In this article, Pratyusha Kar pursuing a Diploma in Entrepreneurship Administration and Business Laws from NUJS, Kolkata, elaborates on how to obtain Digital Signature.

Gone are the days when paper contracts were validated by putting handwritten signatures and then sent through couriers for approval, only to learn after a long interval that the entire contract was nullified for misplaced signature. Same is true for procurement of goods through tenders, trademark/patent filing, income tax filing and so many other applications. Presently digital signature solves these problems by getting legally valid signatures in an instant and virtually full proof manner by just few clicks from a desktop, laptop or even mobile phones.

What is Digital Signature?

Digital signature is a mathematical process which authenticates that the contents of a digital message or document have not altered in transit. Just like ink on paper signature attests a paper document, digital signature which is an electronic form of signature validates electronic documents. A digital signature scheme is based on three algorithms[1].

• A randomised key generation algorithm that generates a pair of public key and the matching private key from a set of possible secret keys.
• A signing algorithm returns a signature on the inputs of private key and a message. This pair of message and signature is now the validated version of the document.
• A verification algorithm verifies the authenticity of the signature based on the inputs of public key, message and the signature.

Thus digital signing of a document on the server causes encryption of the message, content using the public and private key pair. This generates a signature that can only be decrypted by the server’s public key and the client using the public key can validate the sender and the message. The messages may be e-mail, online order, watermark photograph, contract documents, online software etc. If the message arrives but the digital signature mismatch with the public key on the digital certificate, it may be concluded that the message has been altered.

The digital signature assures the authenticity (sender is confirmed as the signer), integrity (the digital information such as email messages, macros, or electronic documents are not changed or altered in transit since it is digitally signed), non-repudiation (singer cannot deny his association with the signed message) and notarization (digitally signed Microsoft office documents are having notarization validity when they are time stamped through a secured time-stamp server) of the digital information received.

To know more about Digital Signature please visit 

Digital Signature Certificate (DSC)

In order to generate digital signature, a signing certificate or digital signature certificate (DSC) is needed to prove the identity of the signer. DSC is the “electronic document that binds a public key using digital signature to an individual or a person, a computer or a network device”[2]. When a digitally signed message is sent, the DSC and the public key are also sent. In fact, the DSC contains the information like public key of the certificate owner, name, pin code, country & email address of the owner, validity dates, name of the certifying authority, certificate serial number, digital signature of the certifying authority, digital signature algorithm and any other custom information.

How DSCs are issued?

To build up trust in the electronic environment in India as per Information Technology (IT) Act 2000, Office of the Controller of Certifying Authorities (CCA) has been set up as the apex body of the Public Key Infrastructure (PKI). PKI, through aggregation of software, encryption technology and services, ensures security in network transactions and communications by attaching “digital signatures”. CCA is the Root Certifying Authority of India (RCAI) and under Section 21 of the IT Act is having the functions of licencing the Certifying Authorities (CA), monitoring and supervision of the activities of the CAs including issuance of digital certificates by the CAs for end use, issuance of Public Key Certificates (PKC) to the CAs, conflict resolution among CAs, Certification Practice Statement (CPS) approval, and auditing of the physical and technical infrastructure of the CAs[3]. Thus RCAI issues PKCs to the CAs and the CAs issue DSCs to the end users. However, CAs may create sub-CA to issue end certificate except code signing and time stamping certificate, which must be issued only by the CA. The DSCs are interoperable i.e. DSC issued by one CA can be used for different e-Governance applications.

Different Classes of DSCs

Based on the application and the assurance level needed, DSC may be of following three classes[4]:

Class 1 Certificate: Class 1 DSCs are issued to individuals or private subscribers mainly employed in banks and financial institutions. The employers while communicating with the employees can use DSC 1. It validates the user’s name and email address of the user from an explicit subject name within the certifying authority repository. During issuance of Class 1 Certificates a basic level of assurance applicable to electronic environment is maintained and it is considered that the users are not likely to be vicious while accessing private information.

Class 2 Certificate: Class 2 DSCs are issued to private individuals as well as business personnel where there are moderate risks and incidences of data compromise. DSC 2 can be used for e-filing of sales tax, income tax etc. The application with supporting documents is to be submitted both online and offline but no physical appearance before the registering authority is required to prove identity. These certificates validate applicant’s identity using well-accepted consumer databases.

Class 3 Certificate: Class 3 DSCs are issued to organizations, individuals and servers where high level of security is needed. It is a high assurance certificate and physical appearance of the subscriber before the certifying authority is needed to prove identity. It is issued where fraud risk, failure of security services and data threats are high. These certificates are mainly designed for e-commerce applications like e-tendering, e-auctions etc. As per application requirements the private key and the matching public key incorporated in the Class 3 certificate must be generated and preserved in a secured manner. For server certification registered domain name along with other documents need to be provided.

Types of DSCs

DSCs may be for individuals, servers and for encryption purposes. Individual DSCs are used to identify a person, Server DSCs are required to identify a server and the Encryption DScs are applicable to encrypt the message.

Procurement of DSCs

Six CAs in India are authorised by the CCA to issue DSCs[5]. Among them NIC (National Informatics Centre) issues certificates to the Government, PSUs and statutory bodies, IDRBT (Institute for Development of Research in Banking Technology) issues certificates to the banks and financial institutions and the other four namely Safescrypt, TCS, n(code) Solutions and eMudhra issue certificates to all other end users across all domains.

The DSC enrolment system requires four steps to follow[6].

1. Filling up of Application Form

First of all the applicant must have to fill up an application form available in the website of the CA for generating own key pair.

