Information Technology Act 2000

The Information Technology Act, 2000 is India's mother legislation regulating the use of computers, computer systems and computer networks, as well as data and information in electronic format. The legislation provides for the legality of the electronic format and of electronic contracts. It touches varied aspects pertaining to electronic authentication, digital signatures, cybercrimes and the liability of network service providers.

The Information Technology Act 2000 deals with various computer-based activities, such as:
Electronic forms (online money transfer, online income tax payment, online applications)
Online transfer of data
Online banking
Storage of data
Computer viruses
Hacking
E-mailing
Unauthorized access to computer systems

The Act provides for:
Legal recognition of electronic documents
Legal recognition of electronic commerce transactions
Admissibility of electronic data/evidence in a court of law
Legal acceptance of digital signatures
Punishment for cyber obscenity and crimes
Establishment of the Cyber Regulations Advisory Committee and the Cyber Regulations Appellate Tribunal
Facilitation of electronic filing and maintenance of electronic records

Before studying the Information Technology Act 2000, one needs to know some technical terminology related to computer systems.

A person's signature on a document is necessary to prove that the document belongs to him. The signature is the evidence that the document belongs to that particular person.

DIGITAL SIGNATURE

Definition 1
A digital signature (not to be confused with a digital certificate) is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document.

Definition 2
A digital signature is basically a way to ensure that an electronic document (e-mail, spreadsheet, text file, etc.) is authentic. Authentic means that you know who created the document and you know that it has not been altered in any way since that person created it.

Uses of digital signatures
1. Issuing forms and licences
2. Filing tax returns online
3. Online Government orders/treasury orders
4. Registration
5. Online file movement systems
6. Public information records
7. E-voting
8. Railway reservations and ticketing
9. E-education
10. Online money orders
11. Secured e-mailing

How do you get a Digital Signature Certificate
The Office of the Controller of Certifying Authorities (CCA) issues certificates only to Certifying Authorities. A CA issues Digital Signature Certificates to end users. You can approach any one of the eight CAs to get a Digital Signature Certificate. The website addresses are given below.

Different classes of Digital Signature Certificates
Class 0 Certificate: This certificate shall be issued only for demonstration/test purposes.
Class 1 Certificate: Class 1 certificates shall be issued to individuals/private subscribers. These certificates confirm that the user's name (or alias) and e-mail address form an unambiguous subject within the Certifying Authority's database.
Class 2 Certificate: These certificates are issued for the use of both business personnel and private individuals. They confirm that the information in the application provided by the subscriber does not conflict with the information in well-recognized consumer databases.
Class 3 Certificate: This certificate is issued to individuals as well as organizations. As these are high-assurance certificates, primarily intended for e-commerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authority.

[Sec 5] Legal recognition of the digital signature
According to this section, the signature of a person need not be in writing; it can be in any of the following forms:
With a rubber stamp
With a pen
With a pencil
With a thumb impression
With a digital signature, which is issued by the certifying authority (a government body) and stored on the computer in a file format

A digital signature is not like a handwritten signature: it is not normally readable. Digital signatures have equal legal recognition compared with non-digital signatures. A digital signature is different for each electronic document. The digital signature is issued by the certifying authority.

Sec 15
According to this section:
A digital signature is secure.
A digital signature is used as identification of the subscriber.

Licence procedure of the Digital Signature Certificate
Section 2(q): "Digital Signature Certificate" means a Digital Signature Certificate issued under sub-section (4) of section 35.

Sec 21
Any person can apply for the digital signature certification if they have the qualifications prescribed by the government under the Act.

Sec 22 Application
Any person can apply for a digital signature by filling in an application.
Any other documents attached, if needed, should be genuine.
Fee of rupees 2500/-

[Sec 23]
The licence can be renewed up to 45 days before the expiry of its 5-year term. The renewal fee is 5000/-. After the expiry date, a late fee is collected in addition to the renewal fee.

[Sec 25]
According to this section, the licence will be cancelled if the applicant provides any false information.

DIGITAL SIGNATURE
Section 2(p): "digital signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3.

Authentication of electronic records [Sec 3]
According to this section, any person can affix his digital signature to an electronic record (a message or data on a computer) to prove/confirm (authenticate) that the electronic record was created by him only and belongs to him only. Affixing a digital signature to an electronic record is proof that it belongs to a specific person.

"Electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche. [Sec 2(t)]

[Sec 3(2)]
This section deals with the computer-based online process of sending data or messages securely and safely from the sender to the receiver. It also deals with assuring the message or data to both receiver and sender.

Section 2(f): "asymmetric crypto system" means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature.

Cryptographic system
The cryptographic mechanism is a process performed by the computer system.
The message or data sent out is encrypted by a cryptographic mechanism (the procedures and methods of making and using secret languages, such as codes).
The cryptographic mechanism includes the private key and the public key, which are cryptographic methods provided by certifying authorities. (Private-key encryption is essentially the same as a secret code that the two computers must each know in order to decode the information. The code provides the key to decoding the message.)
(To decode an encrypted message, a computer must use the public key provided by the originating computer and its own private key.)
The public key and the private key are mathematically related to each other.
Therefore the private key is used to encode the data/message and the public key is used to decode the data/message.
The private key is held by the sender only.
The sender holds both the private key and the public key.
The public key is given to the receiver of the data or message.

