Working of a digital signature

The Information Technology Act gives legal validity to internet-based communications and transactions such as email and EDI, i.e. e-commerce in short. In these internet-based transactions, a digital signature serves the purpose of identifying the originator of the transaction and ensuring that the communication has happened without any intermediary disturbance like data tampering or modification.

A digital signature works as follows:

A message digest (or hash value) is generated by applying a hash function (like MD5, SHA-1, or SHA-2) to the electronic message. This message digest is a fixed-length sequence of bits from which the original message cannot be recovered.

A key pair consists of a private key (known to the sender of the message alone and kept secret) and a corresponding public key (published and available to anyone who wants to verify signatures made with the private key). The public and private keys are mathematically related to each other and are generated using any of the various available public-key algorithms like RSA, DSA etc.

A message encrypted using a private key can be decrypted only using its corresponding public key, and vice versa. This is the concept of asymmetric encryption.

Now the message digest created is encrypted using the sender’s private key resulting in a digital signature. This digital signature is attached to the electronic message and sent to the recipient.

At the receiving end, the receiver decrypts the encrypted message digest (i.e. digital signature) using the sender’s public key. This proves that the message is authentic i.e. originated from the sender who secretly maintains the private key corresponding to the public key with which it was decrypted.

The receiver also recomputes the message digest by applying the same hash function to the electronic record received. This should match the original message digest to ensure that the electronic data was not disturbed in transit.

However, if the original hash value and the recomputed hash value are different, the digital signature is invalid. This does not necessarily mean that the message was tampered with in transit, though that could be a reason. It may also happen when the sender owns several digital signature certificates and the receiver uses the wrong public key on the digital signature.

Whatever the reason, when the digital signature is invalid, the verification of the sender is considered unsuccessful and the transaction incomplete.
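
The steps above, as an added Python example that is not part of the original article: it hashes a message, signs the digest with a private key, and shows verification succeeding for the genuine message and failing both for a modified message and for the sender's other public key. It assumes textbook RSA with no padding and small hard-coded Mersenne primes purely for illustration; the key values, function names and sample messages are constructed here, and real signatures use large random keys and a padding scheme such as PSS.

```python
import hashlib

# Toy key material, constructed for this example: the primes are well-known
# Mersenne primes, so these keys are trivially factorable and NOT secure.
E = 65537

def make_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # d = e^-1 mod phi (Python 3.8+)

def digest(message: bytes) -> int:
    """Fixed-length message digest (SHA-256, a SHA-2 function) as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private) -> int:
    """'Encrypt' the digest with the private key: sig = H(m)^d mod n."""
    n, d = private
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """Decrypt the signature with the public key, compare with a fresh digest."""
    n, e = public
    recovered = pow(signature, e, n)      # digest the signer committed to
    return recovered == digest(message)   # digest of what actually arrived

def demo():
    pub_a, priv_a = make_keypair(2**127 - 1, 2**521 - 1)  # key used to sign
    pub_b, _ = make_keypair(2**89 - 1, 2**607 - 1)        # sender's other certificate
    msg = b"Pay Rs. 1000 to account 12345"                # constructed sample message
    sig = sign(msg, priv_a)
    return {
        "genuine": verify(msg, sig, pub_a),
        "tampered": verify(b"Pay Rs. 9000 to account 12345", sig, pub_a),
        "wrong_public_key": verify(msg, sig, pub_b),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:17} -> {'valid' if ok else 'INVALID'}")
```

The receiver sees the same failed result for the tampered message and for the wrong public key, which is why an invalid signature alone does not identify the cause.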