Monday, 22 June 2020

Basic concept of Digital signature and Electronic signature

1) The concept of electronic signature was introduced into the Information Technology Act by the Amendment Act 2009.

Statement of Objects and Reasons of Amendment Act 10 of 2009.-
The United Nations Commission on International Trade Law (UNCITRAL) in the Year 2001 adopted the Model Law on Electronic Signatures. The General Assembly of the United Nations by its Resolution No. 56/80, dated 12th December, 2001, recommended that all States accord favourable consideration to the said Model Law on Electronic Signatures. Since the digital signatures are linked to a specific technology under the existing provisions of the Information Technology Act, it has become necessary to provide for alternate technology of electronic signatures for bringing harmonisation with the said Model Law.

2) Purpose of Model Law on Electronic Signatures 2001

The Model Law on Electronic Signatures (MLES) aims to enable and facilitate the use of electronic signatures by establishing criteria of technical reliability for the equivalence between electronic and hand-written signatures. Thus, the MLES may assist States in establishing a modern, harmonized and fair legislative framework to address effectively the legal treatment of electronic signatures and give certainty to their status.

Why is it relevant?

The increased use of electronic authentication techniques as substitutes for handwritten signatures and other traditional authentication procedures suggested the need for a specific legal framework to reduce uncertainty as to the legal effect that may result from the use of electronic means. In response to such needs, the MLES builds on the fundamental principle underlying article 7 of the UNCITRAL Model Law on Electronic Commerce with respect to the fulfilment of the signature function in an electronic environment by following a technology-neutral approach, which avoids favouring the use of any specific technology or process. This means in practice that legislation based on this Model Law may recognize both digital signatures based on cryptography (such as public key infrastructure - PKI) and electronic signatures using other technologies.

Key provisions

The MLES is based on the fundamental principles common to all UNCITRAL texts relating to electronic commerce, namely non-discrimination, technological neutrality and functional equivalence. The MLES establishes criteria of technical reliability for the equivalence between electronic and hand-written signatures as well as basic rules of conduct that may serve as guidelines for assessing duties and liabilities for the signatory, the relying party and trusted third parties intervening in the signature process. Finally, the MLES contains provisions favouring the recognition of foreign certificates and electronic signatures based on a principle of substantive equivalence that disregards the place of origin of the foreign signature.

3) Provisions of Information Technology Act relating to Electronic signature and digital signature

2. Definitions.—(1) In this Act, unless the context otherwise requires,—
(d) “affixing [electronic signature]” with its grammatical variations and cognate expressions means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of [electronic signature];
Subs. for “digital signature” by Act 10 of 2009, S. 2 (w.e.f. 27-10-2009).
(p) “digital signature” means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of Section 3;

[(ta) “electronic signature” means authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule and includes digital signature;

3. Authentication of electronic records.—(1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his digital signature.
(2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
Explanation.—For the purposes of this sub-section, “hash function” means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as “hash result” such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input making it computationally infeasible—
(a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
(b) that two electronic records can produce the same hash result using the algorithm.
(3) Any person by the use of a public key of the subscriber can verify the electronic record.
(4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.
Subs. for “DIGITAL SIGNATURE” by Act 10 of 2009, S. 5 (w.e.f. 27-10-2009).
[3-A. Electronic Signature.—(1) Notwithstanding anything contained in Section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which—
(b) may be specified in the Second Schedule.
(2) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if—
(a) the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and to no other person;
(b) the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person;
(c) any alteration to the electronic signature made after affixing such signature is detectable;
(d) any alteration to the information made after its authentication by electronic signature is detectable; and
(e) it fulfils such other conditions which may be prescribed.
(3) The Central Government may prescribe the procedure for the purpose of ascertaining whether electronic signature is that of the person by whom it is purported to have been affixed or authenticated.
(4) The Central Government may, by notification in the Official Gazette, add to or omit any electronic signature or electronic authentication technique and the procedure for affixing such signature from the Second Schedule:
Provided that no electronic signature or authentication technique shall be specified in the Second Schedule unless such signature or technique is reliable.
(5) Every notification issued under sub-section (4) shall be laid before each House of Parliament.]

Ins. by Act 10 of 2009, S. 6 (w.e.f. 27-10-2009).
5. Legal recognition of [electronic signatures].—Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document shall be signed or bear the signature of any person, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of [electronic signature] affixed in such manner as may be prescribed by the Central Government.
Explanation.—For the purposes of this section, “signed”, with its grammatical variations and cognate expressions, shall, with reference to a person, mean affixing of his handwritten signature or any mark on any document and the expression “signature” shall be construed accordingly.

Subs. for “digital signatures” and “digital signature” by Act 10 of 2009, S. 2 (w.e.f. 27-10-2009).
[15. Secure electronic signature.—An electronic signature shall be deemed to be a secure electronic signature if—
(i) the signature creation data, at the time of affixing signature, was under the exclusive control of signatory and no other person; and
(ii) the signature creation data was stored and affixed in such exclusive manner as may be prescribed.
Explanation.—In case of digital signature, the “signature creation data” means the private key of the subscriber.]
Subs. by Act 10 of 2009, S. 11 (w.e.f. 27-10-2009).

4) Amendment to second Schedule

The Ministry of Electronics and Information Technology issued a notification amending the Second Schedule to the Information Technology Act, 2000 on 5th March 2019. In a nutshell, Section 3A of the IT Act, 2000 specifies that a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which is considered reliable and may be specified in the Second Schedule. Prior to the amendment, the Second Schedule of the Information Technology Act mentioned the e-Authentication technique using Aadhaar e-KYC services as the only mode of e-Authentication. This, in turn, meant that an electronic signature had to be Aadhaar eKYC based to be valid.

The amendment to the Second Schedule dated 5th March 2019 has inserted the word “other” after Aadhaar in the Second Schedule. Post the amendment, the Second Schedule reads ‘e-Authentication technique using Aadhaar and other e-KYC services’. This indicates that an Electronic Signature can now be generated by the Certifying Authority using e-Authentication techniques which may or may not be Aadhaar based, as long as it is issued in accordance with the e-Authentication Guidelines issued by the Controller of Certifying Authority.

5) Difference between Digital signature and electronic signature

The key difference between a digital signature and an electronic signature is that the electronic signature is just a representation of a person's handwritten signature, voice print or symbol in electronic image form, while the digital signature is a secure electronic signature that uses a cryptographic technique. The digital signature cannot be tampered with, altered or copied, and guarantees non-repudiation and data integrity.

Electronic Signatures - An electronic signature is an electronic version of the physical, hand-written signature. Electronic signatures are used the same way you sign your documents by hand. Instead of using a pen to sign a document, you can sign documents with just a click, using the various software available in the market, or with your fingerprint.

Documents signed using electronic signatures are highly vulnerable to tampering and man-in-the-middle (MITM) attacks. This means that the document can be hijacked and tampered with while it is in transit. Such attacks can turn out to be deadly as far as the secrecy of an individual or organization is concerned.

Digital Signatures - A digital signature is another breed of electronic signature; the only difference is that it involves the use of a code or algorithm to sign and validate the authenticity of a document. Unlike electronic signatures, digital signatures come under specific standards and a stringent verification process. They not only sign the document using a code, they also encrypt data. Secure is a small word: encryption makes your documents invincible against cyber-attacks.
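The mechanism described in Section 3(2) (hash function plus asymmetric crypto system) and the detectability tests in Section 3-A(2)(c) and (d) can be seen in a short sketch. This is an added example, not part of the original post: the function names, the sample record and the demo key are assumptions, and it uses textbook RSA without padding on a deliberately weak constructed key. It covers only signing and verification and does not encrypt the record.

```python
import hashlib

# Constructed demo key: two Mersenne primes, trivially factorable. Illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                  # public key, usable by "any person" (S. 3(3))
D = pow(E, -1, (P - 1) * (Q - 1))    # private key: the "signature creation data" (S. 15)


def hash_result(record: bytes) -> int:
    """S. 3(2) hash function: the same record always yields the same hash result."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def affix_digital_signature(record: bytes) -> int:
    """Transform the hash result with the private key (textbook RSA, no padding)."""
    return pow(hash_result(record), D, N)


def verify_digital_signature(record: bytes, signature: int) -> bool:
    """Recover the signed hash with the public key and compare with a fresh hash."""
    return 0 <= signature < N and pow(signature, E, N) == hash_result(record)


def verify_image_signature(record: bytes, image: bytes) -> bool:
    """A pasted signature image is not bound to the content; only presence is checkable."""
    return len(image) > 0


def run_checks() -> dict:
    record = b"Pay Rs. 1,000 to A. Kumar"      # constructed sample record
    altered = b"Pay Rs. 9,000 to A. Kumar"     # same record, altered after signing
    sig = affix_digital_signature(record)
    image = b"<scanned-signature-image>"       # constructed placeholder bytes
    return {
        "original verifies": verify_digital_signature(record, sig),
        "altered record verifies": verify_digital_signature(altered, sig),
        "altered signature verifies": verify_digital_signature(record, sig ^ 1),
        "image on altered record accepted": verify_image_signature(altered, image),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

Real deployments use keys and padded signature schemes from a vetted cryptographic library, with the public key bound to the subscriber through a certificate issued by a Certifying Authority.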
