www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
26 December 2005  
Digital signatures

The digital security era

Public Key Infrastructure (PKI) is just the technology the Indian banking and financial sector needs for creating a trust infrastructure, feels Devendra Parulekar.

For somebody who has been in the information security industry for some time, it is easy to get a sense of the direction a particular product, company or technology is taking. PKI seemed to be the killer-app technology of the dotcom era, the one that would solve all the problems of information security (authentication, non-repudiation and so on); yet, strangely, it never seemed to gain popular acceptance or achieve the potential it supposedly possessed. To start with, let us get a lowdown on what PKI is.

Digital signatures and the IT Act 2000



Devendra Parulekar

The growth of e-commerce and e-governance depends largely upon the trust that transacting parties place on the communication process. Creating trust in an insecure environment involves assuring the transacting parties about the confidentiality and integrity of their messages. This requires identification and authentication of transacting parties, such that they cannot repudiate the transaction at a later date.

Digital signatures are created and verified using public key cryptography, which is based on the concept of a key pair: a public key and a private key generated together by a mathematical algorithm. The sender sends the message along with a hash of it (created using a hashing algorithm such as MD5) that has been encrypted with his private key. This encrypted hash (the digital signature) can be verified by the recipient of the message using the sender's public key. The public-private key pair itself is endorsed by a Certifying Authority (CA), licensed by the Controller of Certifying Authorities (CCA). This entire process assures the recipient that the message has originated from the purported source, that the contents of the message have not been altered, and that the sender cannot deny having sent it.
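The sign, verify and CA-endorsement steps described above, as an added worked example that is not part of the original article. It implements textbook RSA over a SHA-256 digest (rather than the MD5 the article mentions, since MD5 is no longer collision resistant, which undermines any signature built on it) and a toy "certificate" in which a CA signs the sender's public key. The two key pairs are built from fixed, publicly known Mersenne primes so the example runs deterministically offline; such keys, the absence of PKCS#1 padding, and the JSON certificate format are all simplifications for illustration, and real deployments use properly generated keys, padded signatures and X.509 certificates. The message and subject name are constructed sample values.

```python
import hashlib
import json

# Fixed, publicly known Mersenne primes (2^k - 1) used only to build
# deterministic toy keys for this example; never use such keys in practice.
MERSENNE = {
    89: (1 << 89) - 1,
    127: (1 << 127) - 1,
    521: (1 << 521) - 1,
    607: (1 << 607) - 1,
}
E = 65537  # common RSA public exponent; coprime to phi for the primes above


def make_keypair(p: int, q: int):
    """Return (public_key, private_key) for textbook RSA with modulus p*q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent: E^-1 mod phi(n)
    return {"n": n, "e": E}, {"n": n, "d": d}


def digest_int(data: bytes) -> int:
    """Hash the message and interpret the digest as an integer below n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, priv: dict) -> int:
    """The 'encrypted hash' of the article: digest^d mod n."""
    return pow(digest_int(data), priv["d"], priv["n"])


def verify(data: bytes, sig: int, pub: dict) -> bool:
    """Recover the digest with the public key and compare to a fresh hash."""
    if not 0 < sig < pub["n"]:
        return False
    return pow(sig, pub["e"], pub["n"]) == digest_int(data)


def issue_certificate(subject: str, subject_pub: dict, ca_priv: dict) -> dict:
    """CA endorsement: the CA signs the binding (subject, public key)."""
    body = {"subject": subject, "n": subject_pub["n"], "e": subject_pub["e"]}
    to_be_signed = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": sign(to_be_signed, ca_priv)}


def check_certificate(cert: dict, ca_pub: dict) -> bool:
    """Recipient checks the CA's signature over the certificate body."""
    to_be_signed = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(to_be_signed, cert["signature"], ca_pub)


def verify_signed_message(message: bytes, sig: int, cert: dict, ca_pub: dict) -> bool:
    """Full check: trust the CA, then use the certified key on the message."""
    if not check_certificate(cert, ca_pub):
        return False
    sender_pub = {"n": cert["body"]["n"], "e": cert["body"]["e"]}
    return verify(message, sig, sender_pub)


def demo() -> dict:
    """Exercise the genuine path and three failure modes a recipient must catch."""
    ca_pub, ca_priv = make_keypair(MERSENNE[89], MERSENNE[607])
    sender_pub, sender_priv = make_keypair(MERSENNE[127], MERSENNE[521])
    cert = issue_certificate("sender@example.invalid", sender_pub, ca_priv)

    message = b"Transfer INR 10,000 to account 12345"  # constructed sample
    sig = sign(message, sender_priv)

    # A certificate whose subject was edited after the CA signed it.
    renamed_cert = {"body": dict(cert["body"], subject="someone-else"),
                    "signature": cert["signature"]}

    return {
        "genuine": verify_signed_message(message, sig, cert, ca_pub),
        "tampered_message": verify_signed_message(message + b"0", sig, cert, ca_pub),
        "renamed_certificate": verify_signed_message(message, sig, renamed_cert, ca_pub),
        "untrusted_ca": verify_signed_message(message, sig, cert, sender_pub),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'rejected'}")
```

Only the untouched message under an untouched, CA-signed certificate verifies; altering one byte of the message, editing the certificate body, or presenting the certificate to a verifier that does not trust the issuing CA each causes rejection, which is exactly the integrity, authenticity and non-repudiation guarantee the text describes.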

The IT Act provides for the CCA to licence and regulate the functioning of CAs that issue digital certificates. The CCA also maintains the National Repository of Digital Certificates (NRDC), which contains all the certificates issued by all the CAs in the country. Presently, there are seven licensed CAs (Safescrypt, NIC, IDRBT, TCS, MTNL, Customs & Central Excise and (n)Code Solutions CA (GNFC)) operating in India.

The Information Technology Act, 2000 provides the required legal sanctity to digital signatures, which are considered at par with handwritten signatures and the electronic documents that have been digitally signed are treated at par with paper documents. The Indian Evidence Act and other statutes have been suitably amended to recognise digital signatures and digitally signed documents and electronic records.

PKI overview and components

PKI is not one single protocol or standard, but a whole set of services. Its components include among other things, digital certificates, CAs, Registration Authorities (RAs), security-enabled applications, databases and Lightweight Directory Access Protocol (LDAP). Simply put, PKI is a combination of technologies, policies and practices that help in identifying, authenticating and protecting information assets and transacting even on the insecure public domain, the Internet. The implementation may cover the whole set of services or technologies or a part thereof, depending on intended use. Any organisation’s PKI infrastructure encompasses the issuance of digital certificates to individual users and servers; user registration software; user provisioning engines; tools for managing, renewing, and revoking certificates; and related services and support.

Technology adoption

Now we come to the million-dollar question. Why has PKI not lived up to its intended promise? Perhaps it is too early to write off PKI and digital signatures and pen their obituary, as this is a technology that will surely have a 'tipping point', from where there will be no looking back. One reason could be the inadequate growth of e-governance, a major driver for the growth and adoption of PKI. With the present government stressing e-governance as an effective delivery channel for all government services to its citizens, PKI would find more takers, as it is the best way for citizens to be authenticated on the Internet. But this would require a massive process of creating, verifying and maintaining a database of India's citizens, with each of them having a unique citizen ID. The National Institute of Smart Governance (NISG) is making efforts in this direction.

While Internet banking has become popular, bankers complain about the huge resistance that customers are putting up against the introduction of PKI or client-side digital certificates for authentication.

One reason could be that if the certificate is loaded onto a smart card, where are the card readers to read the cards? Or, for that matter, if browser-based certificates are to be rolled out, they tie the user down to a particular PC or set of PCs. Studies show that most Indians access the Internet through cyber cafes, which provide neither. Further, in the absence of a common citizen ID, an individual would have to obtain and maintain multiple digital certificates for different purposes and to access various government and enterprise Web sites.

Moreover, PKI implementation is expensive and most organisations have not been able to justify the expected budget outlays with quantitative Return on Investment. The Indian industry has seen tremendous growth, and with increasing globalisation, information security spending will slowly but surely increase. Today, information security spends account for less than 2 to 3 percent of the overall IT budget, as compared to international standards of 5 to 7 percent of the overall IT budget.

PKI is supposed to be a simple concept, but it is a complex technology (ironically, most people do not understand PKI beyond the acronym). The interoperability issues also have to be considered.

One of the advantages the country has is that the IT Act mandates PKI technology over other competing technologies, whereas other countries' IT legislation remains technology agnostic.

What will drive growth?

While digital certificates are useful in almost every industry, one of the important sectors where the deployment of digital certificates could bring benefits is banking and financial services, where data security is more important than in perhaps any other sector. Players like IDRBT (Institute for Development and Research in Banking Technology) are pushing digital certificates aggressively for adoption by banks.

Though the Indian digital signature market is in a nascent stage, the real potential will unfold once all banks are PKI-enabled and customers start using digital signatures the way they use credit cards. One smart card that most of us carry (without really knowing it) is the GSM SIM card in our GSM phone. Recently, banks have announced their intention to launch GSM-based credit card micro-payment facilities that convert your phone into a Mobile Wallet and the merchant's phone into a Point of Sale (PoS) terminal. Digital certificates are being loaded onto these mobile PoS terminals and Mobile Wallets. This may see an explosion in the near future.

Already, online stock-trading portals sign their contract notes using digital certificates, obviating the need to maintain physical contract notes and in turn reducing the paperwork one usually finds in a broker's office.

If CBDT allows electronic filing of income tax returns to individual assessees, one may soon see the proliferation of digital certificates.

With local self government agencies (such as Brihanmumbai Municipal Corporation), states and the central government looking at e-governance initiatives, the market for digital certificates could receive a fillip.

While the Indian digital certificate market is still in a nascent stage, these small islands of adoption in diverse sectors could definitely help in spreading awareness and increasing the adoption levels.

Devendra Parulekar is Senior Manager, Ernst & Young.

He can be reached at devendra.parulekar@in.ey.com

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.