Electronic and Digital Signature


Law

Information and Communication Technology


Digital Signatures & Electronic Signatures

Role / Name / Affiliation
Principal Investigator: Prof. (Dr.) Ranbir Singh, Vice Chancellor, National Law University, Delhi
Co-Principal Investigator: Prof. (Dr.) G.S. Bajpai, Registrar, National Law University Delhi
Paper Coordinator: Dr. Aparajita Bhatt, Assistant Professor, National Law University Delhi
Content Writer/Author: Dr. Atul Kumar Pandey, Assistant Professor, National Law Institute University, Bhopal
Content Reviewer: Mr. Pavan Duggal, Advocate, Supreme Court of India

DESCRIPTION OF MODULE

Items / Description of Module
Subject Name: Law
Paper Name: Information and Communication Technology
Module Name/Title: Digital & Electronic Signatures
Module Id: V
Objectives: To learn about the following:
 - Techno-legal aspects of digital signature and electronic signature
 - Legal provisions related to digital signature and electronic signature under the Information Technology Act, 2000
 - Role of digital signature and electronic signature in digital transactions
Prerequisites: Knowledge of the I.T. Act, 2000
Key words: Digital Signature, Electronic Signature, Certifying Authority, Hash Value
Learning Outcome:

The reader shall be able to understand the concept and need for digital signature
and electronic signature in India in the context of authentication of digital
communications and transactions.

1. Introduction:
With the advancement of Information and Communication Technologies, and especially of the “Internet” as a premier marketplace and place of transaction, the security and privacy of billions of bytes of information is no small concern. A digital signature, as a security tool for such purposes, provides a level of assurance and trust to both the sender and the receiver.

The United Nations Commission on International Trade Law (UNCITRAL) came up with a Model Law on Electronic Commerce in 1996 and proposed that all countries amend their laws to facilitate electronic commerce, keeping in mind their domestic requirements. The Government of India, being a signatory to the UNCITRAL Model Law on Electronic Commerce of 1996, enacted the Information Technology Act, 2000 with the objective to “provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”, which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the government agencies”. [1] Through this approach, technologies like the digital signature and the electronic signature got legal recognition. Before going into the depth of this matter, it is pertinent to understand the meaning of “signature”. According to the Oxford Advanced Learner’s Dictionary, “signature” means your name as you usually write it, for example at the end of a letter. [2] If you have put your signature on a paper, it shows that you have full knowledge of the document and have agreed to it on your part.

[1] The Information Technology Act, 2000.
[2] Available at <http://www.oxfordlearnersdictionaries.com/definition/english/signature>, visited on 10/10/14.
2. From Handwritten/Physical Signature to Digital Signature:
A signature is used to pinpoint the signer; it is proof of his personal attention to the document he signed, and it is used to incur legal rights, duties and liabilities. In the past, when technology was not advanced, business transactions and contracts were carried out in the offline medium, but with the advancement of technology, contracts and business are now being conducted in the online medium as well. The problem was how to sign an electronic document or a digital transaction. Here the need was felt for a suitable technology that could work in the same fashion as a signature in the offline medium. The technology that evolved is termed the “Digital Signature”.

A digital signature differs from a handwritten/physical signature. It is unique and different every time it is created, and it is related to the electronic document it is signing. It is created by applying a mathematical process to the electronic document being signed, which produces a unique numerical value. The numeric value generated by this mathematical process is encrypted using the private key of the sender (originator), and the result is linked to the electronic document that was signed. So, to create a digital signature, the signer is required to generate or buy a key pair. [3] The intention was to use a trustworthy technology that makes digital transactions legally binding.

3. Legal Recognition of Digital and Electronic Signatures:

In India the Information Technology Act, 2000 (hereinafter referred to as the “Act”) has facilitated the development of the digital signature regime. A functional equivalent of the handwritten/physical signature was developed through the digital signature. In cyberspace the basic legal functions of a signature are performed by a method that identifies the sender (originator) of an electronic record [4] and confirms that the sender (originator) approved the content of that electronic record; any attempt to change the content of the record must be seen to be incompatible with the signature.

It is a technology-specific Act that accepts digital signatures [Section 2(1)(p)] [5] as an authentication standard. Section 3 [6] of the Act enumerates the whole process of digital signature creation and its verification. It is important that the following provisions of the Act be read and understood along with Rule 3 (the manner in which information is to be authenticated by means of digital signatures), Rule 4 (creation of digital signature), Rule 5 (verification of digital signature) and Rule 6 (standards) of the Information Technology (Certifying Authorities) Rules, 2000. Section 5 [7] of the Information Technology Act, 2000 provides legal recognition to the use of electronic signatures. [8]

[3] According to Section 2(1)(x) of the Information Technology Act, 2000, a "key pair", in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key.
[4] According to Section 2(1)(t) of the Information Technology Act, 2000, "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche.

[5] "digital signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3;
[6] Authentication of electronic records.
(1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his digital signature.
(2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
Explanation- For the purposes of this sub-section, "hash function" means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as "hash result" such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input making it computationally infeasible-
(a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
(b) that two electronic records can produce the same hash result using the algorithm.
(3) Any person by the use of a public key of the subscriber can verify the electronic record.
(4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.
[7] Section 5 of the Information Technology Act, 2000: Legal recognition of Electronic Signature: Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document should be signed or bear the signature of any person then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of digital signature affixed in such manner as may be prescribed by the Central Government.
Explanation- For the purposes of this section, "Signed", with its grammatical variations and cognate expressions, shall, with reference to a person, mean affixing of his hand written signature or any mark on any document and the expression "Signature" shall be construed accordingly.
[8] Electronic signature is a wider term which includes digital signature.

4. Technology behind Digital Signatures:

Public Key Infrastructure (PKI): The digital signature is based upon Public Key Infrastructure, which allows you to transfer your data or documents securely and secretly over an untrusted channel with the use of a public and private key pair obtained through an authority. PKI also performs the administrative work for digital signature certificates, which involves generating, issuing, maintaining and revoking public key certificates. PKI is a trust model that broadly covers two approaches: the Hierarchal Approach and the Mesh or Cross Certification Approach.
Hierarchal Approach: In this approach trust starts from the Root CA [9], i.e., the Controller of Certifying Authorities, and then flows down to the end entities, i.e., the users, through a chain of Certifying Authorities (CAs).

Figure 1: Hierarchal Approach (the CCA at the root, CA1 and CA2 beneath it, CA3 and CA4 beneath them, and the end entities at the bottom of the chain)

Cross Certification Approach: In this approach, trust flows between the Root CAs of different networks. Suppose we have two networks: Network ‘1’, which is that of India, and Network ‘2’, which is that of Japan. If the Root CA of Network ‘1’ wants to cross certify Network ‘2’, then it will communicate with the Root CA of Network ‘2’, and vice versa. In simple words, cross certification is a process established between the Root Certifying Authorities of two or more countries.

[9] The Controller of Certifying Authorities (CCA) is the Root Certifying Authority of India (RCAI).

Figure 2: Cross Certification between Root Certifying Authorities of two Countries (Network 1, India, and Network 2, Japan, each with its CCA at the root and CA1, CA2 and CA3 beneath it)

A digital signature is nothing but a block of data that may consist of alphabets, numerals, special characters or a mixture of all. Digital signature technology uses an asymmetric key crypto system for the purpose of authentication, as stated under Section 3 of the Information Technology Act, 2000:
 - The subscriber (in whose name the Electronic Signature Certificate has been issued) may authenticate an electronic record by affixing a digital signature.
 - The authentication process must involve the use of an asymmetric crypto system and a hash function. [10]
 - The public key and the private key are a unique key pair associated with the subscriber; any person may verify the electronic record by making use of the public key of the subscriber.

Asymmetric crypto system: It is defined in Section 2(1)(f) of the Information Technology Act, 2000 as a system of secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature. Asymmetric key cryptography has various advantages. Firstly, you need not share your keys in advance; the only key that you need to share with the other party is your public key. Secondly, only the party which is creating the digital signature needs to secure the keys. To create a digital signature one must understand the following terms:
Encryption: A technique by which plain text is converted into cipher text.
Decryption: A technique by which cipher text is converted into plain text.
Private Key: As defined in Section 2(1)(zc) of the IT Act, 2000, means the key of a key pair used to create a digital signature.
Public Key: As defined in Section 2(1)(zd) of the IT Act, 2000, means the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate.
Signer: One who creates the digital signature.
Recipient: One who verifies the signature.
Hash Function: As discussed above.

[10] Hash Function- An algorithm that maps or translates one set of bits into another (generally smaller) set in such a way that-
(i) A message yields the same result every time the algorithm is executed using the same message as input.
(ii) It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm.
(iii) It is computationally infeasible to find two different messages that produce the same hash result using the same algorithm.
The Information Technology (Certifying Authorities) Rules, 2000.

4.1. How does it Work?

Creation of Digital Signature-
If a sender ‘A’ wants to send a document to a recipient ‘B’ and wishes to authenticate that electronic document by the use of a digital signature, then ‘A’ will perform the following functions-

I. ‘A’ will generate a hash value by applying the hash function to the electronic document.
II. ‘A’ will encrypt the hash value with its private key. The encrypted hash value is known as the Digital Signature.
III. ‘A’ will append the Digital Signature to the electronic document and send it to the recipient ‘B’.

Verification of the Digital Signature at the recipient’s end involves the following steps-

I. ‘B’ receives the Digital Signature along with the electronic document.
II. ‘B’ will generate a hash value by applying the hash function to the electronic document received, in its original form.
III. Then ‘B’ will decrypt the Digital Signature by applying ‘A’’s (the sender’s) public key and recover the hash value that was calculated by ‘A’.
IV. If both hash values, the one computed in step II and the one recovered in step III, are the same, then the received document is authentic, i.e. it was sent by ‘A’ only and was not tampered with during transit.

Figure 3: Block Diagram for Digital Signature
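The two procedures above (creation by ‘A’, verification by ‘B’) carried through in runnable form, as an added example that is not part of the original module: SHA-256 stands in for the hash function and textbook (unpadded) RSA over a freshly generated toy key pair stands in for the asymmetric crypto system, so the module's wording "encrypt the hash value with the private key" can be followed literally. The key generation, the fixed-width envelope format and the sample record are assumptions of this example; real signing tools use padded schemes (RSA-PSS, ECDSA) and CA-issued keys, which are not modelled here.

```python
"""Steps I-III (creation by 'A') and I-IV (verification by 'B') of Section 4.1.
Added illustration, not the module's own code: SHA-256 is the hash function and
unpadded textbook RSA over a toy key pair is the asymmetric crypto system.
Insecure as written (no padding, small key); it only makes the steps concrete."""
import hashlib
import random
from typing import Optional, Tuple

Key = Tuple[int, int]  # (modulus n, exponent): (n, e) is public, (n, d) private


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin test; sufficient for a demonstration key."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int, rng: random.Random) -> int:
    """Draw odd candidates with the top bit set until one is (probably) prime."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate

def generate_key_pair(bits: int = 512, seed: Optional[int] = None) -> Tuple[Key, Key]:
    """Return (public_key, private_key). Per Section 2(1)(x) the public key verifies
    what the private key signs. A fixed `seed` makes the pair reproducible."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def hash_record(record: bytes) -> int:
    """Step I: apply the hash function; the 'hash result' as an integer."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")

def sign(record: bytes, private_key: Key) -> int:
    """Step II: 'encrypt' the hash value with the private key (n must exceed 2**256)."""
    n, d = private_key
    h = hash_record(record)
    if h >= n:
        raise ValueError("modulus too small to carry a 256-bit hash result")
    return pow(h, d, n)

def verify(record: bytes, signature: int, public_key: Key) -> bool:
    """Recipient steps II-IV: rehash, recover the hash with the public key, compare."""
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == hash_record(record)

def affix(record: bytes, private_key: Key) -> bytes:
    """Step III: append the signature as a fixed-width trailer. The envelope
    format is an assumption of this example, not one prescribed by the Act."""
    width = (private_key[0].bit_length() + 7) // 8
    return record + sign(record, private_key).to_bytes(width, "big")

def verify_affixed(blob: bytes, public_key: Key) -> Tuple[bytes, bool]:
    """Split the envelope back into (record, is_authentic)."""
    width = (public_key[0].bit_length() + 7) // 8
    if len(blob) < width:
        return blob, False
    record = blob[:-width]
    return record, verify(record, int.from_bytes(blob[-width:], "big"), public_key)


if __name__ == "__main__":
    public_a, private_a = generate_key_pair(seed=2000)    # constructed key for 'A'
    doc = b"Agreement between A and B, dated 10/10/2014."  # constructed record
    envelope = affix(doc, private_a)
    print("genuine :", verify_affixed(envelope, public_a)[1])  # True
    print("tampered:", verify_affixed(envelope.replace(b"A and B", b"A and C"), public_a)[1])  # False
```

A single altered byte in the record changes the SHA-256 hash result, so the value recovered with ‘A’’s public key no longer matches and step IV fails; a signature produced under any other key pair fails the same comparison.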

5. Why to use Digital Signature?

A digital signature is considered as powerful as a handwritten signature and is widely adopted as well. It is used as a tool that increases accountability and control in paperless processes. Nowadays individuals, banks, government bodies and private organizations, whoever operates in the online medium, are making use of digital signatures in their daily business routine, because the technology is considered highly secure and advanced and provides authenticity, integrity (through the hash value) and non-repudiation to electronic documents. Achieving authenticity, integrity and non-repudiation of an electronic document is a major concern in the online environment. Let us understand the meaning of these terms with some examples:
Integrity: Suppose A and B are authorized persons in a channel and A is sending a document to B. If there is no change in the content of the document at B’s end, then integrity is not compromised. In the same situation, if during the transit of the document an unauthorized person C somehow manages to read, alter or modify the document, then integrity is compromised.
Authenticity: Any document whose source is undisputed, true or genuine is said to be authentic.
Non-repudiation: It is a method that ensures one party cannot deny his part. Suppose A is sending an electronic document (with a digital signature affixed) to B; then, after sending the document, A cannot deny having sent that document, because A had affixed his digital signature, which is a mark of unique identification. In case of dispute, non-repudiation may be established with the help of A’s public key, which shows that the electronic document was signed by A only.

6. Who can issue Electronic Signature Certificate?

It is a hierarchal framework in which the topmost authority is called the Controller of Certifying Authorities (CCA), which controls and keeps a check on all the Certifying Authorities. Focusing now on the Certifying Authorities (CAs), they are trustworthy entities in the Public Key Infrastructure. Certifying Authorities are responsible for issuing electronic signature certificates. [11] There is a prescribed way by which any person who satisfies all the conditions can apply for an Electronic Signature Certificate. Certifying Authorities reserve the right to suspend [12] or revoke [13] the Electronic Signature Certificate if they find any violation of the rules or negligence on the part of the subscriber. In a similar manner the Controller of Certifying Authorities can take action against CAs in case of any contravention. If subscribers are facing any problem in relation to Electronic Signature Certificates, they can report their problem to the concerned CA. Complaints against CAs will be heard by the Controller of Certifying Authorities after proper enquiry.

[11] Section 35 of the Information Technology Act, 2000- Certifying authority to issue Electronic signature certificate.

7. Classes of Digital Signature Certificates:

Digital Signature Certificates are categorized into four classes:
Class 0: Digital certificates under this class shall be issued for “test purposes” or for “demonstration purposes” only, and not otherwise.
Class 1: Digital certificates under this class do not hold any legal recognition; they are considered valid on the basis of a valid e-mail address and not on direct verification. These certificates shall be issued to private subscribers or individuals.
Class 2: Digital Signature Certificates under this class can be issued both for private individual use and for business personnel. This class relies on a pre-verified database, which is used to verify the identity of the person.
Class 3: This class of certificate is considered the top class. These are high assurance certificates that are primarily intended for electronic commerce applications. This class of certificate is issued to individuals as well as to organizations. It requires personal verification, meaning the person needs to present himself before a Registration Authority (RA) to prove his identity.

8. How Digital Signature is different from Electronic Signature?

Technologically speaking there is no difference between a digital signature and an electronic signature. [14] The digital signature is a subset of the electronic signature. Both perform the same functions: signer authentication, message integrity and non-repudiation. The Information Technology (Amendment) Act, 2008, in order to maintain continuity with the regime of digital signatures, has introduced the concept of the ‘electronic signature’. [15] Examples of electronic signatures may include biometric signatures, passwords, PINs, etc. [16]

[12] Section 37 of the Information Technology Act, 2000- Suspension of Digital Signature Certificate.
[13] Section 38 of the Information Technology Act, 2000- Revocation of Digital Signature Certificate.
[14] Vakul Sharma, “Information Technology-Law and Practice”, 3rd Edn., Universal Law Publishing Co. Pvt. Ltd., 2011.

9. Digital Signature and Indian Evidence Act, 1872:

The Indian Evidence Act, 1872 is the piece of legislation that deals with the admissibility of the evidence produced by the parties before the court. When the Indian Evidence Act was enacted in 1872 it did not envisage electronic records or electronic signatures as evidence. But, given the use of this technology on a very wide scale, it was felt necessary to bring the required changes by way of amendments to the Indian Evidence Act, 1872, to bring it in line with the changing trends in society. Let us discuss some provisions of the Indian Evidence Act, 1872 that deal with the evidentiary value of the digital signature.

[15] Section 3A of the Information Technology Act, 2000 defines Electronic Signature:
(1) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which-
(a) is considered reliable; and
(b) may be specified in the Second Schedule.
(2) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if-
(a) the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and of no other person;
(b) the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person;
(c) any alteration to the electronic signature made after affixing such signature is detectable;
(d) any alteration to the information made after its authentication by electronic signature is detectable; and
(e) it fulfills such other conditions which may be prescribed.
(3) The Central Government may prescribe the procedure for the purpose of ascertaining whether electronic signature is that of the person by whom it is purported to have been affixed or authenticated.
(4) The Central Government may, by notification in the Official Gazette, add to or omit any electronic signature or electronic authentication technique and the procedure for affixing such signature from the second schedule;
Provided that no electronic signature or authentication technique shall be specified in the Second Schedule unless such signature or technique is reliable.
(5) Every notification issued under sub-section (4) shall be laid before each House of Parliament.
[16] Vakul Sharma, “Information Technology-Law and Practice”, 3rd Edn., Universal Law Publishing Co. Pvt. Ltd., 2011.
Section 3 [17] – Interpretation Clause: The Indian Evidence Act, 1872 includes the electronic record in the meaning of “evidence” by way of amendment. It says that all documents, including electronic records, that are produced before the court for the purpose of inspection are considered evidence.
Section 47A- Opinion as to digital signature when relevant [18]- This section is included to help the court reach a decision on the basis of a “third-party” opinion. The provision says that when the court feels it necessary, or wants to form an opinion about a person or a person’s electronic record, the court may invite the opinion of the Certifying Authority (which has issued the Electronic Signature Certificate), and the opinion of the Certifying Authority will be considered a relevant fact.
Section 67A- Proof as to digital signature [19]- This provision protects the secure electronic signature. It says that if the court asks the subscriber for proof regarding the digital signature, then the subscriber has to present strong arguments before the court showing that the digital signature belongs to him. Execution of an electronic record by simply attaching an electronic signature to it will not count as satisfactory or reasonable proof in the eyes of the law.
For the purpose of this section, the definition of secure electronic signature is given under the Information Technology Act, 2000 and we will consider the same here:
Section 15- Secure electronic signature [20]- An electronic signature shall be deemed to be a secure electronic signature if—
(i) the signature creation data, at the time of affixing signature, was under the exclusive control of the signatory and no other person; and
(ii) the signature creation data was stored and affixed in such exclusive manner as may be prescribed.

[17] http://www.advocatekhoj.com/library/bareacts/indianevidence/index.php?Title=Indian%20Evidence%20Act,%201872, visited on 11/10/2014.
[18] Section 47A of the Indian Evidence Act, 1872- Opinion as to digital signature when relevant- When the Court has to form an opinion as to the digital signature of any person, the opinion of the Certifying Authority which has issued the Digital Signature Certificate is a relevant fact.
[19] Section 67A of the Indian Evidence Act, 1872- Proof as to digital signature- Except in the case of a secure digital signature, if the digital signature of any subscriber is alleged to have been affixed to an electronic record the fact that such digital signature is the digital signature of the subscriber must be proved.
[20] The Information Technology Act, 2000.
Section 73A- Proof as to verification of digital signature [21] – This section is applicable only to matters pending before the court. The court will validate whether a digital signature belongs to the person to whom it is attributed or not. In order to verify this, the court may direct:
(1) that person (who is the subscriber of the certificate) to produce the Digital Signature Certificate before the court; the court may also direct the Controller of Certifying Authorities and the Certifying Authorities to provide the details of that subscriber’s Digital Signature Certificate, because they are authorized to maintain repositories of all issued, suspended and revoked Digital Signature Certificates;
(2) any other person to apply the public key listed in the Digital Signature Certificate and verify the digital signature purported to have been affixed by that person.
Section 85A- Presumption as to electronic agreements [22]- It says that if any electronic agreement is concluded by affixing an electronic signature to it, then the court will presume that it is an authentic electronic document.
Section 85B- Presumption as to electronic records and digital signatures [23]-
(1) It says that the court will presume, unless the contrary is proved, that a secure electronic record has remained a secure electronic record from the time when the security procedure was applied to it until the time of verification.
(2) It provides that, unless the contrary is proved, the court shall presume that the secure electronic signature was attached by the subscriber with the intent of signing or approving the electronic record. It also says that there shall be no presumption as to the authenticity and integrity of an electronic record or electronic signature if the same is not secure.
Section 85C- Presumption as to Digital Signature Certificate [24]- This section says that the court shall presume, unless the contrary is proved, that the information recorded in a Digital Signature Certificate is correct and true. The reason the court relies on the given information is that the subscriber, while making the application for the Digital Signature Certificate, certifies that all the information given for the process is true.

Section 90A- Presumption as to electronic records five years old [25]- It lays down two main conditions:
(1) the electronic record is proved to be five years old;
(2) it is proved to be in proper custody.
Then the court may presume that the agreement was authenticated by the digital signature affixed to it. A person authorized by the signatory to use the digital signature may also have affixed it. Custody of the electronic record should remain with the authorized person.

[21] Section 73A of the Indian Evidence Act, 1872- Proof as to verification of digital signature- In order to ascertain whether a digital signature is that of the person by whom it purports to have been affixed, the Court may direct-
(a) that person or the Controller or the Certifying Authority to produce the Digital Signature Certificate;
(b) any other person to apply the public key listed in the Digital Signature Certificate and verify the digital signature purported to have been affixed by that person.
[22] Section 85A of the Indian Evidence Act, 1872- Presumption as to electronic agreements- The Court shall presume that every electronic record purporting to be an agreement containing the digital signatures of the parties was so concluded by affixing the digital signature of the parties.
[23] Section 85B of the Indian Evidence Act, 1872- Presumption as to electronic records and digital signatures-
(1) In any proceedings involving a secure electronic record, the Court shall presume unless contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates.
(2) In any proceedings, involving secure digital signature, the Court shall presume unless the contrary is proved that—
(a) the secure digital signature is affixed by subscriber with the intention of signing or approving the electronic record;
(b) except in the case of a secure electronic record or a secure digital signature, nothing in this section shall create any presumption, relating to authenticity and integrity of the electronic record or any digital signature.

10. Conclusion:
Till date the use of the digital signature or the electronic signature is limited to electronic documents, the formation of contracts through the electronic medium, and electronic transactions. They are not yet applicable to paper-based documents. However, electronic signatures in combination with other security features (which may be incorporated in paper-based documents) may be used to sign a paper-based document as well.

[24] Section 85C of the Indian Evidence Act, 1872- Presumption as to Digital Signature Certificate- The Court shall presume, unless contrary is proved, that the information listed in a Digital Signature Certificate is correct, except for information specified as subscriber information which has not been verified, if the certificate was accepted by the subscriber.
[25] Section 90A of the Indian Evidence Act, 1872- Presumption as to electronic records five years old- Where any electronic record, purporting or proved to be five years old, is produced from any custody which the Court in the particular case considers proper, the Court may presume that the digital signature which purports to be the digital signature of any particular person was so affixed by him or any person authorised by him in this behalf.
