THE LAW AND TECHNOLOGY OF DIGITAL SIGNATURES IN INDIA

8/7/2019 THE LAW AND TECHNOLOGY OF DIGITAL SIGNATURES IN INDIA

1/26

THE LAW AND TECHNOLOGY OF DIGITAL SIGNATURES IN INDIA

Chapter-1

OBJECTIVE AND DEFINITION OF DIGITAL SIGNATURES

Electronic transactions are fast emerging as an alternative means of carrying out

transactions instead of paper based transactions. However with the increase in the

transactions taking place on the internet the issue of authenticity and veracity was

looming large. Contracts worth huge sum of money were being entered into

without ensuring the validity and authenticity of the parties.

Traditionally hand written signatures were used for the following purposes;

a) To identify a person, by signing the signatory marks the text in his/her ownunique way and makes it attributable to him/her.

b) To validate the personal involvement of the person in the act of signing.c) To associate the signer with the content of the document , or as a proof the

signers intention that it has legal effect.

d) To attest to the intent of a party to be bound by the signed contract.e) To show the intent of a person to endorse authorship of a text.f) To show intent of the person to associate himself with the content of a

document written by someone else;

g) As a matter of ceremony signing calls to the signer attention the legalsignificance of his act;

h) To provide efficiency and logistics along with clarity.

Similarly a need was felt to incorporate an instrument that would validate online

transactions. using the technology of cryptography, the concept of Digital


2/26

Signatures was introduced. The UNCITRAL Model Law on E-Commerce is based

on the recognition of the functions of a signature in the paper form. It focuses on

the 2 basic functions of a digital signature namely;

a) Identifying the author of a document

b) Confirming the approval of the content by the author.

In the electronic environment basic legal functions of a signature are performed by

way of a method that identifies the originator of a data message and confirms that

the originator approved the content of the data message. This method uses the

techniques of cryptography and encryption. Public key cryptography is an

asymmetric scheme that uses a pairof keys for encryption: a public key, which

encrypts data, and a corresponding private, orsecret key for decryption. You

publish your public key to the world while keeping your private key secret.

Anyone with a copy of your public key can then encrypt information that only you

can read.

The primary benefit of public key cryptography is that it allows people who have

no pre existing security arrangement to exchange messages securely. The need for

sender and receiver to share secret keys via some secure channel is eliminated; all

communications involve only public keys, and no private key is ever transmitted or

shared. The use of public key cryptography is made in digital signatures. They are

signatures used for marking or signing an electronic document. The process is

analogous to the paper based signatures and it is a digital code that can be attached

to an electronically attached message that uniquely identifies the sender and

ensures that the document has not been altered.


3/26

As is the case with Electronic Data Interchange (EDI), the process of creating and

verifying digital signatures can be completely automated with minimal human

interaction. Compared to the tedious and labour-intensive paper methods such as

checking specimen signature cards, digital signatures yield a high degree of

assurance without adding greatly to the resources required for processing

documents.

The following representation gives an illustration as to how digital signatures are

created and verified;

CREATION OF DIGITAL SIGNATURES

Message

Message Hash Function Hash Result Signing function Digital Signature--

To verifier

Private Key

VERIFICATION OF DIGITAL SIGNATURES

Message Hash Function Hash Result

FROM SIGNERDigital Signature verify function

VALID YES/NO?Public key


4/26

A digital signature serves the same purpose as a handwritten signature. However, a

handwritten signature is easy to counterfeit. A digital signature is superior to a

handwritten signature as it is nearly impossible to counterfeit, plus it attests to the

contents of the information as well as to the identity of the signer.

The advantages of digital signatures are;

a) Uniqueness

b) Inability to forge

c) Ease of authentication

d) Impossibility of denial

e) Economy of generation

f) Ease of generation

Digital Signature means the authentication of any electronic record by a subscriber

by means of electronic method or procedure in accordance with the provisions of

section 3, which provides that any subscriber may authenticate an electronic record

by affixing his digital signature. The authentication of an electronic record shall be

affected by the use of asymmetric cryptosystem and hash function which transform

the initial electronic record into another electronic record. It further states that any

person by the use of the public key of the subscriber can verify the electronic

record. The private and the public key are unique to the subscriber and constitute a

functioning key pair. The American Bar Association defines Digital Signatures as

an electronic signature created and verified by means of cryptography, the branch

of applied Mathematics that concerns itself with transforming messages into

seemingly unintelligible forms and back again. In the United States at least 36

states have enacted or are in the process of enacting a legislation

legitimizing digital signatures.


