Under the provisions of IT Act 2000, digital signature may be used by any subscriber for the purpose of authentication of an electronic record. The electronic record is authenticated with the help of โasymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record. (Section 2(1)(p) of the Information Technology Act, 2000).โ
The signature by an individual on any document helps in authentication of the document and provides an assurance to the receiver regarding its trustworthiness. This is possible in case of a paper-based document, but in case of electronic document, just mentioning the name at the end of document or email provides almost no reassurance regarding its authenticity. The IT Act, 2000 recognizes public key cryptography for the safeguarding of electronic documents. The Information Technology Act, 2000 (IT Act, 2000) distinguishes between digital signatures and electronic signatures, providing a legal framework for their use and recognition in electronic transactions.
Basic Functions of Signatures:
- Identify a person
- Associate that person with the content of a document
- Attest to signatoryโs intent to o to be bound by the content of a signed contract o to endorse authorship of a text
- Prove the signatoryโs presence at a given place and time
Need of Digital and Electronic Signature:
The need for digital and electronic signatures arises from the growing reliance on electronic communications and transactions in various sectors. They offer numerous benefits, including security, efficiency, and legal validity, which are essential in today’s digital world. Here are key reasons for the need for digital and electronic signatures:
- Security and Integrity: Digital signatures authenticate the identity of the signer, ensuring that the person signing the document is who they claim to be. While, electronic signatures provide a means to verify the signerโs identity and the documentโs authenticity, although the security level can vary depending on the method used. They ensure that the document has not been altered after it was signed. Any changes to the document after signing are detectable. Digital signatures provide proof of the origin and integrity of the document, preventing the signer from denying their signature.
- Legal Validity and Compliance: Digital signatures are legally recognized under laws like the Information Technology Act, 2000, ensuring that electronically signed documents are enforceable in a court of law. They comply with regulatory requirements for certain types of transactions, such as financial agreements, government forms, and legal contracts. Electronic signatures are accepted in many legal systems, provided they meet specific criteria, ensuring their use in a wide range of legal and business contexts.
- Efficiency and Convenience: Digital signatures enable faster document signing and processing, reducing the time required for transactions. They facilitate automated workflows in document management systems, enhancing operational efficiency. They eliminate the need for printing, mailing, and storing paper documents, resulting in significant cost savings.
- Environmental Benefits: By enabling digital transactions, they significantly reduce the need for paper, contributing to environmental conservation and sustainable practices.
- Business and Economic Growth: High-security digital signatures build trust and confidence in electronic transactions, promoting e-commerce and online services. They facilitate secure international transactions, supporting global business operations and trade. Their versatility and ease of use encourage the adoption of digital processes in various industries, fostering innovation and growth.
- Enhanced Customer Experience: They provide a seamless and user-friendly experience for customers, improving satisfaction and engagement. Customers can complete transactions remotely, enhancing convenience and accessibility.
Digital and electronic signatures are essential tools in the modern digital economy, providing security, legal validity, efficiency, and environmental benefits. They support the growing need for secure electronic transactions and communications, facilitating business operations, regulatory compliance, and customer interactions. As technology continues to evolve, the importance of digital and electronic signatures will only increase, driving further innovation and adoption in various sectors.
Digital Signature
A digital signature is a type of electronic signature that uses cryptographic methods to authenticate the identity of the signer and ensure the integrity of the signed document. The Information Technology Act 2000 includes provisions that legally introduce the use of digital signatures for submitting crucial documents online, ensuring their security and authenticity. The Act further mandates all companies/LLPs under the MCA21 e-Governance programme to utilise digital signatures for document filing.
According to Section 2(1) (p), digital signature means โauthentication of any electronic record using an electronic method or procedure in accordance with the provisions of Section 3โ.
A digital signature differs from a handwritten/physical signature. It is unique and different every time it is created, and is related to the electronic document it is signing. It is created by using a mathematical process on the electronic document that is being signed that produces a unique numerical value. Numeric value generated by way of mathematical process is encrypted using a private key of the sender (Originator) and the result linked to the electronic documents that were signed. So to create a digital signature, signer is required to generate or buy a key pair. The intention was to use a trustworthy technology that makes digital transactions legally binding.
For digital signature a person has to obtain the digital signature certificate from the certifying authorities. The person in whose name digital signature certificate is issued is known as subscriber. The main uses of affixing of โDigital Signatureโ are:
- Authentication: Digital signatures verify the identity of the signer using a pair of cryptographic keys (public key and private key).
