Cyber Laws For CxO

Be Aware... Be Empowered

February 2010

Editor

 Naavi 

www.naavi.org


 Publisher

 Ujvala Consultants Pvt Ltd 

www.ujvala.com


 Contents

Editorial

Knowledge+

News Snippets

Interviews:

Dr N Vijayaditya

Ravi Jagannathan

Questions and Answers

Disclosure



Knowledge+

Digital Signature as an IS Tool

Digital Signatures have been available in India since 2002, after Safescrypt launched its services as a licensed Certifying Authority on 4th February 2002. Since then, TCS, n-Code, E-Mudhra, MTNL, NIC and IDRBT have also been licensed as CAs. The Department of Commercial Taxes, which had been licensed, is reportedly withdrawing from the business shortly.

The use of Digital Signatures in India is currently driven mostly by the mandatory requirement to submit annual MCA returns through online forms. The full potential of the digital signature system has not been used by the Indian Corporate sector. Even in MCA/IT filings, digital signatures have largely been used in a manner that has exposed the user companies to various risks.

On February 17th, news of a major fraud in WIPRO broke out. This fraud involved an employee stealing the password of a colleague and using it to withdraw money from WIPRO’s bank account and transferring the same to the accounts of the employee and his relatives. What strikes a sharp observer in this case is that the Bank was allowing withdrawals based on passwords and not on “Digital Signatures”, which made it easy for the fraudster to cheat the Bank and WIPRO.

No doubt every Bank in India allows withdrawals through password authentication. But it defies logic that a major IT company like WIPRO and major Banks in India continue to ignore what is so clearly stated in Indian law: “You cannot legally authenticate an Electronic Document without the use of a Digital Signature backed by a valid Digital Certificate issued by a licensed Certifying Authority”.

Are our Corporate CFOs so ignorant of the law? Or do they simply not care what is in the law? If this is the attitude of the top executives of a Company, what example are they setting for their employees regarding compliance with the law in general and ethics in the workplace?

On June 14, 2001, RBI issued circular DBOD.COMP.BC.No.130/07.03.23/2000-01 providing “Internet Banking Guidelines”. Under these guidelines RBI clearly indicated that, according to ITA 2000, Digital Signature was the only accepted method of authentication of an electronic document. Since at that point of time the Certifying Authorities had not yet set up their services, RBI suggested that until a PKI system is established, other alternate systems can be used. RBI made a categorical statement that

“From a legal perspective, security procedure adopted by banks for authenticating users needs to be recognized by law as a substitute for signature. In India, the Information Technology Act, 2000, in Section 3(2) provides for a particular technology (viz., the asymmetric crypto system and hash function) as a means of authenticating electronic record. Any other method used by banks for authentication should be recognized as a source of legal risk. (Para 7.3.1)”.

This left no doubt about the intention of the Banking regulator: as and when the digital signature system becomes available, it should be used for authentication in Internet Banking systems.

Despite this, Banks have continued to avoid the use of Digital Signatures, and the Chairmen and Directors of Banks are perhaps being misled by IT professionals, some of whom have developed and are marketing Banking Software that is not PKI compliant.

The RBI guideline was reinforced on July 20, 2005 through another circular, DBOD No. Comp.BC.14/07.03.29/2005-06, which fixed responsibility on the top management of Banks for approving the Internet Banking policy. If therefore Banks have been running a “Cyber Law Non Compliant Internet Banking” system, the responsibility for the same lies squarely with the Board and the Chairman. Since the Chairman may also be responsible for SEBI Listing requirements under Clause 49 and provides the necessary Corporate Governance certificates to be published for shareholders’ information, we have a dangerous scenario where the Chairmen and the Independent Directors of Banks are exposing themselves to serious charges of “Negligence” and “False Certification”.

Though the cost of incorporating Digital Signatures as a means of authenticating Internet Banking log-in requests is quite low, and solutions are readily available, Banks continue to challenge the law. It may not be long before a WIPRO-like incident in a Bank puts some unfortunate Chairman in jail and wakes the industry from the slumber it has put itself into.

The PKI based digital signature system is not only the authentication tool approved by law and more secure than password based authentication systems; it is also a tool that can be used for “Encryption of Transmission of Electronic Documents”. If two persons communicating through electronic messages have digital signatures, each can use the other’s public key to encrypt the message, so that the communication has “Person to Person Security”.

This beneficial use of digital signatures for encryption, however, works only when the private key is available to decrypt a document that was first encrypted with the public key. Unfortunately, this benefit is being lost in the “Secured Digital Signature” system that we are now adopting based on hardware tokens. These tokens are equipped to generate the key pair at the time of certificate generation and also to take in the hash values of the documents to be signed and carry out the private key encryption (signing) of the hash value within the token. However, encrypted documents cannot be imported into the tokens, nor can private keys be exported from the tokens to decrypt an encrypted document outside the hardware token.

This technical issue needs to be recognized by the CCA in order to retain and encourage the use of soft token based digital signatures, which are on par with the hardware token based systems in terms of judicial value. Presently, the CCA has been considering the introduction of a dual key pair system, where one pair of public and private keys is used for signing and the other for encryption. It is suggested that the private key meant for encryption be escrowed with the Certifying Authority so that it is available for forced decryptions.

The dual key pair system is a difficult solution in practice, since the current technologies for issuing and using private and public keys in e-mail clients, web browsers and applications do not support dual key pairs, and the changes that would have to be made to the applications are too complicated to be of practical use.
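To make the token limitation and the dual key pair proposal above concrete, here is an added illustration (not code from the article, the CCA or any Certifying Authority) of the separation the proposal relies on: one RSA pair used only to sign document hashes, as the token does internally, and a second pair used only for encryption, whose private key is the one that could be escrowed. The 2048-bit key size and all names are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// DualKeyPair models the dual key pair proposal: a signing pair that stays on
// the user's token and a separate encryption pair whose private key is escrowable.
type DualKeyPair struct {
	Sign *rsa.PrivateKey
	Enc  *rsa.PrivateKey
}

// NewDualKeyPair generates both pairs; 2048-bit RSA is an assumed size.
func NewDualKeyPair() (*DualKeyPair, error) {
	s, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	e, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &DualKeyPair{Sign: s, Enc: e}, nil
}

// SignDocument hashes the document and signs the hash with the signing key only.
func (k *DualKeyPair) SignDocument(doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, k.Sign, crypto.SHA256, h[:])
}

// VerifyDocument checks a signature against the signer's public signing key.
func VerifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// EncryptFor encrypts a message to the recipient's encryption public key.
func EncryptFor(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt recovers the message; only the (escrowable) encryption private key succeeds.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}
```

Because the signing private key never has to leave the token while the encryption private key can be escrowed, a forced decryption never requires surrendering the key that carries legal signing value.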

Naavi has suggested the use of the CEAC-Certified Digital Signature System as an alternative which can perhaps retain the advantages of the current soft token based systems and still meet the consumer’s requirement for judicial acceptance on par with “Secured Digital Signatures”. Once such systems are adopted by the public, the value of digital signature systems would increase and Netizens may start using digital signatures for their day to day requirements.

Since it may be possible today to provide digital signature certificates, and a suitable system for Banks to authenticate their clients, at a very low per user fee, there is a case for RBI taking the immediate bold step of making the use of digital signatures in Internet Banking mandatory.

RBI should also ensure that “Mobile Banking” transactions are authenticated by the use of “Digital Signatures” so that there is legal backing for Mobile Banking transactions.

It may however be necessary for the CCA to undertake a campaign with all the Chairmen of Banks in India to explain the benefits of the use of Digital Signatures and also expose them directly to the available solutions, so that the Indian Banking System may go “Truly Digital”.

Naavi

Free E Book available for download at Naavi.org


A PDF Copy of the News Letter would be sent by e-mail to all persons who subscribe. Subscription is free.
