Digital transactions are central to the effective implementation of e-Governance. How does the Controller of Certifying Authorities (CCA) facilitate secure e-Governance?
The Controller of Certifying Authorities (CCA) is responsible for creating standards for the operation and issuance of Digital Signatures, licensing Certifying Authorities and monitoring and regulating the whole process. In other words, the whole operation is monitored by the CCA. Digital Signature Certificates are issued by the Certifying Authorities (CA) to the individual users. There are certain procedures that have been prescribed by the CCA that are to be followed for issuance of Digital Signature Certificates. The CA is being periodically audited by the CCA on an annual basis. These procedures are regularly reviewed for operational as well as technological changes. Most of these Certificates are issued in a Smart Card or on a USB Token. The major advantage of using the Digital Signature is that once a person digitally signs, the content, the authenticity of the content and the ownership of the content can easily be verified. When we say that a document is digitally signed, it means that when the private key is applied to the hash of the content, it generates a 128-bit or 160-bit string. This digital string is called ‘Digital Signature’. It is to be noted that the Digital Signature very much depends upon the content as well as the private key that is applied. As the public key is available on the internet, one can easily verify the contents and authenticity of the documents by applying the related public key.
In e-Governance, for instance, the MCA 21 project of the Ministry of Corporate Affairs avails of Digital Signatures for uploading of documents into its system. By this process, the Ministry is assured of the contents as well as the identity of the person who uploaded the content. DGFT, IFFCO and RBI are some of the other departments that are making use of Digital Signatures for net-based transactions. High Courts are using Digital Signatures for dissemination of judgements on the internet.
What is the role of the CCA? Under the IT Act, 2000, how are the electronic records authenticated?
The CCA was set up under Section 17 of the IT Act, 2000. At present, CCA is responsible for all aspects regarding the standards, the process and the procedures for issuing the Digital Signature Certificates. The CCA is also responsible for issuing Digital Signature Certificates to the Certifying Authorities. It also maintains the National Repository of Digital Signatures issued by the Certifying Authorities.
Thus, the whole operation of Public Key Infrastructure and its security are supported by the rules and regulations issued by the CCA. The CCA ensures that the Public Key Infrastructure is secure and safe. In addition to these, it also ensures the security of the Certifying Authorities by regularly auditing them. Stringent procedures are followed for this audit as per the Information Technology Act.
Are there any other Government Departments in the pipeline, which are planning to apply security solutions in their services?
There are many departments in the Government that have taken note of the significance of Public Key Infrastructure. The Income-tax Department has initiated a process for availing of Digital Signature Certificates. The Ministry of External Affairs is also planning to introduce Digital Signatures for the e-Passport.
What are the major security concerns in cyberspace? What are the steps taken by the CCA to ensure the trust in, and security of, e-Transactions?
There are many security issues in cyberspace. One is regarding the genuineness and security (from viruses, malware, spyware, etc.) of the emails received. For instance, when a person is carrying out a transaction, how does he/she ensure that it is not hijacked in between the process? The computer may be safe and secure, but the concern is regarding the safety of the network. Thus, there are a lot of issues related to security in cyberspace. Each of the segments has to be secured. The operations, applications and the systems have to be secured along with the networks. In fact, each and every part has to be secured so that trustworthy transactions are ensured.
Could you tell us more about the Public Key Infrastructure and the services offered by it? What are the major security concerns in this regard?
Out of all the mechanisms, Public Key Infrastructure is given utmost importance. Generally, when we have to encrypt something, we use a code that is known to both the parties involved in a transaction so that we can exchange it. The problem here is with a third person, who needs a separate code. The other security solution that exists is called the Public Key Security. There are two keys, and each person or each entity, will have two keys/codes – one is Public and the other is Private. The technology is such that these two work in conjunction. If you encrypt with one of them you can only decrypt with the other and vice versa.
The technology for Public Key Infrastructure is such that if a person has to sign something digitally, he/she uses their Private Key. It remains with them and they do not give it to anybody. But their Public Key is available to anyone who wants to use it. Once another person has access to his/her signature and the Public Key, the other person can verify it and see whether he/she has sent it. Another issue is how one knows that it is his/her authentic Public Key. The certificate for this purpose is issued by a Certifying Authority. When they have a Public-Private Key pair, they take their Public Key to a Certifying Authority. The Certifying Authority issues a Digital Signature Certificate, which is essentially a certificate containing a Public Key and binding it with a digital signature. That is how the technology works, and in this way all the Certifying Authorities with the CCA at the root comprise the Public and Private Key Infrastructure. With the CCA at the root, we have issued 700,000 certificates, which is an estimate of the key infrastructure. Each person has a unique key that cannot be replicated. Thus, when somebody signs with the digital signature of the Private Key, the content differs as the signature varies. Therefore they cannot generate a key using a different mechanism, and it varies from certificate to certificate. This system has been used in banks such as HDFC, ICICI and others for DMAT accounts to certify the statements regularly. A chain of sequence is used to give the authenticity so that it cannot be repudiated. Without knowing the 40-byte character for security, the content cannot be regenerated. Through the reverse mechanism, encrypted information can be sent to a particular person using the Public Key of that person available on the Internet. In any other operation it is easy to copy the fingerprints and they can be used. Whereas here, it cannot be used. This is the highest level of security for transactions on the Internet.
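The flow described in the two answers above (the Private Key applied to the hash of the content, the Public Key used to verify it, and the Certifying Authority's certificate binding a name to a Public Key, with the root key as the only trust anchor) as an added, constructed illustration that is not part of the interview and not the CCA's or any Certifying Authority's own software; it uses textbook RSA over SHA-256 with small freshly generated keys and omits padding and revocation, so it is for understanding only:

```python
import hashlib
import random
# Constructed teaching code (not the CCA's or any CA's software): textbook RSA over
# SHA-256 with freshly generated 512-bit keys; no padding, no revocation checks.

def _probable_prime(n, rounds=16):         # Miller-Rabin; n is odd and > 3 here
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if _probable_prime(c):
            return c

def keygen(bits=512):   # returns ((n, e), (n, d)): Public Key and matching Private Key
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(content):          # 256-bit hash is always below the 512-bit modulus
    return int.from_bytes(hashlib.sha256(content).digest(), "big")
def sign(private_key, content):    # Private Key applied to the hash; varies with both
    return pow(_digest(content), private_key[1], private_key[0])
def verify(public_key, content, signature):   # anyone with the Public Key can check
    return pow(signature, public_key[1], public_key[0]) == _digest(content)

def issue_certificate(ca_private, subject, subject_public):
    """Digital Signature Certificate: subject name + Public Key, signed by the CA."""
    body = f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()
    return {"public_key": subject_public, "body": body, "ca_signature": sign(ca_private, body)}

def verify_signed_document(ca_public, cert, content, signature):
    """Relying party trusts only the root (CA) key: check the certificate, then the content."""
    return (verify(ca_public, cert["body"], cert["ca_signature"])
            and verify(cert["public_key"], content, signature))
```

A relying party that holds only the root Public Key can thus check both that the certificate is genuine and that the content is unmodified; a certificate signed by any other key, or content altered after signing, fails the check.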
What are some of the e-Transactions carried out within the government agencies and for government services?
As far as technology is concerned, we provide the highest level of security in electronic transactions. When you have to work on the Internet for net banking, DMAT trading, filing income tax returns, etc., the digital signature authenticates the person and provides the integrity of the content. The transactions cannot be repudiated and denied. These are the factors required for e-Commerce transactions. We are talking more about products, so we are based on electronics. Suppose I take a print out of a paper that is digitally signed with 40 bytes; in a printed form, anybody can change it. But in the electronic form, if the content is changed, it automatically alerts you about the modifications. This is because there is a strong relation between the content and privacy.
Do the current Indian regulatory and certifying laws have adequate security-related aspects? How often are these laws updated, considering the growing security threats?
The Certifying Authority has created a procedure for issuing secure transactions. It is, today, the highest level of security in this context. As the technology is fast changing, we have to regularly deal with it and make appropriate changes. Nevertheless, the procedures used are quite adequate. In cyberspace, what is secure today is not secure tomorrow. Therefore, we make sure that the system we use ensures the highest level of security, and for this we follow certain encryption technologies of a very high level. In the future, we have to see what is to be done. There are many people carrying out e-Transactions, for net banking, e-Tendering, etc. When they upload it, they digitally sign it. They use the Public Key, encrypt and transmit it. This way they cannot personally encrypt and change the content until the whole team of 6 – 7 people is present. Yet, if you are just transmitting a file, you have access to it from any computer. Suppose two people are responsible for the tendering, and their Public Key is used for encrypting the whole thing; until both of them use their Private Keys, they cannot encrypt it. So, this is the highest level of security that is possible.