5/26

A digital signature must ensure that it accomplishes the following purposes;

Signer authentication: If a public and a private key pair are associated with an

identified signer, the digital signature attributes the message to the signer. The

signature must indicate by whom the document or message is signed and shall be

difficult for any other person to produce without authorization.

Document/message authentication: The digital signature identifies the signed

message with much greater certainty and precision than paper signatures. The

signature must comprise of a non repudiation service, which provides proof of the

origin or delivery of data in order to protect the sender against false denial by the

recipient or the sender that the data has been received or sent.

Affirmative Act: Serving the ceremonial and approval functions of the signature, a

person should be able to create a signature to mark the event, indicate approval and

authorization and establishing legal consequences.

Efficiency: Generally a signature must be able to provide the best possible

authenticity and validity with the least possible expenses.

From the above discussion we can conclude that Digital signatures are signatures

which are used to authentic and validate electronic transactions on the internet

through the use of technology.

To give legality to the use of digital signatures in India, the Information

Technology Act, 2000 recently amended in 2008 has incorporated provisions

recognizing digital signature, one of the forms of electronic signatures as a means

to authenticate electronic transactions which shall be discussed in detail in the

subsequent chapterChapter-2

TECHNOLOGY BEHIND DIGITAL SIGNATURES


6/26

Digital signatures are signatures which make use of a technology which is very

specific in nature and requires expertise and understanding of various technologies

required to obtain digital signatures. One such technology as introduced briefly in

the previous chapters is cryptography; it is the practice and study of hiding

information. The application of cryptography can be had in ATM cards, computer

passwords and Ecommerce. A cryptographic algorithm, or cipher, is a

mathematical function used in the encryption and decryption process. A

cryptographic algorithm works in combination with a keya word, number, or

phraseto encrypt the plaintext.

The same plaintext encrypts to different cipher text with different keys. The

security of encrypted data is entirely dependent on two things: the strength of the

cryptographic algorithm and the secrecy of the key. The science of cryptography

further includes Encryption and decryption techniques. In these two keys are

involved, a public key and a private key. Each user has a pair of keys of which the

private key is kept secret and the public key is made open to all. If X wants to send

a message to Y, Y shall encrypt the message with Ys Public Key and send it to Y.

The message shall be seen only by Y. This ensures the following purposes;

a) it protects the information contentb) establishes the authenticity of the sending partyc) preventing undetected modification of the messaged) preventing repudiatione) preventing unauthorized use

Cryptography can be symmetric as well as asymmetric, in case of a symmetric

cryptography, only one key is used to encrypt as well as decrypt a message


7/26

whereas in case of asymmetric cryptography a pair key is used to encrypt as well

as decrypt a message. Cryptography can be traced back to a paper published by

Whitfield Diffie and Martin Hellman proposed the notion ofpublic-key (also, more

generally, called asymmetric key) cryptography in which two different but

mathematically related keys are used a public key and a private key.

In 1977, a year after the publication of the Diffie-Hellman paper, three researchers

at MIT developed a practical method using the suggested ideas. This became

known as RSA, after the initials of the three developers -- Ron Rivest, Adi Shamir,

and Leonard Adelman -- and is probably the most widely-used public key

cryptosystem. It was b patented in the US in 1983, duly adopted as a standard, and

has always been widely available outside the US in implementations developed

locally even though, until recently, its export was restricted. In addition to being

the first publicly known examples of high quality public-key algorithms, have been

among the most widely used. Others include the Cramer-Shoup cryptosystem,

ElGamal encryption. A digital signature is a two way process involving the signer

i.e a creator of the digital signature and the recipient i.e the verifier of the digital

signature.

Creating a digital signature involves the following steps;

a) The signer demarcates what is to be signed which is termed as the message.b) A HASH function computes a hash result unique to the message.c) The signers software encrypts the hash result into a digital signature using

the signers private key. The resulting digital signature is thus unique to both

the message and the private key used to create it.

d) The digital signature is attached to the message and stored or transmittedwith its message.


8/26

Verifying a digital signature involves the following steps;

a) The recipient receives the digital signature and the message.b) The recipient applies the signers public key on the digital signaturec) Recipient recovers the hash result or the message digest from the digital

signature

d) The recipient creates a new hash result with the same hash function used bythe signer to create the digital signature.

e) The two hash results are compared and if the same are identical then itimplies that the

message is unaltered.


