This article aims at first understanding the crucial elements of digital signature along with its importance in the world of e-commerce. Furthermore, the paper shall focus on the process of generating digital signatures, the algorithm and the public key infrastructure.
This article titled ‘Digital Signatures’ discusses e-authentication to verify electronic transactions using cryptographic techniques such as digital signatures so as to increase reliability, security and non-repudiation of the user’s data.
I. ELECTRONIC DATA INTERCHANGE AND E-COMMERCE
As business became more complex around the world, the competition to be successfully increased. With more brands emerging and the level of competition rising, there was a constant need for faster processing of business transactions. Additionally, there was a need for standardization in the information format among the traders in the market.
The solution to this problem in business was then to have a paperless approach to business transactions. Thus, the emergence of competitive business brought about our current process of business transactions using electronic data interchange (hereinafter referred to as ‘EDI’ for ease).
How Does EDI Work?
Prior to the EDI support system, a customer would create a purchase order if he has the intention of buying a particular good. The purchase order is then sent to the supplier through methods involving fax, post offices or telex. The supplier then receives the purchase order and he interprets the purchase order. On successful interpretation, the order is placed.
With the help of the EDI support system, a customer computer system creates and sends the electronic purchase order. The supplier’s computer system then receives the purchase order and places the order directly in the system. Thus, it completely eliminates the process of physically receiving, interpreting and placing the order that used to be carried out by the supplier prior to the EDI support system.
In 1968, the Transportation Data Coordinating Committee was adopted by a group of railroad companies to standardize EDI and this was later adopted by transportation and food industries. In the early 70s, ORDER NET was brought up to facilitate EDI and was sponsored by the pharmaceutical industry, however, it failed to function with other trade group EDI systems.
The American National Standard Institute in 1979, authorized a committee called the Accredited Standards Committee to develop a standard between trading partners based on the transportation data coordinating committee structure.
This was called the ANSI X-12 and it led to the development of sector-specific standards such as EDI in aerospace, chemicals, textile et cetera. In 1986, the UN Electronic Data Interchange for Administration, Commerce and Transport was internationally approved as the standard structure.
II. DIGITAL SIGNATURE
The emergence of electronic data interchange was nothing but the true and real beginning of e-commerce in the world. Thus, it can be said that e-commerce was fully in force by the 1990s. EDI was very expensive and thus, both small and medium-sized companies couldn’t afford the same.
However, the advent of the internet completely changed the scenario and provided an even playing field for all the companies involved. The EDI propriety system thus gave way to internet-based e-marketplaces.
As the e-market grew, it became increasingly clear that security issues were on the rise for consumers. Therefore, to secure e-commerce within the nation, the digital signature was adopted.
What is a Digital Signature?
The IT Act provides that any subscriber can authenticate an electronic record by affixing his digital signature. A digital signature requires the authenticity of a sender, the message’s integrity and non-repudiation. This led to the acceptance of cryptography or data encryption techniques by providing two different types;
- Symmetric or Private key cryptographic system
- Asymmetric or Public key cryptographic system
In a symmetric encryption system, the encryption and decryption of the message are done with the same. On the other hand, in an asymmetric system, the encryption is done with the public key while the decryption is achieved with a private key.
In India, the public key essentially can be used for public consumption, however, the private key is what remains confidential with the subscriber.
The owner of the key pair guards the private key as the sender’s authenticity and non-repudiation are based on the signers having sole access to the private key. Thus, digital signatures in India are based on the asymmetric or public key cryptographic system. The certifying authority as provided in the IT Act issues the digital signatures in accordance with the sections of the Act.
How is a Digital Signature Created?
The digital signature is not simply a digital image of a handwritten signature. Instead, it is essentially a block of data at the end of an electronic message which then attests to the authenticity of that particular message.
In India, the security to e-commerce is governed by a public key cryptography system. It requires a key pair and a hash function. A key pair involves a public key for encryption and a private key for decryption. The hash function essentially refers to an algorithm which facilitates the digital signature.
The process is two way since it involves a sender or creator of the digital signature and a recipient who acts as the verifier of the digital signature. The process of accepting the digital signature as verified authentication only takes place is the recipient can successfully verify the signature.
To create a digital signature, an email program or any other signing software creates a one-way hash of the electronic data to be signed. The private key is then used to encrypt the hash. The encrypted hash, along with the other information such as the hashing algorithm, is the digital signature.
The reason for encrypting the hash instead of the entire document is that a hash function can convert an arbitrary input into a fixed-length value, which is then much shorter than the entire message. This essentially saves time as hashing is much faster than signing.
The value of a hash is unique to the hashed data only. Any change in the data provided, even if a single character stands changed, it will result in a completely different value. This attribute enables others to validate the integrity of the data by using the signer’s public key to decrypt the hash.
The process of verifying the digital signature is incredibly important as the digital signature becomes valid authentication only after verification by the recipient.
The process includes:
Message -> Hash Function -> Message Digest
Digital Signature -> Signature Function -> Message Digest
wherein the signer’s public key is fed in for the signature function. If the message digests in both cases are identical, the signature stands verified.