- Integrity: They ensure that the content of the document has not been altered after it was signed.
- Non-repudiation: Digital signatures provide proof of the origin and integrity of the signed document, making it difficult for the signer to deny having signed the document.
Authentication of Legal Document:
The IT Act has provided the legal recognition to digital signature based on asymmetric crypto system. This system consists of key pair: a Private Key and a Public Key. Private key and public key are integral parts of asymmetric encryption, also known as public-key cryptography. This method uses a pair of keys โ a public key and a private key โ to encrypt and decrypt data.
Difference between Public Key and Private Key:
Public Key | Private Key |
A public key is a cryptographic key that can be shared openly without compromising security. | A private key is a cryptographic key that must be kept secret and secure. |
It can be distributed freely and widely to anyone who needs to encrypt data or verify a digital signature. | It must be kept confidential by its owner to maintain security. |
It is used to encrypt data that can only be decrypted by the corresponding private key. | It is used to decrypt data that was encrypted with the corresponding public key. |
It is used to verify a digital signature created with the corresponding private key. | It is used to create digital signatures that can be verified by the corresponding public key. |
When someone wants to send a secure message, they use the recipient’s public key to encrypt the data. Only the recipientโs private key can decrypt it. | When data encrypted with a public key is received, the private key is used to decrypt it and access the original information. |
It verifies the authenticity of a digital signature. If the signature can be verified using the public key, it confirms that it was created by the corresponding private key holder. | It creates a digital signature for a document. This signature can be verified by others using the public key, proving the documentโs origin and integrity. |
Thus, the public key and private key pair in asymmetric cryptography provide a robust method for securing communications and verifying identities in digital environments. The public key can be freely distributed and used for encryption and signature verification, while the private key must be kept secure and is used for decryption and creating digital signatures. This separation of roles enhances security and trust in electronic transactions and communications.
Usage of Digital Signature:
Digital signatures have diverse applications across various domains, including personal use, business use, and legal filings such as ROC e-filing, income tax returns, and GST filings. Here’s an overview of how they can be utilized in these contexts:
Personal Use
- Email Security: Individuals can use digital signatures to sign emails, ensuring that recipients can verify the sender’s identity and that the content has not been altered.
- Document Signing: For signing personal agreements or contracts electronically, digital signatures provide a secure and legally recognized method.
- Authenticating Online Transactions: Digital signatures can be used to authenticate online transactions, providing an additional layer of security for online banking or shopping.
Business Use
- Contract Signing: Businesses use digital signatures to sign contracts with partners, clients, or employees, streamlining processes and reducing the need for physical paperwork.
- Invoicing and Payments: Digital signatures can be applied to invoices, ensuring their authenticity and facilitating secure electronic payments.
- Confidential Communication: For confidential business communications, digital signatures provide a way to ensure that messages and documents are not tampered with.
- Software Integrity: Companies that distribute software often sign their applications to assure users that the software is genuine and has not been altered.
ROC E-filing (Registrar of Companies)
- Company Filings: Digital signatures are used for submitting various forms and documents to the ROC, such as incorporation forms, annual returns, and other statutory filings.
- Director Signatures: Directors of companies use digital signatures to sign resolutions, annual reports, and other corporate documents that need to be filed with the ROC.
Filing Income Tax
- Individual Tax Returns: Taxpayers can use digital signatures to sign their income tax returns electronically, providing a secure and efficient way to file.
- Corporate Tax Filings: Companies and firms use digital signatures for e-filing corporate tax returns and other tax-related documents, ensuring compliance with regulatory requirements.
- Authentication: Digital signatures help authenticate the identity of the filer, making the process more secure and reducing the risk of fraud.
GST Filing (Goods and Services Tax)
- GST Registration: Businesses can use digital signatures during the GST registration process to verify their identity and the authenticity of their documents.
- Filing Returns: Digital signatures are required for filing GST returns, including monthly, quarterly, and annual returns. This ensures that the filings are authentic and compliant with regulations.
- Invoice Signing: Businesses may use digital signatures on GST invoices to ensure their authenticity and to streamline record-keeping and auditing processes.
Classes of Digital Signatures:
Digital signatures can be categorized into different classes based on the level of security and the type of usage they are intended for. The classification may vary depending on the regulatory framework of a particular country or region. In many places, digital signatures are divided into three main classes: Class 1, Class 2, and Class 3. Hereโs a breakdown of these classes:
Class 1 Digital Signatures
- Purpose: Primarily used for securing email communication and low-risk online transactions where there is no need for high-level identification assurance.
