E-Sign

As India has Prescriptive Electronic Signature Laws, after the IT Act was implemented in the year 2000, recognizing the validity of digital signatures, it was important to set up a process to make these a reality. For this purpose, the concept of Digital Signature Certificates (DSCs) was created and adopted. These were USB-based keys that were used by parties wanting to sign any electronic record. These USB keys could only be issued by limited registered entities (Exhibit 1) and required the signer to undergo a long process (refer Fig. 2) to obtain them which included a tedious video KYC process and pay a fee of about Rupees 1000 (USD 12). Even after the whole process, the actual token took a few days to be delivered for use to the signer. 

Exhibit 1: List of ESPs

2.1. Technical Framework of the DSC: In this method of digital signage, the user, to be able to digitally sign any document digitally, it needed to have three key components namely Electronic record; Secure key pair and Hash algorithm.

2.1-1 Electronic Record: An electronic record is any document or piece of data that is stored electronically which is to be signed by the signees. The allowed formats for this record can be either PDF or XML for it be signed.

2.1-2 Secure Key Pair: The digital signature worked on the process of asymmetric cryptography which consists of two functions namely private key and public key.

2.1-2a Private Key: This is a unique and confidential code available to the signer who owns the key pair

2.1-2b Public Key: This is a unique, but not confidential code that can be seen by any party who views the digital signature

Both keys were required together for any digital signage.

2.1-3 Hashing Function: A Hash result may be thought to be the unique digital fingerprint of any document. It was generated by an algorithm in the form of an alpha-numeric code. Hash result represented the electronic record only at the time at which the hash function was performed. If even a full stop was added to the electronic record, the hash result changed.

The hash function and the secure key pair were both stored in the hardware security module which was housed in the USB drive that was given by the CA.

The module was activated by a unique PIN which acted as an identifier for the signer. Once all the key requirements for the signing were fulfilled, the user had to follow a 4-step procedure to sign any contract7:

Step1: Generating a Hash Result for the Electronic Record

• The user plugs in the USB in his/her device and opens the PDF document that needs to be signed 
• The user is prompted to enter the unique PIN 
• The hash module is activated, and a unique hash ID is created for the document

Step 2: Encryption

The private key of the user then encrypts the obtained hash result and gives a scrambled hash result

Step 3: Affixture 

• The scrambled hash and public key are stored together on the document that was to be signed and an electronic signature certificate is created
• The scrambled hash result is affixed on the contract

Step 4: Decryption

• The hash function is performed on the document with the same algorithm and the hash result is displayed. If the document hasn’t been tampered with, the hash will be same as the hash obtained in the first part 
• The public key then decrypts the scrambled hash in the document. It will only work if the public key corresponding to the private key is used. 
• Both generated hash results are matched, and the document signature is validated.

Challenge with the Current Process

The major challenge with the DSC method was verifying documents physically which also added to the costs largely. Certifying authorities engaged registration authorities to carry out the verification of credentials prior to issuance of certificate that caused significant delays. Additionally, the physical USB dongle given to the users added to the cost of DSCs. There was also a huge environmental impact due to this technology that used USB drives which added to electronic waste and junk being produced.

In 2020, the smartphone penetration in India was 54%8. India is clearly a mobile-first country and for any technology introduced to reach masses, it should be compatible with mobile phones. The challenge with DSC was that it could not be used on handheld devices. Additionally, one of the main purposes to introduce electronic signature was to allow mobility and flexibility in signing of contracts. Carrying a USB at all times was not a very feasible solution.

In order to overcome all these challenges, the government launched the eSign- an online service for electronic signatures without using physical cryptographic token9 in 2015.

eSign Features and Developmental Process

eSign allows users to digitally sign documents as long as the signer fulfils the criteria of having an Aadhar number and his/her biometrics and mobile number linked with Aadhar. The process of using eSign is fairly simple and straightforward. It has the steps listed as per Fig. 8.

This technology digitises the document verification step in the earlier process which was very time consuming by introducing eKYC. eKYC can also be done by one of two methods depending on the availability of resources:

eKYC based on OTP: Generates and sends an OTP to the registered mobile number of the user once he/she enters the Aadhar number. Once the correct OTP is entered, the DSC is issued stating that the details of the signer match the details present in the Aadhar data base. Post use, the provate keys are deleted ensuring safety.

eKYC based on Biometrics: In cases where biometric devises are available, eKYC can be done by using those details. Once the details are matched, the DSC is issued stating that the details of the signer match the details present in the Aadhar data base. Post use, the provate keys are deleted ensuring safety.

