Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status
Mrs Debjani Nag, Deputy Controller

Electronic Transactions
The success of electronic transactions depends on “the trust that the transacting parties place in the security of the transmission and content of their communications”
• Authenticity
• Non-Repudiability
• Confidentiality
• Integrity

Information Technology (IT) Act, 2000
• Accorded legal recognition to Digital signatures
• Digital signatures treated at par with handwritten signatures
• Technology-specific
Public key cryptography for Digital signatures
• Pair of keys for every entity
  • One Public key – known to everyone
  • One Private key – known only to the possessor
• To digitally sign an electronic document the signer uses his/her Private key.
• To verify a digital signature the verifier uses the signer’s Public key.
• No need to communicate private keys
Creating a Digital signature (diagram): Document → Encryption Algorithm with the signer’s Private Key → Digital signature; the Signed document is the Document + Digital signature.
Verifying a Digital signature (diagram): Document + Digital signature → Decryption Algorithm with the Public Key of signer → Signature verification and Document integrity.
Public key Cryptography & Digital Signatures
• Assurance of Authenticity of the Digital Signature created by the Private key is determined by the Trust that can be placed in the Public key
• Public key Certificates or Digital Signature Certificates bind a “public key” to an “Identity”

Public key Cryptography & Digital Signatures
• Change in Document => Change in the Digital Signature
• Digital Signature is bound to the Document as well as the Signer => Assurance of Integrity
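The signing and verification flow of the preceding slides, as an added example that is not part of the presentation. It uses RSA with SHA-256 from Go's standard library (the slides name no particular algorithm); the record text, key sizes and the field names of the Outcome type are assumptions made for this example. It also goes one step beyond the slides by showing that a signature checked against a different entity's public key fails, which is what the certificate slides later address.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample electronic record; any byte string would do.
var document = []byte("Purchase order 42: 1,000 units to Sample Supplier Ltd")

// SignDocument hashes the record and transforms the digest with the signer's
// private key (RSA PKCS#1 v1.5 over SHA-256), the "encryption with the private
// key" step of the slides. Only the key's possessor can produce this value.
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyDocument recomputes the digest and checks the signature with the
// signer's public key. It succeeds only if the signature was made with the
// matching private key (authenticity) and the record is unchanged (integrity).
func VerifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome records what a relying party sees in each case.
type Outcome struct {
	Original     bool // genuine signature over the unchanged record
	Tampered     bool // same signature presented with an altered record
	WrongKey     bool // genuine signature checked against someone else's public key
	DifferentSig bool // signing the altered record yields a different signature value
}

// Run generates the signer's key pair and an unrelated one, signs the record,
// then exercises the cases. Only Original and DifferentSig should be true.
func Run() (Outcome, error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	sig, err := SignDocument(signer, document)
	if err != nil {
		return Outcome{}, err
	}
	// Alter a single byte of the record after it was signed.
	tampered := append([]byte{}, document...)
	tampered[len(tampered)-1] = '!'
	sig2, err := SignDocument(signer, tampered)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		Original:     VerifyDocument(&signer.PublicKey, document, sig),
		Tampered:     VerifyDocument(&signer.PublicKey, tampered, sig),
		WrongKey:     VerifyDocument(&other.PublicKey, document, sig),
		DifferentSig: !bytes.Equal(sig, sig2),
	}, nil
}

func main() {
	out, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The WrongKey case is the one the slides' question "How will verifier authenticate the signer's public key?" is about: the mathematics only tells the verifier that the signature matches the key it was given, not whose key that is.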
Issues in Public key Cryptosystems
• How will the verifier get the signer’s public key?
• How will the verifier authenticate the signer’s public key?
• How will the signer be prevented from repudiating his/her digital signature?

Public key Cryptography & Digital Signatures
• Digital Signature Certificates (containing the public key) are issued by Certifying Authorities after Identity verification
• Responsibility of protecting the private key lies with its owner.
• Loss or compromise of the private key should be communicated to the CA so as to result in REVOCATION of the corresponding Digital Signature Certificate.
Certifying Authority
• Issues Digital signature Certificates (Public Key Certificates).
• Is widely known and trusted
• Has well defined methods of assuring the identity of the parties to whom it issues certificates.
• Confirms the attribution of a public key to a person by means of a public key certificate.
• Always maintains online access to the Digital Signature Certificates issued.

Public Key Certification (diagram): the user submits a Certificate Request with User credentials; the CA issues a Digital Signature Certificate containing the User credentials, the User’s Public Key, the CA’s Name, the Validation period and the Signature of the CA (digitally signed using the CA’s private key); the CA then publishes the User’s Public key in its Certificate Database (User 1 certificate, User 2 certificate, ...).

Certificate Revocation List (CRL)
• A list of Certificates that have been revoked and declared invalid

Public Key Infrastructure & the IT Act 2000
Controller of Certifying Authorities as the “Root” Authority certifies the technologies and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates
CCA’s role
• Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising supervision over their activities.
• Controller of Certifying Authorities as the “Root” Authority certifies the technologies and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates
• Certifying the public keys of the CAs, as Public Key Certificates (PKCs).
• Laying down the standards to be maintained by the CAs.
• Addressing the issues related to the licensing process including:
  • Approving the Certification Practice Statement (CPS);
  • Auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA.

Audit Process
• Adequacy of security policies and their implementation;
• Existence of adequate physical security;
• Evaluation of functionalities in technology as it supports CA operations;
• Compliance with the adopted Certification Practice Statement (CPS);
• Adequacy of contracts/agreements for all outsourced CA operations;
• Adherence to the Information Technology Act 2000 and the Rules, Regulations and Guidelines issued by the Controller from time to time.
CCA’s technical Infrastructure
The CCA operates the following:
• Root Certifying Authority (RCAI) under section 18(b) of the IT Act, and
• National Repository of Digital Signature Certificates (NRDC) under section 20 of the IT Act.

CCA : Certificates of Public Keys of CAs (diagram): the CCA operates the RCAI, which certifies the CA Public Keys, and the NRDC (National Repository of Certificates), which holds the CA Public Keys certified by the RCAI and the CAs’ Revoked Keys; each CA supplies its Cert/CRL data to the repository (over its LAN and the Internet), and Subscribers and Relying Parties retrieve Cert/CRL data through a Directory Client.
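The hierarchy of the Certifying Authority, CRL and CCA infrastructure slides above, as an added example that is not part of the presentation: a self-signed root standing in for the RCAI certifies a CA's public key, the CA issues a Digital Signature Certificate to a subscriber and publishes a CRL, and a relying party validates the chain and consults the CRL. It uses only Go's crypto/x509 package (requires Go 1.19 or later); all names, serial numbers, validity periods and the choice of ECDSA P-256 are assumptions made for this example and do not describe any real CCA or CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a minimal certificate. CA templates carry the key usages
// crypto/x509 requires of an issuer of certificates and CRLs.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl with the parent's private key; pass tmpl itself as parent
// for a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// makeCRL has the CA sign a CRL listing the given revoked serial numbers; an
// empty list is a valid "nothing revoked" CRL.
func makeCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, serials ...int64) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(number),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
}

// CheckSubscriber does the relying party's work: validate the chain to the
// root through a CA the root has certified, confirm the CRL was signed by that
// CA, then look the subscriber's serial number up on it. Returns (chainOK, revoked).
func CheckSubscriber(sub, ca, root *x509.Certificate, crlDER []byte) (bool, bool, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	_, err := sub.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	chainOK := err == nil
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return chainOK, false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // an unsigned or forged CRL proves nothing
		return chainOK, false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(sub.SerialNumber) == 0 {
			return chainOK, true, nil
		}
	}
	return chainOK, false, nil
}

// Scenario builds root -> licensed CA -> subscriber (serial 1001) and returns:
// chain valid, revoked before and after the CA lists 1001 on its CRL, and
// whether a certificate from a CA the root never certified is accepted.
func Scenario() (okBefore, revokedBefore, revokedAfter, unlicensedOK bool) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, caKey, subKey, otherKey := newKey(), newKey(), newKey(), newKey()
	rt := template("Sample Root (stands in for RCAI)", 1, true)
	root := issue(rt, rt, &rootKey.PublicKey, rootKey)
	ca := issue(template("Sample Licensed CA", 2, true), root, &caKey.PublicKey, rootKey)
	sub := issue(template("Sample Subscriber", 1001, false), ca, &subKey.PublicKey, caKey)
	ut := template("Sample Unlicensed CA", 3, true)
	unlicensed := issue(ut, ut, &otherKey.PublicKey, otherKey)
	other := issue(template("Sample Subscriber", 2002, false), unlicensed, &subKey.PublicKey, otherKey)

	okBefore, revokedBefore, _ = CheckSubscriber(sub, ca, root, makeCRL(ca, caKey, 1))
	_, revokedAfter, _ = CheckSubscriber(sub, ca, root, makeCRL(ca, caKey, 2, 1001))
	unlicensedOK, _, _ = CheckSubscriber(other, ca, root, makeCRL(ca, caKey, 2))
	return
}

func main() { fmt.Println(Scenario()) }
```

Two points the code makes concrete: a certificate with the same subject name from a CA the root never certified does not chain, which is what "Certifying the public keys of the CAs" buys a relying party; and revocation only takes effect for relying parties who fetch the current CRL and check the CRL's own signature, so the repository has to be consulted, not just the certificate.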
India PKI (diagram): CCA at the root, with the licensed CAs Safescrypt, IDRBTCA, TCSCA, NICCA, MTNLTrustline, iCert (CBEC) and (n)Code.

PKI enabled Applications
eProcurement
• IFFCO
• DGS&D
• ONGC
• GAIL
• Air-India
• Railways
Others
• MCA21
• Income Tax e-filing
• IRCTC
• DGFT
• RBI Applications (SFMS)
Challenges ahead
Interoperability
• Uniformity in certificate contents
• Validation methods - Certificate Revocation Lists, ...
• International alliances
End User Adoption
• Application interoperability.
• Digital Signature Certificate interoperability.
• Trusted Verification Authority.
• Storage medium

Challenges ahead (contd.)
Awareness
• Understanding of digital signature concepts
• Knowledge about the legal rights, duties and liability of owning a digital certificate

http://cca.gov.in
Thank you