Digital signatures are considered more secure than the traditional ink signatures we are all used to. An ink signature can be copied by hand, and exact duplicates can be produced in various other ways. A digital signature, by contrast, is of no use when extracted, copied or stored: it is bound to the one document it was computed for. This property is what gives digital signatures a more secure status than all prevalent modes.
In this article we will see what a digital signature is, how it is generated and verified, and what the relevant legal provisions are.
What constitutes a signature?
Anything which ascertains the identity of an individual is a signature. The primary purpose of a signature is to authenticate parties and bind them to an agreement. The signature is also the main component that allows an agreement to be enforced at a future date. Signatures link documents to their authors, which helps in ascertaining legal liability.
For a long time the handwritten signature of an individual was considered unique and irreproducible; however, we all know that nothing creates more disputes than a dead man’s will.
What is a digital signature?
Many of us still think that taking a photo of our handwritten signature and pasting it into a Word document will suffice as a digital signature. This is totally wrong. Such confusion keeps arising with computer terminology, as almost all of it consists of loanwords from English.
To understand how digital signatures work we would need to revisit my previous articles on:
- What is digital information and how does the computer work? For a lawyer
- What is digital fingerprint and hashing? And how is it generated?
- Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm
in the given order. These are very short and focused articles which may help you in understanding the technological and mathematical background.
Digital signatures are digital codes generated and verified using hashing and asymmetric cryptography. The code is attached to an electronically transmitted document to ascertain its contents and the sender’s identity. While the document is in transit, a certificate authority can verify the code and link it with the legal identity of the owner. Just to give an idea of its form:
This is what one actually looks like: 7t418gpx7ms74j9g6kf0xbvyka4n17qz
This code is transmitted along with the document. Once it reaches the recipient, the recipient uses software that reads and validates it. On successful validation the document file shows an image and some text (like the one above, with details of location, day and time).
Digital signatures are never constant; a different one is produced for every document signed. A digital signature is therefore meaningless if copied or stored for later use, and serves only to verify the document with which it is linked.
Generating a Digital Signature
Please go ahead only if you are comfortable with asymmetric cryptography.
Once you are done with asymmetric cryptography there is a small but very important difference you need to note. For the purposes of this article, what the RSA algorithm calls the public key is referred to as the encryption key, and the private key as the decryption key.
The document can be anything: a video file, a Word or PDF document, or simply a series of numbers.
Every document is transformed into a series of alphanumeric characters; this is how the data is stored in the computer’s memory.
Signing requires the asymmetric generation of two cryptographic keys, viz. an encryption key and a decryption key.[1] The RSA algorithm can be used to generate both keys.
Hashing of the document
A digital fingerprint, or hash, of the document[2] being transmitted is required.
The hash of the document is then encrypted with the encryption key of the sender.[3] This encrypted hash of the document is called the digital signature.
Broadcasted or Stored
The digital signature can now be transmitted to the intended recipient, or stored for later reference along with the document. When presented for verification, the digital signature is accompanied by the decryption key. Note the reversal compared with ordinary encryption: in this method the decryption key is the one published, while the encryption key is kept safely by the signer.
The validity of the signature is verified by decrypting the digital signature using the decryption key. The hash revealed by the decryption is then compared against a freshly computed hash of the received file; if the two match, it proves two things.
Firstly, only the sender of the document could have encrypted the hash, since only the sender holds the encryption key of the key pair. This is simple to understand: anything decryptable with the decryption key must have been produced with the mathematically linked encryption key. That mathematical link gives an assurance on which governments and banks are ready to bet millions of dollars in insurance.
Food for thought: an SSL certificate bought for 175 USD carries insurance of 1.75 million USD.[4]
Secondly, if the decrypted hash matches the hash of the received document, the document has not been tampered with during storage or transmission, and therefore the clauses in it have not been changed. This irrefutable form of agreement, called non-repudiation, gives electronic contracts an advantage over traditional forms.
Digital Certificate Authority (“DCA”)
Digital signatures are and can be used in private dealings without any involvement of a third party. However, in order to carry legal sanction, the encryption and decryption keys need to be owned by a person against whom the signature and all legal liabilities may be enforced. This is where the necessity of a third party comes into the picture.
The job of a public notary is to verify and attest that a signature on a piece of paper was made by the person claimed. Similarly, the DCA acts just like a notary, attesting the validity of a digital signature.
Since the decryption and encryption keys are plain alphanumeric strings, it is very difficult to assign a human name to them unless the signatory himself acknowledges them. It was therefore necessary to maintain a record of all encryption and decryption keys and their respective owners. This record of keys is maintained by an entity called the Digital Certificate Authority. DCAs need heightened security and in many cases enjoy government protection.
These DCAs ascertain the validity of a signature and testify to its ownership. The institution, management and working of a DCA are provided for by law. DCAs issue certificates called Digital Signature Certificates (“DSC”), which are proof of holding a registered pair of encryption and decryption keys.
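The generation and verification steps described above (hash the document, encrypt the hash with the signer's secret key, decrypt it with the published key and compare), together with the DCA's attestation of who owns a key, as an added example. This is illustrative code written for this article, not the article's own code and not any real DCA's software. It uses textbook RSA without padding so that it mirrors the article's description exactly; production signature schemes add padding (for example RSA-PSS) and use much larger keys. The function names, the 512-bit key size and all sample data are assumptions made for the illustration.

```python
"""Added illustration, not the article's own code: textbook RSA signature over a
SHA-256 fingerprint, plus a toy DCA-style certificate binding a name to a key."""
import hashlib
import math
import random
import secrets

E = 65537  # conventional public exponent

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test; adequate for an illustration."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has the intended size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 512):
    """Return (signing_key, verification_key), each an (exponent, modulus) pair.
    In the article's vocabulary the signing key is the 'encryption key' kept safely
    by the signer and the verification key is the published 'decryption key'.
    512 bits is far too small for real use; it only keeps this demo fast."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            break
    d = pow(E, -1, phi)  # modular inverse of E (Python 3.8+)
    return (d, p * q), (E, p * q)

def fingerprint(document: bytes) -> int:
    """The document's digital fingerprint: its SHA-256 hash as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, signing_key) -> int:
    """'Encrypt' the hash with the signer's secret key; the result is the signature."""
    d, n = signing_key
    return pow(fingerprint(document), d, n)

def verify(document: bytes, signature: int, verification_key) -> bool:
    """'Decrypt' the signature with the published key and compare with a fresh hash."""
    e, n = verification_key
    return pow(signature, e, n) == fingerprint(document)

def _binding(owner: str, vkey) -> bytes:
    """The record a DCA attests: an owner name bound to a verification key."""
    return f"{owner}|{vkey[0]}|{vkey[1]}".encode()

def issue_certificate(owner: str, owner_vkey, dca_signing_key) -> dict:
    """Toy DSC: the DCA signs the name-to-key binding with its own secret key."""
    return {"owner": owner, "vkey": owner_vkey,
            "dca_sig": sign(_binding(owner, owner_vkey), dca_signing_key)}

def verify_signed_document(document: bytes, signature: int, cert: dict, dca_vkey) -> str:
    """Check the certificate against the DCA's published key first, then the
    document signature against the key the certificate vouches for."""
    if not verify(_binding(cert["owner"], cert["vkey"]), cert["dca_sig"], dca_vkey):
        return "certificate not issued by this DCA"
    if not verify(document, signature, cert["vkey"]):
        return "signature invalid or document altered"
    return f"valid: signed by {cert['owner']}"

if __name__ == "__main__":
    # Constructed sample data; not a real DSC, key or contract.
    dca_skey, dca_vkey = generate_keypair()
    skey, vkey = generate_keypair()
    cert = issue_certificate("Example Signatory", vkey, dca_skey)
    contract = b"constructed sample contract: A agrees to deliver 10 units to B"
    sig = sign(contract, skey)
    print(verify_signed_document(contract, sig, cert, dca_vkey))
    print(verify_signed_document(contract + b" or 100 units", sig, cert, dca_vkey))
```

Running the demo shows the two properties the article relies on: a single changed byte in the contract changes its fingerprint, so the old signature no longer decrypts to the right hash, and a signature lifted from one document fails against any other. The certificate check makes the point about the DCA concrete: a verifier trusts the name-to-key binding only because the DCA's own signature over it checks out against the DCA's published key, which is why the secrecy of the signing keys (the signer's and the DCA's) is what the whole scheme rests on.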
Digital signatures are necessary to sign digital documents. The digital documents most in use, in popular business parlance, are the various e-filing documents required by the Ministry of Corporate Affairs and other ministries.
To be able to sign a document with your digital signature you will need to install software provided by the DCA on a USB thumb drive. This software integrates with Microsoft Office and Adobe Reader and enables an option to digitally sign. The thumb drive contains your pre-generated key pair.[5]
In your lifetime you will neither want nor get to know your encryption and decryption keys; both remain secret inside your USB thumb drive. Yet every time you plug the thumb drive in to digitally sign a document, the same key pair is used to mathematically generate a digital signature specific to that document and append it to the document.
On receipt of the document, the signature requires validation of ownership as much as the mathematical computation linking the decryption key and the hash, as discussed earlier. Once the file is opened it is automatically verified and a small representative image of verification (mostly a green tick or the signatory’s handwritten signature) is shown somewhere on the document.
Financial transactions can be authorised over the internet using digital signatures. Electronic wallets may use digital signatures in future to go cashless (Bitcoin).
World War III
Digital signatures will be used to authorise nuclear warfare.
The ESIGN Act of the United States[6] and a similar directive in the European Union,[7] along with other legislation in most developed nations, support the validity of digital signatures and regulate them.
The IT Act of India quite comprehensively covers the legalities of DSCs and DCAs. Section 5 of the IT Act gives digital signatures their legal character.[8] Digital signatures are therefore lawful and binding in nature. Section 15 of the Act describes digital signatures by their usage.
A Certifying Authority, as provided in Section 2(1)(g), “means a person who has been granted a licence to issue a Digital Signature Certificate under Section 24 (issuance of certificates by Controller).”
The Ministry of Corporate Affairs launched the MCA-21 programme, leading to a large-scale increase in the usage of digital signatures. It made e-filing mandatory for most of the documents required to be filed under the Companies Act and under the Limited Liability Partnership Act 2008.
Soon after this, electronic filing of IT returns was made compulsory by the Income Tax Department. The Central Excise Act and the Finance Act 1994 (dealing with service tax) also provide schemes for e-filing. Similarly, under the Foreign Contribution Regulations Act, the application for registration is to be made electronically.
The Department of Commercial Taxes in Kerala has mandated e-filing of returns using digital signatures under the Kerala Value Added Tax Act 2003. C forms and F forms available on the website of the Department of Commercial Taxes can be filed using digital signatures. Other states are also following suit in amending their VAT laws to make e-filing mandatory.
The Partnership Act 1932 provides that the registration application for a new firm is to be filed electronically.
The Evidence Act was amended to include “electronic records” in the definition of “evidence”.[9] The opinion of a DCA as to the electronic signature of any person is a relevant fact,[10] and the court may also refer to the relevant DCA for forming an opinion.[11]
Section 67A waives the burden of proof of establishing ownership of a specific digital signature (secure electronic signature).