Documente Academic
Documente Profesional
Documente Cultură
Infrastructure
Dr. Balaji Rajendran
(balajirajendran@gmail.com)
Centre for Development of Advanced Computing (C-DAC)
Bangalore
17th October 2015
NITK, Surathkal
Agenda
What & Why: Digital Signature?
What is Digital Signature Certificate?
Achieving Confidentiality
Certifying Authority & Trust Model
Certificate Issuance, Types, Classes
Certificate Life Cycle Management and Validation Methods
Risks and Precautions with DS
Policy and Legal Aspects of PKI
e-Sign An Instant & Online way of Digital Signing in India
PKI Applications in India
2
Understanding Signature
Hand-written Signature Definition & Purpose
A persons name written in a distinctive way as a
form of identification in authorizing a cheque or
document
A distinctive pattern, product, or characteristic by
which someone or something can be identified
Attacks on Identity
Impersonation
How is Identity verified?
Authentication Process of verifying who somebody is
against his claim
Identity is established / proved through Authentication!
Electronic World
Attacks on Integrity
Deposit 1,00,000
in Veerus Account
Deposit 1 in Veerus
Account and 99,999 in
Gabbars Account
Customer
Bank
Breach of Integrity
Attacks on Identity
Gabbar
Veeru
Im Veeru
Send Me all Corporate
Correspondence
with abc.
Breach of Authenticity
Jai
Digital Signatures
Properties of Signatures
Verifiable
Provides Authentication
Provides Data Integrity
Provides Non-repudiation
Private key
To verify a digital signature the verifier uses the signers Public
key
KnJGdDzGSIHDZuOE
Private Key
iWLI+4jxMqmqVfAKr2E
X
13
Computationally Infeasible
010a
e493
9653
d278
4c08
97ec
0a8a
3ceb
f82e
32a8
2840
0282
bab6
8466
be68
299d
199b
cf42
7103
6135
f92a
8102
0101
06d3
0500
2a44
4055
c105
b2f0
a938
c629
54fb
0301
00b1
0d59
da44
5e2f
eb3c
68fd
1cd5
4a16
4c2a
ff78
0001
d311
bd3e
4980
cfcc
7d83
e6b7
5ffb
6c89
d02a
41bc
e079
c1ce
d854
185e
deb5
a991
6bed
2aca
63d1
bd71
5543
4367
0aa5
47bc
f0f7
942c
6856
da33
6559
28f4
0708
018a
2586
3ab1
8a83
e478
7b39
1379
b4f8
bb90
4ccb
21a8
94ed
463d
0ea1
4824
2c72
c255
cdf9
bcff
0542
efbc
6356
1ef0
4cb4
1a25
38b0
8ced
f400
9634
Public Key
3082
e493
8466
2a44
eb3c
e6b7
6bed
da33
b4f8
bcff
01e4
bab6
0500
5e2f
7d83
a991
6856
1379
cdf9
9634
f267
0673
da44
cfcc
deb5
942c
7b39
c255
f400
04de
0142
0d59
4980
185e
f0f7
e478
2c72
8ced
84b6
45de
0f61
bf3e
d8b4
47bc
8a83
4824
38b0
9cbb
5742
af46
dd12
c1ce
0aa5
3ab1
0ea1
1a25
ee93
f2cb
859d
2240
e089
4367
2586
463d
4cb4
193a
a9d3
5b10
32a8
8410
5547
012a
94ed
1df0
3aa5
eb95
7b77
f82e
f92a
02f1
0f08
11a8
6356
b92c
b35f
9c39
3ceb
6135
54fb
0001
4ccb
efbc
ff70
345f
5a22
0a8a
7103
c629
ff78
0542
ccd0
6ca3
8c7c
97ec
cf42
a938
4c2a
41bc
00e2
a2cc
a119
4c08
199b
b250
4a16
d02a
bd71
0d83
b055
d278
299d
c105
1cd5
6c89
63d1
28f4
463d
9653
be68
4055
68fd
5ffb
2aca
6559
bb90
00e2
ccd0
ff70
b92c
3aa5
193a
ee93
9cbb
84b6
04e3
0d83
a2cc
6ca3
345f
b35f
eb95
a9d3
f2cb
5742
459e
p and q
z
e such that (e*d )= 1 mod z
Public Key (n, e)
Private Key (n, d)
MODULUS
PUBLIC EXPONENT
ALGORITHM VERSION
PUBLIC EXPONENT
MODULUS
PRIVATE
COMPONENT
PRIME 1
PRIME 2
EXPONENT 1
EXPONENT 2
COEFFICIENT
SEPERATOR
This is an example of
how to create a
message digest and
how to digitally sign a
document
using
Public
Key
cryptography
Hash
Message
Digest
Hash Function
A hash function is a cryptographic mechanism that
21
21
Hash - Example
Hi Jai,
Hi Jai,
Message
3 pm
3 pm.
