Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy Controller

Electronic Transactions The success of electronic transactions depends on “the trust that the transacting parties place in the security of the transmission and content of their communications” Authenticity Non-Repudiability Confidentiality Integrity

Information Technology (IT) Act, 2000 Accorded legal recognition to Digital signatures Digital signatures treated at par with handwritten signatures Technology-specific

Public key cryptography for Digital signatures Pair of keys for every entity One Public key – known to everyone One Private key – known only to the possessor To digitally sign an electronic document the signer uses his/her Private key. To verify a digital signature the verifier uses the signer’s Public key. No need to communicate private keys

Creating a Digital signature Encryption Algorithm Signed document Document + Digital signature Document + Digital signature Private Key

Verifying a Digital signature Decryption Algorithm Document + Digital signature Document + Digital signature Signature verification and Document integrity Public Key of signer

Public key Cryptography & Digital Signatures Assurance of Authenticity of the Digital Signature created by the Private key is determined by the Trust that can be placed in the Public key Public key Certificates or Digital Signature Certificates bind a “public key” to an “Identity”

Public key Cryptography & Digital Signatures Change in Document => Change in the Digital Signature Digital Signature is bound to the Document as well as the Signer => Assurance of Integrity

Issues in Public key Cryptosystems How will verifier get signers public key? How will verifier authenticate signers public key ? How will the signer be prevented from repudiating his/her digital signature?

Public key Cryptography & Digital Signatures Digital Signature Certificates(containing the public key) are issued by Certifying Authorities after Identity verification Responsibility of protecting the private key lies with its owner. Loss or compromise of private key should be communicated to the CA so as to result in REVOCATION of the corresponding Digital Signature Certificate.

Certifying Authority Issues Digital signature Certificates (Public Key Certificates). Is widely known and trusted Has well defined methods of assuring the identity of the parties to whom it issues certificates. Confirms the attribution of a public key to a person by means of a public key certificate. Always maintains online access to the Digital Signature Certificates issued.

Public Key Certification User credentials User’s Public Key CA’s Name Validation period Signature of CA User credentials User’s Public Key CA’s Name Validation period Signature of CA User 1 certificate User 2 certificate. User 1 certificate User 2 certificate. Digitally Signed using CA’s private key Digitally Signed using CA’s private key User credentials User credentials User’s Public key User’s Public key Digital Signature Certificate Certificate Database Publish Certificate Request

Certificate Revocation List (CRL) A list of Certificates that have been revoked and declared invalid

Public Key Infrastructure & the IT Act 2000 Controller of Certifying Authorities as the “Root” Authority certifies the technologies and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates

CCA’s role Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising supervision over their activities. Controller of Certifying Authorities as the “Root” Authority certifies the technologies and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates Certifying the public keys of the CAs, as Public Key Certificates (PKCs). Laying down the standards to be maintained by the CAs, Addressing the issues related to the licensing process including: Approving the Certification Practice Statement(CPS); Auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA.

Audit Process Adequacy of security policies and their implementation; Existence of adequate physical security; Evaluation of functionalities in technology as it supports CA operations; Compliance to the adopted Certification Practice Statement (CPS); Adequacy of contracts/agreements for all outsourced CA operations; Adherence to Information Technology Act 2000, the Rules, Regulations and Guidelines issued by the Controller from time-to-time.

CCA’s technical Infrastructure The CCA operates the following :- Root Certifying Authority (RCAI) under section 18(b) of the IT Act, and National Repository of Digital Signature Certificates (NRDC) under section 20 of the IT Act.

Internet Directory Client CA LAN Cert/CRL RCAI CCA NRDC Relying Party Subscriber  CA Public Keys Certified by RCAI  CA’s Revoked Keys CCA : Certificates of Public Keys of CAs National Repository of Certificates

CCA TCSCANICCASafescrypt India PKI IDRBTCA iCert (CBEC) (n)Code MTNLTrustline

PKI enabled Applications eProcurement IFFCO DGS&D ONGC GAIL Air-India Railways Others MCA21 Income Tax e-filing IRCTC DGFT RBI Applications (SFMS)

Challenges ahead Interoperability Uniformity in certificate contents Validation methods - Certificate Revocation Lists,.. International alliances End User Adoption Application interoperability. Digital Signature Certificate interoperability. Trusted Verification Authority. Storage medium

Challenges ahead..contd Awareness Understanding of digital signature concepts Knowledge about legal rights, duties and liability of owning digital certificate

Controller of Certifying Authorities Thank you