9/26

Chapter-3

DIGITAL SIGNATURE CERTIFICATES; PROCEDURE AND

AUTHORITIES

Digital signatures are a means to ensure validity of electronic transactions however

who guarantees about the authenticity that such signatures are indeed valid or not

false. In order that the keys are secure the parties must have a high degree of

confidence in the public and private keys issued. The user must have confidence in

the skill, knowledge and security arrangements of the parties issuing the public and

private keys. This brings in the role of TTPs or CAs, TTPs or CAs help in

establishing what is known as a public key infrastructure. A public key

infrastructure helps to provide confidence that;

a) A users public key has not been tampered with and it corresponds to theusers private key.

b) The entities issuing cryptographic keys can be trusted to retain or recreatethe public and private keys that may be used for confidentiality encryption

where the use of such a technique is authorized.

There is often a possibility of what is referred to as the man in middle attacks,

these are instances wherein a person uses a false key and intercepts a message

between two individuals, obtains the key of anyone through the false key and can

alter the message. In a public key environment, it is vital that you are assured that

the public key to which you are encrypting data is in fact the public key of the

intended recipient and not a forgery. One can encrypt only to those keys which

have been physically handed to him. However in case a person is completely

unknown or has never met then in such cases it is essential for a trustworthy

authority to step in. The purpose of a trusted third party is that with the help of a

certificate the prospective signer is associated with a key pair. This certificate that


10/26

binds the key with a particular holder is referred to as the digital signature

certificate. Certifying authorities issue certificates based on classes, class I

certificates are issued to individuals, business and government organizations,

primarily used for web browsing and personal e-mails. Class II certificates may be

issued to individuals belonging to business and government organizations that are

ready to assume the responsibility of verifying the accuracy of information

submitted to the individual. It is used primarily for organizations functional and

administrative needs. Class III certificates may be issued for both individuals and

organizations, are used primarily for e-commerce applications such as electronic

banking, EDI and membership based on-line services.

A recipient of the certificate desiring to rely upon an electronic signature created

by the holder named in the certificate can use the public key listed in the certificate

to verify that the electronic signature was created with the corresponding private

key. The digital signature certificates are issued by the certifying authorities who

are recognized by the controller of certifying authority which is a root certifying

authority in India. The Information Technology Act, 2000 defines a certifying

authority as one which has been granted a license to issue an electronic signature

certificate under section. It is important to note here that the term digital signatures

has been replaced with the term electronic signatures apparently to make the use

more technology neutral as earlier digital signatures was being referred to as much

more technology specific, however since the provisions of the Act are yet to be

notified therefore the amendment cannot be utilized at present.

Chapter VI of the Act provides for regulation of certifying authorities17 Section 17

provides for the appointment of controller by the central government by

notification in the official gazette. The controller shall perform such functions as


11/26

the central government may direct. The qualifications, experience and terms and

conditions of service of controller shall be prescribed by the central government.

There shall be a seal of the office of the controller and the head office as well as

the branch office of the controller shall be at such places as the central government

may specify.

Section 18 provides for the functions that the controller may perform. There have

been many foreign certifying authorities that issue digital signature certificates in

India. Section 19 of the Act provides for the recognition of foreign certifying

authorities, the section further prescribes that in case the authority contravenes any

of the conditions and restrictions subject to which it is granted recognition then the

controller may revoke such a recognition.

The controller of certifying authorities has established the Root Certifying

Authority. It is established under section 18(b) of the Information Technology Act,

2000 to certify public keys of all certifying authorities in India. Root certificate is a

self signed certificate that identifies the Root Certification Authority. A certificate

authority can issue multiple certificates in the form of a tree structure. A root

certificate is the top most certificate in the tree, the private key of which is used to

sign all other certificates. A root certificate helps the certificates to inherit the

trustworthiness.

Section 21 of the Act provides for license to issue electronic signature certificates

before the Controller of certifying authority. The license once granted shall be non

transferable and non heritable. Every application for issue of a license shall be in

the prescribed form as may be directed by the government. Section 22(2) provides

that every application for the issue of license shall be accompanied by


12/26

a) A certification practice statementb) A statement including the procedures with respect to identification of the

applicant

c) Payment of such fee not exceeding 25000 as may be prescribed by thecentral government.

The Act also lays down the provisions for the procedure of grant or rejection of

license as well as the renewal of license.