Veeru
Veeru
Hash Algorithm
Message Digest
86D19C25294FB0D3E4CF8A026823439064598009
B5EA1EC376E61DB2680D0312FC26D3773F384E43
Hash One-way
B5EA1EC376E61DB2680D0312FC26D3773F384E43
Hi Jai,
Veeru
23
Hi Jai,
Hi Jai,
I will be in the
I will be in the
I will be in the
park at 3 pm
park at 3 pm
park at 3 pm
Veeru
Veeru
Veeru
MD5
SHA-1
SHA-2
1f695127f210144329ef
98e6da4f4adb92c5f18
2
2g5487f56r4etert654tr
c5d5e8d5ex5gttahy55e
Message Digest
cfa2ce53017030315f
de705b9382d9f4
128 Bits
160 Bits
224/256/384/512
Message
Digest
Encrypt with
private key
Digital
Signature
Digital
Signature
Append
This is an example of
how to create a
message digest and
how to digitally sign a
document
using
Public
Key
cryptography
Digital
Signature
This is an example of
how to create a
message digest and
how to digitally sign a
document
using
Public
Key
cryptography
Digital
Signature
Hash
Message
Digest
Decrypt with
public key
Message
Digest
efcc61c1c03db8d8ea8569545c073c814a0ed755
My place of birth is Gwalior.
fe1188eecd44ee23e13c4b6655edc8cd5cdb6f25
I am 62 years old.
0e6d7d56c4520756f59235b6ae981cdb5f9820a0
I am an Engineer.
ea0ae29b3b2c20fc018aaca45c3746a057b893e7
I am a Engineer.
01f1d8abd9c2e6130870842055d97d315dff1ea3
These are digital signatures of same person on different documents
General Conventions
Signing Private Key of the Signer
Verification Public Key of the Signer
Name: Veeru
Department: AMD
Certificate Info:
Serial No: 93 15 H0
Exp Date: dd mm yy
Sign
Sample Certificate
Trust Model
Subscribers
Subscribers
Subscribers
...
...
Make Online
Payment
Other
Identity
Information
X.509 v3 Cert
Crypto Tokens
Contain a Cryptographic co-processor
with a USB interface
Key is generated inside the token.
Key is highly secured as it doesnt leave
the token
Highly portable and Machineindependent
FIPS 140-2 compliant; Tamper-resistant;
Certificate Classes
Classes of Certificates
3 Classes of Certificates
Class 1 Certificate
Issued to Individuals
Assurance Level: Certificate will confirm Users name
and Email address
Suggested Usage: Signing certificate primarily be used
for signing personal emails and encryption certificate is
to be used for encrypting digital emails and
SSL certificate to establish secure communication
through SSL
Classes of Certificates
Class 2 Certificate
Issued for both business personnel and private
individuals use
Assurance Level: Conforms the details submitted in
the form including photograph and documentary
proof
Suggested Usage: Signing certificate may also be used
for digital signing, code signing, authentication for VPN
client, Web form signing, user authentication, Smart Card
Logon, Single sign-on and signing involved in eprocurement / e-governance applications, in addition to
Class-I usage
Classes of Certificates
Class 3 Certificate
Issued to Individuals and Organizations
Assurance Level: Highest level of Assurance; Proves
existence of name of the organization, and assures
applicants identity authorized to act on behalf of the
organization.