- Verification Level: The verification of the user’s identity is minimal. The certificate is typically issued based on basic information, such as an email address.
- Use Cases:
- Email encryption and signing
- User authentication for accessing certain online services
Class 2 Digital Signatures
- Purpose: Suitable for more secure transactions and document signing where the user’s identity is verified against a pre-verified database.
- Verification Level: Involves a more thorough verification process, often including verification of identity documents and cross-referencing with databases.
- Use Cases:
- Filing income tax returns (ITR)
- Registering businesses and filing returns with the Registrar of Companies (ROC)
- Signing documents and agreements in medium-security environments
Class 3 Digital Signatures
- Purpose: Provides the highest level of security and is used in situations where a high level of identity assurance is required.
- Verification Level: Requires in-person verification of the user’s identity, typically including a face-to-face verification process. This class provides the strongest assurance of the signer’s identity.
- Use Cases:
- E-procurement and e-tendering
- Filing in government portals, such as for goods and services tax (GST) and customs
- High-value transactions and legal documents where the risk of fraud is significant
Extended Validity and Special Use Cases
Some digital signature certificates may have extended validity periods or be designed for specialized use cases, such as organizational certificates for companies, where multiple employees can use a single certificate under certain conditions.
Additional Considerations
- Encryption and Signature: Some certificates may be used not only for signing documents but also for encrypting them. This can be important for sensitive data transmission.
- Regulatory Compliance: The use of different classes of digital signatures may be governed by national or regional laws, which specify the appropriate class for various types of transactions.
The choice of digital signature class depends on the specific needs and the level of security required for the transaction or communication.
Authentication Using Digital Signature:
Authentication using a digital signature involves verifying the identity of the sender of a digital message or the signer of a document. This process ensures that the information comes from a verified source and has not been tampered with. Chapter II of the Information Technology Act, 2000 lays down that any subscriber may authenticate an electronic record by affixing their digital signature to the record. As per the provisions a person can verify electronic record by the use of public key of the subscriber.
Important Definitions Related to Process:
- Subscriber: According to Section 2(zg) โsubscriberโ means a person in whose name the electronic signature Certificate is issued.
- Asymmetric Crypto System: According to Section 2(1)(f) โasymmetric crypto systemโ means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature.
- Key Pair: According to Section 2(1)(x) โkey pairโ, in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key.
- Private Key: According to Section 2(1)(zc) โprivate keyโ means the key of a key pair used to create a digital signature;
- Public Key: According to Section 2(1)(zd) โpublic keyโ means the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate;
Principle of Irreversibility:
The message is encrypted by the private key of the sender and is decrypted by the receiver having the public key which depicts the authenticity of the sender, this process is called the principle of irreversibility.
Creating a Digital Signature (Encryption):
It is the process in which plain message is transformed into cipher text.
Step 1: Generating a Hash
When a user wants to sign a document or message, they first generate a hash value (also known as a digest) from the content using a cryptographic hash function. This hash function produces a unique, fixed-size string of characters that corresponds to the content of the message or document.
Step 2: Encrypting the Hash
The user then encrypts this hash value using their private key, which is part of a pair of cryptographic keys (the other being the public key). The encrypted hash, along with the sender’s public key and information about the hashing algorithm used, constitutes the digital signature.
Verifying a Digital Signature (Decryption):
In this process the cipher text received in encryption stage in cipher text is transformed into original message.
Step 1: Receiving the Signed Document
When the recipient receives the signed document or message, it comes with the digital signature attached.
Step 2: Decrypting the Hash
The recipient uses the sender’s public key to decrypt the hash value from the digital signature. Because the public key is paired with the sender’s private key, only the sender’s public key can decrypt the hash correctly.
Step 3: Generating a New Hash
The recipient independently generates a new hash from the received document or message using the same hash function as the sender.
Step 4: Comparing Hashes
The recipient compares the decrypted hash (from the signature) with the newly generated hash. If they match, it indicates that the document or message has not been altered since it was signed and that the signature is authentic.
Electronic Signature:
Under the Information Technology Act, 2000 (IT Act, 2000), the concept of electronic signatures is addressed alongside digital signatures, although the two terms are sometimes used interchangeably. The IT Act provides a framework for the legal recognition and use of electronic signatures in India.
