Cover Story
Digital Integrity with PKI
Balancing the benefits and implementation hassles of public
key infrastructures (PKI) and digital signatures is easier said than done. There
have been some successes, but do traditional business transactions require
digital signatures? By Akhtar Pasha.
We contemplated for a long time on the idea of doing a story on the success of
Public Key Infrastructure (PKI)-based digital signatures and certificates. Are
there any takers for this technology? Do traditional business transactions require
digital signatures? Who is using it anyway?

"One can say that the demand for 'secure
transactions' (using PKI) that offer audit trail
history has grown by four to five times in the last two years"
- Dhiraj Beri
National Sales Manager,
Sify Communication Ltd
The Sardar Sarovar Narmada Nigam Ltd, Gujarat Housing Board,
Gujarat Water Supply & Sewerage Board, Gujarat State Police Housing Corporation
are a few users of PKI-based digital signatures. What is surprising is the way
in which the use of PKI and digital signatures has grown in the recent past.
According to Dhiraj Beri, National Sales Manager, Sify Communication Ltd (formerly
SafeScrypt), "Demand for PKI and digital certificates have been particularly
high during the last six to eight months." He adds that putting an exact
number to the transactions being done using digital signatures is difficult
since PKI is implemented in several ways. He however says, "One can say
that the demand for secure transactions (using PKI) that offer audit trails
have grown four to five times in the last two years."

"A Public Key Infrastructure is the prime enabler for
securing the flow of information on
the Web"
- Dr M Vidyasagar
Executive Vice President and Head, Advanced Technology Centre, Tata Consultancy
Services (TCS)
Agrees Dr. M. Vidyasagar, Executive Vice President and Head,
Advanced Technology Centre, Tata Consultancy Services (TCS). He adds, "Security
is imperative to the success of e-commerce and e-governance which is why PKI
and digital signatures have become increasingly important. A PKI is the prime
enabler for securing the flow of information on the Web. The future of e-commerce
and e-governance depends on the trust that transacting parties place on the
security of transmission and the integrity of contents."
Srikiran Raghavan, Regional Sales Head, RSA - the Security
Division of EMC says, "There is a paradigm shift in India with non-repudiation
being legally recognised through the use of electronic signatures. Electronic
signatures are not limited to digital signatures. This change was introduced
by the government to account for the fact that digital signatures may not be
the only technology to establish authentication and non-repudiation. The fact
that it was important to establish flexibility in the mode of non-repudiation
that was most appropriate for a specific business process also contributed to
this change."
The question here is whether an electronic document can be
relied upon as an authentic document, much like an original paper document.
There are several factors driving the need for digital certificates.
e-filing in MCA21
The Government of India has initiated a major e-Governance initiative, known
as MCA-21, in the Ministry of Company Affairs (MCA) for putting in place an
operational system for electronic transactions of the core activities under
the Companies Act. After the launch of the above e-Governance initiatives, e-Filing
of returns or forms to be submitted to the Income Tax, Excise, ROC (under MCA21
Project) authorities would become mandatory in due course. MCA envisages that
paper forms and documents will no longer be accepted by ROC offices once e-Filing
is launched. MCA 21 was launched by the Prime Minister at Delhi on 18th March,
2006 and is expected to be rolled out to all parts of the country. It is mandatory
for corporate assessees to file their e-returns (Income Tax) with effect from
24th July 2006. According to MCA, filing of returns by companies from September
16, 2006 will be accepted by the MCA21 system only if the document was signed
by authorised personnel. Dr Vidyasagar says, "The MCA21 system has instilled
confidence in businesses doing transactions on the Web and the uptake of PKI
and digital signatures are a digital acknowledgement of the transactions
that have taken place, which are legally binding and provide an adequate audit
trail."
Satish Naralkar, Chief Executive Officer, NSE.IT, adds, "Rather than deploy
an in-house PKI solution we wanted to focus on making good use of SafeScrypt's
proven Digital Certificate infrastructure and offer a new range of Trust enabled
services to the Securities Industry."
An important case in point that needs to be discussed here
is that of the Income Tax Department (ITD) project. One of the initiatives of
the ITD was the introduction of electronic filing (e-filing) of returns to make
the filing process easier for taxpayers as well as to reduce the time required
for data entry on receipt of applications. Enabling filing of returns over the
Internet was the most viable answer to the department's needs. A PKI suite
developed by TCS Certifying Authority (TCS-CA) provides a comprehensive solution
for the ITD. The e-filing application has been PKI enabled to incorporate digital
signatures. Using this tool, intermediaries are able to digitally sign documents.
The verification of digital signatures is done automatically on a 24X7 basis.
Digital certificates secure the information being transferred and ensure total
privacy, integrity and security. According to a company official, e-filing
helped furnish electronic returns through authorised intermediaries who are
called e-Return Intermediaries. Response time for processing returns
has dropped significantly. Data entered by intermediaries is available in the
system for immediate use and reference eliminating the duplication of efforts.
