees: authorised e-return intermediaries apply a single digital signature to hundreds of returns and file them electronically. This saves money both for the corporate and its employees, and saves precious processing time for the service provider by eliminating the need to verify physical or separate digital signatures for every individual employee.

 

Another use of digital signatures is to authenticate email communication. Reports, documents, employees' Form 16 and other such official documentation may need to be signed for these to be used for business purposes or to be enforceable at law. They can then be emailed to the intended recipients. For instance, if your employer gave you a salary slip via MS Outlook but did not physically stamp and sign it, you may not be able to submit it to your next employer as part of your joining formalities. But if the salary slip was signed digitally, you would not need a physical stamp and signature of the authorised signatory. The digital signature proves that the slip was signed with the key belonging to the employer's authorised signatory and that its contents have not changed since it was signed; the email address it arrived from proves nothing on its own, since sender addresses are easily faked. If you forwarded the signed slip to your new company, they could check for themselves that the document is authentic.

 As technology evolves and the way people do business gets more sophisticated, digital signatures are likely to be used in more creative ways, thereby maintaining integrity of electronic communication.

Thursday, September 18, 2008

How do Digital Signatures work?

Being a technological concept, digital signatures are best explained (and understood) using examples.

Let's say Bill needs to mail a confidential report to Steve. Bill first runs the lengthy report through a hash function, which reduces it to a short, fixed-length fingerprint (a digest). He then signs that digest with his private key. As the name suggests, the private key is known only to Bill. Applying his private key to the digest is what a digital signature really is. He then sends the report and the signature to Steve, along with his digital certificate, which carries his public key. Note that signing does not hide the report: if it must also be kept confidential, Bill separately encrypts it for Steve (for example with Steve's public key); signing and encrypting are two different operations.

Steve, on receiving the document, computes the same digest over the report as he received it and uses Bill's public key to check the signature against that digest. If the check succeeds, it means that Bill's private key signed exactly this content, that the report has not been changed since it was signed, and that Bill cannot later claim the document did not originate from him. The verification is performed by the signing software; Steve does not do the arithmetic by hand.

Tuesday, September 16, 2008

Digital Signature vs Digital Certificate

A Digital Signature is a signature that authenticates documents in electronic form the same way as a physical signature or thumb impression authenticates documents in hard copy (e.g. paper). The authentication is two-fold:

  • Who the sender of the message or the signer of the document is, and
  • That the message or document content has not been tampered with and that it has reached the intended recipient in the same form that it was sent.

A Digital Certificate, on the other hand, is more like an electronic identity card issued by a Certifying Authority. It contains the certificate holder's name, a serial number, validity dates, a copy of the holder's public key (used to verify the holder's digital signatures or, for an encryption certificate, to encrypt messages to the holder) and the Certifying Authority (CA)'s digital signature over all of these, so that the recipient can check that the certificate is genuine.

So while a Digital Signature is what confirms a particular document's authenticity, a Digital Certificate is what ties the public key needed to check that signature to the signer's name, and it carries the validity period. The certificate does not contain your signatures on documents; those are created afresh for each document with your private key. To put it plainly: when you purchase a "digital signature" from a Certifying Authority, what you get is a digital certificate for your key pair (the private key stays with you and is never part of the certificate). When you sign an electronic document, you sign it with the private key and attach the certificate. The recipient takes the public key from the certificate, checks that the CA's signature on the certificate is genuine, and uses that public key to verify your signature on the document.
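The certificate fields and the issuing hierarchy described above, as an added example that is not code from the original posts, in Go using only the standard library's crypto/x509 package: a self-signed root standing in for the licensing authority, a CA certificate signed by the root, and a two-year subscriber certificate signed by the CA. It also illustrates the point from the post on validity: the chain is checked as of the instant a time-stamp would record rather than the wall clock, so a signature made while the certificate was in force still checks out after expiry. The names, serial numbers and dates are constructed for the example; the hierarchy only models the CCA/CA arrangement and is not the CCA's actual certificate profile.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Holder pairs a private key with the certificate that binds the matching
// public key to a name. Only the public key goes into the certificate.
type Holder struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// Issue generates a key pair and a certificate for it: serial number, subject
// name, validity window, the public key, and the issuer's signature over all of
// that. A nil parent produces a self-signed root.
func Issue(serial int64, subject string, isCA bool, from, to time.Time, parent *Holder) (*Holder, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             from,
		NotAfter:              to,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerKey, signerCert := key, tmpl // self-signed unless a parent is given
	if parent != nil {
		signerKey, signerCert = parent.Key, parent.Cert
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Holder{Key: key, Cert: cert}, err
}

// Chain models the hierarchy in the posts: a licensing root (the CCA's role)
// signs the CA's certificate, and the CA signs the subscriber's certificate.
type Chain struct {
	Root, CA, Subscriber *Holder
}

// BuildChain issues a 20-year root, a 10-year CA and a 2-year subscriber
// certificate, all starting at 'start'. Names are constructed for the example.
func BuildChain(start time.Time) (*Chain, error) {
	root, err := Issue(1, "Example Licensing Root", true, start, start.AddDate(20, 0, 0), nil)
	if err != nil {
		return nil, err
	}
	ca, err := Issue(2, "Example Licensed CA", true, start, start.AddDate(10, 0, 0), root)
	if err != nil {
		return nil, err
	}
	sub, err := Issue(3, "A. Subscriber", false, start, start.AddDate(2, 0, 0), ca)
	return &Chain{Root: root, CA: ca, Subscriber: sub}, err
}

// VerifyAt checks the subscriber certificate up to the root as of a chosen
// instant: the CA's signature on it, the root's signature on the CA, and that
// each certificate was within its validity window at that instant. Passing the
// instant recorded by a trusted time-stamp instead of the wall clock is what
// lets a signature be checked after the certificate has expired.
func VerifyAt(c *Chain, at time.Time) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root.Cert)
	inter.AddCert(c.CA.Cert)
	_, err := c.Subscriber.Cert.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		CurrentTime:   at,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	issued := time.Date(2008, 10, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	c, err := BuildChain(issued)
	if err != nil {
		panic(err)
	}
	signedAt := issued.AddDate(0, 1, 0) // the instant a time-stamp would record
	fmt.Println("CA's signature on subscriber cert:", c.Subscriber.Cert.CheckSignatureFrom(c.CA.Cert)) // <nil>
	fmt.Println("chain valid at time-stamp:", VerifyAt(c, signedAt))                                   // <nil>
	fmt.Println("chain valid three years on:", VerifyAt(c, issued.AddDate(3, 0, 0)))                    // expired
}
```

CheckSignatureFrom is the "is the CA's signature on this certificate genuine?" step a recipient performs before trusting the public key inside it; VerifyAt additionally walks up to the root and applies the validity windows. Three years after issue the same certificate chain is rejected purely because the subscriber certificate has expired, which is the situation the time-stamp is there to handle.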

Monday, September 15, 2008

What are Digital Signatures?

Digital Signatures are signatures in cryptographic form that assure both sender and receiver of a tamper-proof document exchange. There are two components, a "Private Key" and a "Public Key". The sender signs the document with his private key. Strictly, this does not encrypt the text; it produces a signature value computed over the document (via its hash) that only that private key could have produced, while the document itself stays readable. The receiver uses the sender's public key, received along with the document inside the sender's digital certificate, to verify the signature against the document. This establishes who signed it and assures that the document has not been tampered with en route.
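The sign-and-verify flow in the paragraph above and in the Bill-and-Steve post ("How do Digital Signatures work?"), as an added example that is not part of the original posts, in Go with the standard library's crypto/rsa: hash the report with SHA-256, sign the digest with the private key, and have the recipient verify with the public key. It also runs the two failure cases from the post on error-proofing: a report altered after signing, and the same report signed with someone else's key. The report text and the party names are constructed; PKCS#1 v1.5 with SHA-256 is used as a concrete signature scheme, not because the posts name it.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign is the "hash, then sign" step: the report is reduced to a SHA-256
// digest and the digest is signed with the private key (PKCS#1 v1.5).
// The report itself is not encrypted by this step; it stays readable.
func Sign(priv *rsa.PrivateKey, report []byte) ([]byte, error) {
	digest := sha256.Sum256(report)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest over the report as received and checks it
// against the signature using the public key. A nil result means the
// signature was made with the matching private key over exactly this
// content. A non-nil result does not say whether the cause was tampering,
// a forgery with another key, or corruption in transit; all look the same.
func Verify(pub *rsa.PublicKey, report, sig []byte) error {
	digest := sha256.Sum256(report)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// Outcome records the three verifications the posts describe.
type Outcome struct {
	Genuine  error // Bill's report, Bill's signature, Bill's public key
	Altered  error // one figure changed after signing
	WrongKey error // same report, signed by someone else's private key
}

// Demo walks through the Bill-and-Steve exchange with a constructed report.
func Demo() (Outcome, error) {
	bill, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed sample content; any bytes would do.
	report := []byte("Confidential report: Q3 revenue INR 12.5 crore, approved by Bill")

	sig, err := Sign(bill, report)
	if err != nil {
		return Outcome{}, err
	}
	// Steve holds only Bill's public key (in practice taken from Bill's
	// certificate); the private key never leaves Bill.
	pub := &bill.PublicKey

	// Someone changes a single figure after Bill signed.
	altered := bytes.Replace(report, []byte("12.5"), []byte("21.5"), 1)

	// An impostor signs the identical text with their own key.
	forged, err := Sign(impostor, report)
	if err != nil {
		return Outcome{}, err
	}

	return Outcome{
		Genuine:  Verify(pub, report, sig),
		Altered:  Verify(pub, altered, sig),
		WrongKey: Verify(pub, report, forged),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine report, Bill's key:", o.Genuine)     // <nil>
	fmt.Println("altered report, Bill's key:", o.Altered)     // crypto/rsa: verification error
	fmt.Println("genuine report, impostor's key:", o.WrongKey) // crypto/rsa: verification error
}
```

The altered and forged cases fail with the same error, which is the caveat from the post on error-proofing: verification tells you that something is wrong, not what. Note also that nothing in this flow hides the report; confidentiality, if needed, is a separate encryption step.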

Digital signature addresses the P.A.I.N areas i.e

P - Privacy (a signature by itself does not hide the contents; privacy comes from encrypting the document in addition to signing it)
A - Authenticity
I - Integrity
N - Non Repudiation

In India, the Information Technology Act, 2000 authorises the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities (CAs), which in turn issue Digital Signature Certificates (DSCs) for electronic authentication of users.