Since the advent of the Internet and the gradual conversion of paperwork to computer files, a need has been felt to bring security and trustworthiness to Internet transactions. The year 2000 was an important one for India from the point of view of bringing the law up to date with modern times. I speak of the enactment of the Information Technology Act, 2000. This Act gives legal recognition to electronic records and addresses the threats faced by us in the vast cyberspace better known as the Internet.
Conventional signatures are marks made by persons to authenticate a document and assure the receiver that the signer has personally signed it. But in the case of emails, merely typing out one’s name at the end of a document is hardly any reassurance for the receiver. In this age, where crooks are adequately equipped to hack into systems and acquire any data they wish to, the Internet is not a safe medium for secure communication. Hence the concept of “Digital Signatures” has come up.
What is a Digital Signature?
Section 2(1)(p) of the Information Technology Act, 2000 (or the IT Act) defines it as “authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3”.
Before going into “the provisions of section 3”, it is pertinent to explain a few basics of cryptography. Public key cryptography is the method recognised by the IT Act for safeguarding electronic records.
Public key cryptography is a form of cryptography which allows users to communicate securely without having prior access to a shared secret key. This is done by using a pair of cryptographic keys designated as the public key and the private key. A public key is essentially like an email address, and a private key like the password for that email address. The public key is sent to the receiver, while the private key is not disclosed to anybody. The two keys are related mathematically: what has been encrypted by one key can only be decrypted by the other, and vice versa. Hence, if A wants to send a secure email to B, A must encrypt it with B’s public key, so that when B receives the encrypted email, he can decrypt it using his own private key.
When we say “A encrypts the document” in the context of a digital signature, what A actually does is to run the document through a hash function. The hash function produces a fixed-length string of letters, numbers and symbols for any document; this is known as the hash result. In practice the hash result is never the same for two different documents: any small alteration in the document will generate an entirely different hash result, while the hash function will always produce the same hash result for a particular message. A then encrypts this hash result with A’s own private key, and the encrypted hash result is the digital signature. Thus, if there is any doubt about the message having been altered in transit, all the receiver must do is decrypt the signature with A’s public key and compare the hash results at both ends.
Section 3 of the IT Act allows a user to authenticate an electronic record by affixing his digital signature to it. Authentication of the electronic record shall be effected by the use of an asymmetric crypto system (which is nothing but the public key cryptography system explained above) and a hash function, which envelope and transform the initial electronic record into another electronic record.
So, if one desires to communicate securely, he must make sure he uses a digital signature. But how does the receiver know that the digital signature used by the sender truly belongs to the sender?
The IT Act has provided for “Certifying Authorities”, who are authorised to issue Digital Signature Certificates. A Controller of Certifying Authorities is appointed by the Central Government to regulate the conduct of Certifying Authorities, under Section 17 of the Act. Any interested party may apply to the Controller to be appointed as a Certifying Authority. The Controller is empowered to frame rules to be followed by Certifying Authorities while issuing Digital Signature Certificates. The Controller also certifies the Digital Signatures of the Certifying Authorities.
A Digital Signature Certificate essentially contains the public key of the person who holds it, along with other details such as contact details and, the most important part, the digital signature of the Certifying Authority. The main purpose of such a certificate is to show that a trustworthy authority, appointed and regulated by the Government, has attested the information contained in the Certificate.
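As an added illustration (not part of the original article), the following Python sketch follows the steps described above: A hashes the record and encrypts the hash result with A’s private key; B obtains A’s public key from a certificate signed by the Certifying Authority, checks the CA’s signature, decrypts A’s signature with that public key and compares the hash results. The primes, key sizes, subject name and record are constructed toy values for the demonstration.

```python
import hashlib

# Toy RSA key material built from known Mersenne primes (constructed for
# illustration only; real schemes use 2048-bit keys and PKCS#1 padding).
SUBSCRIBER_PRIMES = ((1 << 61) - 1, (1 << 31) - 1)
CA_PRIMES = ((1 << 89) - 1, (1 << 107) - 1)
E = 65537

def keypair(primes):
    """Return ((n, e), (n, d)): the public key and the private key."""
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def hash_result(record, n):
    """SHA-256 of the record, reduced below the modulus so it can be exponentiated."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % n

def sign(private_key, record):
    """'Encrypt' the hash result with the private key; this is the digital signature."""
    n, d = private_key
    return pow(hash_result(record, n), d, n)

def verify(public_key, record, signature):
    """'Decrypt' the signature with the public key and compare the hash results."""
    n, e = public_key
    return pow(signature, e, n) == hash_result(record, n)

def issue_certificate(ca_private, subject, subject_public):
    """Certificate = the subscriber's details and public key, signed by the CA."""
    body = f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()
    return body, sign(ca_private, body)

def verify_certificate(ca_public, certificate):
    """Return (subject, public key) if the CA's signature holds, else None."""
    body, signature = certificate
    if not verify(ca_public, body, signature):
        return None
    subject, n, e = body.decode().split("|")
    return subject, (int(n), int(e))

def demo():
    """Walk through certification, signing and verification; return the outcomes."""
    ca_pub, ca_priv = keypair(CA_PRIMES)
    a_pub, a_priv = keypair(SUBSCRIBER_PRIMES)
    cert = issue_certificate(ca_priv, "subscriber A", a_pub)  # constructed subject
    record = b"Pay B Rs. 100"                                  # constructed record
    signature = sign(a_priv, record)
    _, trusted_pub = verify_certificate(ca_pub, cert)        # B trusts the CA's key
    return {"certificate_ok": trusted_pub == a_pub,
            "genuine": verify(trusted_pub, record, signature),
            "altered": verify(trusted_pub, b"Pay B Rs. 1000", signature),
            "forged_cert": verify_certificate(ca_pub, (cert[0] + b"x", cert[1]))}
```

The altered record and the tampered certificate both fail, which is the check a receiver relies on before trusting a signed record.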
Strict regulations have been prescribed for Controllers and Certifying Authorities; for example, they have to utilise secure hardware and software while executing their functions. Certifying Authorities have to submit Certification Practice Statements, which contain all the details pertinent to their functioning, such as audit, security requirements, procedures for application, etc. A record of all licences and certificates issued has to be maintained. The Act also provides for suspension of licences and certificates on contravention of the provisions of the Act. Certifying Authorities are also subject to the provisions of the Information Technology (Certifying Authority) Rules, 2000.
There are 7 licensed Certifying Authorities currently in India –
National Informatics Centre (NIC)
Institute for Development & Research in Banking Technology (IDRBT)
Tata Consultancy Services (TCS)
Mahanagar Telephone Nigam Limited (MTNL)
Customs & Central Excise
(n) Code Solutions CA (GNFC)
The website of the Controller of Certifying Authorities (http://www.cca.gov.in/) contains detailed information regarding the above organisations and their Digital Signature Certificates.
The Act has also provided its own mechanism for resolution of disputes. The Act authorises the Central Government to appoint an officer known as the Adjudicating Officer for every state. At present, the respective IT Secretaries of the States have been appointed as Adjudicating Officers. A Cyber Regulations Appellate Tribunal (CRAT) has been constituted under the Act. Any person aggrieved by the orders or decisions of the Adjudicating Officers, or of the Controller, may appeal to this Tribunal. A further appeal shall lie to the High Court.
Subscribers are also bound to observe certain duties under the Act. They are expected to exercise reasonable care in guarding their private keys, and must immediately notify the Certifying Authority if a private key has been compromised. Thus it can be seen that the IT Act has gone a long way to ensure security in Internet communication.
The author can be reached at: email@example.com