The online process does not require taxpayers to be physically present for filing
their returns.
| Name of Certifying Agency | Website |
| Tata Consultancy Services Ltd | www.tcs-ca.tcs.co.in |
| National Informatics Ltd | www.nic.in |
| Institute of Development & Research in Banking Technology (IDRBT) | www.idrbtca.org.in |
| MTNL | www.mtnltrustline.com |
| Customs & Central Excise | www.icert.gov.in |
| Code Solutions Ltd (A division of Gujarat Narmada Valley Fertilisers Company Ltd) | www.gnvfc.com |
| Safescrypt | www.safescrypt.com |
| RSA (A security division of EMC) | www.rsasecurity.com |
High volume or high value
Applitech Tendercity.com India Pvt. Ltd specialises in e-Procurement and it
has successfully enabled Rs 6,000 crores worth of business for various government
organisations. The company maintains Web sites of major government bodies such
as Sardar Sarovar Narmada Nigam Ltd, Gujarat Housing Board, Gujarat Water Supply
& Sewerage Board, Gujarat State Police Housing Corporation, Ahmedabad Municipal
Corporation and the like.
Dr Vidyasagar says, "We have seen PKI-based digital signatures being used
in high volume and high value transactions. It (PKI) has been successful in
protecting transactions and safeguarding the interests of transacting parties.
For instance, in the case of the Clearing Corporation of India Ltd (CCIL), who
happen to be our customers, each transaction is worth crores of rupees. Therefore
each transaction is risky. The banks' High Net Worth Individuals and bank
managers use digital signatures for all Internet-based transactions."
The Sardar Sarovar Narmada Nigam Ltd implemented PKI. It has saved the cost
of printing 10 lakh pages per year. Prior to the implementation, 300 tenders
were floated annually. Each tender document comprised five volumes that ran
into a minimum of 300 pages. For each tender, 12 such documents were prepared
that resulted in 3,600 pages for a tender or approximately 10 lakhs A4 pages
in a year. Further, bids were received from contractors, which were equally bulky
and considering five bids per tender, this worked out to an additional five
lakhs A4 pages a year.
e-procurement saved 15 lakhs pages annually. e-procurement has replaced the
conventional procurement system. By facilitating online submission of tenders
and bids, e-procurement has eliminated the paperwork and caused significant
improvements in transparency and efficiency. Additionally, online procurement
has reduced the processing cost of advertising, preparing, printing and disseminating
tender documents.
Beri says, "The use of PKI has significantly reduced the need to store
papers. The process is transparent and secure. The fact that digital signatures
cannot be repudiated, provides a legal foundation for all electronic transactions
like e-filing and e-tendering."
"Given the stakes involved in bids and tenders, ensuring fairness and accountability
while maintaining the confidentiality of bids and vendors are important,"
says Dr Vidyasagar.
Under the current SEBI (Securities and Exchange Board of India) guidelines,
every stockbroker has to issue a "Contract Note" to a client at the
end of each trading day. This note must contain details of all transactions
for that day and should be issued within 24 hours of the trade. The SEBI guidelines
permit the issuance of contract notes authenticated by means of using digital
signatures. This has provided a much needed boost to the online trading community.
Anup Bagchi, Chief Operating Officer, ICICIWebTrade, says, "The PKI solution
from SafeScrypt has automated the process of generating signed Contract Notes
and making them available to the customers quickly. It has helped us move from
a paper-based system to an electronic one enabling our customers to access critical
information at their convenience."
Removing transaction barriers
Beri says, "A primary hurdle had been awareness and marketing and the end-user's
mindset, which I believe is diminishing due to increasing public interest and
several awareness workshops being held. Another problem is the lack of infrastructure.
Applications today do not come with in-built support for PKI. Because of this
a lot of customisation has to be done." Raghavan adds, "The other hurdle
for PKI is integration with available applications. Most systems still do not
support PKI and therefore one has to adopt different standards for different
systems. This also leads to a considerable development or customisation effort
in making the technology usable within the business application or process."
There are a variety of uses for electronic signatures and they include strong
authentication, form signing, secure communication with Web sites and transaction
validation. For example, Tendercity is using it to sign forms digitally. The
ITD will be using it for e-filing.
Digital signatures have become affordable. Today a digital
certificate is priced at Rs 1,600 for two years or less than Rs 1,000 per year.
A USB token is priced at Rs 1,300.
Further impetus
Going forward, digital signatures will be used by travel agents, chartered accountants,
banking managers and in legal systems. TCS has recently conducted a pilot project
in Delhi. Dr Vidyasagar explains that when a session or court judge passes a
judgement it is documented. The document is digitally signed so that it can
be made available right away and nobody can tamper with it. Similarly, many Chartered
Accountants file returns on behalf of their clients.
Raghavan says, "The demand for electronic signatures will stem from the
proliferation of e-governance projects, financial institutions establishing
consumer identity protection and online risk management projects or telecom
and ISP organisations initiating secure content licensing initiatives."
As transactions become electronic in nature, the demand for PKI-based digital
signatures and certificates will increase manifold.