It must be noted here that the application for licensed certifying authority shall be

made in the prescribed format provided under Rule 10 of the Information

Technology (certifying Authorities) rules, 2000. The application for grant of a

license shall be accompanied by a non refundable fee of 25000, provided under

Rule 11 of the Rules.

The Act prescribes that every certifying Authority must follow certain procedures;

a) Make use of hardware, software and procedures that are secure fromintrusion or misuse.

b) Provide a reasonable level of reliabilityc) Adhering to security provisions to ensure that secrecy and privacy of digital

signatures is assured.

d) Become the repository of all electronic signature certificate issued under theAct

e) Publish information regarding its practices, electronic signature certificatesand current status of such certificate.


13/26

Section 35 prescribes the certifying authority to issue electronic signature

certificates. A certifying authority while issuing digital signatures shall certify

amongst other factors that the subscriber holds the private key corresponding to the

public key listed in the Digital signature certificate. The subscriber holds a private

key which is capable of creating a digital signature. The public key to be listed in

the certificate can be used to verify a digital signature affixed by the private key

held by the subscriber. The subscribers public key and private key constitute a

functioning pair. The information contained in the certificate is accurate.

Section 37 and section 38 prescribe for the conditions when the digital signature

may be revoked or suspended. Section 39 provides that where a digital signature

certificate has to be revoked or suspended a notice of suspension or revocation

shall be given.

Chapter VIII provides for the duties of subscribers which include the generation of

a key pair(section 40), acceptance of digital signature certificate(Section 40),

exercising reasonable care to retain control over private key corresponding to the

public key listed in the digital signature certificate and to take steps to prevent its

disclosure and in case the private key corresponding to the public key listed in the

digital signature certificate has been compromised the same shall be communicated

to the certifying authority without delay.

The central government under section 87 of the Act has the powers to make rules

and consequently the Information Technology Certifying Authority Rules (2000)

were framed. Rule 3 provides that a digital signature shall be created and verified

by cryptography that concerns itself with transforming electronic record into

seemingly unintelligible forms and back and again. It shall also use public key


14/26

cryptography and hash function necessary for creating and verifying a digital

signature. Rule 4 provides for the procedure of creation of digital signature, the

signer shall apply the hash function in the signers software, thereafter the hash

function shall compute a hash result of standard length which is unique to the

electronic record, the signers software shall transform the hash result into digital

signature using signers private key and the resulting digital signature shall be

unique to both the electronic record and private key used to create it and the digital

signature shall be attached to its electronic record and stored or transmitted with its

electronic record.

Rule 5 provides for the verification of the digital signature, the process being same

as discussed previously. Rule 8 prescribes for the persons who may apply for grant

of license to issue digital signature certificates. Rule 13 to 17 provide for validity,

suspension, renewal, issuance and refusal of license. Rule 23 provides for

compliances by the certifying authorities in addition to the requirements under

section 35 of the Act;

(a) The Digital Signature Certificate shall be issued only after a Digital Signature

Certificate application in the form provided by the Certifying Authority has been

submitted by the subscriber to the Certifying Authority and the same has been

approved by it:

Provided that the application Form contains the particulars given in the Form given

in

Schedule-IV;

(b) No interim Digital Signature Certificate shall be issued;

(c) The Digital Signature Certificate shall be generated by the Certifying Authority

upon receipt of an authorised and validated request for:-

a. New Digital Signature Certificates;


15/26

b. Digital Signature Certificates renewal;(d) The Digital Signature Certificate must contain or incorporate, by reference such

information, as is sufficient to locate or identify one or more repositories in which

revocation or suspension of the Digital Signature Certificate will be listed, if the

Digital Signature Certificate is suspended or revoked;

(e) The subscriber identity verification method employed for issuance of Digital

Signature Certificate shall be specified in the Certification Practice Statement and

shall be subject to the approval of the Controller during the application for a

licence;

(f)Where the Digital Signature Certificate is issued to a person (referred to in this

clause as a New Digital Signature Certificate) on the basis of another valid Digital

Signature Certificate held by the said person (referred in this clause as an

Originating Digital Signature Certificate) and subsequently the originating Digital

Signature Certificate has been suspended or revoked, the Certifying Authority that

issued the new Digital Signature Certificate shall conduct investigations to

determine whether it is necessary to suspend or revoke the new Digital Signature

Certificate;

(g) The Certifying Authority shall provide a reasonable opportunity for the

subscriber to verify the contents of the Digital Signature Certificate before it is

accepted;

(h) If the subscriber accepts the issued Digital Signature Certificate, the Certifying

Authority shall publish a signed copy of the Digital Signature Certificate in a

repository;

(i) Where the Digital Signature Certificate has been issued by the licensed

Certifying Authority and accepted by the subscriber, and the Certifying Authority

comes to know of any fact, or otherwise, that affects the validity or reliability of


16/26

such Digital Signature Certificate, it shall notify the same to the subscriber

immediately;

(j) All Digital Signature Certificates shall be issued with a designated expiry date.

