Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT...


Page 1: Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.

Controller of Certifying Authorities

Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status

Mrs Debjani Nag
Deputy Controller

Page 2:

Electronic Transactions

The success of electronic transactions depends on “the trust that the transacting parties place in the security of the transmission and content of their communications”

• Authenticity
• Non-Repudiability
• Confidentiality
• Integrity

Page 3:

Information Technology (IT) Act, 2000

• Accorded legal recognition to Digital signatures
• Digital signatures treated at par with handwritten signatures
• Technology-specific

Page 4:

Public key cryptography for Digital signatures

Pair of keys for every entity

One Public key – known to everyone

One Private key – known only to the possessor

To digitally sign an electronic document the signer uses his/her Private key.

To verify a digital signature the verifier uses the signer’s Public key.

No need to communicate private keys

Page 5:

Creating a Digital signature

[Diagram labels: Document, Private Key, Encryption Algorithm, Signed document (Document + Digital signature)]

Page 6:

Verifying a Digital signature

[Diagram labels: Document + Digital signature, Public Key of signer, Decryption Algorithm, Signature verification and Document integrity]

Page 7:

Public key Cryptography & Digital Signatures

Assurance of Authenticity of the Digital Signature created by the Private key is determined by the Trust that can be placed in the Public key

Public key Certificates or Digital Signature Certificates bind a “public key” to an “Identity”

Page 8:

Public key Cryptography & Digital Signatures

Change in Document => Change in the Digital Signature

Digital Signature is bound to the Document as well as the Signer => Assurance of Integrity

Page 9:

Issues in Public key Cryptosystems

• How will the verifier get the signer’s public key?
• How will the verifier authenticate the signer’s public key?
• How will the signer be prevented from repudiating his/her digital signature?

Page 10:

Public key Cryptography & Digital Signatures

Digital Signature Certificates (containing the public key) are issued by Certifying Authorities after Identity verification

Responsibility of protecting the private key lies with its owner.

Loss or compromise of private key should be communicated to the CA so as to result in REVOCATION of the corresponding Digital Signature Certificate.

Page 11:

Certifying Authority

• Issues Digital Signature Certificates (Public Key Certificates).
• Is widely known and trusted.
• Has well defined methods of assuring the identity of the parties to whom it issues certificates.
• Confirms the attribution of a public key to a person by means of a public key certificate.
• Always maintains online access to the Digital Signature Certificates issued.

Page 12:

Public Key Certification

[Diagram labels: Certificate Request (User credentials, User’s Public key); Digital Signature Certificate (User credentials, User’s Public Key, CA’s Name, Validation period, Signature of CA), Digitally Signed using CA’s private key; Publish; Certificate Database (User 1 certificate, User 2 certificate)]

Page 13:

Certificate Revocation List (CRL)

A list of Certificates that have been revoked and declared invalid
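
The checks a relying party makes, following the signing, verification, certification and revocation slides above, as an added example that is not part of the original presentation. It assumes textbook RSA without padding and toy keys built from publicly known Mersenne primes so that it runs on the Python standard library alone; the serial number, names, dates and document are constructed.

```python
import hashlib
from datetime import date

E = 65537  # public exponent
FIELDS = ("serial", "subject", "public_key", "issuer", "not_before", "not_after")

def make_key(p, q):
    """Toy RSA key pair (public, private) from two known primes; demo only."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    n, d = private
    return pow(digest(data), d, n)  # needs the private exponent d

def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == digest(data)  # fails if data or sig was altered

def tbs(cert):
    """Bytes of the certificate fields covered by the CA's signature."""
    return repr([cert[k] for k in FIELDS]).encode()

def issue(ca_private, **fields):
    cert = dict(fields)
    cert["ca_signature"] = sign(ca_private, tbs(cert))
    return cert

def validate(doc, sig, cert, ca_public, crl, today):
    """Relying-party checks in order; returns 'valid' or the failed check."""
    if not verify(ca_public, tbs(cert), cert["ca_signature"]):
        return "certificate not signed by CA"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return "certificate outside validity period"
    if cert["serial"] in crl:  # assumption: the CRL lists revoked serial numbers
        return "certificate revoked"
    if not verify(cert["public_key"], doc, sig):
        return "signature does not match document"
    return "valid"

# Constructed sample data: toy keys from Mersenne primes, hypothetical names.
CA_PUB, CA_PRIV = make_key(2**1279 - 1, 2**2203 - 1)
USER_PUB, USER_PRIV = make_key(2**521 - 1, 2**607 - 1)
CERT = issue(CA_PRIV, serial=1001, subject="User 1", public_key=USER_PUB,
             issuer="Example CA", not_before=date(2024, 1, 1),
             not_after=date(2025, 12, 31))
DOC = b"Purchase order: 100 units"
SIG = sign(USER_PRIV, DOC)
print(validate(DOC, SIG, CERT, CA_PUB, crl=set(), today=date(2024, 6, 1)))
```

Production systems use randomly generated keys and a padded scheme such as RSA-PSS from a vetted library rather than this arithmetic.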

Page 14:

Public Key Infrastructure & the IT Act 2000

Controller of Certifying Authorities as the “Root” Authority certifies the technologies and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates

Page 15:

CCA’s role

• Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising supervision over their activities.
• Controller of Certifying Authorities as the “Root” Authority certifies the technologies and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates
• Certifying the public keys of the CAs, as Public Key Certificates (PKCs).
• Laying down the standards to be maintained by the CAs,
• Addressing the issues related to the licensing process including:
  • Approving the Certification Practice Statement (CPS);
  • Auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA.

Page 16:

Audit Process

• Adequacy of security policies and their implementation;
• Existence of adequate physical security;
• Evaluation of functionalities in technology as it supports CA operations;
• Compliance to the adopted Certification Practice Statement (CPS);
• Adequacy of contracts/agreements for all outsourced CA operations;
• Adherence to Information Technology Act 2000, the Rules, Regulations and Guidelines issued by the Controller from time-to-time.

Page 17:

CCA’s technical Infrastructure

The CCA operates the following:
• Root Certifying Authority (RCAI) under section 18(b) of the IT Act, and
• National Repository of Digital Signature Certificates (NRDC) under section 20 of the IT Act.

Page 18:

[Diagram labels: Internet, LAN, Directory Client, Relying Party, Subscriber (×3), CA (×3), Cert/CRL (×3), CCA, RCAI, NRDC]

CA Public Keys Certified by RCAI
CA’s Revoked Keys

CCA : Certificates of Public Keys of CAs
National Repository of Certificates

Page 19:

India PKI

CCA

• TCS CA
• NIC CA
• Safescrypt
• IDRBT CA
• iCert (CBEC)
• (n)Code
• MTNL Trustline

Page 20:

PKI enabled Applications

eProcurement
• IFFCO
• DGS&D
• ONGC
• GAIL
• Air-India
• Railways

Others
• MCA21
• Income Tax e-filing
• IRCTC
• DGFT
• RBI Applications (SFMS)

Page 21:

Challenges ahead

• Interoperability
• Uniformity in certificate contents
• Validation methods - Certificate Revocation Lists,..
• International alliances

• End User Adoption
• Application interoperability.
• Digital Signature Certificate interoperability.
• Trusted Verification Authority.
• Storage medium

Page 22:

Challenges ahead (contd.)

Awareness
• Understanding of digital signature concepts
• Knowledge about legal rights, duties and liability of owning digital certificate

Page 23:

Controller of Certifying Authorities

http://cca.gov.in

Thank you