Introduction
E-commerce has been around for several years, and security issues have come with it. With e-commerce taking the world by storm, ensuring security is the task of foremost importance.
The development and evolution of e-commerce have completely changed commercial activity.
The paperless route is convenient, no doubt; however, some aspects of it make people shy away from it.
Development of e-commerce
The paperless way, referred to as Electronic Data Interchange (hereafter referred to as EDI), is the exchange of business documents between trading partners, computer to computer, in a standard digital format that the receiving computer can interpret directly.
Now, how exactly does EDI work? The customer creates a purchase order on their computer or mobile device and sends it to the trading partner, whose system receives the order, interprets it, and enters it directly into their own system. This is far more convenient than the pre-EDI procedure of placing a purchase order by fax, telegram, or post, which the trading partner then had to read and re-enter by hand. The usage of EDI therefore brought speed and efficiency.
However, EDI was not a viable option for small businesses because of its cost. The Internet soon changed the situation, and electronic markets grew on the Internet instead.
In its 2016 Press Note No. 3, the Government of India defined e-commerce and the permissible e-commerce models. The Press Note recognises two models: the inventory-based model, in which the e-commerce entity owns the inventory and sells goods directly to the consumer, and the marketplace-based model, in which the platform acts as a facilitator, providing the information-technology platform through which buyers and sellers exchange information and goods.[1]
Issues associated with e-commerce
The Internet is of a large scale and cannot be made secure as a whole; this brings forth many problems regarding e-commerce. Internal and external factors out of one’s control may bring about severe loss and alteration of data.
Let us take a look at the issues one faces while participating in e-commerce, and hence the requirement for stringent security measures:[2]
- Theft, destruction, and alteration of intellectual property.
- Malware attacks aimed at e-commerce sites.
- Theft and misuse of clients' personal and credit-card information.
- Alterations made to e-commerce websites with malicious intent (defacement, injected payment-skimming code).
- Attackers blocking access to a site's services (denial of service), or erasing or blocking data.
- The unreliable and complex nature of online transactions.
Solutions to Security Issues
Measures to counter such issues include multiple levels of authentication, data protection, firewalls, and transparency on the part of the commercial establishment.
How do we make e-commerce more secure, preferred, and trustworthy?
Making commercial transactions over the Internet legally sound requires three things. First, a mechanism by which the trading partner receiving a message or order (the 'relying' party) can confirm that it was sent by the party it claims to come from (authentication). Second, the ability to tell whether the message was intercepted and modified between being sent and received (integrity). Third, a system that prevents the sender from later denying having sent the message (non-repudiation). Cryptography protects data to this level and was hence widely adopted.
Use of the Internet always comes with its fair share of disadvantages, and so it became essential to make online transactions legally binding.
Choosing e-commerce need not mean risking fraud, theft, or other cybercrime every time, which is where digital signatures and electronic signatures come into the picture.
Protection by Digital Signatures and Electronic Signatures
Simply put, these signatures serve the purpose that a written signature or thumbprint serves in traditional paper-based transactions.
Before getting into the function of digital and electronic signatures, let us understand what they mean.
Though they sound similar, and one may confuse them as the same thing, they’re very different from each other.
Digital Signatures
A Digital Signature is a cryptographic value computed from the document and the Signer's private key. It acts as a fingerprint of the document itself, not as an image of a handwritten signature, and is attached to or embedded in the document.
A Digital Certificate linked to the Signer's key is also required. The Digital Certificate, issued by a certification authority that vouches for it, is similar to a passport or an identification card: it validates that the public key used to verify the signature genuinely belongs to the Signer, so that the signature cannot be forged or repudiated. Digital Signatures thereby secure digital records, making any tampering detectable, and verify the Signer's identity.
A digital signature is produced by applying the Signer's private key to a hash of the message, which allows the recipient to authenticate it with the corresponding public key. The signature is bound to the data, so that if the data is changed the signature no longer verifies.[3]
The Technology behind Digital Signatures
A digital signature is not a digital representation of a handwritten signature. It is a 'block of data' appended to an electronic message that lends credence to the message's validity. Digital signatures are a transformation of an electronic message using public-key cryptography. They need a key pair (a private signing key and a public verification key; in the RSA-based description that follows, signing is often spoken of as 'encrypting' with the private key) and a hash function.
A digital signature is thus, a two-part process. The creator of the digital signature, or Signer, signs a document, and the verifier, or recipient, verifies the signature for its authenticity.
Creation of a Digital Signature
- The signer demarcates what needs to be signed, and this information is known as the “message”.
- The hash function in the Signer's software computes a hash result (digital fingerprint) that is, for all practical purposes, unique to the "message".
- The Signer's software then transforms the hash result with the Signer's private key (often described as "encrypting" it) to produce the digital signature. The digital signature is unique to both the message and the private key used to construct it.
- The digital signature is attached to its message and stored or distributed with it. Because a digital signature is unique to its message, a reliable link between the two must be maintained.
How to verify a Digital Signature
- The recipient receives the digital signature along with its message.
- Applies the Signer's public key to the digital signature.
- Recovers the hash result from the digital signature.
- Computes a new hash result of the received message using the same hash function the Signer used to create the digital signature.
- Compares the hash result recovered from the signature with the newly computed one.
If the two hash results are identical, the message has not changed since it was signed. If they differ, either the message was altered after signing, or the signature was not created with the private key matching the public key used for verification.
Digital Signature and Public Key Infrastructure
Creating and verifying digital signatures requires no human intervention; the only requirement is that both the Signer and the recipient have the necessary software. To ensure that the signature was made by the Signer and not by someone else, a Trusted Third Party (TTP) is needed. The TTP must vouch for the Signer's identity and for the link between the Signer and their public key.
This TTP is the Certifying Authority (CA), which verifies the Signer's identity. A Digital Signature Certificate issued by the CA binds the Signer's identity to their public key.
A Digital Signature Certificate consists of the following: the name of the Signer, the Signer's public key information, the name of the CA that issued the certificate, the validity period of the certificate, and the CA's own digital signature over all of these fields, which anyone holding the CA's public key can verify.
The Controller of Certifying Authorities stores the certificates in a publicly available online repository, or the Certifying Authority stores them in its own repository. Each CA must continue to operate per its certification practice statement (CPS). The CPS defines the practices that each CA uses to issue digital signature certificates.
Public Key Infrastructure (PKI) Process
PKI is concerned with managing and regulating key pairs and certificates: allocating responsibilities among the contracting parties, developing licensing and business standards for CAs, and establishing the business processes through which contractual relationships are formed in a digitalised world. The idea is to build a sound PKI for efficient issuance and verification of digital signature certificates.
Let us look at the steps of the PKI process:
- The Signer applies to a CA for a Digital Signature Certificate.
- The CA verifies the Signer's identity and issues the Digital Signature Certificate.
- The CA forwards the certificate to the Controller, who publishes it in the repository.
- The Signer digitally signs an electronic message with their private key, ensuring authenticity, integrity, and non-repudiation, and sends it to the Relying Party.
- The Relying Party receives the message, verifies the digital signature with the public key of the Signer (the Subscriber), and consults the repository to check the status and validity of the Subscriber's certificate.
- The repository returns the certificate's status, and the Relying Party accepts or rejects the message accordingly.
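The signing and verification steps listed above, together with the PKI steps just described, as one runnable example. This is an added illustration, not code from the article or from any CA's software: it uses textbook RSA over a SHA-256 hash with no padding (illustration only; real systems use a padded scheme such as RSA-PSS or ECDSA from a vetted library), a constructed certificate format with YYYYMMDD integers for validity dates, a dictionary standing in for the Controller's repository, and a constructed purchase order as the message. The names "Example CA", "Acme Traders" and the serial numbers are assumptions.

```python
"""Digital signature creation/verification and the PKI steps, as a runnable toy.
Textbook RSA over SHA-256, no padding: for illustration only."""
import hashlib
import json
import secrets

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test, after trial division."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)   # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False   # witness for compositeness found
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top and low bit
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 256):
    """Return ((n, e), (n, d)): public verification key, private signing key."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))   # pow(e, -1, m) needs Python 3.8+

def _hash_int(data: bytes) -> int:
    """The hash result, as an integer (256 bits, so always below the modulus)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, private_key) -> int:
    """Creation: transform the hash result with the private key."""
    n, d = private_key
    return pow(_hash_int(data), d, n)

def verify(data: bytes, signature: int, public_key) -> bool:
    """Verification: recover the hash with the public key, compare with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == _hash_int(data)

def issue_certificate(ca_priv, ca_name, serial, subject, subject_pub, not_before, not_after):
    """The CA binds the Signer's name to their public key and signs that binding (toy format)."""
    body = {"serial": serial, "subject": subject, "subject_pub": list(subject_pub),
            "issuer": ca_name, "not_before": not_before, "not_after": not_after}
    encoded = json.dumps(body, sort_keys=True).encode()   # canonical bytes the CA signs
    return {"body": body, "ca_sig": sign(encoded, ca_priv)}

def verify_signed_message(message, signature, cert, ca_pub, repository, now):
    """The Relying Party's checks, in PKI order. Returns (accepted, reason)."""
    body = cert["body"]
    encoded = json.dumps(body, sort_keys=True).encode()
    if not verify(encoded, cert["ca_sig"], ca_pub):
        return False, "certificate not signed by the trusted CA"
    if not body["not_before"] <= now <= body["not_after"]:
        return False, "certificate outside its validity period"
    if repository.get(body["serial"]) != "valid":
        return False, "repository reports certificate revoked or unknown"
    if not verify(message, signature, tuple(body["subject_pub"])):
        return False, "message signature does not verify under the Signer's key"
    return True, "accepted: signed by " + body["subject"]

def demo():
    """Constructed scenario: a CA, a Signer, a purchase order, and four ways it can fail."""
    ca_pub, ca_priv = generate_keypair()
    signer_pub, signer_priv = generate_keypair()
    cert = issue_certificate(ca_priv, "Example CA", "0001", "Acme Traders",
                             signer_pub, 20210101, 20221231)
    repository = {"0001": "valid"}                           # the public repository (toy)
    order = b"Purchase order 1001: 50 units of SKU-7"        # constructed sample message
    sig = sign(order, signer_priv)
    check = lambda msg, c, repo, now: verify_signed_message(msg, sig, c, ca_pub, repo, now)
    results = {"genuine": check(order, cert, repository, 20210601),
               "tampered": check(order.replace(b"50", b"500"), cert, repository, 20210601),
               "expired": check(order, cert, repository, 20230101)}
    repository["0001"] = "revoked"
    results["revoked"] = check(order, cert, repository, 20210601)
    _, rogue_priv = generate_keypair()                       # an impostor CA nobody trusts
    rogue_cert = issue_certificate(rogue_priv, "Example CA", "0002", "Acme Traders",
                                   signer_pub, 20210101, 20221231)
    results["forged_cert"] = check(order, rogue_cert, {"0002": "valid"}, 20210601)
    return results

if __name__ == "__main__":
    print(demo())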
Hash Functions
A digital signature uses a 'hash function' for validation. The hash function is an algorithm that generates a digital representation or "fingerprint" in the form of a fixed-length "hash value" or "hash result" that is typically much smaller than the message but, for practical purposes, unique to it. Any adjustment to a message, however small, will result in a different hash when the same hash function is applied. "Unique" here means collision-resistant: for a sound hash function it is computationally infeasible to find two different messages with the same hash, which is why functions with known practical collisions, such as MD5 and SHA-1, are no longer acceptable for signatures.
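The fingerprint properties described above, shown on a constructed message as an added example (not code from the article): the digest length is fixed regardless of input size, flipping a single bit of the input changes roughly half the bits of the digest, and the altered message is therefore detected. The sample purchase-order text is constructed.

```python
"""Hash-function properties that matter for signatures: fixed length, avalanche, detection."""
import hashlib

def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hex fingerprint of any-length input; its length depends only on the algorithm."""
    return hashlib.new(algorithm, data).hexdigest()

def bits_changed(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def fingerprint_report(message: bytes) -> dict:
    """Hash a message and a copy with one bit flipped; report what a verifier would see."""
    if not message:
        raise ValueError("message must not be empty")
    altered = message[:-1] + bytes([message[-1] ^ 0x01])   # the smallest possible alteration
    big = message * 100_000                                 # a few MB: same digest length
    d_msg = hashlib.sha256(message).digest()
    d_alt = hashlib.sha256(altered).digest()
    return {
        "digest_bytes": len(d_msg),
        "big_input_digest_bytes": len(hashlib.sha256(big).digest()),
        "same_digest": d_msg == d_alt,                    # False: the alteration is detected
        "bits_changed": bits_changed(d_msg, d_alt),       # about half of 256, on average
    }

if __name__ == "__main__":
    print(digest_hex(b"abc"))
    print(fingerprint_report(b"Purchase order 1001: 50 units of SKU-7"))   # constructed input
```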
Electronic Signatures
Electronic signatures are simply symbols or marks placed where a document is required to be signed. Unlike a digital signature, they carry no cryptographic binding to the document and no certification by a CA; they merely record the intention to sign the document at hand.
Electronic signatures are most prevalent in contracts, where the intent is an essential factor. With the required intent, electronic signatures become legally binding. Electronic signatures range from PINs to biometric identification.
Creation of Electronic Signature
- The Signer uses a secure electronic signature or an electronic authentication technique.
- At the time of signing, the Signer has control of the 'electronic key' or authentication data.
- The Signer then affixes the electronic signature to the record.
Verification of Electronic Signature
- The recipient receives the electronic record with the electronic signature attached.
- The recipient verifies the authenticity of the electronic signature on the electronic record.
- Once it is confirmed that no alterations were made, the record is accepted.
Difference between Digital and Electronic Signature
- A Digital Signature is certified by a CA, while an Electronic Signature requires no certification.
- Digital Signatures have more security features than Electronic Signatures.
- A Digital Signature can be cryptographically verified by anyone holding the Signer's certificate; an Electronic Signature generally has no such verification mechanism.
- Digital Signatures are concerned with securing the document, while electronic signatures show the intent to sign it.
Therefore, we can conclude that a digital signature secures a document, while an electronic signature evidences the intent to sign it. A digital signature is thus more secure than an electronic signature, and both are legally binding.[4]
The use of these signatures makes agreements and commerce over the Internet legally binding and, in the case of digital signatures, makes forgery and undetected alteration computationally infeasible.
What is eSign?
eSign is an online electronic signature service integrated with service delivery applications through an API, which makes it easy for an eSign user to sign a document digitally. The user is authenticated through the e-KYC service before the signature is issued.[5]
Features that make eSign an attractive option are: it is cost- and time-efficient; it is legally recognised and provided by licensed CAs; it is a secure way to sign information; the signatures it produces are legally valid digital signatures; and it is easy to implement.
Position of the Information Technology Act, 2000
Digital signatures are referred to in the Information Technology Act, 2000 (henceforth referred to as the IT Act) as a mode of authenticating electronic records. The IT Act has played a considerable role in developing the usage of digital signatures in e-commerce and legal agreements.
Even though digital signatures were already in use for commercial transactions and agreements, the IT Act and its Amendments bestowed legal recognition upon digital signatures and electronic signatures.
If we look into Section 3 of the IT Act, it talks about the authentication of electronic records. It states that, following this section’s provisions, any subscriber can, by affixing his digital signature, authenticate an electronic document.[6]
The IT Act has focused on such measures because a lack of security and genuineness in online transactions leads to tremendous losses.
Both parties are exposed to these losses, because on the Internet no one's identity can be taken at face value. The IT Act accordingly addresses both the affixing of such a signature and the process of verifying a digital signature.
Coming to electronic signatures, the IT Act discusses them in Section 3A. The section permits the authentication of electronic records by electronic signatures that are listed in the Act's Second Schedule and are considered reliable. An electronic signature is considered reliable if: the authentication data is linked to the authenticator and to no one else; the authentication data was under the control of the authenticator at the time of signing; any alteration made to the electronic signature, or to the information, after signing is detectable; and any other prescribed criteria are fulfilled.[7]
The Central Government has the power and authority to prescribe the necessary procedures and criteria for the application and authentication of electronic signatures.
Conclusion
Commercial activity has taken a big step to the digital side. More and more businesses now exchange goods, services, and information over the Internet. People favour the digital mode of e-commerce, as it is convenient and enticing. However, without strict measures in place, this convenience comes at a cost. As seen in the article, there are several ways in which online transactions can go wrong, leading to loss.
While going digital has repercussions that place e-commerce in jeopardy, there are various mechanisms and systems to ensure secure transactions and efficient commerce.
We can see that electronic and digital signatures thus bring us one step closer to e-commerce security; they have played an essential role in slowly normalizing the shift to a paperless route of commercial activity.
References:
[1] E-COMMERCE BUSINESS MODEL, PIB.GOV.IN (2019), https://pib.gov.in/Pressreleaseshare.aspx?PRID=1595850 (last visited, Jan 5, 2021)
[2] Jinson Varghese, Ecommerce Security: Importance, Issues & Protection Measures Astra Security Blog (2020), https://www.getastra.com/blog/knowledge-base/ecommerce-security/ (last visited Jan 6, 2021).
[3] Trevor Mark. “Difference Between Digital Signature and Electronic Signature.” DifferenceBetween.net. October 18, 2019 http://www.differencebetween.net/technology/difference-between-digital-signature-and-electronic-signature/.
[4] Ibid.
[5] NSDL e-Governance Infrastructure Limited, eSign, Egov-nsdl.co.in, https://www.egov-nsdl.co.in/e-sign.html (last visited Jan 10, 2021).
[6] The Information Technology Act, 2000 (India)
[7] Ibid