7/24/2019 Digital Signatures NITK 17Oct2015
Digital Signatures and Public Key Infrastructure
Dr. Balaji Rajendran
Centre for Development of Advanced Computing (C-DAC), Bangalore
17th October 2015
NITK, Surathkal
Agenda
What & Why: Digital Signature?
What is a Digital Signature Certificate?
Achieving Confidentiality
Certifying Authority & Trust Model
Certificate Issuance, Types, Classes
Certificate Life Cycle Management and Validation Methods
Risks and Precautions with DS
Policy and Legal Aspects of PKI
e-Sign: An Instant & Online way of Digital Signing in India
PKI Applications in India
Understanding Signature
Hand-written Signature: Definition & Purpose
A person's name written in a distinctive way as a form of identification in authorizing a cheque or document
A distinctive pattern, product, or characteristic by which someone or something can be identified
Characteristics of Hand Signature
A hand signature on a document is a unique pattern dependent on some secret known only to the signer, and
Independent of the content of the message being signed
Attacks on Hand-written Signatures
Attacks on Integrity: Content Alteration / Corruption!
Attacks on Identity: Impersonation
How is Identity verified?
Authentication: Process of verifying who somebody is against his claim
Identity is established / proved through Authentication!
Electronic World
Attacks on Integrity
[Figure: a Customer instructs the Bank "Deposit 1,00,000 in Veeru's Account"; the message is altered in transit to "Deposit 1 in Veeru's Account and 99,999 in Gabbar's Account"]
Breach of Integrity
Attacks on Identity
[Figure: Gabbar writes to Jai "I'm Veeru. Send me all corporate correspondence with abc."; Jai has no way to tell that the message did not come from Veeru]
Breach of Authenticity
Basic Elements of Trust
Privacy (Confidentiality): Ensuring that only authorized persons read the Data/Message/Document
Authenticity: Ensuring that the Data/Message/Document is genuine
Integrity: Ensuring that the Data/Message/Document is unaltered by any unauthorized person
Non-Repudiation: Ensuring that one cannot deny their signature or origination of a message
Digital Signatures
What is a Digital Signature?
A Digital Signature of a message is a number (fingerprint) dependent on
a secret known only to the signer, and
the content of the message being signed
Properties of Signatures
Verifiable
Provides Authentication
Provides Data Integrity
Provides Non-repudiation
Creating Digital Signature
Every individual is given a pair of keys
Public key: known to everyone
Private key: known only to the owner
To digitally sign an electronic document the signer uses his/her Private key
To verify a digital signature the verifier uses the signer's Public key
Asymmetric Key Cryptography
Keys in a key pair are mathematically related to each other
If one of the keys in a key pair is used for encryption (or decryption) then the other key must be used for decryption (or encryption)
Also known as Public Key Cryptography
Knowledge of the encryption key doesn't give you knowledge of the decryption key
[Figure: a Public Key and its Private Key shown as base64 fragments; deriving either key from the other is marked "Computationally Infeasible"]
What is a key pair?
[Figure: an RSA key pair shown as hex dumps. Private Key: 3082 010a 0282 0101 00b1 d311 ... 0203 0100 01. Public Key: 3082 01e4 f267 0142 ... 02f1 0001. Both begin with the DER SEQUENCE header 30 82; the 02 82 01 01 field is a 256-byte (2048-bit) modulus and the trailing 01 00 01 is the public exponent 65537. The fields are described on the next two slides]
RSA Algorithm in brief
Key Generation Steps
Choose two large prime numbers p and q
Compute n and z such that n = p*q and z = (p-1)*(q-1)
Choose a number d relatively prime to z; compute e such that (e*d) = 1 mod z
(The relation is symmetric, so in practice e is fixed first, commonly 65537, and d = e^-1 mod z is derived from it)
Public Key: (n, e)   Private Key: (n, d)
RSA Algorithm in brief
Encryption: message m, cipher c
c = m^e mod n, where (n, e) is the receiver's public key
Decryption
m = c^d mod n, where (n, d) is the receiver's private key
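The key generation, encryption and decryption steps above, worked through as an added example in Python (not part of the slides). It uses the slide's own symbols p, q, n, z, e, d with tiny constructed primes so that the numbers are readable; real keys use random primes of at least 1024 bits each. The last function shows a property the slides do not mention: the raw "textbook" RSA operation is multiplicatively malleable, which is why real systems never encrypt or sign a bare integer without a padding scheme.

```python
# Added example: textbook RSA with the slide's symbols. Not from the slides;
# p, q and e below are constructed values chosen for readability.
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Key generation as the slide lists it.

    n = p*q and z = (p-1)*(q-1).  e must be relatively prime to z so that
    d, the inverse of e mod z, exists and (e*d) = 1 mod z.
    Returns the public key (n, e) and the private key (n, d).
    """
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must be relatively prime to z")
    d = pow(e, -1, z)                  # modular inverse (Python 3.8+)
    assert (e * d) % z == 1            # the defining relation on the slide
    return (n, e), (n, d)


def rsa_encrypt(m: int, public_key) -> int:
    """c = m^e mod n with the receiver's public key (n, e)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key) -> int:
    """m = c^d mod n with the receiver's private key (n, d)."""
    n, d = private_key
    return pow(c, d, n)


def roundtrip(m: int, p: int = 61, q: int = 53):
    """Encrypt and decrypt m under the key built from p and q; returns (c, recovered m)."""
    public_key, private_key = rsa_keygen(p, q)
    c = rsa_encrypt(m, public_key)
    return c, rsa_decrypt(c, private_key)


def malleability_demo(m1: int, m2: int, p: int = 61, q: int = 53) -> int:
    """Textbook RSA is multiplicatively homomorphic: E(m1) * E(m2) = E(m1*m2) mod n.

    Anyone holding two ciphertexts can produce a valid ciphertext of m1*m2
    without the private key.  Returns what the private-key holder decrypts
    from the forged ciphertext.  Padding schemes (PKCS#1 v1.5 or OAEP for
    encryption, PSS for signatures) exist to destroy this structure.
    """
    public_key, private_key = rsa_keygen(p, q)
    n = public_key[0]
    forged = (rsa_encrypt(m1, public_key) * rsa_encrypt(m2, public_key)) % n
    return rsa_decrypt(forged, private_key)
```

With p = 61 and q = 53 the key is (n, e) = (3233, 65537) and (n, d) = (3233, 2753); `malleability_demo(2, 3)` decrypts to 6 even though nobody encrypted 6.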
Public Key - Structure
HEADER
MODULUS
SEPARATOR
PUBLIC EXPONENT
Private Key - Structure
HEADER
ALGORITHM VERSION
MODULUS
PUBLIC EXPONENT
PRIVATE COMPONENT (private exponent)
PRIME 1
PRIME 2
EXPONENT 1
EXPONENT 2
COEFFICIENT
SEPARATOR
(These are the fields of a PKCS#1 RSAPrivateKey: version, n, e, d, p, q, d mod (p-1), d mod (q-1) and q^-1 mod p. Because p and q are stored in it, the private key file must never be shared; the public key structure carries only n and e)
Digital Signing Step 1
[Figure: the document "This is an example of how to create a message digest and how to digitally sign a document using Public Key cryptography" is passed through a Hash function to produce the Message Digest]
Hash Function
A hash function is a cryptographic mechanism that operates as a one-way function
Creates a digital representation or "fingerprint" (Message Digest)
Fixed size output
Any change to a message produces a different digest
Examples: MD5, Secure Hash Algorithm (SHA)
Note: practical collisions have been published for both MD5 and SHA-1; neither is acceptable for new digital signatures, and the SHA-2 family (SHA-256 and above) should be used instead
Hash - Example
Message: "Hi Jai, I will be in the park at 3 pm  Veeru"
Hash Algorithm -> Message Digest: B5EA1EC376E61DB2680D0312FC26D3773F384E43
Message: "Hi Jai, I will be in the park at 3 pm.  Veeru" (one extra full stop)
Hash Algorithm -> Message Digest: 86D19C25294FB0D3E4CF8A026823439064598009
Digests are Different
Hash: One-way
Message: "Hi Jai, I will be in the park at 3 pm  Veeru" -> B5EA1EC376E61DB2680D0312FC26D3773F384E43
The reverse direction (recovering the message from the digest) is marked X: not feasible
MD5 and SHA
Message: "Hi Jai, I will be in the park at 3 pm  Veeru"
Algorithm   Digest size              Message Digest
MD5         128 bits                 cfa2ce53017030315fde705b9382d9f4
SHA-1       160 bits                 1f695127f210144329ef98e6da4f4adb92c5f182
SHA-2       224/256/384/512 bits     (the slide shows an illustrative placeholder here; the value is not a real hexadecimal digest)
A peep into the Hash Algorithm SHA
SHA-512 is word-oriented
A word is defined as 64 bits
Each block of message consists of sixteen 64-bit words
The message digest is only eight words of 64 bits each
64 Bits = Word; 16 Words = Block;
A peep into SHA-512
[Figure: a Message block of 16 words, each of 64 bits = 1024 bits, feeds the compression function; the Message digest is 8 words A B C D E F G H, each of 64 bits = 512 bits]
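The hash properties from the preceding slides (fixed-size output, any change gives a different digest) and the SHA-512 word/block layout, checked in Python as an added example that is not part of the slides. The messages are the slide's own, re-typed as constructed input; `sha512_blocks` rebuilds the padding rule from FIPS 180-4 (a 1 bit, zeros to 896 bits mod 1024, then a 128-bit length) so the reader can see the sixteen 64-bit words of each 1024-bit block.

```python
# Added example: hash properties from the slides checked with hashlib, and the
# SHA-512 block layout reconstructed from the FIPS 180-4 padding rule.
# Not from the slides; the messages are the slide's, re-typed as constructed input.
import hashlib
import struct

MSG = b"Hi Jai,\nI will be in the park at 3 pm\nVeeru"
MSG_DOT = b"Hi Jai,\nI will be in the park at 3 pm.\nVeeru"   # one extra full stop


def digest_bits(algorithm: str, message: bytes) -> int:
    """Fixed-size output: the digest length depends on the algorithm, not on the message."""
    return hashlib.new(algorithm, message).digest_size * 8


def hamming_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algorithm: str, m1: bytes, m2: bytes) -> int:
    """'A change to a message produces a different digest': for a good hash,
    a one-character change flips about half of the digest bits."""
    d1 = hashlib.new(algorithm, m1).digest()
    d2 = hashlib.new(algorithm, m2).digest()
    return hamming_bits(d1, d2)


def sha512_blocks(message: bytes):
    """Pad the message the way SHA-512 does and split it into 1024-bit blocks.

    Padding: a single 1 bit (0x80), zeros up to 896 bits mod 1024, then the
    message length in bits as a 128-bit big-endian integer.  Each block is
    returned as its sixteen 64-bit words, which is what one compression
    round of SHA-512 consumes.
    """
    bit_length = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    padded += bit_length.to_bytes(16, "big")
    assert len(padded) % 128 == 0
    return [list(struct.unpack(">16Q", padded[i:i + 128]))
            for i in range(0, len(padded), 128)]


def digest_words(message: bytes) -> int:
    """The SHA-512 digest is eight 64-bit words (512 bits)."""
    return len(hashlib.sha512(message).digest()) // 8
```

The 43-byte slide message pads to exactly one 128-byte block whose last word is the bit length 344; a 120-byte message needs two blocks because the padding and length field no longer fit in the first one.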
SHA-512 Iterating over and over
SHA-512: Structure of One Round
Digital Signing Step 2
[Figure: the Message Digest is "encrypted" with the signer's private key to produce the Digital Signature]
(Strictly, this is the RSA private-key operation applied to the digest, not encryption for confidentiality; real implementations first wrap the digest in a padding scheme such as PKCS#1 v1.5 or PSS and never apply the raw operation to a bare hash)
Digital Signing Step 3
[Figure: the Digital Signature is appended to the document "This is an example of how to create a message digest and how to digitally sign a document using Public Key cryptography"]
Digital Signing Process
Digital Signature Verification
[Figure: the received document "This is an example of how to create a message digest and how to digitally sign a document using Public Key cryptography" is hashed to a fresh Message Digest; the received Digital Signature is "decrypted" with the signer's public key to recover the signed Message Digest; the two digests are compared]
Digital Signature Verification
Digital Signatures - Examples
Digital Signatures are numbers
They are content and signer dependent
"I agree" -> efcc61c1c03db8d8ea8569545c073c814a0ed755
"My place of birth is Gwalior." -> fe1188eecd44ee23e13c4b6655edc8cd5cdb6f25
"I am 62 years old." -> 0e6d7d56c4520756f59235b6ae981cdb5f9820a0
"I am an Engineer." -> ea0ae29b3b2c20fc018aaca45c3746a057b893e7
"I am a Engineer." -> 01f1d8abd9c2e6130870842055d97d315dff1ea3
These are digital signatures of the same person on different documents (note that a one-character change gives a completely different signature)
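The three signing steps, the verification step and the "same signer, different documents" examples above, run end to end as an added example in Python (not part of the slides). SHA-256 is the hash and the signing operation is the raw RSA private-key operation the slides describe. The key is constructed from two well-known Mersenne primes so that the block runs offline without a prime generator; because anyone can guess those primes it is a teaching prop, never a real key, and as the comments note a real signer wraps the digest in PKCS#1 v1.5 or PSS padding before this step.

```python
# Added example: the three signing steps and the verification step from the
# slides, run with SHA-256 and a raw RSA private-key operation.  Not from the
# slides.  The key is constructed from two well-known Mersenne primes so the
# block runs offline without a prime generator; since anyone can guess these
# primes it is a teaching prop, never a real key.
import hashlib

P = (1 << 127) - 1            # 2^127 - 1, prime
Q = (1 << 521) - 1            # 2^521 - 1, prime
N = P * Q                     # about 648 bits, comfortably above a 256-bit digest
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def message_digest(message: bytes) -> int:
    """Step 1: hash the document to a fixed-size digest (as an integer < N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key=(N, D)) -> int:
    """Step 2: apply the private-key operation to the digest.

    The slide calls this 'encrypt with private key'.  It is the raw operation
    s = h^d mod n; real signers first wrap h in PKCS#1 v1.5 or PSS padding.
    """
    n, d = private_key
    return pow(message_digest(message), d, n)


def signed_document(message: bytes, private_key=(N, D)) -> dict:
    """Step 3: append the signature to the document."""
    return {"message": message, "signature": sign(message, private_key)}


def verify(message: bytes, signature: int, public_key=(N, E)) -> bool:
    """Verification: recover the signed digest with the public key and compare it
    with a fresh hash of the received document.  A changed document, a changed
    signature, or the wrong public key all break the equality."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == message_digest(message)


def tamper_check(original: bytes, received: bytes) -> bool:
    """Sign the original, then verify the received copy against that signature."""
    doc = signed_document(original)
    return verify(received, doc["signature"])
```

`tamper_check(b"I am an Engineer.", b"I am a Engineer.")` is False: dropping one character changes the digest, so the recovered digest no longer matches, which is the integrity property the slides promise.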
Digital Signatures - Recap
Establishes Identity and Authenticity of the Signer
Integrity of the document
Non-Repudiation (inability to deny having signed), to a certain extent
General Conventions
Signing: Private Key of the Signer
Verification: Public Key of the Signer
Digital Signature Certificate (DSC)
Why do we need DSC?
To firmly establish the ownership of a public key (binding the key to an identity)
To certify and provide a strong mechanism for non-repudiation (inability to deny)
What is a Digital Signature Certificate (DSC)?
A DSC is an electronic document used to prove ownership of a public key. The certificate includes
Information about its owner's identity,
Information about the key,
The Digital Signature of an entity that has verified that the certificate's contents are correct.
[Figure: a sample certificate. Veeru Info: Name: Veeru; Department: AMD. Certificate Info: Serial No: 93 15 H0; Exp Date: dd mm yy. Veeru's Public Key. Signature of the issuer over all of the above]
Certifying Authority (CA)?
Certifying Authority (CA)
A Certifying Authority is an entity which issues Digital Signature Certificates (DSC)
It is a trusted third party
CAs are the important components of Public Key Infrastructure (PKI)
Responsibilities of a CA
Verify the credentials of the person requesting the certificate (the Registration Authority's (RA's) responsibility)
Issue certificates
Revoke certificates
Generate and publish the CRL
Sample Certificate
Trust Model
Hierarchical Trust Model
For a Digital Signature to have legal validity in India, it must derive its trust from the Root CA certificate
[Figure: National Root CA (RCAI) at the top; beneath it Licensed CAs (e.g. NIC, IDRBT, nCode); beneath each Licensed CA its Subscribers]
Licensed CAs in India
The National Root CA (RCAI), operated by the CCA, only issues CA certificates for licensed CAs
CAs licensed under the National Root CA:
National Informatics Centre (https://nicca.nic.in)
eMudhra (www.e-mudhra.com)
TCS (www.tcs-ca.tcs.co.in)
nCode Solutions CA (www.ncodesolutions.com)
SafeScrypt (www.safescrypt.com)
IDRBT CA (www.idbrtca.org.in)
C-DAC (http://esign.cdac.in), only e-Sign
As of Jan 2015, approx. 9 million+ DSCs have been issued
Certificate Issuance Process
Certificate Issuance Process
[Figure: the applicant provides identity information and other identity documents, makes an online payment, is issued a crypto token, and receives an X.509 v3 certificate]
Crypto Tokens
Contain a cryptographic co-processor with a USB interface
Key is generated inside the token
Key is highly secured as it doesn't leave the token
Highly portable and machine-independent
FIPS 140-2 compliant; tamper-resistant
Certificate Classes
Classes of Certificates
3 Classes of Certificates
Class 1 Certificate: Issued to Individuals
Assurance Level: Certificate will confirm the user's name and email address
Suggested Usage: Signing certificate primarily to be used for signing personal emails; encryption certificate to be used for encrypting emails; SSL certificate to establish secure communication through SSL
Classes of Certificates
Class 2 Certificate: Issued for both business personnel and private individuals' use
Assurance Level: Confirms the details submitted in the form, including photograph and documentary proof
Suggested Usage: Signing certificate may also be used for digital signing, code signing, authentication for VPN client, web form signing, user authentication, Smart Card Logon, Single sign-on and signing involved in e-procurement / e-governance applications, in addition to Class 1 usage
Classes of Certificates
Class 3 Certificate: Issued to Individuals and Organizations
Assurance Level: Highest level of assurance; proves the existence of the name of the organization, and assures the applicant's identity as authorized to act on behalf of the organization
Suggested Usage: Signing certificate may also be used for digital signing when discharging his/her duties as per official designation, and encryption certificate to be used for encryption requirements as per his/her official capacity
Types of Certificates
Types of Certificates
Signing Certificate (DSC)
Issued to a person for signing of electronic documents
Encryption Certificate
Issued to a person for the purpose of encryption
SSL Certificate
Issued to an Internet domain name (web servers, email servers etc.)
Achieving Secrecy
Achieving Secrecy through Asymmetric Key Encryption
[Figure: A encrypts the Message with B's Public key; the Encrypted Message crosses the channel, where an Eavesdropper sees only ciphertext; B decrypts with B's Private key to recover the Message]
Asymmetric Encryption & Decryption
[Figure: Jai encrypts the message "Hi Veeru, I am Jai" with Veeru's Public Key, producing the Encrypted Message "#$23R*7e"; Gabbar, watching the channel, sees only "#$23R*7e"; Veeru decrypts with Veeru's Private Key and reads "Hi Veeru, I am Jai"]
Achieving PAIN!
How to achieve Privacy, Authenticity, Integrity and Non-repudiation all together in a transaction
Signcryption
Why do you need Signcryption?
The intended receiver alone should know the contents of the message: Secrecy / Confidentiality / Privacy
The receiver should be sure that the message has come from the claimed sender only: Authentication
The message has not been tampered with: Integrity
The signer has used a valid and trustable certificate: Non-Repudiation
General Conventions
Encryption: Public Key of the Receiver
Decryption: Private Key of the Receiver
Signing: Private Key of the Signer
Verification: Public Key of the Signer
Certificate Extensions
File extension    Description
.CER, .CRT        A certificate: the public key plus the owner's identity and the issuer's signature; no private key (PEM or DER encoded)
.DER              Binary (DER) encoding of a certificate; no private key
.P12, .PFX        PKCS#12 container holding the certificate chain together with the private key, protected by a password
.PEM, .KEY        PEM is a text (base64) encoding that can hold a certificate, a private key, or both; .KEY conventionally holds a private key and must be protected like one
.JKS              Java KeyStore: may hold private keys and certificates
.CSR              Certificate Signing Request (public key plus the requested identity, signed with the private key)
.CRL              Certificate Revocation List
Certificate Lifecycle Management
A Digital Signature Certificate cannot be used for ever!
Typical life cycle scenarios of Digital Certificates
Use until renewal: Certificates are to be reissued regularly on expiry of validity (typically 2 years)
Use until re-keying: If keys had to be changed
Use until revocation: If the certificate was revoked, typically when keys are compromised or the CA discovers that the certificate was issued improperly based on false documents
CRL: Certificate Revocation List
A list, signed by the CA, containing the serial numbers of those certificates that have been revoked
Why have they been revoked?
If keys are compromised and the user reports it to the CA
If the CA discovers that false information was used to obtain the certificate
Who maintains CRLs?
Typically the CAs maintain the CRL
CRL: Certificate Revocation List
How frequently is the CRL updated?
Generally twice a day; based on the CA's policies
Is there any automated system in place for accessing revocation status?
OCSP (Online Certificate Status Protocol), which answers a query for one certificate's status instead of requiring the whole CRL to be downloaded
Certificate Validation Methods
Validating a certificate is typically carried out by the PKI-enabled application
The validation process performs the following checks:
Digital signature of the issuer (CA)
Trust (public key verification) up to the root level
Time (validity period of the certificate)
Revocation (CRL or OCSP verification)
Format
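The checks listed above, together with the CRL lookup from the previous slides, run over a constructed three-level chain (National Root CA -> Licensed CA -> subscriber) as an added example in Python that is not part of the slides. Certificates are plain dicts and the issuer's signature is a raw RSA operation over SHA-256 of the canonical JSON of the signed fields; this stands in for X.509/DER and PKCS#1 so that the block runs offline. The keys are built from well-known Mersenne primes and are teaching props only; the chain, names, serials and dates are all constructed.

```python
# Added example: the validation checks listed on the slide, run over a
# constructed three-level chain (National Root CA -> Licensed CA -> subscriber).
# Not from the slides.  Certificates are plain dicts and the issuer's signature
# is a raw RSA operation over SHA-256 of the canonical JSON of the signed fields;
# this stands in for X.509/DER and PKCS#1 so that the block runs offline.
import hashlib
import json
from datetime import datetime, timezone

E = 65537


def make_key(p: int, q: int):
    """(n, e) public and (n, d) private key from two primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


# Constructed keys from well-known Mersenne primes: fine as props, useless as real
# keys because the primes are public.  Each key uses distinct primes on purpose;
# two keys sharing a prime can be factored with one gcd.
ROOT_PUB, ROOT_PRIV = make_key((1 << 127) - 1, (1 << 521) - 1)
CA_PUB, CA_PRIV = make_key((1 << 107) - 1, (1 << 607) - 1)
SUB_PUB, SUB_PRIV = make_key((1 << 89) - 1, (1 << 1279) - 1)


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def _digest(fields: dict) -> int:
    canonical = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")


def issue(fields: dict, issuer_private_key) -> dict:
    """The issuer signs the to-be-signed fields and returns the certificate."""
    n, d = issuer_private_key
    return {**fields, "signature": pow(_digest(fields), d, n)}


def signature_ok(cert: dict, issuer_public_key) -> bool:
    n, e = issuer_public_key
    to_be_signed = {k: v for k, v in cert.items() if k != "signature"}
    return pow(cert["signature"], e, n) == _digest(to_be_signed)


ROOT = issue({"serial": 1, "subject": "RCAI", "issuer": "RCAI", "pubkey": ROOT_PUB,
              "not_before": "2015-01-01", "not_after": "2035-01-01"}, ROOT_PRIV)
CA = issue({"serial": 2, "subject": "Licensed CA", "issuer": "RCAI", "pubkey": CA_PUB,
            "not_before": "2015-01-01", "not_after": "2025-01-01"}, ROOT_PRIV)
VEERU = issue({"serial": 3, "subject": "Veeru", "issuer": "Licensed CA", "pubkey": SUB_PUB,
               "not_before": "2015-10-01", "not_after": "2017-10-01"}, CA_PRIV)


def validate(chain: list, trust_anchor: dict, crls: dict, now: datetime) -> list:
    """Walk from the subscriber certificate up to the trust anchor.

    chain is [subscriber, intermediate, ...]; crls maps an issuer name to the
    set of serial numbers it has revoked.  Returns the list of problems found
    (empty means the certificate is valid at time `now`).
    """
    problems = []
    issuers = chain[1:] + [trust_anchor]
    for cert, issuer in zip(chain, issuers):
        who = cert["subject"]
        if cert["issuer"] != issuer["subject"]:                      # format / name chaining
            problems.append(f"{who}: issuer name does not match {issuer['subject']}")
        if not signature_ok(cert, issuer["pubkey"]):                 # digital signature of the issuer
            problems.append(f"{who}: issuer signature invalid")
        not_before = utc(*map(int, cert["not_before"].split("-")))  # time
        not_after = utc(*map(int, cert["not_after"].split("-")))
        if not not_before <= now <= not_after:
            problems.append(f"{who}: outside validity period")
        if cert["serial"] in crls.get(cert["issuer"], set()):        # revocation
            problems.append(f"{who}: serial {cert['serial']} is revoked")
    if not signature_ok(trust_anchor, trust_anchor["pubkey"]):       # trust: self-signed anchor
        problems.append("trust anchor is not self-signed")
    return problems
```

`validate([VEERU, CA], ROOT, {}, utc(2016, 1, 1))` returns no problems; the same chain checked in 2019 reports Veeru's certificate as expired, a CRL entry `{"Licensed CA": {3}}` reports it revoked, and editing any signed field (for example the subject name) makes the issuer's signature fail. Presenting the subscriber certificate without the Licensed CA fails both the name-chaining and the signature check, which is the "trust up to the root level" requirement.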
A word of Caution!
Keep your digital security tokens safe!
Report loss of tokens immediately and seek revocation from the CA
If you have any doubts that the private key has been compromised, inform the CA
Remember that risks are inherent in any system!
Any security system is only as safe as the weakest link in the security chain!
Dimensions of PKI
The PKI (Public Key Infrastructure) ecosystem is an intersection of:
Cryptography (Math): Cryptographers / Researchers
Technology & Implementation: PKI System Developers
Policy & Law: PKI Systems & Users
e-Sign / e-Hastakshar: An Online Electronic Signature Service
e-Sign / e-Hastakshar
e-Hastakshar offers an on-line platform to citizens for instant signing of their documents securely in a legally acceptable form, under the Indian IT Act
C-DAC through its e-Sign/e-Hastakshar initiative enables citizens with a valid Aadhaar ID and registered mobile number to carry out digital signing of their documents on-line
The DSC offered by C-DAC CA through the eSign service to the applicant is for one-time signing usage and shall be of class Aadhaar-eKYC OTP
C-DAC utilizes the service of the Unique Identification Authority of India (UIDAI) for on-line e-authentication and the Aadhaar eKYC Service
As a provider of DSC and eSign services, C-DAC plays the role of a Certifying Authority (CA) under the Controller of Certifying Authorities (CCA)
e-Sign Architecture
Stakeholders in e-Sign Service
e-Sign Overview
e-Sign Authentication Ecosystem
e-Sign Operational Scenario
Two options for operating e-Sign services:
1) Directly connecting to the ESP (eSign Service Provider)
2) Using a Gateway Service Provider
Certificate Assurance Levels
The following classes of certificates are issued.
Aadhaar-eKYC OTP: This class of certificates shall be issued for individual use based on OTP authentication of the subscriber through Aadhaar e-KYC.
Aadhaar-eKYC Biometric (FP/Iris): This class of certificate shall be issued based on biometric authentication of the subscriber through the Aadhaar e-KYC service.
Benefits of e-Sign
No need for hardware tokens
No physical verification of the user is required: instead of a manual verification process, eSign utilizes Aadhaar-based e-Authentication (an online service)
Multiple ways to authenticate a user: eSign facilitates authentication based on a One-Time Password (through the registered mobile as in the Aadhaar database) or Biometrics (fingerprint or iris scan). C-DAC currently uses the Aadhaar-OTP based service for authentication
Privacy is preserved: only the thumbprint (i.e. hash) of the document is sent for digital signature, instead of the whole document
Use Case of e-Sign Services
Indian IT Act: From the perspective of Digital Signatures and PKI
Objectives of Indian IT Act
To grant legal recognition to records maintained in electronic form
To prescribe methods for authenticating electronic records
To establish a hierarchical trust model with a root CA at the top, and the CCA to regulate the CAs
To define computer system and computer network misuse and make it legally actionable
IT Act 2000
IT Act 2000 made changes in the Law of Evidence, and provides legal recognition for electronic records and electronic signatures, which paves the way for
Legal recognition for transactions carried out by electronic communication
Acceptance of electronic filing of documents with government agencies
Changes in the IPC and the Indian Evidence Act 1872 were made accordingly
IT Act 2000 has extra-territorial jurisdiction to cover any offence or contravention committed outside India
Regulation of Certifying Authorities
Under Indian law, section 35 of the IT (Amendment) Act, 2000 deals with certification and certifying authorities
The IT Act mandates a hierarchical trust model
The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate the working of CAs
The CCA operates the RCAI for certifying (signing) the public keys of CAs using its private key
Legal Validity of e-Sign
The eSign process involves consumer consent, DSC generation, digital signature creation and affixing, and DSC acceptance in accordance with the provisions of the Information Technology Act.
The electronic signatures facilitated through the e-Sign service are legally valid provided the e-Sign signature framework is operated under the provisions of the Second Schedule of the Information Technology Act and the guidelines issued by the CCA.
Please refer to the Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2015: e-Authentication technique using Aadhaar e-KYC services.
Present Digital Signature & PKI Implementations in India
PKI enabled Applications
1. e-Invoice (B2C)
2. e-Tax Filing (G2C)
3. e-Customs (G2B)
4. e-Passport (G2C): presently in India, the Ministry of External Affairs has started issuing e-Passports in Karnataka state with the fingerprints and the digital photo of the applicant
5. e-Governance: Bhoomi (G2C), a PKI-enabled registration and land records service offered by the Govt. of Karnataka to the people. All the land records and certificates issued are digitally signed by the respective officer
6. e-Payment (B2B): in India, currently fund transfers between banks are done using PKI-enabled applications, whereas between customers and vendors such as online shopping vendors the payment is done through SSL, thereby requiring the vendor to hold a DSC
PKI enabled Applications
7. e-Billing (B2C): the electronic delivery and presentation of financial statements, bills, invoices, and related information sent by a company to its customers
8. e-Procurement (G2B, B2B)
9. e-Insurance Service (B2C): presently the users are getting e-Premium Receipts etc. which are digitally signed by the provider
10. Treasury Operations (G2C): Khajane II of the Govt. of Karnataka uses Digital Signatures to automate and speed up treasury operations
Other Implementations
DGFT: clearance of goods is now initiated by exporters through the push of a button from their offices; previously it used to take days, and requests are now cleared within 6 hours
Indian Patent Office has implemented e-filing of patents and allows only the use of Class 3 certificates
Around 30% of all patent filings are now happening through e-filing
Summary
PKI is an ecosystem comprising Technology, Policy and Implementations
Digital Signatures provide Authenticity, Integrity and Non-Repudiation for electronic documents & transactions
Asymmetric Key systems enable Confidentiality
General Conventions
Signing: Private Key of the Signer
Verification: Public Key of the Signer
Encryption: Public Key of the Receiver
Decryption: Private Key of the Receiver
Conclusion
PKI and Digital Signatures have been transforming the way traditional transactions happen
The PKI ecosystem has the potential to usher in
Transparency
Accountability
Time, cost & effort savings
Speed of execution
and to be an integral part of Digital India and bring in Digital Identity
C-DAC Activities in PKI Domain
PKI Knowledge Dissemination Program: an effort to spread awareness and build competencies in the domain across the country
PKI Body of Knowledge: to develop a BoK with inputs from various sections of users
Researchers: algorithms and new directions in PKI
Developers: PKI administration and implementation issues
Policy Makers: laws
End Users and Applications
Thank you
[email protected]