Rule 25 provides that before issuing digital signature certificates the certifying

authority shall confirm that the users name does not appear in the list of

compromised users, comply with all privacy statements, obtain consent of the

person requesting the digital signature certificate that the details of such digital

signature certificate can be published on a directory service. Rule 26 prescribes for

all digital signature certificates to have a designated expiry date after which the

certificate shall expire and shall not be re-used.


17/26

Chapter-4

RECENT AMENDMENTS IN VARIOUS ENACTMENTS PERTAINING

TO DIGITAL SIGNATURES

The primary legislation that deals with Digital Signatures is the Information

Technology

Act, 2000, the Act has been recently amended in the year 2008 but is yet to be

notified, at many places the words Digital Signatures have been replaced with

electronic signatures primarily to make the system more technology neutral in

contrast to technology specific. The shortcoming which was prevalent in the

unamended act and which was widely criticized was that asymmetric cryptography

system was made with specific reference to digital signatures and any other means

of authentication that did not use this technology were not recognized under the

Act.

Section 73 of the Act provides for penalty in case of publication of false electronic

signature certificates. no person shall publish an electronic signature certificate or

make it available to any person if the certifying authority listed in the certificate

has not issued it, or the subscriber listed in the certificate has not accepted it or the

certificate has been revoked or suspended, unless such publication is for the

purpose of verifying an electronic signature created prior to such suspension or

revocation. Any contravention of the provisions under this section shall entail a

punishment of 2 years and a fine of Rs 1 lakh.

Section 74 deals with the case where publication, creation or making available of

the electronic signature certificate for any fraudulent purpose has been made shall


18/26

be punished with imprisonment up to 2 years or fine up to 1 lakh rupees or both.

After the introduction of Digital Signatures there have been various amendments to

give legal validity to these instruments however amongst all the Indian Evidence

Act, 1872 has witnessed the most significant amendments.

Section 3 of the Act, which consisted of only documents was substituted with

electronic records produced for the inspection of the courts, implying that all

audio, video, data text or multimedia files generated, stored, received or sent in

electronic form or microfilm or computer generated micro film could be produced

for inspection of the court and such electronic records shall be treated as

documentary evidence under the Indian Evidence Act, 1872.

Section 17 of the Indian Evidence Act reads that an admission is a statement, oral

or documentary contained in an electronic form, which suggests any inference as to

any fact in issue or relevant fact and which is made by any of the persons and

under the circumstances, hereinafter mentioned. This has led the admissibility of

evidences made through the electronic media, video conferences etc.

Section 22A assumes great importance with respect to digital signatures, the

section provides that oral admissions as to the contents of the electronic records are

not relevant, unless the genuineness of the electronic record is produced in

question. The genuineness and the authenticity of the e-record shall be made out

when the same has been electronically signed. A digitally signed e-record is a

relevant fact and oral admissions as to the contents of the record are relevant.

Further sections 34, 35 and 39 and 59 have been amended to include electronic

records thus giving authenticity to electronic documents as evidence in courts.


19/26

Section 47A prescribes that where the opinion of the certifying authority which

issues a digital signature certificate shall be a relevant fact when the court has to

form an opinion as to the digital signature of any person.

Section 65A prescribes for relevancy of electronic records which confirm to

section 65B, which provides that any information contained in an electronic record

in any form printed on paper, stored, recorded or copied in optical or magnetic

media produced by a computer shall be deemed to be a document. The conditions

under sub section (2) are necessary to identify whether the computer in question

has properly processed, stored and reproduced whatever information it received.

Sub-Section (4) of the Act provides for certifying a statement given in an e- record

for the purpose of admissibility in any proceedings and the same shall be signed by

a person occupying a position of responsibility.

