Cyber Laws For CxO

Be Aware... Be Empowered

February 2010

Editor

 Naavi 

www.naavi.org


 Publisher

 Ujvala Consultants Pvt Ltd 

www.ujvala.com

 


 Contents

Editorial

Knowledge+

News Snippets

Interviews:

Dr N Vijayaditya

Ravi Jagannathan

Questions and Answers

Disclosure



Questions and Answers

We intend to use this section of the newsletter to answer the Cyber Law related queries raised by our readers. This being the inaugural issue, we do not have any questions to answer.

We hope that this will be one of the most vibrant sections of the newsletter and that it will generate illuminating debates of use to one and all.

We would appreciate it if queries are raised by persons indicating their Name, Occupation and Contact details. We do not, however, want to restrain readers from raising questions without revealing their identity. Such readers may send their questions as "Anonymous", in which case not even their e-mail ID will be published in the newsletter.

All questions may be sent by e-mail to naavi@in.com with the subject line containing "Cyber Laws for CxOs".

Editor


What is a Digital Signature?

A digital signature is a method of authenticating an electronic document which, under Indian law (the Information Technology Act 2000, ITA 2000), is recognized as equivalent to a written signature on a paper document.

The system is defined under Section 3 of ITA 2000 and its effect is given legal recognition under Section 5 of ITA 2000.

 A derived definition of digital signature as per ITA 2000 is

 “Digital Signature of a person, of a document is the hash value of the document encrypted with the private key of the person”…. Naavi

The ITA 2008 amendment has also introduced the concept of an "Electronic Signature", which could be any other form of authentication approved by the Government under ITA 2000 and developed in future using a technology other than the hash value and asymmetric encryption based Digital Signature.


How Does a Digital Signature Work?

Step 1: Apply the standard hash algorithm to the document to be signed to calculate its hash code.

Step 2: Use the private key to encrypt the hash code.

The encrypted hash code is the digital signature. It can be embedded into, or attached to, the document.

In practice, the above steps are carried out automatically by an application, which picks up the private key from where it is stored using the prescribed password, if any.

If the private key is stored in an external token (a cryptographic USB token or smart card), the token has to be attached to the computer so that the application can use the key. A well-designed token performs the signing internally and never releases the private key to the computer.


What is the Technology Behind Digital Signatures

Digital signatures use two sub-technologies, namely "Hashing" and the "Asymmetric Crypto System". Hashing is a process in which the electronic document is taken as numerical input by a hashing algorithm, producing a fixed-size hash result that is consistent (the same document always gives the same value) and, for practical purposes, unique to the document: if the document undergoes any change, even of a single bit, the hash value changes. An asymmetric cryptosystem is an encryption system based on a pair of keys such that encryption can be done with either key, but once encrypted with one key of the pair, decryption is possible only with the other member of the pair. A successful decryption with one key of a pair can therefore be accepted as evidence that the encryption was done with the other member of the pair.

For use in the digital signature system, one of the two keys of the pair is designated the private key; it is held confidentially by the signatory and used to encrypt the hash value of a document for the purpose of signature. The other key, called the public key, is widely distributed and used to verify the signature by the corresponding decryption.

India presently uses the SHA-1 and SHA-2 standard hash algorithms and the RSA encryption algorithm, and issues digital certificates under a hierarchy in which the Controller of Certifying Authorities (CCA), a statutory authority, is the root certifying authority of India. (Of the two hash families, SHA-1 is the weaker and is being phased out in favour of SHA-2; prefer SHA-2 wherever the application allows it.) The CCA licenses other agencies as "Certifying Authorities" (CAs); CAs deal with the public, enrolling them as "Subscribers" and issuing Digital Certificates on application.

CAs verify the identity of applicants before digital certificates are issued, provide the technology for generating the key pair, and maintain a repository of certificates issued and revoked. Based on the strength of verification and other parameters, CAs issue different classes of digital certificates at different prices. Details are published in the Certification Practice Statement available on each CA's website. The URLs of the different CAs may be obtained from the CCA website http://www.cca.gov.in

In the Indian legal system, only a digital signature affixed using a digital certificate issued by a licensed CA, that is, one whose certificate chains up to the CCA root, is valid.
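The signing and verification steps described above, together with the CCA -> CA -> subscriber hierarchy, can be seen end to end in the following Python script. It is an added illustration and not code from the newsletter, the CCA or any licensed CA: it uses SHA-256 (a SHA-2 hash) and textbook RSA with no PKCS#1 padding, models a certificate as a simple "subject|n|e|issuer" string rather than X.509, and the names "CCA", "Example CA" and "Director A", the key seeds and the sample document used with it are assumptions made for the demo.

```python
"""Hash-and-sign digital signature with a CCA -> CA -> subscriber chain.
Added illustration, stdlib only: SHA-256 plus textbook RSA (no PKCS#1 padding)."""
import base64
import hashlib
import math
import random
from typing import NamedTuple

E = 65537  # conventional RSA public exponent

class KeyPair(NamedTuple):
    n: int  # modulus, part of the public key
    e: int  # public exponent
    d: int  # private exponent: the secret the subscriber's token protects

def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    # Miller-Rabin with random bases; a composite passes with probability < 4**-rounds
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, exact bit length
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits: int = 512, seed=None) -> KeyPair:
    """Toy key generation; 'seed' only makes the demo reproducible. A real key
    pair comes from a CSPRNG on the subscriber's own computer or token."""
    rng = random.Random(seed)
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            break
    n = p * q
    assert n.bit_length() > 256  # a SHA-256 hash value must be smaller than n
    return KeyPair(n, E, pow(E, -1, phi))

def hash_document(document: bytes) -> int:
    """Step 1: the hash value of the document (SHA-256, a SHA-2 algorithm)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, key: KeyPair) -> str:
    """Step 2: 'encrypt' the hash with the private key; the base64 text is the
    opaque string a user sees when opening a signature in an editor."""
    sig = pow(hash_document(document), key.d, key.n)
    return base64.b64encode(sig.to_bytes((key.n.bit_length() + 7) // 8, "big")).decode()

def verify(document: bytes, signature_b64: str, n: int, e: int) -> bool:
    """Decrypt the signature with the public key and compare with a fresh hash."""
    sig = int.from_bytes(base64.b64decode(signature_b64), "big")
    return sig < n and pow(sig, e, n) == hash_document(document)

class Certificate(NamedTuple):
    subject: str
    n: int
    e: int
    issuer: str
    signature: str  # issuer's signature over (subject, n, e, issuer)

def _cert_body(subject: str, n: int, e: int, issuer: str) -> bytes:
    return f"{subject}|{n}|{e}|{issuer}".encode()  # assumed toy format, not X.509

def issue_certificate(subject: str, key: KeyPair, issuer: str,
                      issuer_key: KeyPair) -> Certificate:
    """The issuer binds the subject's public key to its name by signing both."""
    body = _cert_body(subject, key.n, key.e, issuer)
    return Certificate(subject, key.n, key.e, issuer, sign(body, issuer_key))

def verify_signed_document(document: bytes, signature: str, subscriber: Certificate,
                           ca: Certificate, root: Certificate,
                           revoked: frozenset = frozenset()) -> bool:
    """What a verifying application does before reporting 'valid': check the
    chain subscriber <- CA <- root (the locally installed trust anchor), refuse
    revoked names, then check the document signature under the subscriber key."""
    for cert, issuer in ((subscriber, ca), (ca, root)):
        if cert.issuer != issuer.subject or cert.subject in revoked:
            return False
        body = _cert_body(cert.subject, cert.n, cert.e, cert.issuer)
        if not verify(body, cert.signature, issuer.n, issuer.e):
            return False
    return verify(document, signature, subscriber.n, subscriber.e)
```

To try it, generate three key pairs (for the CCA root, a CA and a subscriber), issue a self-signed root certificate, a CA certificate signed by the root key and a subscriber certificate signed by the CA key, sign a document with the subscriber's private key and pass everything to verify_signed_document(). Changing a single byte of the document, presenting a subscriber certificate issued by a CA that does not chain to the root, or listing the subscriber's name in revoked each makes it return False; that is all an application shows the user when it reports a signature invalid.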


Has there been any Cyber Crimes Committed with Digital Signatures?

There is one reported case in which the digital signature of a deceased Company Director was fraudulently used by other directors, causing wrongful harm to the legal heirs.

The problem could occur because of the prevailing insecure practice of many Company Directors of leaving their private key tokens with chartered accountants, secretaries or other assistants and letting them sign on their behalf. Once the token and its password are in someone else's hands, the signature no longer proves who affixed it.

It is necessary for Company Directors to ensure that they do not depend on any other person either to generate their certificate in the first place or to use it subsequently.


Who is a Certifying Authority?

Certifying Authorities are agencies licensed by the Controller of Certifying Authorities (CCA) and authorized to issue digital certificates to applicants as per the provisions of ITA 2000.

They issue digital certificates after due verification of the applicant's identity. Some of the CAs also provide applications for the use of Digital Signatures and other services to users.

Only companies which are financially sound, have adequate net worth and maintain the required security systems are granted a license. Foreign Certifying Authorities need to obtain a separate license to operate in India.

 All CAs are governed under the supervision of the CCA.


List of Certifying Authorities in India and their Websites

1. Safescrypt :http://www.safescrypt.com

2. TCS :http://www.tcs-ca.tcs.co.in

3. GNFC: http://www.ncodesolutions.com

4. E-Mudhra:http://www.e-Mudhra.com

5. NIC : https://nicca.nic.in

6. IDRBT: http://idrbtca.org.in

7. MTNL: http://www.mtnltrustline.com

Department of Customs and Central Excise which was one of the licensed CAs ceased its operations from 8th December 2009.

Certification Practice Statement (CPS) of each of the CAs is available on the respective websites and describes the detailed terms and conditions under which Digital Certificates are issued by them.


What are the Responsibilities of a Digital Signature user?

ITA 2000 prescribes certain obligations on subscribers, and non-compliance with them may result in civil and criminal liabilities. Every subscriber is expected to ensure that the digital certificate is not used for a fraudulent purpose, does not contain any false particulars about the holder (e.g. e-mail address, name) and was not obtained through misrepresentation. Criminal consequences can be imprisonment of up to 2 years.

The subscriber has to generate the keys using the recommended security process, keep the private key in confidential custody and, in the event of any compromise of the private key (accidental or otherwise), inform the CA and have the certificate revoked.


How To Get a Digital Certificate

Step 1: Identify a suitable CA.

Step 2: Visit the website of the CA, download the CPS, understand the different types or classes of Digital Certificates issued and obtain the price list.

Step 3: Make an online application or request the company representative to call on you.

Step 4: Submit your application along with the necessary documents of identity etc. as may be required, along with payment of the fees.

Step 5: On approval, the CA will send instructions on how to pick up the Certificate. Follow the procedure and install the certificate on your system.


Precautions to be Observed While obtaining the Digital Certificate

 

  1. Ensure that correct particulars about you are furnished to the CA. Misrepresenting any information may be considered a punishable offence.
  2. Register with an e-mail address that you can use from an e-mail client application such as Outlook, Outlook Express or Mozilla Thunderbird (i.e. one with POP/IMAP and SMTP access, not only webmail). The certificate is bound to this address, and without such a client you may be unable to send digitally signed e-mails.
  3. Allocate a strong password to protect your private key, whether it is stored as a soft token on the computer or in a hardware token such as a cryptographic USB token or smart card.
  4. Ensure that you alone sit before the computer and pick up the certificate; the private key is generated and stored on your computer or token during this step, so anyone present could obtain a copy of it. Delegation of the pick-up process to any person, including the agent of the CA, is improper and renders the certificate invalid.
  5. If you suspect that the private key or the password to the folder containing the private key might have come to the knowledge of any other person, the certificate needs to be "revoked" immediately. Check the procedure for revocation with the CA.
  6. Before installation of the Digital Certificate, it may be necessary to also download the digital certificate of the issuing CA, which will be available on the CA's website, and the digital certificate of the CCA, which will be available either on the CA's website or on the CCA website (www.cca.gov.in).
  7. If you are buying a "Secured Digital Certificate" with a hardware token, the token's driver software (supplied on the CD provided by the CA) may have to be installed first. Complete this before starting the process of picking up the certificate.
  8. During the process of picking up the certificate, carefully follow all the instructions and in particular choose to store the private key in a "Secure" manner, allocating a password.
  9. After the Digital Certificate is received, check that the name and e-mail address are correctly recorded in the certificate. If not, ask for correction immediately. Using a digital certificate with false particulars is an offence.
  10. If using a hardware token, store it in a safe place under your own custody. Never deposit it with anybody else, including your Chartered Accountant, Company Secretary or a colleague.

How Does a Digital Signature Look like? 

A digital signature does not look like a normal written signature. Since it is an encrypted binary value, usually encoded as text (base64) for transport, opening it in a text editor shows something like the following:

 IQB1AwUBMVSiA5QYCuMfgNYjAQFAKgL/ZkBfbeNEsbthba4BlrcnjaqbcKgNv+a5kr4537y8RCd+RHm75yYh5xxA1ojELw
 Nhhb7cltrp2V7LlOnAelws4S87UX80cLBtBcN6AACf11qymC2h+Rb2j5SU+rmXWru+=QFMx

Users never read the signature itself; applications verify it and indicate whether the digital signature is valid or not.


What is an Electronic Signature?

Electronic Signature is a system introduced by ITA 2008 to supplement the PKI based digital signature system presently in vogue. As of now no such system has been identified and licensed.


Use of Digital Signatures in Companies and Banks

Companies and Banks need to use digital signatures for authenticating any electronic document if they are to be compliant with ITA 2008. For this purpose all Companies and Banks need to put in place a compliance programme which includes the following.

  1. Obtain digital certificates from a licensed CA for all senior employees who need to authenticate documents, particularly those sent to outside recipients.
  2. Make suitable modifications to the document flow systems so that wherever authentication is required the system asks for a digital signature, and so that the signature can be verified at any later point in time.
  3. Introduce suitable changes to the document flow software to incorporate sequential signing by multiple persons at different points in the life cycle of a document.
  4. Encrypt electronic documents with the public key of the recipient whenever they are transmitted, in particular where a soft-token based digital signature system is in use.
  5. To enhance the evidentiary value of soft-token based digital signatures, use "Certified Digital Signature Systems".
  6. Establish a suitable system of custody for the private keys of executives that preserves the "non-repudiable" nature of digital signatures: a key that anyone else can use no longer proves who signed.
  7. In Internet Banking, upgrade the access systems to accept digitally signed access requests instead of password-based messages.

Is Banking without Digital Signature Safe?

Banking with password-based authentication systems instead of digital signature systems is not compliant with ITA 2000/2008 or the Internet Banking Guidelines of RBI. The legal risk arising out of non-usage of digital signatures lies with the Bank.


For a Free Trial Version of Digital Certificate

 Contact: naavi@vsnl.com

 For Consultancy regarding the use of Digital Signature in your business or for development of customized applications using Digital Signatures

 Contact: Ujvala Consultants Pvt Ltd: ujvala@md2.vsnl.net.in


A PDF Copy of the News Letter would be sent by e-mail to all persons who subscribe. Subscription is free.