2. Submission

In the second step, the applicant will send the filled in form along with the required supporting documents and necessary fees to the Registering Authority (RA) to receive physically by the CA for verification. For Class 3 Certificates the applicant must physically appear before the RA during submission of application.

The application form is different for Indian individual, Indian organisation, bank, DGFT, Government, foreign individual and foreign organisation. The applicant must put the valid e-mail ID and its password must be remembered to retrieve the PIN.

After submission of the application form no changes in the form is entertained and the digital certificate user account must not be shared for security purposes as it permits to suspend, revoke, and to change password of the account.

After submission of the form the RA Administrator will verify all information from the supporting documents and then the DSC will be approved. Verification process may include verification of the attested documents submitted, verification of the identity credentials appearing on the Certificate, mobile verification etc.

3. Request Status

In the third step the request status can be viewed to know whether the certificate is generated, pending or rejected by the RA. If the status is pending then one has to wait until the RA process the request. In this case it is better to contact with the RA Administrator to confirm that all the documents have been received. If there is any lacking, it needs to be fulfilled.

4. Downloading of Digital Signature Certificate

The fourth step of downloading the Digital Certificate starts when the status shows ‘Certificate Generated’. It is to be kept in mind that for downloading the digital certificate in the computer, the same machine used to generate certificate request, the same browser (such as Netscape, Internet Explorer etc.), and the same computer account (such as Administrator, Guest etc.) are to be used.  To download, the Request Number hyperlink is to be clicked which in turn will display a new page showing Digital Certificate Information. On this page “Get Authentication PIN” button is to be clicked to enter the PIN available in the email. Now the Download button is to be clicked and the Certificate is to be installed. Once the Certificate is downloaded the following confirmation is displayed – ‘Certificate downloaded successfully’.

The Certificate is to be downloaded in the same machine (when USB token is not used) as cryptographic keys are generated and stored in the computer during enrolment which forms the technical basis for creation and use of digital certificate. If the computer is formatted and/or the reinstallation/up-gradation of the Internet Explorer (IE) occurs cryptographic keys and the DSCs are permanently lost.

This PIN is a unique code sent to the email ID at the time of Digital Certificate enrolment. If the email ID is not valid no PIN will be received. The email also gets the message that the certificate has been generated.

For downloading the certificate the following browser setting on the computer is needed to enable Active-X controls in the IE browser.

Open IE widow à go to Tools à Internet Options à Security à Custom Levelà Enable all five settings under ‘ActiveX controls and plug-ins’.

USB eToken

If option is given to procure USB eToken or Smart Card during enrolment of the Certificate, the DSC Enrolment Kit containing USB Token/Smart Cards and the Installation CD are to be collected from the RA for storing the private key. Hence, the device drivers need to be installed in the machine; for Smart Cards, a smartcard reader is to be installed and for crypto token, user computer is connected through USB interface.

If Smart Card or USB Token is used one can download the certificate in any computer where the USB Token is connected or the compatible smartcard reader is installed. The computer should have the following system requirements:

• Operating system should be windows 2000, XP or higher
• Browser should be Internet Explorer 5.5 or above

For installation of the eToken the following protocol should be adopted:

• Running of the Installation CD
• Install eToken driver after accepting License Agreement
• Insert USB token as soon as windows prompted
• Restart computer
• eToken properties can be seen from the start menu by clicking on ProgramsàeTokenàeToken Properties
• Now the eToken Password can be changed and the eToken can be renamed

Exporting and Importing of the Certificate

The Certificate may get deleted from the browser or from the token. Therefore, it is essential to keep its backup and for this DSC is exported from the IE Browser onto the Desktop or in a suitable storage as a ‘.pfx’ file using the following path:

ToolsàInternet OptionsàContentàCertificateàPersonal

The Certificate can then be imported from the backup file as and when necessary.

Conclusion

Digital signature is used to confirm the genuineness of a digital message and Digital Signature Certificate (DSC) uses digital signature to link public key with a specific individual or body. To generate digital signature we need DSC as it encrypts digital information and proves the identity of the user. Thus DSC is a tool to use digital signature authenticating digital information. Applicant for DSC generates key pair and sends the public key to the CCA licensed CA. CA signs on public key after checking applicant’s identification and issue certificate. Digital signatures are widely used to provide genuineness, integrity, and non-repudiation of digital communications and transactions.

References

[1] ^{Mihir Bellare & Phillip Rogaway, Introduction to Modern Cryptography, Chapter 12 Digital Signatures, p. 237 (Dec. 27, 2016), http://digidownload.libero.it/persiahp/crittografia/2005_Introduction_to_Modern_Cryptography.pdf.}

[2] ^{Certificate Tiger, Difference Between Digital Certificate And Digital Signature,  (Dec. 27, 2016), http://www.certificatetiger.com/News/difference-between-digital-certificate-and-digital-signature.htm.}

[3] ^{Department of Information Technology, Ministry of Communications and Information Technology, Government of India, Guidelines for Usage of Digital Signatures in e-Governance – v1.0,  (Dec. 27, 2016), www.daman.nic.in/downloads/2015/Guideline-for-digital-signature.pdf.}

[4] ^{Id, at 3.}

[5] ^{Government of India, Ministry of Electronics & Information Technology, Controller of Certifying Authorities, FAQ, (Dec. 27, 2016), www.cca.gov.in/cca.}

[6] ^{Procedure for issuance of Digital Signature Certificate – NSDL, (Dec. 27, 2016), https://nsdl.co.in/business/cirRec_18Mar08.doc.}