Hash function = checksum/message digest
The hash function is computed by the computer system.
A hash function (hashing algorithm) is a mathematical function/formula that converts a large, possibly variable-sized amount of data into a small datum. This is called the hash result or message digest.
To sign a document, the sender's software crunches the data or message down into just a few lines by a process called a "hashing algorithm/hash function". These few lines are called the message digest/hash result.
Any modification in the message or data changes the hash result.
From the hash result we cannot reconstruct the original message or data.

Digital signature verification
The sender's software then encrypts the message digest with his private key. The result is the digital signature.
Finally, the sender's software attaches/affixes the digital signature to the data or message. All of the data that was hashed has been signed.
The receiver's software decrypts the signature (using the sender's public key), changing it back into a message digest.
If this works, it proves that only the sender could have signed the document, because only the sender has the corresponding private key.
The receiver's software then hashes the data or message into a message digest/hash result. If this message digest/hash result is the same as the message digest recovered when the signature was decrypted, then the receiver knows that the signed data has not been changed.
[A digital signature is another means to ensure integrity, authenticity and non-repudiation. A digital signature is derived by applying a mathematical function to compute the message digest of an electronic message or document, and then encrypting the result of the computation with the signer's private key. Recipients can verify the digital signature with the use of the sender's public key.]

How It Works
Assume you are going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it is unchanged from what you sent and that it is really from you.
1. You copy-and-paste the contract (it's a short one!) into an e-mail note.
2. Using special software, you obtain a message hash (mathematical summary) of the contract.
3. You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.
4. The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.)
At the other end, your lawyer receives the message.
1. To make sure it is intact and from you, your lawyer makes a hash of the received message.
2. Your lawyer then uses your public key to decrypt the message hash or summary.
3. If the hashes match, the received message is valid.

ATM CARDS
The private key is generated in the crypto module residing in the smart card.
The key is kept in the memory of the smart card.
The key is highly secure because it does not leave the card: the message digest is sent into the card for signing, and only the signature leaves the card.
The card gives mobility to the key, and signing can be done on any system that has a smart card reader.

[Sec 40]
The subscriber generates the key pair (public key and private key) by a certain security process through the Controller of Certifying Authorities. The public key, with the hash algorithm, is listed in the Digital Signature Certificate for the verification process. The private key is kept secret.

[Sec 35]
Certifying Authority to issue Digital Signature Certificate.
(1) Any person may make an application to the Certifying Authority for the issue of a Digital Signature Certificate in such form as may be prescribed by the Central Government.
(2) Every such application shall be accompanied by such fee not exceeding twenty-five thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying Authority:
Provided that while prescribing fees under sub-section (2) different fees may be prescribed for different classes of applicants.
(3) Every such application shall be accompanied by a certification practice statement or, where there is no such statement, a statement containing such particulars as may be specified by regulations.
(4) On receipt of an application under sub-section (1), the Certifying Authority may, after consideration of the certification practice statement or the other statement under sub-section (3) and after making such enquiries as it may deem fit, grant the Digital Signature Certificate or, for reasons to be recorded in writing, reject the application: Provided that no Digital Signature Certificate shall be granted unless the Certifying Authority is satisfied that—
(b) the applicant holds the private key corresponding to the public key to be listed in the Digital Signature Certificate;
(c) the applicant holds a private key which is capable of creating a digital signature;
(d) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the applicant: Provided further that no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection.

ELECTRONIC GOVERNANCE
(E-Governance or e-gov is broadly defined as an "application of Information technology to the functioning of the Government". E-gov relies heavily on the effective use of the Internet and other emerging technologies to receive and deliver information and services easily, quickly, efficiently and inexpensively.)

Sec 6
The Government can file, create and use electronic records in a certain format for issuing licences, permits and any approval, and for the receipt and payment of money.

Sec 7
Electronic records should be stored in the format in which they were created, and the information in electronic records should not be altered. They should be stored for the specified period for future reference whenever needed.

Sec 10
According to this section the Central Government has the power to make rules in respect of digital signatures:
The type of digital signature
The format of the digital signature
The procedure that facilitates identification of the person affixing the digital signature
Control over the security and confidentiality of the electronic records

Acknowledgement of receipt
Sec 12
The addressee should acknowledge to the sender the receipt of the electronic record. If the acknowledgement is not received by the sender, it is deemed that the electronic record was not sent. E.g.: e-mail.

Sec 13
If the addressee has designated a specific computer resource for the receipt of the electronic record (e.g. an e-mail address), the electronic record is deemed to be received by the addressee when it arrives there. If the addressee has not designated any specific computer resource to the sender (e.g. for e-mail), receipt is deemed to occur when the addressee retrieves the information. Retrieval of the information can be done from home or at the place of business.

