What is a digital signature
under the Information Technology Act?
U/s2(p) "digital signature" means authentication of any
electronic record by a subscriber by means of an electronic method
or procedure in accordance with the provisions of section 3;
S/3. (1) Subject to the provisions of this section any subscriber
may authenticate an electronic record by affixing his digital
signature.
(2) The authentication of the electronic record shall be effected
by the use of asymmetric crypto system and hash function which envelop
and transform the initial electronic record into another electronic
record.
Explanation. For the purposes of this sub-section, "hash
function" means an algorithm mapping or translation of one
sequence of bits into another, generally smaller, set known as "hash
result" such that an electronic record yields the same hash
result every time the algorithm is executed with the same electronic
record as its input making it computationally infeasible
(a) to derive or reconstruct the original electronic
record from the hash result produced by the algorithm;
(b) that two electronic records can produce the same hash result
using the algorithm.
(3) Any person by the use of a public key of the subscriber
can verify the electronic record.
(4) The private key and the public key are unique to the subscriber
and constitute a functioning key pair.
Digital signatures are created and verified by cryptography, the
branch of applied mathematics that concerns itself with transforming
messages into seemingly unintelligible forms and back again.
The processes used for digital signatures have undergone thorough
technological review for over a decade. Digital signatures have
been accepted in several national and international standards
developed in cooperation with and accepted by many corporations,
banks, and government agencies. The likelihood of malfunction
or a security problem in a digital signature cryptosystem designed
and implemented as prescribed in the industry standards is extremely
remote, and is far less than the risk of undetected forgery or
alteration on paper or of using other less secure electronic signature
techniques.
Figure 1 below describes the process of digital signature creation.
Figure 2 describes the process of verification of a digital signature.
Asymmetric crypto system
The Act u/s3 provides that the authentication of electronic record
shall be effected by the use of asymmetric crypto system, which
is a system of a secure key pair consisting of a private key for
creating a digital signature and a public key to verify the digital
signature.
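The hash-then-sign process of section 3(2) and the public-key verification of section 3(3), as an added example that is not part of the original page or of the Act. SHA-256, unpadded RSA, the function names and the demonstration key are assumptions chosen for illustration; deployed signature schemes add a padding step such as RSASSA-PSS and use secretly generated primes.

```python
import hashlib

# Constructed demonstration key pair: P and Q are two well-known Mersenne
# primes, so this key is public knowledge and must never protect real data.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                           # modulus, shared by both keys
E = 65537                           # public exponent (public key = E, N)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, kept by the subscriber


def hash_result(record: bytes) -> int:
    """Hash function of s.3(2): map the record to a fixed-size hash result."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, d: int = D, n: int = N) -> int:
    """Subscriber side: transform the hash result with the private key."""
    return pow(hash_result(record), d, n)


def verify(record: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Any person, s.3(3): undo the transform with the public key and
    compare it with a freshly computed hash result of the received record."""
    return pow(signature, e, n) == hash_result(record)


if __name__ == "__main__":
    # Constructed sample records.
    record = b"Pay Rs. 1,000 to the bearer"
    altered = b"Pay Rs. 9,000 to the bearer"
    sig = sign(record)
    print("original record verifies:", verify(record, sig))
    print("altered record verifies: ", verify(altered, sig))
```

Changing a single character of the record changes its hash result, so the signature made over the original record no longer verifies against the altered one.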
The person who intends to use the key pair in order to digitally
sign electronic records normally generates the key pair. Software
does the job. One of the most popular programs is PGP (www.pgpi.org).
The private key remains with the person signing and is not known
to the world. In fact, under the Act it is the duty of the maker
(subscriber) to retain control of the private key (u/s42). The private
key is the key of a key pair used to create a digital signature (u/s2).
The public key of a key pair is used to verify a digital signature
sent by a subscriber of the key pair and is listed in the Digital
Signature Certificate (u/s2).
A Digital Signature Certificate will be issued by the Certifying
Authorities (popularly known as CAs) u/s35 for a fee not exceeding
twenty-five thousand rupees.
Some of the famous international CAs are Verisign, ID Certify,
Arcanvs, Sure Sign, British Telecom, Thawte (www.thawte.com) etc.
Under the Act, foreign CAs will also be able to apply for a licence
to act as a CA in India.