Digital signatures will play an increasingly important role in our lives as records and documents move to electronic form. The Information Technology Act, 2000 gives legal recognition to digital signatures, meaning that in law a digital signature carries the same weight as a handwritten signature affixed to a document for its authentication. The Act grants this legal sanctity to digital signatures based on asymmetric cryptosystems. Digital signatures are now accepted at par with handwritten signatures, and electronic documents that have been digitally signed are treated at par with paper documents.
WHO NEEDS A DIGITAL SIGNATURE CERTIFICATE ?
Under MCA21, every person who is required to sign manual documents and returns filed with the ROC is required to obtain a Digital Signature Certificate (DSC). Accordingly, the following have to obtain a Digital Signature Certificate:
1. Directors
2. Auditors
3. Company Secretary - whether in practice or in employment
4. Bank Officials - for registration and satisfaction of charges
5. Other authorised signatories
TYPES OF DIGITAL SIGNATURE CERTIFICATE
There are three types of Digital Signature Certificate, offering different levels of identity verification: Class 1, Class 2 and Class 3. For filing documents under MCA21, a Class 2 Digital Signature Certificate issued by a licensed Certifying Authority (applied for through one of its Registration Authorities) is required. We also offer Class 1 and Class 3 certificates besides Class 2.
Why USB e-token?
A Digital Signature Certificate (DSC), together with its private key, can be stored in the certificate store of your computer (the one Internet Explorer uses), but keeping a DSC on your computer has the following drawbacks:
a) It can be misused by anyone who has access to your computer system, since the private key can be copied or exported along with the certificate.
b) The DSC is lost if the computer is formatted or the browser is changed.
The safe and proper method is therefore to keep the DSC on an e-token, a small USB device that is password (PIN) protected. The private key is generated on the token itself and cannot be exported from it, so both the token and its password are needed to sign. The e-token can be plugged into the USB port of any system to digitally sign documents, and when not in use it can be kept in safe custody.
Why Digital Signatures?
Ministry of Company Affairs, Government of India (GoI) has initiated the MCA21 program for easy and secure access to its services in a manner that best suits businesses and citizens. MCA21 is envisioned to provide anytime, anywhere services to businesses. It is a pioneering program, being the first mission-mode e-governance project undertaken in the country. This program builds on the GoI vision to introduce a service-oriented approach to the design and delivery of Government services, establish a healthy business ecosystem and make the country globally competitive. The MCA21 application is designed to support Class 2 and Class 3 Digital Signature Certificates (DSC) issued by a licensed Certifying Authority under the Controller of Certifying Authorities, GoI. Individuals recommended and forwarded by a superior authority, or who approach any RA office operating under the CA with proper attestation from a Chartered Accountant or Cost Accountant, can avail of our certification services to obtain a digital certificate.
What is a Digital Signature Certificate?
Digital signature certificates (DSC) are the digital equivalent (that is electronic format) of physical or paper certificates. Examples of physical certificates are drivers' licenses, passports or membership cards. Certificates serve as a proof of identity of an individual for a certain purpose; for example a driver's license identifies someone who can legally drive in a particular country. Likewise, a digital certificate can be presented electronically to prove your identity, to access information or services on the Internet or to sign certain documents digitally.
What is PKI
A PKI (public key infrastructure) enables users of an inherently insecure public network such as the Internet to exchange data securely and privately through the use of a public and private cryptographic key pair. The private key stays with its owner; the public key is bound to the owner's identity in a certificate issued by a trusted authority, and it is that certificate which is shared. A public key infrastructure provides the digital certificates that identify individuals or organizations, and directory services that store and, when necessary, revoke those certificates. It uses public key cryptography, also called asymmetric cryptography, which is the most common method on the Internet for authenticating a message sender or for encrypting and decrypting a message. PKI gives users a means of conducting electronic transactions and electronic correspondence that provides confidentiality, integrity of information, authentication, access control and non-repudiation.
A Certifying Authority (CA) is a trusted third party that validates the identity of a user or organization and issues certificates attesting to that identity. Depending on the public key infrastructure implementation, the certificate includes the owner's public key, the certificate's validity period (its expiry date), the owner's name, the name and signature of the issuing CA, and other information about the public key owner.
How long do digital signatures remain valid?
Normally a certificate, and with it the key, expires after a set period such as one year, and a signature made with an expired or revoked key should not be accepted. However, there are many cases where signed documents must remain legally valid for much longer than that; long-term leases and contracts are examples. By registering the signed document with a digital time-stamping service at the time it is signed, there is trustworthy evidence that the signature existed while the key was still valid, so the signature can be validated even after the key expires: the verifier checks the certificate's status as of the time-stamp rather than as of the current date.
What happens when you sign a file?
When you digitally sign information, you give the recipients the ability to determine that the contents of the document have not been altered since you signed it; in other words, data integrity is guaranteed. Even a minor alteration to digitally signed information makes the verification process fail, warning recipients that the information has changed since it was signed. To sign a file you must have a public/private key pair and a certificate associated with that pair. When you sign a file, a message digest of the file is created first. A message digest is essentially a digital fingerprint of that specific file, computed with the hash algorithm you specify; SHA-256 is the appropriate choice today, while the MD4, MD5 and SHA-1 options offered by older tooling are no longer considered collision-resistant and should not be used for new signatures. The message digest (not the file itself) is then signed, i.e. encrypted, with your private key; the result is your digital signature for that specific file. The signature and a copy of the original file are placed into one file. The recipient recomputes the digest from the received copy and verifies the signature against it with the public key in your certificate, which establishes both that the signature was made with your private key and that the file is intact. If the file has been altered, or the signature was made with a different key, the verification fails.
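The sign-then-verify sequence just described, as an added worked example in Go (not code from this page or from any DSC vendor's software). It uses only Go's standard library; the document text, the 2048-bit RSA keys and the tampering step are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedFile is the "signature plus a copy of the original file" package the
// page describes: the recipient needs both to verify.
type SignedFile struct {
	Content   []byte
	Signature []byte
}

// SignFile hashes the content with SHA-256 (the digest step) and signs the
// digest with the private key using RSA PKCS#1 v1.5 (the "encrypt the digest
// with your private key" step). Only the digest, never the file, is signed.
func SignFile(priv *rsa.PrivateKey, content []byte) (SignedFile, error) {
	digest := sha256.Sum256(content)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedFile{}, err
	}
	return SignedFile{Content: append([]byte(nil), content...), Signature: sig}, nil
}

// VerifyFile recomputes the digest from the received content and checks it
// against the signature with the signer's public key (in practice taken from
// the signer's certificate). A nil error means the content is unchanged and
// was signed by the holder of the matching private key.
func VerifyFile(pub *rsa.PublicKey, sf SignedFile) error {
	digest := sha256.Sum256(sf.Content)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sf.Signature)
}

// Demo signs a constructed document and reports three outcomes: the untouched
// copy verifies, a one-character change is rejected, and the signature is
// rejected when checked against an unrelated public key.
func Demo() (intact, tamperRejected, wrongKeyRejected bool, err error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key pair
	if err != nil {
		return
	}
	// Constructed sample document; the last three characters are the fee.
	doc := []byte("Form 32: appointment of director, filed 2024-01-01, fee INR 300")
	sf, err := SignFile(signer, doc)
	if err != nil {
		return
	}
	intact = VerifyFile(&signer.PublicKey, sf) == nil

	forged := sf
	forged.Content = append([]byte(nil), sf.Content...)
	forged.Content[len(forged.Content)-3] = '8' // fee 300 -> 800
	tamperRejected = VerifyFile(&signer.PublicKey, forged) != nil

	wrongKeyRejected = VerifyFile(&other.PublicKey, sf) != nil
	return
}

func main() {
	intact, tamper, wrong, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, altered rejected: %v, wrong key rejected: %v\n", intact, tamper, wrong)
}
```

PKCS#1 v1.5 is shown because it is what most signing tools and the CMS/PKCS#7 containers used for DSC-signed documents emit; RSA-PSS (rsa.SignPSS) is the better choice for new designs. The recipient takes the public key from the signer's certificate rather than from a bare key, which is where the certificate checks described under "What happens when you verify a file?" come in.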
What happens when you verify a file?
A digitally signed file can be verified to check Data Integrity, Certificate Trust, Certificate Validity and Certificate Revocation Status.
Data Integrity: the data signed by the sender and the data received by the recipient are the same; the digest recomputed from the received file must match the one carried in the signature.
Certificate Trust: during verification, the application first looks in its trust store for the CA (e.g. SafeScrypt) that issued the signer's certificate. If SafeScrypt is a root CA, the certificate is trusted only if SafeScrypt's root certificate is itself trusted. If SafeScrypt is an intermediate CA, the application looks for the next CA up (VeriSign, which issued SafeScrypt's certificate), and so on until it reaches a trusted root Certificate Authority. This process is called chaining up. If a chain cannot be formed (for example, a certificate in the chain is missing or not trusted), verification fails.
Certificate Validity: the certificate has not expired; the time of verification, or the trusted time-stamp of the signature, falls within its validity period.
Certificate Revocation Status: the certificate has not been revoked. The CA publishes a Certificate Revocation List (CRL) on its site and the certificate's serial number is checked against it; a verifier should insist on a current CRL, since an out-of-date list says nothing about revocations made after it was published.
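The trust, validity and revocation checks above, together with the time-stamp point made under "How long do digital signatures remain valid?", as an added worked example in Go (not code from this page or from any CA's software). It builds a constructed root / intermediate / signer hierarchy with the standard library's crypto/x509, verifies the signer's certificate as of a chosen instant, and checks it against a CRL the intermediate publishes. The CA names, lifetimes and serial numbers are constructed for the demonstration; the data-integrity check is the file signature verification itself and is not repeated here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain: constructed root, intermediate, signer certificate, and the intermediate's current CRL.
type Chain struct {
	Root, Inter, Leaf *x509.Certificate
	InterKey          *rsa.PrivateKey // the intermediate signs its own CRL
	CRL               *x509.RevocationList
}

// issue generates a fresh 2048-bit key pair and has signerKey (the parent's key)
// sign a certificate for its public key. A nil parent makes the certificate self-signed.
func issue(tmpl, parent *x509.Certificate, signerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain issues a 10-year root, a 5-year intermediate and a 1-year signer certificate, all valid from notBefore.
func BuildChain(notBefore time.Time) (*Chain, error) {
	tmpl := func(serial int64, cn string, years int, ca bool) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: notBefore, NotAfter: notBefore.Add(time.Duration(years) * 365 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if ca { // CA certificates sign certificates and CRLs, not documents
			t.IsCA, t.BasicConstraintsValid = true, true
			t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		}
		return t
	}
	root, rootKey, err := issue(tmpl(1, "Example Root CA", 10, true), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(tmpl(2, "Example Intermediate CA", 5, true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(tmpl(3, "Example Signer", 1, false), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Inter: inter, Leaf: leaf, InterKey: interKey}, nil
}

// PublishCRL has the intermediate issue a CRL, good for seven days from thisUpdate, listing the given certificates as revoked.
func PublishCRL(c *Chain, thisUpdate time.Time, revoked ...*x509.Certificate) error {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(7 * 24 * time.Hour)}
	for _, rc := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: rc.SerialNumber, RevocationTime: thisUpdate})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, c.Inter, c.InterKey)
	if err != nil {
		return err
	}
	c.CRL, err = x509.ParseRevocationList(der)
	return err
}

// VerifyLeaf checks certificate trust (chaining up to the root, done by Verify), validity (every
// NotBefore/NotAfter against `at`) and revocation status as they stood at instant `at`.
// Passing a signature's trusted time-stamp as `at` validates a document whose certificate has since expired.
func VerifyLeaf(c *Chain, at time.Time, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	for _, ic := range intermediates {
		inters.AddCert(ic)
	}
	if _, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	// Verify never consults a CRL, so revocation is checked here and fails closed.
	if c.CRL == nil || at.After(c.CRL.NextUpdate) || c.CRL.CheckSignatureFrom(c.Inter) != nil {
		return fmt.Errorf("no trustworthy current CRL at %v: revocation status unknown", at.UTC())
	}
	for _, rc := range c.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(c.Leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %v revoked at %v", rc.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}
```

Go's Verify never fetches or evaluates a CRL, which is why revocation is checked explicitly and fails closed when no current, correctly signed list is available; the same fail-closed rule applies to a verifier that cannot reach the CA's CRL distribution point. Verification fails when the intermediate is not supplied (no chain can be formed), when `at` lies outside any certificate's validity period, and when the signer's serial number appears on the CRL.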
Do's : -
# Generate the key pair for your Digital Certificate on the cryptographic token, so that the private key never exists on the computer
# Use difficult-to-guess passwords when initializing your USB token and when enrolling for your Digital Certificate. Never leave the Digital Certificate password blank when you enroll for your Digital Certificate
# Make sure you remember the Challenge Phrase password you gave while enrolling for your certificate. The Challenge Phrase is required for revoking your Digital Certificate
# Use the Digital Certificate only for Authorized and Legal purposes
# If you suspect your token or certificate has been tampered with, lost or stolen, revoke your Digital Certificate immediately using the Challenge Phrase, or contact SafeScrypt
Don'ts : -
# Do not share your Digital Certificate with anyone
# Do not reveal your Digital Certificate password to anyone
# Do not reveal your Challenge Phrase to anyone
# Do not share your cryptographic token with anyone
# Do not initialize your cryptographic token if it contains a valid certificate, as initializing erases the token and the private key with it