What is a Digital Signature?

An introduction to Digital Signatures, by David Youd

(Bob's public key)

Bob
(Bob's private key)

Bob has been given two keys. One of Bob's keys is called a Public Key, the other is
called a Private Key.

Bob's Co-workers:

Anyone can get Bob's

Public Key, but Bob
keeps his Private Key
to himself
Pat Doug Susan

Bob's Public key is available to anyone who needs it, but he keeps his Private Key
to himself. Keys are used to encrypt information. Encrypting information means
"scrambling it up", so that only a person with the appropriate key can make it
readable again. Either one of Bob's two keys can encrypt data, and the other key
can decrypt that data.

Susan (shown below) can encrypt a message using Bob's Public Key. Bob uses his
Private Key to decrypt the message. Any of Bob's coworkers might have access to
the message Susan encrypted, but without Bob's Private Key, the data is worthless.

HNFmsEm6Un
"Hey Bob, how
BejhhyCGKOK
about lunch at
JUxhiygSBCEiC
Taco Bell. I
0QYIh/Hn3xgiK
hear they have
BcyLK1UcYiY
free refills!"
lxx2lCFHDC/A
HNFmsEm6Un
"Hey Bob, how
BejhhyCGKOK
about lunch at
JUxhiygSBCEiC
Taco Bell. I
0QYIh/Hn3xgiK
hear they have
BcyLK1UcYiY
free refills!"
lxx2lCFHDC/A
With his private key and the right software, Bob can put digital signatures on
documents and other data. A digital signature is a "stamp" Bob places on the data
which is unique to Bob, and is very difficult to forge. In addition, the signature
assures that any changes made to the data that has been signed can not go
undetected.

To sign a document, Bob's software will crunch down the data into just a
few lines by a process called "hashing". These few lines are called a
message digest. (It is not possible to change a message digest back into
the original data from which it was created.)

Bob's software then encrypts the message digest with his private key. The result is
the digital signature.

Finally, Bob's software appends the digital signature to document. All of the data
that was hashed has been signed.
Bob now passes the document on to Pat.

First, Pat's software decrypts the signature (using Bob's public key)
changing it back into a message digest. If this worked, then it proves that
Bob signed the document, because only Bob has his private key. Pat's
software then hashes the document data into a message digest. If the
message digest is the same as the message digest created when the
signature was decrypted, then Pat knows that the signed data has not
been changed.
Plot complication...
Doug (our disgruntled employee) wishes to deceive Pat. Doug makes
sure that Pat receives a signed message and a public key that appears to
belong to Bob. Unbeknownst to Pat, Doug deceitfully sent a key pair he
created using Bob's name. Short of receiving Bob's public key from him
in person, how can Pat be sure that Bob's public key is authentic?

It just so happens that Susan works at the company's certificate authority center.
Susan can create a digital certificate for Bob simply by signing Bob's public key as
well as some information about Bob.

Bob Info:
    Name
    Department
    Cubical Number

Certificate Info:
    Expiration Date
    Serial Number

Bob's Public Key:

    
Now Bob's co-workers can check Bob's trusted certificate to make sure that his
public key truly belongs to him. In fact, no one at Bob's company accepts a
signature for which there does not exist a certificate generated by Susan. This gives
Susan the power to revoke signatures if private keys are compromised, or no
longer needed. There are even more widely accepted certificate authorities that
certify Susan.

Let's say that Bob sends a signed document to Pat. To verify the signature on the
document, Pat's software first uses Susan's (the certificate authority's) public key to
check the signature on Bob's certificate. Successful de-encryption of the certificate
proves that Susan created it. After the certificate is de-encrypted, Pat's software can
check if Bob is in good standing with the certificate authority and that all of the
certificate information concerning Bob's identity has not been altered.

Pat's software then takes Bob's public key from the certificate and uses it to check
Bob's signature. If Bob's public key de-encrypts the signature successfully, then
Pat is assured that the signature was created using Bob's private key, for Susan has
certified the matching public key. And of course, if the signature is valid, then we
know that Doug didn't try to change the signed content.

Although these steps may sound complicated, they are all handled behind the
scenes by Pat's user-friendly software. To verify a signature, Pat need only click on
it.

(c) 1996, David Youd

Permission to change or distribute is at the discretion of the author

Warning: You may be missing a few lines of text if you print this document. This seems to occur on pages
following pages that have blank space near the bottom due to moving tables with large graphics in them to the
next page so that the images are not split across pages. If this happens to you, simply print out document in
sections. (Ex: I have the problem on page 4, so I print pages 1-3, then pages 4-5.)

- A digital signature (not to be confused with a digital certificate) is an electronic

signature that can be used to authenticate the identity of the sender of a message or the signer
of a document, and possibly to ensure that the original content of the message or document
that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated
by someone else, and can be automatically time-stamped. The ability to ensure that the
original signed message arrived means that the sender cannot easily repudiate it later.

A digital signature can be used with any kind of message, whether it is encrypted or not,
simply so that the receiver can be sure of the sender's identity and that the message arrived
intact. A digital certificate contains the digital signature of the certificate-issuing authority so
that anyone can verify that the certificate is real.

How It Works

Assume you were going to send the draft of a contract to your lawyer in another town. You
want to give your lawyer the assurance that it was unchanged from what you sent and that it
is really from you.

