Digital Signatures and Digital Certificates
a) What is a Digital Signature?
Digital signatures are electronically generated and can be used to ensure the integrity and authenticity of some data, such as an e-mail message and protect against non-repudiation.
b) Are Digital Signatures legally valid in India?
Yes, after the enactment of Information Technology Act 2000 in India, Digital Signatures are legally valid in India.
c) What is a Digital Certificate?
A Digital certificate is a form of an electronic credential for the Internet. Similar to a driver's license, employee ID card, a Digital certificate is issued by a trusted third party to establish the identity of the certificate holder. The third party who issues the Digital Certificate is known as the Certifying Authority (CA).
d) What is the relationship between public keys and Digital Certificates?
A certificate is an electronic document that binds a public key to a particular individual or organization. A trusted third party, called a Certifying Authority (CA), issues certificates. Before issuing a certificate, a CA will go though a series of authentication procedures to make sure that you are what you claim to be, and that the public key in the certificate really belongs to you.
The certificate is then encrypted (signed) with the CA's private key. Thus, if the end users trust the CA, and have the CAs public key, he can be sure of the certificate's legitimacy.
e) Is there any difference between Digital Certificate and Digital Signature?
Digital Signatures provide Authentication, Privacy, Non repudiation and Integrity in the virtual world . IT Act 2000 in India gives legal validity to electronic transactions that are digitally signed. Therefore we need digital signatures for secure messaging, online banking applications, online workflow applications, e-tendering, supply chain management etc.
Digital Certificates are digital documents attesting to the binding of a public key to an individual or specific entity. They allow verification of the claim that a specific public key does in fact belong to a specific individual. Digital Certificates help prevent someone from using a phony key to impersonate someone else.
In their simplest form, certificates contain a public key and a name. As commonly used, a certificate also contains an expiration date, the name of the Certifying Authority that issued the certificate, a serial number etc. Most importantly, it contains the digital signature of the certificate issuer.
A digital signature is an electronic method of signing an electronic document whereas a Digital Certificate is a computer based record which
1) Identifies the Certifying Authority issuing it.
2) Has the name or I the identity of its subscriber.
3) Contains the subscriber's public key.
4) Is digitally signed by the Certifying Authority issuing it.
f) Why do I need a Digital Certificate?
A Digital Certificate provides an electronic means of proving your identity. It also provides you with a high level of security for your online transactions. You can use certificates to encrypt information such that only the intended recipient can read it. You can digitally sign information to provide assurance to the recipient that it has not been changed in transit, and enable verification that you actually sent the message.
g) Where can I use Digital Certificates?
You can use Digital Certificate for secure email and web-based transactions, or to identify other participants of web-based transactions. You can use Digital Certificate to prove ownership of a domain name and establish SSL / TLS encrypted secured sessions between your website and the user for web based transaction. As a developer you can use Digital Certificate for proving authorship of a code and retain integrity of the distributed software programs. You can use Digital Certificates for signing web forms, e-tendering documents, filing income tax returns etc.
h) How does a Digital Certificate work ?
Certificates use the Public Key Infrastructure (PKI technology, which is a sophisticated, mathematically proven method of encrypting and decrypting information).
Information can be decrypted only when both a private key and a public key match each other.
The certificate contains information about a user's identity (for example, their name, email address, the date the certificate was issued and the name of the Certifying Authority that issued it.) The certificate also contains the public key.
The private key is stored on the user's computer hard disk or on an external device such as a smart card. The user retains control of the private key; it can only be used with the issued password.