The ongoing expansion of broadband and Internet services is expected to give a boost to e-commerce in India. In this context, digital signatures or public key infrastructure (PKI) are often considered to be essential for guaranteeing information security which is vital for the growth of e-commerce and e-governance. Digital signatures were announced as the only legal medium of authentication by the IT Act way back in 2000. However, large-scale digital signature implementation is yet to happen in the country.
More resources on digital signature implementation
According to Manish Naik, the head of technology for (n) code solutions (a licensed certifying authority), the digital signature architecture essentially takes care of the privacy, authenticity, integrity and non-repudiation (PAIN) issues of online business.
The PKI architecture starts with the top umbrella organization or root certifying authority—the Controller of Certifying Authorities (CCA) in the case of India—which creates the primary key under which every digital signature certificate (DSC) is created. The CCA creates CAs or Sub-CAs (there are currently seven licensed CAs in India) whose licenses and keys are signed by the CCA. Licensed CAs can in turn issue DSCs to individuals, servers, VPN devices and routers, informs Naik. As far as retail- or consumer-level use of digital certificates is concerned, all operating systems have a root CA public key repository in the browser itself, which mainly helps them to open only trusted Websites. Digital signature implementations largely work on the key pair concept—a public key which is publicly available for use and a private key (which is confidential and only available to a particular individual).
Different usage scenarios for DSCs
According to Naik, the analogy of public and private keys can be used to secure any number of online processes and Web-based transactions. To illustrate the functioning, Naik uses the example of using digital signatures for e-procurement. "The buyer or host of the tender puts his public key on the Website. The buyer wants to ensure that neither he nor any other vendor can see the price offered in the tender till the day that it's supposed to open. A vendor will encrypt his tender details using the buyer's public key, and sign the tender with his private key. On the day of tender opening, the buyer will confirm each vendor's identity using that vendor's public key. He will then use his private key to see the tender's contents, thus protecting the whole e-procurement process."
Similarly, you can have a PKI-enabled document management, commercial and finance system. Ravi Jagannathan, the managing director and CEO of 3i Infotech Consumer Services, says that digital signature implementations can be used in any kind of electronic data interchange such as online trading, electronic purchase orders within ERP systems, e-contracts or PDF documents.
Current state of digital signature implementation in India
While many feel that the adoption of digital signature is at its peak, others debate about the low numbers of large-scale deployments. Vishal Salvi, the CISO of HDFC Bank feels that there is a definite push from the government side. "There are more digital signature implementations at the government agency level," he says.
In June 2010, the Central Board of Direct Taxes made it mandatory for all companies to file their income tax returns electronically in Form No ITR-6 with digital signatures. Naik informs that more than 10,00,000 certificates have been issued in India till date. (n) code itself claims to have issued more than 3,00,000 certificates in the past five to six years.
Indian banks have already started experimenting with digital signature implementations as the online authentication mechanisms for their corporate customers. For instance, Corporation Bank recently implemented eMudhra PKI-based authentication security solutions from 3i Infotech for its corporate customers. Explaining the reasons, the bank says that while there are a number of authentication methods such as one-time passwords as well as virtual keyboards, using the organization's own DSC is the only method which provides legal sanctity to the transaction (besides providing additional security).
HDFC Bank has been one of the largest users of digital signatures for corporate banking for almost five years now. The bank itself issues DSCs to its customers though it is not a licensed CA. Salvi explains why. "Whenever there is a legal requirement, we get the certificate validated by a licensed CA. Thus, we have the option of issuing either legally binding or normal certificates from the same infrastructure."
Does this mean that digital signature implementations will replace the traditional two-factor authentication solutions (hardware and software tokens) for securing online banking transactions? While Jagannathan feels that more banks will follow Corporation Bank to secure their online transactions, Salvi believes that this may be limited to corporate customers, because of the huge number of retail customers in online banking. "Digital signature implementation for such a huge customer base can be a major challenge from both the cost and complexity perspectives," says Salvi.
Issues hampering adoption of digital signatures in India
Digital signature implementation got wings after the ministry of company affairs mandated the use of digital signatures for online annual tax returns. Many other government organizations such as IREPS, Northern Railways, ONGC, GAIL and IFFCO have started the e-tendering process and other online processes which require the use of DSCs. Nevertheless, the fact remains that digital signatures are not much used in the private sector.
On this front, Salvi notes that there are hardly any large-scale PKI-based digital signature implementations in the private sector. Naik is also in agreement that private companies lag behind in exploring PKI in comparison to the state sector.
So what are the issues hampering the growth of PKI architecture which has been proved to be the highest form of online security? "I think distribution, deployment and usability are the most significant challenges for the large-scale deployment of DSCs," says Salvi.
At this point of time, the cost of obtaining digital certificates is also very high. "If an organization consists of 5,000 employees, it would have to spend a massive amount to buy so many digital certificates," adds Naik. He also says that it will involve certain changes in the respective application(s) and database(s) since the organization will need to store the hash and encrypted content.