1. You copy-and-paste the contract (it's a short one!) into an e-mail note.
2. Using special software, you obtain a message hash (mathematical summary) of the
contract.
3. You then use a private key that you have previously obtained from a public-private
key authority to encrypt the hash.
4. The encrypted hash becomes your digital signature of the message. (Note that it will
be different each time you send a message.)

At the other end, your lawyer receives the message.

1. To make sure it's intact and from you, your lawyer makes a hash of the received
message.
2. Your lawyer then uses your public key to decrypt the message hash or summary.
3. If the hashes match, the received message is valid.

Also see hashing and Digital Signature Standard.

Getting started with digital signatures

To explore how digital signatures are used in the enterprise, here are some additional
resources:
Personal digital certificate pros and cons: Are you considering creating a personal digital
certificate for your company? Learn about the pros and cons of the technology and the
proper steps to follow for issuing these certificates.
Understanding multifactor authentication features in IAM suites: Do you think your
organization's multifactor authentication strategy works effectively with your IAM suite?
Get a better understanding of multifactor authentication, your IAM suite options and best
practices for deployment.

What is a Digital Signature Certificate (DSC)?

The Information Technology Act, 2000 provides for use of Digital Signatures on the documents submitted in
electronic form in order to ensure the security and authenticity of the documents filed electronically. This is the
only secure and authentic way that a document can be submitted electronically. As such, all filings done by the
companies under MCA21 e-Governance programme are required to be filed with the use of Digital Signatures
by the person authorised to sign the documents.

Legal Warning:
 You can use only the valid Digital Signatures issued to you. It is illegal to use Digital Signatures of anybody
other than the one to whom it is issued.

Certification Agencies:

Certification Agencies are appointed by the office of the Controller of Certification Agencies (CCA) under the
provisions of IT Act, 2000. There are a total of seven Certification Agencies authorised by the CCA to issue the
Digital Signature Certificates (DSCs). The details of these Certification Agencies are available on the portal of
the Ministry www.mca.gov.in

Class of DSCs:

The Ministry of Company Affairs has stipulated a Class-II or above category certificate for e-filings under
MCA21. A person who already has the specified DSC for any other application can use the same for filings
under MCA21 and is not required to obtain a fresh DSC.

Validity of Digital Signatures:

The DSCs are typically issued with one year validity and two year validity. These are renewable on expiry of
the period of initial issue.

Costing/ Pricing of Digital Signatures:

It includes the cost of medium (a UBS token which is a one time cost), the cost of issuance of DSC and the
renewal cost after the period of validity. The company representatives and professionals required to obtain
DSCs are free to procure the same from any one of the approved Certification Agencies as per the web site.
The issuance costs in respect of each Agency vary and are market driven.

owever, for the guidance of stakeholders, the Ministry has obtained the costs of issuance of DSCs at the
consumer end from the Certification Agencies. The costs as intimated by them are as under:

Prices For Issuance Of Class-II Digital Signature at the Consumer End

Sr. Name of Cost of USB Cryptotoken Cost of DSC with Renewal Charges Cost of DSC with Support charges
No. Certification one year validity for DSC with one two year validity
year validity
Agency (CA)

  MTNL CA Reference of USB crypto token Rs. 300/- ( for MTNL Rs. 300/- ( for Rs. 400/- ( for Inclusive
which the user can procure is phone subscriber) MTNL phone MTNL phone
provided on and Rs. 450/- for subscriber) and Rs. subscriber) and
1.
www.mtnltrustline.com. others (Taxes extra) 450/- for others Rs. 600/- for
(Taxes extra) others ( Taxes
extra)

  TCS Rs. 750 (Inclusive of 4% Sales Rs. 1245 (Inclusive of Rs. 1000/- Rs. 1900/- Not Provided by CA
Tax). Any other applicable 12.24% Sales Tax.) (Inclusive of (Inclusive of
Taxes Extra. Any other applicable 12.24% Sales Tax) 12.24% Sales
2.
Taxes Extra. Any other applicable Tax) Any other
Taxes Extra applicable taxes
Extra)

  IDBRT Not provided by the CA. The Rs. 750/- (Rs. 500/- Rs. 750/- Rs. 1500/- Inclusive
user can procure the token towards
from market directly and get administrative
3.
his DSC loaded into it expenses and Rs
250/-for Certificate)

  SAFESCRYPT Rs. 1000/- Rs. 995/- Rs. 995/- Rs. 1650/- Rs. 500/- per site visit
(SATYAM) payable directly to the
Authorised Partner.
4. Taxes extra (No service tax (No service tax (No service tax
applicable) applicable) applicable)

  nCODE Rs. 900/- Rs. 1090/- Not Finalised Rs. 1650/- Inclusive
Solutions
5. (Inclusive of VAT/Sales Tax) (No service tax (No service tax
applicable) applicable)
  NIC Certificate provided in Smart All certificates NIL NIL for Training Charges:
card. Cost of Card Rs. 400/-. provided with 2 years Government Rs.
For DSCs on USB token, the validity 150/- for PSU,
6. Rs. 500/- per
subscribers have to bring Autonomous &
participant (optional)
NICCA approved USB token Statutory Bodies

7 Central Excise
Does not issue DSCs to person other than those from the Department
& Customs