digital signature project report

A Seminar Report On DIGITAL SIGNATURE In partial fulfillment of requirements for the degree of Bachelor of Technology In Computer Engineering Department of Computer science and Engineering CHANDRAVATI GROUP OF INSTITUTIONS BHARATPUR 321001

Upload: surabhi-agrawal

Post on 08-Nov-2014


Page 1: Digital Signature Project Report

A Seminar Report

On

DIGITAL SIGNATURE

In partial fulfillment of requirements for the degree of

Bachelor of Technology

In

Computer Engineering

Department of Computer science and Engineering

CHANDRAVATI GROUP OF INSTITUTIONS

BHARATPUR 321001

Submitted By: SURABHI AGRAWAL, 09ECHCS053

Submitted To: Ms. POOJA SONI (Seminar Head)

ACKNOWLEDGEMENT

I would like to pay a great thanks to my institution and a special one to my seminar head Ms. Pooja Soni without whose extent support, I would never have been able to complete my seminar report.

I would also like to pay on record a sincere thanks to Almighty, my parents, my family and my friends who have helped me a lot to get the matter.

Surabhi Agrawal

09ECHCS053

Deptt: Computer Science


PAGE INDEX

ABSTRACT
1. Introduction
2. What is Digital Signature
3. Why and where Digital Signature used
4. Act of Digital Signature
5. Difference in Conventional and Digital Signature
6. Paper V/s Digital Signature
7. Classes, Deliverables, Contents
8. How Digital Signature works
9. Signing and Verification
   9.1 Signing Ceremony
   9.2 Verification Ceremony
10. Form 16 and Digital Signature
   – Saral eSign
11. Security Services in Digital Signature
12. Attacks on Digital Signature
   12.1 Attack Types
   12.2 Forgery Types
13. Security Considerations
   – Risks not Mitigated
14. Advantages and Disadvantages
15. Conclusion
BIBLIOGRAPHY

FIGURE INDEX

1. Figure 1.1- Cryptography
2. Figure 2.1- Private Key
3. Figure 2.2- Digital Signature Structure
4. Figure 4.1- IDRBT Certificate
5. Figure 6.1- Paper Signature
6. Figure 6.2- Digital Signature
7. Figure 8.1- Way of Signing Messages
8. Figure 9.1- Signing of Document
9. Figure 9.2- Verification of Document
10. Figure 11.1- Non Repudiation Mechanism

Abstract

Scope

i. A Digital Signature is an XDS document (changed from June public comment version)

ii. There are four Use Cases considered for this year.

iii. Vendor must provide signature mechanism for XDS Submissions

iv. Possibility to use digital signatures without having an XDS registry. Approach is determined by other domain-specific groups (e-Prescribing, e-Referral)

Out of Scope

i. Certificate management.

ii. Standards and implementations are available

iii. Focus begins with signing, not encryption.

iv. Partial Document Signature


1. Introduction

Cryptography is one of the technologies that has had a great effect in protecting data and information in recent years. It is the science of securing your information by means of a code.

Cryptography provides encryption for data and information that pass over one or more channels. This is done to protect the data from any external or third-party influence.

A digital signature is a way of encrypting your signature that is specific to you and protects it from forgery of any kind.

A digital signature, or e-signature for short, is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document.

Fig1.1- Cryptography


2. What is Digital Signature?

A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real. This is now commonly seen in internet transactions.

A digital signature can be used with any kind of message, transactions and the like, whether it is encrypted or not, simply so that the receiver can be sure of the sender’s identity and that the message arrived intact.

The hash value of a message, when encrypted with the private key of a person, is his digital signature on that e-Document.

The digital signature of a person therefore varies from document to document, thus ensuring the authenticity of each word of that document.

As the public key of the signer is known, anybody can verify the message and the digital signature.

Fig2.1- Private Key

Concepts

A 1024-bit number is a very big number, much bigger than the total number of electrons in the whole world.

Trillions of trillions of pairs of numbers exist in this range, with each pair having the following property:

A message encrypted with one element of the pair can be decrypted ONLY by the other element of the same pair. Two numbers of a pair are called keys, the Public Key & the Private Key. User himself generates his own key pair on his computer.


Any message, irrespective of its length, can be compressed or abridged uniquely into a shorter message called the Digest or the Hash. The smallest change in the message will change the Hash value.

Fig2.2- Digital Signature Structure

Each individual generates his own key pair [Public key known to everyone & Private Key only to the owner]

Private Key – Used for making digital signature

Public Key – Used to verify the digital signature

The signing and the verifying ceremony are done with the help of suitable algorithms.


3. WHY AND WHERE DIGITAL SIGNATURE USED

Why we need DIGITAL SIGNATURE?

a) To provide Authenticity, Integrity and Non-repudiation to electronic documents

b) To use the Internet as the safe and secure medium for e-Commerce and e-Governance

c) Providing accountability

d) Providing document integrity

e) Providing non-repudiation

f) Providing satisfactory evidence of: Authorship, Approval, Review, and Authentication

g) Infrastructural pattern to be further profiled by domain specific groups (e-Prescribing, e-Referral).

What type of Document needs DIGITAL SIGNATURE?

The main purposes for using a digital signature include:

a) Signer verification: Placing a digital signature on any kind of document, especially one that requires it, shows that the one who signed it is real and accepts responsibility for the signed document as being real and legal.

b) Authentication: A digital signature will also authenticate the document as being real and valid. It will prove to the executioner that the information contained on the document is valid and can be put in action.

4. ACT FOR DIGITAL SIGNATURE

The Information Technology Act, 2000 provides for the use of Digital Signatures on the documents submitted in electronic form.

Under the provision of IT Act, 2000, the office of Controller of Certifying Authorities (CCA) appoints the Certifying Authorities (CA) by issuing Certificates for the same.

These CA will issue the Digital Signature to the End Users Directly or through the Registration Authorities (RA) /Local Registration Authorities (LRA).

It must be obtained from an ISO 17090 compliant Certificate Authority

Including the role extension for the signer’s role in the healthcare profession

For purposes of signature verification, the signer’s certificate (public key portion) must be available

Test certificates can be obtained without rigorous identification requirements for the purpose of the Connection.

For test certificates contact [email protected]

How Digital Signature will be issued to the End-users.

Information Technology Act, 2000

Controller of Certifying Authorities (CCA)

Certifying Authorities (CA)

Registration Authorities (RA)

Local Registration Authorities (LRA)

End Users


Certification Agencies

The Certification Agencies available in India are:

Tata Consultancy Services Ltd.

National Informatics Centre

Institute for Development & Research in Banking Technology (IDRBT)

MTNL

Customs & Central Excise (CBEC)

Code Solutions Ltd., (A division of Gujarat Narmada Valley Fertilizers Company Ltd.)

SafeScrypt from Sify Communications

E Mudhra

Fig4.1- IDRBT Certificate

Trust Path

Controller is the Root certifying authority responsible for regulating Certifying Authorities (CAs).

Controller certifies the association of CA with his public key.

Certifying Authority (CA) is the trusted authority responsible for creating or certifying identities.

CA certifies the association of an individual with his public key.

Role of Controller

Controller of Certifying Authorities as the “Root” Authority certifies the technologies, infrastructure and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates.

Four CAs have been licensed:

1. SafeScrypt
   1.1 5th Feb 2002
   1.2 A subsidiary of Satyam Infoway

2. National Informatics Center (NIC)
   2.1 17th July 2002
   2.2 Govt. of India

3. Institute for Development & Research in Banking Technology (IDRBT)
   3.1 6th August 2002
   3.2 A society of Reserve Bank of India

4. Tata Consultancy Services (TCS)
   4.1 9th September 2002

Charges for certificates vary from Rs. 500/- to Rs. 20,000/- per year.

5. DIFFERENCE IN CONVENTIONAL AND DIGITAL SIGNATURE

A conventional signature is included in the document; it is part of the document. But when we sign a document digitally, we send the signature as a separate document.

These are the various major differences:-

i. Verification Method

For a conventional signature, when the recipient receives a document, she compares the signature on the document with the signature on file. For a digital signature, the recipient receives the message and the signature. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity.

ii. Relationship

For a conventional signature, there is normally a one-to-many relationship between a signature and documents. For a digital signature, there is a one-to-one relationship between a signature and a message.

iii. Duplicity

In conventional signature, a copy of the signed document can be distinguished from the original one on file. In digital signature, there is no such distinction unless there is a factor of time on the document.

6. PAPER SIGNATURES V/s DIGITAL SIGNATURE

Parameter: Authenticity
   Paper: May be forged
   Electronic: Cannot be copied

Parameter: Integrity
   Paper: Signature independent of the document
   Electronic: Signature depends on the contents of the document

Parameter: Non-repudiation
   Paper: a) Handwriting expert needed; b) Error prone
   Electronic: a) Any computer user; b) Error free

Fig6.1- Paper Signature v/s Fig6.2- Digital Signature

7. CLASSES, DELIVERABLES, CONTENTS


Classes

There are 4 general classes of Digital Signature.

i. Class 0: Issued for demonstration/test purpose.

ii. Class 1: Issued to Individuals/private subscribers. This class of certificate will authenticate only the User name and E-mail address.

iii. Class 2: Issued to both business personal and private individuals. This class of certificates confirms the information provided by the subscriber.

iv. Class 3: Issued to Individuals as well as Organizations. This class of certificate is used in E-commerce applications where high assurance of the certificates is required. This certificate is issued to an individual only on their personal appearance before the CA.

Deliverables

The Digital Signature is provided with the following deliverables.

i. USB Token: Digital Signature allotted to the user.

ii. Password: Password required to access the Digital Signature.

iii. Driver Software: Software required to install the Digital Signature in the system.

iv. Interface Software: Software which enables the user to embed the Digital Signature with the document.

Note: Only one document can be attached with the Digital Signature at a time.

Contents


A digital signature typically contains:

i. Owner's public key

ii. The Owner's name

iii. Expiration date of the public key

iv. The Name of the issuer (the CA that issued the Digital ID)

v. Serial number of the digital signature, and

vi. The digital signature of the issuer.

8. HOW DIGITAL SIGNATURE WORKS?

Assume you were going to send the draft of a certain contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you sent and that it is really from you.

Here then would be the process:

1. You copy-and-paste the contract (it’s a short one!) into an e-mail note.

2. Using special software, you obtain a message hash (mathematical summary) of the contract.

3. You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.

4. The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.)

Signed Messages

Fig8.1- Way of Signing Messages

[Figure: the sender hashes the message and signs the hash with the sender's private key; the message plus signature is sent through the Internet; the receiver decrypts the signature with the sender's public key, calculates the hash of the received message, and compares the two hashes.]

How Signatures look?

I agree

efcc61c1c03db8d8ea8569545c073c814a0ed755

My place of birth is at Gwalior.

fe1188eecd44ee23e13c4b6655edc8cd5cdb6f25

I am 62 years old.

0e6d7d56c4520756f59235b6ae981cdb5f9820a0

I am an Engineer.

ea0ae29b3b2c20fc018aaca45c3746a057b893e7

I am an Engineer.

01f1d8abd9c2e6130870842055d97d315dff1ea3

Note: These are digital signatures of same person on different documents

There may be three patterns possible for digital signature

i. Digital Signatures are numbers

ii. Same Length – 40 digits

iii. They are document content dependent

9. SIGNING AND VERIFICATION


9.1 Signing Ceremony

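Fig9.1- Signing Document

[Figure: the original document passes through a hash function; the hash is processed by an asymmetric algorithm with the private key used for signing; the result is combined with the original document to form the signed document.]

Explanation

In order to create a digitally signed document, the signing application: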

i. Creates a digest of the document to be signed

ii. Creates a cryptographic hash of the digest using the private key of the signer

iii. Attaches the hash to the original document.


9.2 Verification Ceremony

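Fig9.2- Verification of Document

[Figure: the signed document is split into the original document and the signature; the original document is hashed to give the message hash; the signature is processed with the signer's public key to give the original hash; the two hashes are compared (Equal?).]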

Explanation

Begin with the signed document plus the signature, apply the algorithm using the public key of the signer that you may obtain from the signature, and you should end up with the same hash as the one that the signer created with their private key.
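
The signing and verification ceremonies of sections 8 and 9, as an added example that is not part of the original report. It uses textbook RSA on a SHA-256 hash with a constructed key built from two Mersenne primes; the key, the hash choice and the names `sign`, `verify` and `SignedDocument` are assumptions, and real signature schemes add padding on top of this.

```python
import hashlib
from dataclasses import dataclass

# Constructed demo key pair (not from the report). Two Mersenne primes give a
# 1128-bit modulus without a prime generator; real keys use random primes.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the signer


def digest(message: bytes) -> int:
    """Hash of the message as an integer (SHA-256 is an assumed choice)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


@dataclass(frozen=True)
class SignedDocument:
    message: bytes      # sent in the clear: signing gives no confidentiality
    signature: int


def sign(message: bytes, d: int = D, n: int = N) -> SignedDocument:
    """Signing ceremony: hash the document, then apply the private key to the hash."""
    return SignedDocument(message, pow(digest(message), d, n))


def verify(doc: SignedDocument, e: int = E, n: int = N) -> bool:
    """Verification ceremony: recover the signed hash with the public key and
    compare it with a freshly calculated hash of the received message."""
    if not 0 < doc.signature < n:
        return False
    return pow(doc.signature, e, n) == digest(doc.message)


def run_demo() -> dict:
    contract = b"Draft contract: party A pays party B Rs. 20,000."   # constructed
    other = b"I agree"                                               # constructed
    signed = sign(contract)
    # Same signature, message altered in transit.
    tampered = SignedDocument(contract.replace(b"20,000", b"2,000"), signed.signature)
    # Signature lifted from one document and attached to another.
    transplanted = SignedDocument(other, signed.signature)
    return {
        "original_verifies": verify(signed),
        "tampered_verifies": verify(tampered),
        "transplanted_verifies": verify(transplanted),
        "signature_differs_per_document": sign(other).signature != signed.signature,
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```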

10. FORM 16 AND DIGITAL SIGNATURE


Under the provisions of the IT Act, 2000, a digitally signed Form 16 has the same validity as the physically signed form, as do TDS Certificates issued under the Income Tax Act.

Further, Circular No. 2/2007 dated 21/5/2007 from the Income Tax Dept clarifies, "The Central Board of Direct Taxes have, therefore, in exercise of powers under section 119 of the Income-tax Act, 1961, decided for the proper administration of this Act to allow the deductors, at their option, in respect of the tax to be deducted at source from income chargeable under the head "Salaries" to use their digital signatures to authenticate the certificates of deduction of tax at source in Form 16."

Saral eSign

Saral eSign is software developed to digitally sign Form 16 using the digital signature of the user.

User should have a valid Digital Signature issued by any of the Certifying Authorities licensed under CCA.

Process flow of Saral eSign:

i. Picks the data from the software (Saral TDS/SPP) with TDS certificate prepared in Excel format.

ii. Convert the Excel certificate to PDF and apply Digital signature to all PDF files, with one time authentication.

iii. Display all the Certificates generated.

11. SECURITY SERVICES IN DIGITAL SIGNATURE

Digital Signature provides many security services such as message confidentiality, message authentication, message integrity, and nonrepudiation.

A digital signature can directly provide the last three but for message confidentiality we still need encryption/decryption mechanism.

These security mechanisms are discussed as follows:-

i. Message Authentication

A secure digital signature scheme, like a secure conventional signature can provide message authentication.

ii. Message Integrity

The integrity of the message is preserved even if we sign the whole message because we cannot get the same signature if the message is changed.

iii. Nonrepudiation

Fig11.1- Nonrepudiation Mechanism

Nonrepudiation can be provided using a trusted party.

iv. Confidentiality: Digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.

12. ATTACKS ON DIGITAL SIGNATURE

There are certain attacks and forgeries associated with the Digital Signature. These are discussed below.

12.1 Attack Types

12.1.1 Key Only Attack

The attacker is only given the public verification key.

12.1.2 Known Message Attack

The attacker is given valid signatures for a variety of messages known by the attacker but not chosen by the attacker.

12.1.3 Chosen-Message Attack

The attacker first learns signatures on arbitrary messages of the attacker's choice.

12.2 Forgery Types

12.2.1 Existential Forgery

Existential forgery is the creation (by an adversary) of any message/signature pair (m, σ), where σ was not produced by the legitimate signer.

12.2.2 Selective Forgery

Selective forgery is the creation (by an adversary) of a message/signature pair (m, σ) where m has been chosen by the adversary prior to the attack.
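
The key-only attack and the two forgery types above, checked against a verifier that skips the hash step and one that follows sections 8 and 9 (added example, not part of the original report). The public key is constructed and the function names are hypothetical; the forged pair verifies only where the hash is missing, and the attacker does not get to choose the message, so the forgery is existential and not selective.

```python
import hashlib

# Constructed public key (not from the report). In a key-only attack these two
# numbers are all the attacker is given.
N = (2**521 - 1) * (2**607 - 1)
E = 65537


def verify_without_hash(message: int, signature: int) -> bool:
    """Weak design: the private-key operation was applied to the message itself."""
    return 0 < signature < N and pow(signature, E, N) == message


def verify_hash_then_sign(message: bytes, signature: int) -> bool:
    """Design of sections 8 and 9: the signature covers the hash of the message."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return 0 < signature < N and pow(signature, E, N) == h


def pair_from_public_key(sigma: int) -> tuple:
    """Pick any sigma and derive the only message it is a valid raw signature for.
    The legitimate signer never produced sigma."""
    return pow(sigma, E, N), sigma


def int_to_bytes(value: int) -> bytes:
    return value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")


def run_demo() -> dict:
    m, sigma = pair_from_public_key(0x1234567890ABCDEF)     # constructed value
    wanted = int.from_bytes(b"Pay Rs. 20,000", "big")        # constructed target message
    return {
        # (m, sigma) passes the hash-less verifier: an existential forgery.
        "existential_forgery_without_hash": verify_without_hash(m, sigma),
        # m is whatever sigma**E mod N happens to be, not a message chosen in
        # advance, so this is not a selective forgery.
        "attacker_controls_message": m == wanted,
        # With hash-then-sign the same pair is rejected: sigma**E mod N would
        # have to equal the hash of the message, which the attacker cannot arrange.
        "same_pair_against_hash_then_sign": verify_hash_then_sign(int_to_bytes(m), sigma),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```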


13. SECURITY CONSIDERATIONS

Digital Signatures help mitigate risk for the following attacks:

i. In the storage or transmission of documents, characteristics of clinician orders reflected in the prescription could be modified.

ii. In the storage or transmission of documents, characteristics of countersigned clinician orders reflected in the prescription could be modified.

iii. A forged prescription could be introduced.

Risks Not Mitigated

The following scenarios will not be mitigated by using digital signatures and require additional security:

i. Corruption or bribery of a user, or counter-signer

ii. Theft of a private key

iii. Compromise of the physician’s workstation to allow access to the signing key

iv. The confirmation process could be corrupted or modified.

v. The dispensing system could be corrupted or modified, including simple attacks like burglary.

vi. The dispensing feedback could be corrupted, modified, or destroyed.

14. ADVANTAGES AND DISADVANTAGES

Advantages

i. Imposter prevention: By using digital signatures you eliminate the possibility of fraud by an imposter signing the document. Since the digital signature cannot be altered, this makes forging the signature impossible.

ii. Message integrity: By having a digital signature you are in fact showing and simply proving the document to be valid. You are assuring the recipient that the document is free from forgery or false information.

iii. Legal requirements: Using a digital signature satisfies some type of legal requirement for the document in question. A digital signature takes care of any formal legal aspect of executing the document.

Disadvantage

The disadvantages of using digital signatures involve the primary avenue for any business: money. This is because the business may have to spend more money than usual to work with digital signatures including buying certificates from certification authorities and getting the verification software.


15. CONCLUSION

Digital signatures are an essential breakthrough in the sphere of cryptography. Wherever there is a smart card, the use of a digital signature becomes almost indispensable. A digital signature is unique and is a very effective means of safeguarding your transactions.

A digital signature is a very effective way of securing all your financial transactions, so that you will experience more convenience in various business and money matters. This way you need not worry about the problems of traditional transactions that use signatures.
