IT LAW

Encryptions
Harikrishna.V.R.
1281
Introduction
 Encryption is the process of transforming information so it is
unintelligible to anyone but the intended recipient. Decryption is
the process of decoding encrypted information. A cryptographic
algorithm, also called a cipher, is a mathematical function used for
encryption or decryption.
 With most modern cryptography, the ability to keep encrypted
information secret is based not on the cryptographic algorithm,
which is widely known, but on a number called a key that must be
used with the algorithm to produce an encrypted result or to
decrypt previously encrypted information. Decryption with the
correct key is simple. Decryption without the correct key is very
difficult, if not impossible.
Public key Encryption
 The problems of key distribution are solved by public key
cryptography, the concept of which was introduced by
Whitfield Diffie and Martin Hellman in 1975.
 Public key cryptography is an asymmetric scheme that uses a
pair of keys for encryption: a public key, which encrypts data,
and a corresponding private, or secret key for decryption.
You publish your public key to the world while keeping your
private key secret. Anyone with a copy of your public key can
then encrypt information that only you can read.
The primary benefit of public key cryptography is that it
allows people who have no preexisting security arrangement
to exchange messages securely. The need for sender and
receiver to share secret keys via some secure channel is
eliminated; all communications involve only public keys, and
no private key is ever transmitted or shared. A key is a value
that works with a cryptographic algorithm to produce a
specific ciphertext. Keys are basically really big numbers. Key
size is measured in bits; the number representing a 1024-bit
key is huge. In public key cryptography, the bigger the key, the
more secure the ciphertext.
Digital signatures

 A major benefit of public key cryptography is that it provides

a method for employing digital signatures. Digital signatures
enable the recipient of information to verify the authenticity
of the information’s origin, and also verify that the
information is intact. Thus, public key digital signatures
provide authentication and data integrity. A digital signature
also provides non-repudiation, which means that it prevents
the sender from claiming that he or she did not actually send
the information. These features are every bit as fundamental
to cryptography as privacy, if not more. A digital signature
serves the same purpose as a handwritten signature.
Hash functions

 The system described above has some problems. It is slow,

and it produces an enormous volume of data—at least double
the size of the original information. An improvement on the
above scheme is the addition of a one-way hash function in
the process. A one-way hash function takes variable-length
input—in this case, a message of any length, even thousands
or millions of bits—and produces a fixed-length output; say,
160-bits. The hash function ensures that, if the information is
changed in any way—even by just one bit—an entirely
different output value is produced.
Digital certificates

 Digital certificates, or certs, simplify the task of establishing

whether a public key truly belongs to the purported owner. A
certificate is a form of credential. A digital certificate is data
that functions much like a physical certificate. A digital
certificate is information included with a person’s public key
that helps others verify that a key is genuine or valid. Digital
certificates are used to thwart attempts to substitute one
person’s key for another.
Legal Position in India

 The Indian Supreme Court on 29 June 2016 refused to entertain a

petition that sought a ban on WhatsApp and other similar applications
that use strong end to end encryption technologies to safeguard the
communications on their services. The petition stated that employment
of such stringent encryption standards rendered a national security
hazard as it would be impossible for law enforcement agencies to
uncover communications of/amongst parties that pose a threat to the
safety and security of the country.
 The Information Technology Act, 2000 that regulates the electronic and
wireless modes of communication is silent on any substantive provision
or policy on encryption apart from Section 84A that delegates the
Central Government the authority to frame any rules on the use and
regulation of encryption. Till date, no such rules have been framed by
the Central Government under this section. Besides that, the following
are few sectors where the use of encryption technology and products
have been regulated and mandated by specific conditions and terms:
Securities and Exchange Board of India (SEBI)
Guidelines on Internet based Trading and
Services
 As per the Report on Internet Trading by the SEBI Committee on
Internet based Trading & Services, 2000, a 64/128 bit encryption
standard is advisable to secure transactions and online tradings. It
strongly recommended that "128 bit encryption should be allowed
to be freely used". However, it is qualified with a condition that
the DoT prescribed policy and regulation will be adhered to with
respect to encryption. In paragraph 30 of the cyber security and
cyber resilience framework of Stock Exchanges, Clearance
Corporations and Depositories, and for Registrars to an Issue /
Share Transfer Agent with a portfolio of over two crore, SEBI
requires that "Data in motion and data at rest should be in
encrypted form by using strong encryption methods such as
Advanced Encryption Standard (AES), RSA, SHA-2, etc."
Reserve Bank of India (RBI)

 In paragraph 6.4.5 of the Report on Internet

Banking released in 2001, RBI mandated a minimum security
standard of using of SSL for server authentication and the use
of client side certificates, the use of 128-bit SSL encryption
for communication between browsers and the server, and
encryption of sensitive data like passwords in transit within
the enterprise itself.
Information Technology (Certifying
Authorities) Rules, 2000
 These Rules specify the manner in which digital signatures are to
be authenticated. Under Rule 3, a digital signature authentication
is mandated to be undertaken via a public key encryption method.
Rule 6 of these Certifying Authorities Rules provide the requisite
standards for public keys that can be used for this purpose, such as
PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit),
PKCS#5 Password Based Encryption Standard or
PKCS#7 Cryptographic Message Syntax Standard. Most of the
standards listed under this rule resort to an encryption strength
higher than 40 bits, which is the maximum permitted standard
under the license terms of an agreement between an ISP and DoT.
Data Security Council of India’s (DSCI)
recommendation
 The DSCI & NASSCOM with other industry inputs
submitted recommendations to the Department of Information Technology in
2009 regarding an Encryption Policy for India. One of the recommendations
made therewith is the departure from a 40 bit standard as enshrined in the DoT
license to ISPs, and to upgrade to a 256 bit encryption standard with AES
algorithm or other equivalents for e-commerce platforms, along with SSL for
end to end authentication.
 The license agreement between the ISP & DoT carries a stipulation to the effect
that users are not permitted to use encryption standards higher than 40 bits
with symmetric key algorithms or equivalent algorithms without prior approval
and deposition of decryption keys. As mentioned above, there are various other
regulations & guidelines that employ a higher standard of encryption than 40
bits for certain specific sectors. Also, in the absence of a comprehensive
encryption policy /regulation, or any procedures detailed under the
Information Technology Act, 2000, the service providers under the terms of
Unified Service License Agreement don’t have any limitation on encryption
strength. Therefore, the restriction of 40 bits effectively applies only to the
individuals, organizations, or groups using the platform of ISPs that function
under the license agreement between DoT & ISP.
Conclusion

 With a plurality of actors and interests involved, encryption is

perhaps the most complex issue of this decade. It implicates rights,
commerce, law enforcement and intelligence. India's Draft Policy
only addressed law enforcement concerns while failing to truly
address the multifarious issues at play. Privacy activists and the
ICT industry have long favoured stronger encryption standards.
However, one important stakeholder that has not yet weighed in
on the debate is the intelligence community. Not unlike law
enforcement agencies, espionage organisations also prefer easy
access to information. Unlike law enforcement agencies, however,
intelligence organisations are mandated with maintaining
'information assurance.' So a proper legislation on encryption
standards is the need of the hour.