Digital Signatures: Risks and Threats!! By Shreya Sharma



"There are only two types of companies: those that have been hacked, and those that will be."

Robert Mueller


Digital signature under the IT Act, 2000 means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of Section 3 (Yadugiri & Bhasker, 2011). A digital signature is the equivalent of a handwritten signature: an electronic verification of the sender. It ensures the integrity of documents, enables electronic tracking and storage, can accommodate high volumes of documents, enhances security, ensures compliance and reduces costs. Signatures on deeds, wills, property documents etc. require witnesses and are hence excluded from electronic signatures.

Understanding Digital-Based Signature

Online authentication has become a necessity in the fast-growing digital environment. Many brands and types of electronic signatures are available for authentication. Digital signatures not only authenticate the person who sends the data but also ensure the integrity of the data transferred, making sure that the data has not been tampered with in transit from one medium to another, i.e. protection through encryption (Chowbe, 2012).

A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. It is meant to be highly authentic, as it offers far more inherent security, and is intended to solve the problem of tampering and impersonation in digital communications. These signatures aid the protection of documents, provide added assurance of the origin, identity and status of an electronic document, transaction or message, and can record the informed consent of the signer.

Cryptography is a Latin word comprised of two words, i.e. kryptos, meaning "hidden or secret", and graphein, signifying "study in writing" (Rawal, Chhikara, Kaur, & Khanna, 2019). Cryptography is a method of transferring data from one person to another in a form that a third party is unable to understand (Menezes, 1996). Cryptography is about the prevention and detection of cheating and other malicious activities. It allows data or information to travel across a network in an unintelligible form so that intruders are unable to understand it. Under cryptography, only the sender and the receiver are permitted to read and understand the message. Cryptography is applied in sectors such as e-commerce, online transactions through debit or credit cards, cryptocurrencies, password protection and military communication. It is an art in the field of secrecy and privacy. Cryptography mainly consists of two operations (Guru 99):


Encryption: Data encryption translates data into another form or code so that only people with access to the secret key or password can read it. The conversion of the original information into unreadable cipher information is performed using a key, usually at the sender's end. It is a process of encoding a message or information so that only authorized parties can access it and unauthorized ones cannot. Encryption of digital data can be performed by the following methods:

  • Symmetric Key Cryptography: A conventional method using one 'secret code' for both the sender and the receiver. The same code/key is applied to both encoding and decoding the information. The sender is expected to convey the key to the receiver along with the message, and the receiver uses it to decipher the encoded message. It is a one-to-one encryption process: in symmetric encryption, the same key is used for both encryption and decryption.

  • Asymmetric Key Cryptography: An algorithm which requires two separate keys, one private and one public. The public key is used to encrypt the message, whereas the private one is used to decrypt it. It is a very advanced form of cryptography (Karandikar, 2007). A private key is held by its owner alone and is not shared with anyone. Data encrypted with the private key can only be decrypted with the public key at the receiver's end. The public key is mostly used to encrypt data and is accessible to all users who wish to communicate with the desired recipient. The supporting infrastructure consists of policies, standards, people and systems that support the distribution of public keys and the validation of the identity of individuals or entities with digital certificates and a certificate authority (Fritz Grupe, Kerr, Stephen, Kuechler William, 2003).

Decryption: the back-conversion of cipher information into the original information using a key, which usually happens at the receiver's end. In simple terms, it is the conversion of data that has been rendered unreadable through encryption back to its unencrypted form.
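The two methods above, as an added example that is not part of the original article: the symmetric half uses one shared AES-256-GCM key for both encryption and decryption, and the asymmetric half uses an RSA-OAEP key pair where anyone holding the public key can encrypt but only the private key decrypts. The function names (symmetricEncrypt, asymmetricDecrypt and so on) and the sample message are this example's own assumptions, using only Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// symmetricEncrypt seals plaintext with AES-256-GCM under one shared key.
// GCM also produces an authentication tag, so decryption with the wrong key,
// or of a modified ciphertext, fails instead of yielding garbage.
func symmetricEncrypt(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize()) // fresh random nonce for every message
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// symmetricDecrypt reverses symmetricEncrypt; the receiver must hold the same key.
func symmetricDecrypt(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// asymmetricEncrypt uses the recipient's PUBLIC key (RSA-OAEP with SHA-256):
// anyone may encrypt to the recipient, but only the private key can decrypt.
func asymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// asymmetricDecrypt uses the recipient's PRIVATE key, which is never shared.
func asymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	msg := []byte("Board resolution 2020-07: approve the Q3 budget") // constructed sample text

	// Symmetric: one 32-byte key shared out of band by sender and receiver.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	nonce, ct, err := symmetricEncrypt(key, msg)
	if err != nil {
		panic(err)
	}
	pt, err := symmetricDecrypt(key, nonce, ct)
	fmt.Printf("symmetric, right key:    %q (err=%v)\n", pt, err)
	wrong := make([]byte, 32)
	if _, err := rand.Read(wrong); err != nil {
		panic(err)
	}
	_, err = symmetricDecrypt(wrong, nonce, ct)
	fmt.Printf("symmetric, wrong key:    err=%v\n", err)

	// Asymmetric: the receiver generates the pair and publishes only the public half.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ct2, err := asymmetricEncrypt(&priv.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	pt2, err := asymmetricDecrypt(priv, ct2)
	fmt.Printf("asymmetric, private key: %q (err=%v)\n", pt2, err)
}
```

The practical difference shows in what each side must hold: the symmetric receiver needs the very same secret the sender used, so that secret must itself be delivered safely, whereas the asymmetric receiver publishes one key and keeps the other, and a decryption attempt with any other private key is rejected by the OAEP check.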

Cryptographic Algorithms


A cryptographic algorithm or cipher is a mathematical function used in the encryption and decryption of digital data. It works together with a key, i.e. a word, number or phrase which is needed to encrypt the data; applying the cipher to plaintext produces ciphertext. The privacy and security of encrypted data depend on the strength of the cryptographic algorithm and the secrecy of the key (Kannan, Prasad, & Varalakshmi, 2012).


Why Is Signing Digitally More Effective?


A digital signature can be used with any kind of message, whether encrypted or plain text. A digital signature serves the following purposes:

  • Fabrication (Authentication): A digital signature gives the receiver reason to believe the message was created and sent by the claimed sender. Authentication commonly means identification of data and verification of data. Entity authentication and data origin authentication implicitly provide data integrity. Authentication ensures the ownership and validity of the sender.

  • Non-Repudiation: With a digital signature, the sender cannot later deny having sent the message. This service prevents an entity from denying previous commitments or actions. Disputes that arise must be resolved by a trusted and authentic third party. In simple terms, it ensures that the sender who has signed the relevant information cannot deny to acknowledge the

  • Modification (Integrity): A digital signature ensures that the message was not altered in transit. This service addresses the unauthorized alteration of data. To ensure the integrity of data, one must be able to detect active manipulation of data by unauthorized parties; manipulation can take the form of insertion, deletion or substitution.

  • Interception (Confidentiality): this specifies that the contents of a message are accessible to nobody except the sender and the intended receiver. It is used to keep the content of information secret from everyone else. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.
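The authentication and integrity purposes listed above, as an added example that is not part of the original article: a document is fingerprinted with SHA-256, the fingerprint is signed with the signer's Ed25519 private key, and verification recomputes the fingerprint from the content actually received before checking the signature against the published public key. A changed character, a signature made by an impostor's key, or a signature lifted from another document all fail. SignedDocument, SignDocument and VerifyDocument are names assumed for this example, and the offer-letter text is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedDocument bundles the content, its SHA-256 digest ("fingerprint"),
// the signature over that digest, and the public key of the claimed signer.
type SignedDocument struct {
	Content   []byte
	Digest    []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// SignDocument hashes the content and signs the digest with the signer's
// private key. Only the holder of that key can produce a valid signature,
// which is what gives the receiver authentication and non-repudiation.
func SignDocument(pub ed25519.PublicKey, priv ed25519.PrivateKey, content []byte) SignedDocument {
	digest := sha256.Sum256(content)
	return SignedDocument{
		Content:   content,
		Digest:    digest[:],
		Signature: ed25519.Sign(priv, digest[:]),
		Signer:    pub,
	}
}

// VerifyDocument recomputes the digest from the content actually received and
// checks the signature against the claimed signer's public key. Any change to
// the content (integrity), a signature made with a different key
// (authentication), or a signature copied from another document is rejected.
func VerifyDocument(doc SignedDocument) bool {
	digest := sha256.Sum256(doc.Content)
	if !bytes.Equal(digest[:], doc.Digest) {
		return false // content no longer matches the fingerprint that was signed
	}
	if len(doc.Signer) != ed25519.PublicKeySize || len(doc.Signature) != ed25519.SignatureSize {
		return false // malformed key or signature; ed25519.Verify would panic on a bad key size
	}
	return ed25519.Verify(doc.Signer, digest[:], doc.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	contract := []byte("Offer letter: salary INR 12,00,000 per annum") // constructed sample
	doc := SignDocument(pub, priv, contract)
	fmt.Println("fingerprint:                 ", hex.EncodeToString(doc.Digest))
	fmt.Println("genuine document verifies:   ", VerifyDocument(doc))

	// Integrity: a single changed character in transit breaks verification.
	tampered := doc
	tampered.Content = []byte("Offer letter: salary INR 22,00,000 per annum")
	fmt.Println("tampered document verifies:  ", VerifyDocument(tampered))

	// Authentication: an impostor signing with their own key does not verify
	// against the real signer's published public key.
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	forged := SignDocument(pub, impostorPriv, contract)
	fmt.Println("impostor signature verifies: ", VerifyDocument(forged))
}
```

Note that the signature alone gives no confidentiality: the content travels in the clear, which is why the interception point above is addressed by encryption rather than by the signature.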

Why Are Digital Signatures More Useful?


Digital signatures are very important tools for implementing security and genuineness. Today, the traditional physical signature is becoming outdated. Confidential communication between two partners must be secured and protected. Digital signatures provide a suitable basis for sending secured messages using various methods. However, the success of these methods depends on the security, authenticity and integrity of the information transmitted between the users at the sending end and the users at the receiving end. Digital signatures are used for financial transactions and other cases where it is important to detect forgery and tampering. Digital signatures are very popular with email users. A digital signature uses asymmetric cryptography, which means a public key algorithm is employed. Following are some of the pros and benefits of digital-based signatures:

  • High Efficacy: With a quick response and a short turnaround time, these signatures also promise to reduce workflow time and are ideal as far as corporates are concerned.

  • Cost-saving: Cost-benefit is one of the essential parts of corporate and business development. Corporates may see little or no expense on ink, paper, printing, scanning and travel; apart from this, indirect costs such as filing, re-keying, archiving and tracing are eventually minimized. These signatures also enhance risk assessment analysis for corporates.

  • Future and Legal Validity: Digital signatures hold their validity into the future, i.e. Electronic Signature and Infrastructures (ETSI) and Advanced Signature with its Electronic Identification, Authentication and Trust Services (eIDAS) have long-term validity. They help in tracing the path of information with a due-time process and improved audit and compliance (S, Kapoor, Oza, & Kamat, 2019) (Arvind et al., 2019). Corporates logically tend to accept digital signatures to legally bind authentic documents because of their belief in their security.

  • Security: Digital signatures offer more security than an electronic signature. The probable reason is the unique "digest content/fingerprint" permanently embedded within a document.

  • Better Efficiency: with fewer delays, digital signatures ensure better efficiency. The management and tracking of documents flows more easily, with less effort, high protection and less time consumed.

A host of companies offer cloud-based signing solutions to digitally sign business documents, viz. contracts, non-disclosure agreements, offer letters, board meeting resolutions, invoices etc. Some of the services offered in the digital signing process are given below:

  • Dongle Based Electronic Signature (USB Key): The USB key offers good protection, but there is a chance of physically losing it. Copying, cloning and duplicating a USB key go against the guidelines of the service provider.

  • Software for Sharing USB Based Signatures: There are advanced software solutions which allow USB-based signatures to be shared across multiple devices for use by many users. The digital identity of the signatures therefore needs to be secured throughout the corporate workflow cycle. Electronic signatures should be kept secure with password protection and multi-factor authentication.

  • Standard Electronic Signatures (SES): Manually drawn or scanned signatures. They are not used for high-risk transactions and contracts, such as loans or insurance.

  • Biometric Signature: One needs to be careful regarding the security of biometric signatures. Once the password is compromised, the iris scan and fingerprints are compromised forever. This holds true for Aadhaar-based signatures also.

  • Advanced Electronic Signature (AES): Linked to the signed data in such a way that the document cannot be changed without detection once it is signed. There is certainty that the signature is uniquely linked back to the signer. AES requires the involvement of an electronic signature provider and is protected by cryptographic means.

  • Qualified Electronic Signature (QES): QES is more advanced than AES. The signatures are linked to the signed data in such a way that the document cannot be changed without detection once it is signed, and there is certainty that the signature is uniquely linked back to the signer. QES requires the involvement of an electronic signature provider and is protected by cryptographic means. QES is used when the risk is high.

Digital signatures have become a notable tool over the last few decades. They mostly retain a high degree of information security and identity. Using strong 'encryption' techniques, one can preserve the authenticity, confidentiality, integrity and access control of the transferred data. Some of the prevalent security measures in the market include:

  • Vulnerability Assessment and Penetration Testing (VAPT): VAPT provides insights into the gaps in the security apparatus of applications and networks, web servers, application servers, database servers, any middleware component and the operating system of the hardware.

  • Multi-factor authentication (MFA): Identity theft is a real risk for electronic signatures. A person could alter a digitally signed document after it is signed. Multi-factor authentication verifies identity through the mobile number and email and can be used to strengthen the security of digital signatures.

  • Signing Servers: A signing server can create and verify all common signature formats. It provides identity services for ensuring the complete authenticity of each signer. It is an important tool which needs to be employed.

  • Cryptography: Cryptography for ensuring a secured process at each stage of signing.

  • Audit Trails: Access to the entire audit trail to see the workflow of each document.

  • Capturing Trails: Capturing the device type, IP address, browser, latitude/longitude and timestamp at each stage of signing.
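The audit-trail and capturing-trail measures above, as an added example that is not part of the original article or any vendor's product: each captured event (stage, device type, IP address, browser, latitude/longitude, timestamp) is chained to the SHA-256 hash of the entry before it, so that later editing, deleting or reordering of any entry is detectable by re-walking the chain. The type and function names (SigningEvent, AuditTrail, Record, Verify, SampleTrail) and the three sample events are this example's assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// SigningEvent holds what the signing platform captures at each stage.
type SigningEvent struct {
	Stage      string  `json:"stage"` // e.g. "opened", "otp_verified", "signed"
	Signer     string  `json:"signer"`
	DeviceType string  `json:"device_type"`
	IP         string  `json:"ip"`
	Browser    string  `json:"browser"`
	Latitude   float64 `json:"lat"`
	Longitude  float64 `json:"lon"`
	Timestamp  string  `json:"timestamp"` // RFC 3339, as recorded by the signing server
}

// TrailEntry chains each event to the hash of the entry before it, so editing,
// removing or reordering any past entry changes every hash after it.
type TrailEntry struct {
	Event    SigningEvent
	PrevHash string
	Hash     string
}

type AuditTrail struct {
	Entries []TrailEntry
}

// genesisHash is the fixed "previous hash" of the very first entry.
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// entryHash = SHA-256(prevHash || JSON(event)); json.Marshal of a struct emits
// fields in declaration order, so the encoding is deterministic.
func entryHash(prevHash string, ev SigningEvent) string {
	body, err := json.Marshal(ev)
	if err != nil {
		panic(err) // cannot happen for this plain struct
	}
	sum := sha256.Sum256(append([]byte(prevHash), body...))
	return hex.EncodeToString(sum[:])
}

// Record appends an event, linking it to the current head of the chain.
func (t *AuditTrail) Record(ev SigningEvent) {
	prev := genesisHash
	if n := len(t.Entries); n > 0 {
		prev = t.Entries[n-1].Hash
	}
	t.Entries = append(t.Entries, TrailEntry{Event: ev, PrevHash: prev, Hash: entryHash(prev, ev)})
}

// Verify walks the chain from the genesis value, recomputing each hash. It
// returns (-1, true) for an intact trail, or the index of the first entry
// that no longer matches and false.
func (t *AuditTrail) Verify() (int, bool) {
	prev := genesisHash
	for i, e := range t.Entries {
		if e.PrevHash != prev || entryHash(prev, e.Event) != e.Hash {
			return i, false
		}
		prev = e.Hash
	}
	return -1, true
}

// SampleTrail builds a constructed three-stage trail for one signer.
func SampleTrail() *AuditTrail {
	t := &AuditTrail{}
	base := SigningEvent{Signer: "a.kumar@example.com", DeviceType: "laptop",
		IP: "203.0.113.7", Browser: "Firefox/78", Latitude: 28.6139, Longitude: 77.2090}
	for i, stage := range []string{"opened", "otp_verified", "signed"} {
		ev := base
		ev.Stage = stage
		ev.Timestamp = fmt.Sprintf("2020-07-01T10:0%d:00+05:30", i)
		t.Record(ev)
	}
	return t
}

func main() {
	trail := SampleTrail()
	for _, e := range trail.Entries {
		fmt.Printf("%-13s prev=%s.. hash=%s..\n", e.Event.Stage, e.PrevHash[:8], e.Hash[:8])
	}
	idx, ok := trail.Verify()
	fmt.Println("intact:", ok, idx)
	// Someone later "corrects" the IP on the OTP step: the chain breaks there.
	trail.Entries[1].Event.IP = "198.51.100.9"
	idx, ok = trail.Verify()
	fmt.Println("after edit:", ok, "first bad entry:", idx)
}
```

A chain like this only proves that the trail has not changed since its head hash was last recorded; for the trail to be evidence against the platform operator as well, the head hash must be periodically signed by the signing server or written to storage the operator cannot rewrite.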

Keeping pace with digitalization, there is a need both for advancement and for securing digital data. Many forgeries, cyber frauds and other illegalities have been encountered while using digital signatures. With the increase in the rate of cybercrime, there is an urgent need to develop a secured corporate environment by ensuring the impenetrability of digital-signature-based data protection.

Cyber criminals are looking for an opportunity to defraud. Some risks associated with digital signatures are as under:

  1. At times, digital signatures do not comply with the legislation and hence become invalid when the requirement crops up.

  2. Signed documents are subject to modification; hence, while employing a digital signature platform, it should be ensured that data once signed is tamper-proof.

  3. There is a chance of the signature being compromised and used by someone else. Encryption, hashing, audit trails and various other security measures should be present.

  4. Digitally signed online contracts and documents may contain sensitive information, Personally Identifiable Information (PII), pricing and intellectual property details, and need to be secured against man-in-the-middle attacks.

  5. Storing signatures on servers, especially biometric data, may lead to their theft.

  6. The software can be vulnerable and buggy, leaving it open to exploitation by malware.


DRASInt Risk Alliance Private Limited focuses on aiding corporates by strengthening their protection and providing better methods of minimizing threats by analyzing risk. Our leaders have adequate expertise to carry out investigations and take a case to its logical conclusion. DRASInt Risk Alliance Private Limited acts as your Consultative Investigative Unit (CIU) for Field Investigation Services and Surveillance. We specialize in investigations related to Arson, White Collar Crime, Financial Fraud and Malpractice, Corporate Frauds and Forgery. We specialize in Protective Intelligence, Industrial Counter Espionage, Industrial Surveys, Asset Verification, Accident Investigation Services and Fire Damage Investigation Services, Character Report, Background Verification, Identity Verification Services, Pre-Employment Check, Documentary Proofing, Bank Card Verification, Digital Forensics Services and Forensic Audit Services, Insurance Fraud Investigation and Insurance Claim Verification. We also undertake to investigate Anti-Counterfeit Services, Infringement of Trade Mark, Trademark Verification and Pilferage of Goods. As a private investigator we undertake Property Dispute and Asset Verification Investigations, investigations related to Matrimonial Discord, Extra Marital Affairs, Spouse Fidelity and Pre Matrimonial Verification. Sourcing and provisioning of Security Manpower and Equipment, and conducting Security, Investigation and Intelligence Awareness Training programs are some of our other specialties.




DRASINT RISK ALLIANCE PRIVATE LIMITED takes issues of copyright infringement, plagiarism or other breaches of publication very seriously. We want to protect the rights of our instructors, and we always investigate claims of plagiarism. Submitted texts are checked. Where texts are found to have reproduced another work, or to include third-party copyright material without permission or with insufficient acknowledgement, we reserve the right to take action. The right to make copies is available to databases or distributors who may be involved in circulating manuscripts or journals to various audiences.


DRASINT RISK ALLIANCE PRIVATE LIMITED is the sole owner of the published material.

Mobile Number: +918290439442, Email: forensic@drasintrisk.com


REFERENCES

  1. Chowbe, V. S. (2012). Digital Signature: Nature & Scope Under the IT Act, 2000 - Some Reflections. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.1680825

  2. Encryption vs Decryption: What's the Difference? (n.d.).

  3. Fritz Grupe, Kerr, Stephen, Kuechler William, P. N. (2003). Understanding Digital Signatures. CPA Journal, Vol. 73, p. 70.

  4. Kannan, Y. R. A., Prasad, S. A., & Varalakshmi, P. (2012). Cognitive symmetric key cryptographic algorithm. Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST, 85(Part 2), 50–60. https://doi.org/10.1007/978-3-642-27308-7_5

  5. Karandikar, R. L. (2007). Introduction to cryptography. E-Business Process Management: Technologies and Solutions, 28–44. https://doi.org/10.4018/978-1-59904-204-6.ch002

  6. Menezes, A. J. (1996). Applied Cryptography. Electrical Engineering, 1(32), 429–455. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.99.2838&rep=rep1&type=pdf

  7. Rawal, A., Chhikara, G., Kaur, G., & Khanna, H. (2019). Cryptography algorithm. MAT Journals 2019, 4(1), 31–38.

  8. S, K. P., Kapoor, S., Oza, K. S., & Kamat, R. K. (2019). A Comprehensive Study on Sentiment Analysis Using Deep Forest. International Journal of Computer Sciences and Engineering (Open Access), (August 2018). https://doi.org/10.26438/ijcse/v7i4.654658

  9. The Top 10 Threats To Your E-Signed Documents. https://www.approveme.com/e-signature/top-10-threats-e-signed-documents/

  10. Yadugiri, M. A., & Bhasker, G. (2011). The Information Technology Act, 2000. English for Law, 482–511. https://doi.org/10.1017/upo9788175968660.018

© 2020 by DRASInt Risk Alliance Private Limited | Corporate Risk Management