Suggested Usage: Signing certificate may also be used for
digital signing for discharging his/her duties as per official
designation and encryption certificate to be used for
encryption requirement as per his/her official capacity
Types of Certificates
Types of Certificates
Signing Certificate (DSC)
Issued to a person for signing of electronic
documents
Encryption Certificate
Issued to a person for the purpose of Encryption;
SSL Certificate
Issued to a Internet domain name (Web Servers,
Email Servers etc)
Achieving Secrecy
Encrypt
Public key
Private key
Encrypted Message
Eavesdropper
Message
Decrypt
Veerus Public
Key
Jai
Message
Hi Veeru
I am Jai
Encryptor
Gabbar
Encrypted Message
#$23R*7&#e
Veerus
Private Key
Decryptor
Veeru
Message
Hi Veeru
I am Jai
Achieving PAIN !
How to achieve Privacy, Authenticity, Integrity
and Non-repudiation all together in a
transaction
Signcryption
Why do you need Signcryption ?
The intended receiver alone should know the
contents of the message
Secrecy / Confidentiality / Privacy
General Conventions
Certificate Extensions
File Formats with Extensions
Description
.CER
.CRT
.DER
.P12
.PFX
.CSR
.CRL
A word of Caution!
Keep your Digital Security Tokens Safe!
Report loss of tokens immediately and seek for
revocation from the CA
If you have any doubts that private key has been
compromised, inform the CA
Remember that risks are inherent in any system!
Any Security system is only as safe as the weakest link in
the security chain!
Dimensions of PKI
e-Sign/e-Hastakshar
e-Hastakshar offers on-line platform to citizens for instant signing of their
documents securely in a legally acceptable form, under the Indian IT Act
C-DAC through its e-Sign/e-Hastakshar initiative enables citizens with
valid Aadhaar ID and registered mobile number to carryout digital signing of
their documents on-line.
DSC offered by C-DAC CA through eSign service to the applicant is for onetime signing usage and shall be of class Aadhaar-eKYC OTP.
C-DAC utilizes the service of Unique Identification Authority of India (UIDAI)
for on-line e-authentication and Aadhaar eKYC Service.
As a provider of DSC and eSign services, C-DAC plays the role of a Certifying
Authority (CA) under the Controller of Certifying Authorities (CCA)
e-Sign Architecture
e-Sign Overview
Benefits of e-Sign
No need of Hardware Tokens
No Physical Verification of user is required
Privacy is preserved
IT Act 2000
IT Act 2000 made changes in the Law of
Evidence, and provides
e-Invoice
e-Tax Filing
(G2C)
e-Customs
(G2B)
e-Passport
e-Governance
Bhoomi (G2C)
a PKI enabled registration and Land Records Services offered by
Govt. of Karnataka to the people. All the land records and
certificates issued are digitally signed by the respective officer
e-Payment
(B2C)
e-Billing
e-Procurement
G2B , B2B
e-Insurance
Service
10 Treasury
Operations
Other Implementations
DGFT - Clearance of goods are now initiated
by exporters through push of a button and in
their offices;
Previously it used to take days; and requests are now
cleared within 6 hours
Summary
PKI is an ecosystem comprising of Technology, Policy
and Implementations
Digital Signatures provide Authenticity, Integrity, and NonRepudiation for electronic documents & transactions
Asymmetric Key system enables Confidentiality
General Conventions
Conclusion
PKI and Digital Signatures have been
transforming the way traditional transactions
happen
PKI Ecosystem has the potential to usher
Transparency
Accountability
Time, Cost & Effort-savings
Speed of execution and to be an integral part of
Digital India and bring in Digital Identity
References
Ryder, Rodney D, Guide to Cyber Laws, 3rd Edition, Wadhwa & Company, New Delhi
88
Thank You
pki@cdac.in