e-Authentication, or electronic authentication, is the electronic process of verifying an individual's identity, presented in electronic form, to an information system. Online systems employ a user name to identify a user and a password to authenticate that user's true identity. Methods employed for electronic authentication include tokens, password- and PIN-based schemes, public key, symmetric key, SMS-based, biometric and digital identity authentication, etc. Multifactor authentication is also a large component of e-authentication and adds transactional security. Electronic authentication also raises technical obstacles, such as remotely authenticating people over a network; the e-authentication guidelines exist to deal with such issues, technical or otherwise.
Certifying Authorities (CA) can issue Digital Signature Certificates (DSC) to an applicant after successful verification of the address and identity proof of the applicant. The Second Schedule of the IT Act, 2000 states guidelines for CA electronic authentication service through e-KYC. ESP refers to eSign Service Provider in this article.
eSign Service Provider Requirements
- An applicant should have a 12 digit Aadhaar number to apply for the service.
- The eSign Service Provider should approve the applicant to use such services. An agreement of understanding should be in place between the two parties.
- The eSign Service Provider should function as an agent of the eKYC (Electronic Know Your Customer) and Authentication User Agencies (AUA) of the Unique Identification Authority of India (UIDAI).
DSC Application Form And Authentication
- Biometric fingerprint or One-Time Password should be used for electronic authentication in accordance with Aadhaar eKYC Services.
- The Aadhaar eKYC Service should be shared with the eSign Service Provider. The consent of the applicant is required to share digitally signed information such as name, address, phone number, photo and response code to any party.
- The response code should be recorded on the application. (The response code is preserved offline for a period of 2 years and online for a period of 6 months by the UIDAI)
- Aadhaar eKYC services should successfully authenticate the DSC applicant, following which the DSC application form is generated electronically.
- The application form should be electronically signed with Aadhaar eKYC Services information.
- The authentication logs, the response code, the activation mechanism for digital signatures and the communication with CAs for certificate issuance are recorded.
- Any consent from the subscriber needs to be obtained electronically, in order to obtain a Digital Signature certificate.
- The validity of the certificate is for 30 minutes for one-time use. On successful key generation for issuance of DSC, the certificate signing request is sent to the CA by the ESP.
- The DSC should be published in the repository maintained with the CA. The signature is permanent.
- Rule 27 of the Information Technology Rules, 2000, states that certification functions and all relevant information relating to the e-authentication of a DSC applicant should be recorded for a period of 7 years for the purpose of providing evidence.
- All electronic records relating to the e-authentication of a subscriber for access to stored information are kept for a period of 2 years.
Authentication and Identification
- The eSign XML request and response should match the specifications prescribed in the eSign API.
- The communication between the ESP and the ASP should be secured through VPN, SSL encryption, etc.
- The OTP Aadhaar request can be made to UIDAI by the ASP directly. The OTP request should be in accordance with Aadhaar OTP request API specification.
eSign Request to ESP
- The biometric data and Aadhaar number, along with the OTP, should be captured by the ASP (front-end) application into encrypted PID blocks, and Aadhaar authorization should be done as per the specifications laid down by the UIDAI.
- Digital signature on the eSign XML request (formed by ASP using PID block) is required before the application is sent to the ESP eSign API.
- The ASP's digital signature on each eSign XML request received should be verified by the ESP.
eKYC Request to UIDAI
- The ESP should form the eKYC XML as per the specifications laid down by the UIDAI eKYC specifications prior to sending it to the KSA.
- The input is validated by the KSA. Before the KYC XML is forwarded to the Aadhaar KYC API, the KSA should ensure that it complies with the Aadhaar eKYC API structure.
eKYC Response to ESP
- After successful authentication by the Aadhaar eKYC service of the Aadhaar holder, the photograph and location details (in XML format) should be encrypted and digitally signed by the UIDAI as per specifications laid down in Aadhaar eKYC.
Certification Request to CA
- Prior to sending the certification request to the CA, the ESP should form a Certificate Generation Request digitally signed with the ESP's key.
- The digitally signed Certificate Signing Request (CSR) is accepted by the CA over a secure link, and only from designated ESP systems.
Certification Response to ESP
- The CA system is configured to issue Aadhaar eKYC class end entity individual digital signature certificates.
eSign Response
- The eSign XML formed by the ESP should be digitally signed and sent to the ASP.
OTP Request and Response (Through ESP)
- The OTP request is sent via the ESP or directly, and conforms to the Aadhaar OTP request API specifications.
Gateway Options
eSign Request (ASP to Gateway)
- The eSign API request XML should be signed by the ASP using the ASP key when a gateway is used.
eSign Response (Gateway to ASP)
- The gateway should forward the request to the ASP without any modifications.
- The key generation for any user should be secured and occur through Hardware Security Module (HSM).
- The HSM should be used to secure the private key of a user in accordance with FIPS 140-2 Level 3, as listed on the cryptographic module validation list.
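Two of the checks above are worth seeing in code: the ESP's verification of the ASP's signature on each eSign request (eSign Request to ESP), and the enforcement of the 30-minute, one-time-use certificate (DSC Application Form and Authentication). This is an added illustration in Go, not code from the guidelines or from any ESP; the `ASPRegistry` map, the simplified request bytes and the `OneTimeCert` structure are assumptions, and the real eSign API XML and Aadhaar PID formats are not reproduced.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// ASPRegistry maps an ASP id to the public key the ESP registered at onboarding (assumed shape).
type ASPRegistry map[string]*ecdsa.PublicKey

func GenerateASPKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignESignRequest: the ASP signs the eSign XML request with its key before calling the ESP.
func SignESignRequest(priv *ecdsa.PrivateKey, requestXML []byte) ([]byte, error) {
	digest := sha256.Sum256(requestXML)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyESignRequest is the ESP-side check: an unknown ASP, a forged signature or a modified request is rejected.
func VerifyESignRequest(reg ASPRegistry, aspID string, requestXML, sig []byte) error {
	pub, ok := reg[aspID]
	if !ok {
		return errors.New("ASP not onboarded with this ESP")
	}
	digest := sha256.Sum256(requestXML)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("ASP signature invalid: request rejected")
	}
	return nil
}

// OneTimeCert models the 30-minute, single-use DSC issued for one eSign operation.
type OneTimeCert struct {
	Issued time.Time
	used   bool
}

// Use consumes the certificate; a second use or a use outside the 30-minute window fails.
func (c *OneTimeCert) Use(now time.Time) error {
	if c.used || now.Before(c.Issued) || now.After(c.Issued.Add(30*time.Minute)) {
		return errors.New("certificate already used or outside its 30-minute validity")
	}
	c.used = true
	return nil
}
```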
An onboarding process manual should be consulted before any legal entity (registered in India) applies to integrate the eSign Electronic Signature Service into its applications. The ASP should apply to the ESP to enable online electronic signature (as per the onboarding process manual) on the application form. An agreement is executed between the ASP and the ESP after all the criteria stated in the onboarding process manual are fulfilled.
Certifying Authority Requirement
- CA systems accept digitally signed CSRs over a secured link from the respective ESP systems.
- The CA systems issue only Aadhaar eKYC class end entity individual DSC.
Requirements for Organizations that need eSign Service
- The Organizational person should be an Aadhaar holder.
- A pre-verified database of organizational persons is a must for any organization that wants to use the eSign online electronic signature service. Any database submitted past 40 days will not be accepted by the ESP.
- The verification of the identity and existence of the organization should be carried out by the CA as per the identity verification guidelines.
- The DSC of the authorized signatory should be mapped to the name of the organization and registered with the ESP.
- The name of the organization, location, details, designation, etc. should be included in the eSign API request to the ESP and digitally signed.
- The ESP generates the DSC application form as per Form C of schedule IV of the Information Technology Act, 2000.
- The KYC information that has been digitally signed should be archived.
- The address mentioned in the DSC should be the organizational address and not the residential address of the Aadhaar holder.
eSignDesk.com is an online portal that enables companies to let their customers electronically sign documents. LegalDesk.com provides eSign and eKYC services together. This article is based on the paper 'e-authentication guidelines for eSign - Online Electronic Signature Service', published in June 2016 by the Controller of Certifying Authorities (CCA), Department of Electronics and Information Technology, Ministry of Communications and Information Technology.