Section 67A provides for the proof as to Digital Signatures, if the digital signature

of the subscriber is alleged to have been affixed to an electronic record the fact that

the signature is that of the subscriber must be proved. This section mandates that

proving that the digital signature is indeed of the subscriber and merely admitting

the execution of ere cord by affixing digital signature is not sufficient. When a

matter is pending before the court, it may wish to ascertain whether the digital

signature which has been affixed is the same as that of the person to whom it is

attributed.

Section 73 A provides for the proof as to digital signatures, the court in such cases

can direct the Certifying Authority or the person in question to produce the Digital

Signature Certificate. It may also ask any person to apply the public key listed in


20/26

the digital signature certificate and verify the digital signature purported to have

been affixed by that person.

Section 85A prescribes for presumption as to electronic agreements; the court shall

presume execution of an electronic agreement if the digital signatures of the parties

to the electronic agreement have authenticated it.

Section 85B prescribes that it shall be presumed that an electronic record is secure

from the time where any security procedure, in the present situation a digital

signature, has been applied to the time of verification unless anything contrary to it

is proved. The court shall also presume that a secure electronic signature is affixed

by the subscriber with the intention of signing or approving the electronic record.

Section 85C provides that the court shall presume that the digital signature

certificate is authentic and the information thus contained is valid and correct and

to the extent of only the information that has been verified and not beyond that.

Section 90A provides that where an electronic record is five years old and it is

produced from the custody which is proper18 it may be presumed that the digital

signature which purports to be the digital signature of any particular person was

affixed by him or any person authorised by him in this behalf. As science and

technology has developed enormously, there has been a need felt to improve the

way transactions and contracts are conducted. The internet is considered as the best

medium in the modern world to carry out transactions in an effective, cheaper and

fast manner. In India Patent and Trademark filing manually is a cumbersome

process; in order to make it more efficacious e-filing of patents and trademarks has

been allowed. Through the use of digital signatures one can file for patent as well


21/26

as trademarks online. The benefits of e-filing of patents are that one receives a

Patent application number immediately. Secondly, On-line verification to assure

error-free filing and obtain your filing date. Thirdly, one can speed up the

registration process. The Controller General of Patents, Designs and Trade Marks

(CGPDTM) has stipulated a Class-III category certificate for e-Filing of Patent and

Trade Marks applications in India. A person who already has a specified Digital

Signature Certificate (DSC) for any other application can use the same for e-filing

of a patent application and is not required to obtain a fresh DSC.

The procedure for e-filing involves the use of a class-3 digital signature from any

of the licensed certifying authorities.

1. Thereafter one can login to the user name and password by applying foronline registration.

2. Download the Client Software for preparing Patent Application Offline withrequired documents and Digitally Sign it for uploading on IPO Server.

3. Fill Patent Application offline and generate an XML file using ClientSoftware.

4. After creating application(XML) file offline, Digitally Sign the XMLfile(Max. file size permitted 5MB) for uploading on to the IPO Server.

5. Login into e-Patent portal(http://ipindia.gov.in) for uploading ApplicationXML file on IPO Server.

6. Upload & Submit Digitally Signed XML file to IPO Server.7. Process Application for EFT (Electronic Fund Transfer) using State Bank of

India (SBI) & Axis Bank Payment Gateways.

8. Review Application Status on e-Patent Portal.9. On successful EFT acknowledgement details would be displayed/

generated.

10.Print Acknowledgement


22/26

Banking in India has never been so trouble free after the introduction of e-banking.

With the help of electronic banking transactions which generally took days to

complete now are just a click away. The Negotiable Instruments Act, 1881, under

section 6 explains that a cheque in the electronic form means a cheque which

contains the exact mirror image of a paper cheque, and is generated, written and

signed by a secure system ensuring the minimum safety standards with the use of

digital signature (with or without biometrics signature) and asymmetric crypto

system.

The government of India in order to encourage electronic governance has

introduced the MCA 21 program which is a flagship program of the ministry of

corporate affairs. MCA-21 envisages electronic filing of these documents,

including registration and records of a company, adaptation of all statutory forms

for electronic filing, scanning and digitization of permanent records, annual returns

and balance sheets. This necessitated an amendment to the Act, the Ministry said.