However, if there is any difference in any possible way between the two registered message digests, the signature doesn’t get verified as valid. Thus, if the decrypted hash matches a second computed hash of the same data, it proves that the data hasn’t changed since it was signed.
III. PUBLIC KEY INFRASTRUCTURE
The biggest difficulty in the digital signature regime is proving the authenticity of the message. This is an issue that is constantly raised because it questions whether the message is actually sent by the sender or by some other person.
Thus, the process requires the participation of a trusted third party to certify for the subscribers’ or individuals’ identities and their relation to their public keys. This trusted third party is referred to as the Certifying Authority (hereinafter referred to as ‘CA’) and they borrow their powers and functions from the IT Act.
The Certifying Authority verifies and authenticates the identity of a subscriber or the person on whose name the digital signatures is issued. A digital signature certificate securely binds the identity of the subscriber because it contains personal information such as the name of the subscriber, their public key information, the name of the CA who issued it, the CA’s public key information and the validity period of the digital signature certificate.
These certificates are stored online and are publicly accessible through the repository maintained by the Controller of Certifying Authorities or a general repository maintained by the CA. Every CA has to maintain its operation as per its certificate practice statement. This statement specifies the practices that each CA employs in issuing a digital signature certificate.
The Entire Process
The following is an example of the entire functioning process of digital signature. The example has been provided to further understand how the concepts explained above, fall into place in a practical setting.
For the purpose of this example, consider the case of two users, Jolene and Tyler. Jolene wishes to send a secure message to Tyler.
First, Jolene must sign her message. She uses a hashing algorithm so as to create a fixed-size hash or a message direct of the message being sent. This process is a one-way process as the original message cannot be recreated from the hash. Once the hash is created, Jolene uses her private signing key to sign the message.
This creates a unique signature for the message being sent. This stage essentially ensures integrity. If the message is altered at any point, the hash will change and not validate the signature at its verification stage.
While in an asymmetric system, the encryption is done via a public key, we see other systems wherein the message may be encrypted with a onetime symmetric session key. A one-time symmetric session key is sometimes used to encrypt the message as a symmetric key encryption is a lot faster than asymmetric key encryption.
This stage ensures confidentiality as the message is now encrypted. The onetime symmetric session key is essentially encrypted with Tyler’s public key and thus, it ensures that Tyler is the only person who can decrypt and use the onetime key. This ensures access control and thus, the signature, encrypted message and the encrypted session key are sent to Tyler.
Tyler would first decrypt the onetime symmetrical session key by using his private decryption key to obtain the onetime key. He would then use this onetime session key to decrypt the message and performs a fresh hash on the message to obtain a message digest. This message digest will be used later on to check whether the message has been altered in time of transit.
The last step is the verification of Jolene’s signed document. The signature and Jolene’s public key are used to obtain the original hash. This hash is then compared to the fresh hash that was created by Tyler. If these two matches, the message is valid and has been sent by Jolene. This stage ensures authentication integrity and non-repudiation of the message.
The digital signature has thus, become a significant tool in international commerce. Additional businesses now use digital signatures in an increasing percentage of their commercial transactions.
The digital signature provides the legal elements of a traditional handwritten signature but has the features of upgraded security, uprightness and legitimacy and thus, provides for a secure and paperless electronic commerce platform to conduct business.
This signature is thus, an ideal tool for people who are heavily involved in running and managing a business. It helps everyone involved in either e-banking, e-tendering, e-procurement or e-approvals. It further helps in reducing costs, saving time and utilizes resources more efficiently. As it continues to develop in the nation, it will prove to be a milestone for people involved in the world of international business transactions.
- Nikhilesh Barik and Sunil Karforma, A Study on Efficient Digital Signature Scheme for E-Governance Security, Global Journal of Computer Science and Technology, 2012
- Vishal Pancholi and Bhadresh Patel, A Study on Importance of Digital Signature for E-Governance Schemes, International Journal for Innovative Research in Science and Technology, 2018
- Himanshi Chaudhary, Process, Application and Authenticity of Digital Signature, International Journal of Scientific Research Engineering and Technology, 2017
- Shaikh Imtiyaj, Ratan Kumar Agrawal and A.K. Hota, Digital Signature Certificate: A Great Scientific Knowledge for Nation Development, IOSR Journal of Computer Engineering, 2017
- Payel Saha, A Comprehensive Study on Digital Signature for Internet Security, ACCENTS Transactions on Information Security, 2016
- Jayakumar Thangavel, Digital Signature, Dept. of Information Systems at Uppsala University, 2017
- Hardik Gohel and Alpana Upadhyay, Study of Cyber Security with Advance Concept of Digital Signature, International Journal of Advanced Research in Computer Science, 2015
- Aishwarya Mali, Chinmay Mahalle, Mihir Kulkarni, Tejas Nangude and Geeta Navale, Digital Signature Authentication and Verification, International Research Journal of Engineering and Technology, 2017
- Mamoor Dewan, An Idiots Guide to Public Key Infrastructure, Global Information Assurance Certification Paper, 2002