Any updates or changes to be made in the technology are handled by the aa committee which holds regular reviews. This method of esigning has obvious advantages over earlier method of using a DSC.

The advantages include huge saving of administrative cost and time; Aadhaar e-KYC based authentication ensures validity and reduces chances of misuse. It has also helped to improve user experience by making the signing process faster and easier. It prevents forgery and increases authenticity checks by allowing for the signatories to be verified. Flexible and fast integration with application using APIs allows for a wide variety of use cases for private players as well. Privacy concerns are also addressed with a complete audit trail and an immediate destruction of keys after usage.

Apart from the convenience provided by this technology, it has a major environmental impact as well. In addition to eliminating the need of paper contracts completely, it does not require any additional physical device like a USB device which might add to e-waste; making it a completely eco-friendly alternative to earlier methods of signing.

The sheer number of people using the service is a testimony of the kind of impact created by the technology.

Flow chart and Structure

The flowchart for using an eSign process is shown in Fig. 9.

Fig. 9: Flowchart of working of eSign Process 

(Source: https://cca.gov.in/eSign.html)

At Application Service Provider (ASP)

• Asks the end user to sign the document 
• Creates the document hash (to be signed) on the client side 
• Capture Aadhaar number and authentication factor (OTP/Biometric)
• Creates the input API for eSign
• Calls the eSign API of the eSign provider

At eSign Service Provider (ESP)

• Validates the calling application input, and then creates the Aadhaar, e-KYC input based on Aadhaar e-KYC API specification 
• Invokes the Aadhaar e-KYC API 
• On success, creates a new key pair for that Aadhaar holder
• Sends public key and eKYC information to the Certifying Authority for certification 

At Certifying Authority (CA)

• Based on the eKYC authentication information received from UIDAI, Digital Signature Certificate is issued and sent to the ESP
• At eSign Service Provider (ESP)
• Signs the input document hash using the private key (Note: the original document never leaves the actual computer) 
• Creates an audit trail for the transaction 
  • Audit includes the transaction details, timestamp, and Aadhaar e-KYC response 
  • This is used for pricing and reporting 
  • Sends the e-Sign API response back to the calling application after obtaining end-user acceptance

At Application Service Provider (ASP)

• Receives the signature from the e-Sign provider
• Attaches the signature to the document 

Stakeholder Analysis

The stakeholders involved in the process include Application Service Provider (ASP), eSign Service Provider (ESP), the Certifying Authority (CA), e-KYC providers and the end user. All these players are instrumental in signing of a document through eSign. 

Application Service Provider: An organization or an entity using eSign service as part of their application to electronically sign the content. For example Government Departments, Banks, other public/ private organizations.

End User: An Individual using the application of ASP and represents himself/ herself for signing the document under legal framework. Also a resident holding the Aadhaar number and applicant/ subscriber for digital certificate.

eSign Service Provider: Trusted Third Party as per the definitions of Second Schedule of Information Technology Act to provide eSign service. ESP is a Licensed Certifying Authority (CA) that validates the data

Certifying Authority: An organization or an entity licensed under CCA; it issues Digital Signature Certificate and carries out allied CA operations. 

Unique Identification Authority of India (UIDAI)10: It provides unique identity to all Indian residents and also eKYC authentication service to registered KUAs.

Impact

eSign online electronic signature service can be effectively used in scenarios where signed documents are required to be submitted to service providers namely Government, Public or Private sector. There are several use cases for the service (Exhibit 2). This service has allowed the government to massively cut costs that were initially associated with the DSC Mechanism. This service will also allow businesses and enterprises to cut down on administrative costs associated with signing and drafting of contracts. This would also allow businesses to become more global, green and more sustainable. This initiative is a stepping stone for the nation towards a paper-less economy that has a green thumb. 

Exhibit 2: List of use cases and services

Way Forward

The technology has potential to be used within and outside the government and remove time delays due to signing of files and paperwork. It also has potential for being a good method of authenticating any document and ensuring that no tampering take place. It can be rolled out in a way to accommodate international transactions and contracts. The technology itself can be improved and built upon. With more and more smartphones coming with facial recognition technology, we can look at the possibility of integrating this technology with the eSign infrastructure to make it even more easier to use. This technology can also be leveraged to create a stable revenue stream and eventually become self-sufficient and sustainable.