Electronic signatures can include a range of methods, such as typed names, scanned handwritten signatures, and click-to-sign buttons. They do not necessarily use cryptographic techniques. Electronic signatures are more versatile and can be used in various types of electronic transactions, but their security level can vary depending on the method used.
The IT Act provides general guidelines for electronic signatures but does not specifically regulate them in the same detail as digital signatures. The focus is on ensuring that they meet the required conditions for validity.
Kinds of Electronic Signature:
Electronic signatures (e-signatures) can be categorized into various types based on their level of security, complexity, and use cases. Choosing the appropriate type of electronic signature depends on the specific requirements of the transaction or document, including the level of security needed, the legal context, and the regulatory environment. Hereโs an overview of the different types of electronic signatures:
Simple Electronic Signature (SES)
It is the most basic form of e-signature, often used for less sensitive transactions or documents. It typically involves typing a name, clicking an “I agree” button, or using a scanned image of a handwritten signature. It is used in online agreements or consents, non-disclosure agreements (NDAs), routine business documents etc.
Advanced Electronic Signature (AES)
It provides a higher level of security and authenticity. An AES is linked to the signatory in a way that ensures that only they could have created it, and it is capable of identifying the signatory and detecting any changes to the signed data. It is created using a secure, unique process that involves authentication, such as a password or OTP (One-Time Password). It often involves the use of digital certificates or a secure signature creation device (like a hardware token or smart card).
It is used in legal agreements and contracts, financial transactions, regulatory compliance documents, etc.
Qualified Electronic Signature (QES)
The highest level of e-signature, offering the strongest legal standing. A QES is created using a qualified electronic signature creation device and is based on a qualified digital certificate issued by a trusted certificate authority. It meets stringent regulatory requirements and standards. It provides the highest level of assurance about the signer’s identity. It typically involves in-person verification of the signer’s identity before issuing the certificate.
It is used in high-value contracts, official government documents, cross-border transactions requiring high levels of security, etc.
Difference between Electronic Signature and Digital Signature:
Under the Information Technology Act, 2000 (IT Act, 2000), both digital signatures and electronic signatures are recognized, but they serve different purposes and have distinct characteristics.
Electronic Signature | Digital Signature |
An electronic signature is a broader term that encompasses any electronic method used to sign an electronic document. It includes digital signatures but also covers other forms of electronic authentication. | A digital signature is a specific type of electronic signature that uses asymmetric cryptography to ensure the authenticity, integrity, and non-repudiation of an electronic document. |
Section 5: The IT Act, 2000 grants legal recognition to electronic signatures and states that electronic signatures that meet certain criteria are legally valid. | Section 3 and 4: The IT Act, 2000 specifically addresses digital signatures. It defines digital signatures as those created using an asymmetric cryptosystem and a hash function, and it requires digital signatures to comply with the standards set by the Act. |
To be legally valid, electronic signatures must be unique to the signatory, created using a means under the signatory’s control, and linked to the electronic record in a way that any changes are detectable. | Digital signatures are issued by licensed certifying authorities under the IT Act. These authorities are responsible for verifying the identity of the certificate holders and managing digital certificates. |
In electronic signature, security varies based on the method used | In digital signature there is high level of security using cryptographic keys |
Electronic signature may not provide the same level of non-repudiation as the digital signature | Digital signature provides non-repudiation |
Examples: Typed names, scanned signatures, click-to-sign | Examples: Cryptographic digital signatures |
While both digital and electronic signatures are recognized under the IT Act, 2000, digital signatures offer a higher level of security through cryptographic methods and are subject to specific regulations. Electronic signatures, on the other hand, encompass a broader range of signing methods and are governed by general criteria for validity. Understanding the differences helps in selecting the appropriate method for securing electronic transactions and ensuring legal compliance.
Conclusion:
Digital and electronic signatures are crucial tools in modern transactions, ensuring authenticity and security in digital communications and documents. Digital signatures use cryptographic techniques to verify the integrity and origin of a document. They provide a high level of security through encryption, making it difficult to alter the document without detection. They require a public key infrastructure (PKI) to validate the signature and the identity of the signer. Electronic Signatures encompass a broader range of signing methods, including typed names, scanned images of signatures, or biometric methods. They are more flexible and can be applied in various contexts where a physical signature might be impractical.
Digital signatures offer a higher level of security and are often used in high-stakes or legally sensitive documents. Electronic signatures provide convenience and flexibility, making them suitable for everyday transactions. Both have their place in the digital world, with the choice often depending on the specific needs for security, legal compliance, and user convenience.