The project commenced in March 2005 with the signing of a contract agreement

with the operator Tata Consultancy Services Ltd. The project cost is estimated at

Rs 345 crore22. The project would enable corporates to register a company and file

statutory documents easily. It would also make it easy for the public to access

relevant records and get quicker redressal of their grievances. The Companies

(Electronic Filing and Authentication of Documents) Rules, 2006, provides for

provisions concerning electronic filing, Rule 3 prescribes that every e-form or

application or document or declaration required to be filed or delivered under the

Act and rules made, shall be filed in computer readable electronic form, in portable

document format (pdf) and authenticated by a managing director, director or

secretary or person specified in the Act for such purpose by the use of a valid


23/26

digital signature. Every managing director, director or secretary or person specified

in the Act for authentication of e-form, documents or application etc., which are

required to be filed or delivered under the Act or rules made there under, shall

obtain a digital signature certificate from the Certifying Authority for the purpose

of such authentication and such certificate shall not be valid unless it is of Class II

or Class III specification under the Information Technology Act, 2000 Act. The

use of internet has been so vast that the government of India is now considering

including the use of signatures on the mobile phone. We often use the internet for

carrying out transaction on the mobile phone, such as mobile payment of bills,

mobile banking etc. However, these transactions are neither authenticated nor

secure. These transactions dont follow basic requirements of security and thus the

need of mobile signatures is being felt. In the wake of increasing transactions over

the mobile phone, The Department of Payments and Settlement of Reserve Bank

of India has on September 19, 2008 issued Draft Operating Guidelines on Mobile

Banking Transactions in India.

The present procedure for Mobile Banking transactions in India is as follows:-

A customer needs to purchase an item worth Rs 200. The customer asks for the outlet owners bank account number. The customer sends a message from the mobile phone with the

following code -*543*123*(the outlets bank account

number)*200*(Amount) Customers 10- digit Pin code#

The SMS is sent to the bank. Instantly the amount is debited from the customers account. In order to confirm the transaction the bank sends an SMS to

the Customer stating that Rs. 200 has been debited from the

account.


24/26

The given scenario doesnt ensure authenticity, confidentiality, integrity or non

repudiation and hence is not secure at all. If the device gets stolen anyone can

misuse the facility and hence there is a need to secure these transactions . The

mobile signature is created by typing a secret code (i.e. your signing PIN) into the

signing device (for example: your mobile phone). This secret code in combination

with your key storage token (for example: SIM card) and a chosen text triggers a

cryptographic algorithm to generate the (digital) signature. The Indian Government

has come up with a discussion paper which discusses Mobile signatures, its

applicability in India and the position in different countries.


25/26

CONCLUSION

With the growth of technology the use of internet has gone through serious

changes. All transactions are carried on the internet and it is being used as the most

efficient and trouble free mode of conducting business, be it tax returns, patent

filing, electronic banking and almost all transactions which took hours to complete

manually can just be completed with the help of a click in minimal time. However

as the online transactions increase the issue of authenticity has also been a factor to

consider. Keeping this in mind the concept of digital signatures was introduced in

India. The concept though initially was not very well accepted in the industry

however with the increase in the amount of transactions that are being performedon the internet the laws have been liberalized a little bit to include these

instruments for almost all kind of transactions. Though a welcome step to

encourage electronic commerce and at the same time ensure authenticity, presents

in front of us certain issues which are as follows;

1. Digital signature essentially is a technology specific instrument which hasbecause of its technical complexities not been received well in the

industry. The recent amendments in the Information Technology Act have

substituted the words electronic signatures in place of digital signatures.

The attempt is to make it more technology neutral and stating that digital

signatures are one class of electronic signatures. However the absurdity in

the Act can be viewed from the instance that the words electronic

signatures have not been substituted evenly throughout the Act.

2. As there has been an increase in the use of digital signatures the need ofthe hour is to educate and impart awareness to people regarding the use of

digital signatures.


26/26

3. Verification of digital signatures is an important procedure forestablishing evidence in the court of law. The procedure again is very

complex technically and it is required that a process which is more

flexible and easily understood should be adopted.

4. A concern that may creep up with the passage of time is the overdependence on digital signatures as a means to authenticate and validate

electronic transactions and the question if we have any other means of

authentication of electronic transactions. The reason for this concern apart

from digital signatures being technology specific is that they are

expensive in terms of establishing and utilizing certifying authorities.

As has always been the case with technology, it is extremely difficult to prepare a

regulatory framework that aptly corresponds to the changes in technology. In case

of digital signatures the recent amendments must be lauded for making changes

that lessen the technical complexities and encourage the use of digital signatures in

carrying out electronic transactions.