Sec 17
The Central Government appoints the Controller of Certifying Authorities for the purpose of this Act; they discharge their functions according to this Act.

Functions of the Controller
Sec 18
(a) exercising supervision over the activities of the Certifying Authorities;
(b) certifying public keys of the Certifying Authorities;
(c) laying down the standards to be maintained by the Certifying Authorities;
(d) specifying the qualifications and experience which employees of the Certifying Authorities should possess;
(e) specifying the conditions subject to which the Certifying Authorities shall conduct their business;
(f) specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the public key;
(g) specifying the form and content of a Digital Signature Certificate and the key;
(h) specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;
(i) specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them;
(j) facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems;
(k) specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers;
(l) resolving any conflict of interests between the Certifying Authorities and the subscribers;
(m) laying down the duties of the Certifying Authorities;
(n) maintaining a database containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to the public.

Sec 19
According to this section, digital signatures of foreign certifying authorities are not valid in our country.

Sec 20
The Controller is the custodian of all the Digital Signature Certificates issued under this Act. He has to store and retrieve certificates and other information when needed.

Sec 28
The Controller has the power to investigate any person and any matter that goes against the Act. He can inspect the records of a company and seize them.

Sec 28
If the Controller has doubts or a suspicion, he can check the computer system, computer networks, data, apparatus and other material connected to the computer system.

Duties of the subscriber
[Sec 40]
The subscriber should generate the key pair, private key and public key.
The subscriber should hold the private key.
The subscriber should take care of the private key which he holds.
The private key held by him should correspond to the public key listed in the Digital Signature Certificate.
Only the subscriber should affix the digital signature.

[Sec 43]
Without the permission of the owner, no person should do any of the following:
(a) access the computer system or computer network;
(b) download the data or make copies of it;
(c) introduce a virus into the computer system;
(d) damage the computer system or network or any computer program;
(e) cause disruption to the computer system or its network;
(f) hacking;
(g) help/assist any person to affect the computer system or computer networks;
(h) manipulate the computer system or computer network.

Penalties
Sec 44 Penalties
Any person who fails to provide the documents required by the certifying authorities is liable for a penalty of up to 150000/-.
Any person who fails to provide the information required by the certifying authorities is liable for a penalty of up to 5000/-.
Any person who fails to maintain records and account books is liable for a penalty of up to 10000/-.
[Sec 45] Any person who disobeys or contravenes this law or Act shall be liable for a penalty of 25000/-.

Adjudicating officer
[Sec 46]
Deals with the appointment by the Central Government of an adjudicating officer, who has experience in the field of information technology, for the purpose of holding enquiries on matters like violation of the rules of the Act, etc. He can impose a penalty or award compensation.

Cyber Regulations Appellate Tribunal
[Sec 48]
Deals with the establishment of the Cyber Regulations Appellate Tribunal for the purpose of supervising the adjudicating officer.

[Sec 49]
The Appellate Tribunal consists of one presiding officer who has technical knowledge and a legal background.

[Sec 50]
The presiding officer should have certain qualifications, such as:
Qualified to be a High Court judge
Or has been a member of the Indian Legal Service and has held a post in Grade 1 for at least 3 years

[Sec 51]
The presiding officer's term of office is 5 years or until he attains the age of 65 years, whichever is earlier.

Sec 56
There shall be the necessary employees in the Cyber Appellate Tribunal, appointed by the Central Government.

[Sec 57]
Any person aggrieved by the Controller or an adjudicating officer can appeal to the Cyber Regulations Appellate Tribunal within a reasonable time/period.

[Sec 58]
The Cyber Appellate Tribunal shall have certain powers, such as:
Summoning persons
Examining witnesses
Receiving evidence
Examining documents and electronic records, etc.

[Sec 62] Appeal to the High Court
Any person aggrieved by the Cyber Appellate Tribunal can appeal to the High Court within sixty days or, in case of delay, by showing sufficient cause.

Offences like hacking and publishing pornographic or immoral websites
[Sec 65]
Any person who intentionally destroys or disturbs computer source code (a computer program), a computer system or a computer network, or carries out unethical hacking of a computer,
shall be punishable with imprisonment of up to 3 years,
or a fine of up to 2 lakhs,
or both.

[Sec 65]
Any person who publishes pornographic websites, in photo or text format, or immoral websites shall be liable for punishment of 5 years of imprisonment and a fine of 1 lakh rupees. If it is repeated a second time, the punishment is 10 years of imprisonment and a fine of 2 lakh rupees.

[Secs 73, 74, 75]
Any person who illegally creates, publishes or misuses a Digital Signature Certificate shall be punished with 2 years of imprisonment, or a fine of 1 lakh, or both.

Powers of police officers and other officers
[Sec 80]
A police officer above the rank of Deputy Superintendent of Police has the power to search suspicious places and can arrest suspected persons.