In the past decade, numerous efforts have been made to develop technology beyond the ideas of a common man to facilitate better wellbeing. The world has made a remarkable leap from using Stenography to Cryptography. These innovations have constant created multiple dimension of evolutions focusing mostly on the aspects of Connectivity and Privacy. However, the newly developed technology may seem to be very reliable and secure, but the bigger picture speaks the contrary. The aspect of encryption was introduced as one such path breaking evolution in the fields of communication making it a "must-have" criterion, instantly within a few days of its development. Traditionally the process of communication was designed as a 3-step mechanism involving:
- Service Provider
- End User.
The rate of dissemination was specifically noteworthy given the fact that, the end-users are not completely aware of the functional mechanism and subtly fall prey to the policies of the player up in the chain of hierarchy as an act of subterfuge.
WHAT IS ENCRYPTION?
Cryptography is a mechanism to convey information from amongst the confidantes in a secured manner, following the legatee of security and confidence. The process involves colleting the necessary information and data, then converting it into a secured format, and transmitting. The converted information upon reaching the correct designated recipient shall be de-secured and be open for access and use. The entire process is known as encryption.
Encryption is the most effective way to achieve data security. An encrypted file will appear scrambled to anyone who tries to view it, to read an encrypted file, one must have access to a secret key or password that enables the person to decrypt it. Unencrypted data is called "plain text"; encrypted data is referred to as cipher text and the key to opening such data is referred to as decipher. Some encrypted files require a simple decipher to open, while other require a private/ personalized key, which can be used to unlock files associated with the key.
The primary purpose of encryption is to protect the confidentiality of digital data stored on computer system or transmitted via the internet or other computer networks. Modern encryption algorithms play a vital role in the assurance security of IT Systems and communication as they provide not only confidentiality, but also the following essential elements of security:
- Authentication: The origin of a message can be Verified
- Integrity: Proof that the contents of a message have not been changed since it was sent.
- Non – Repudiation: the sender of a message cannot deny sending the message.
Decryption is the inverse of encryption process, following the same steps but reversing the order in which the keys are applied. The encryption algorithms are divided into:
- ASYMMETRIC ENCRYPTION: Also known as the public key encryption it can be opened and accessed by anyone in the general public who possesses the key. However, this process is used by general audience to ensure safety of transmitted data.
- SYMETRIC ENCRYPTION: also known as private key encryption, it can only be opened and accessed by specific target people who has the authorization to open the data. This is mostly used by secured agencies and organizations which for transmitting secured data.
- ONE-WAY HASH FUNCTIONS: One-way hash functions are mathematical algorithms that transform an input message into a message of fixed length. The key to the security of hash functions is that the inverse of the hash function must be impossible to prove.
- MESSAGE AUTHENTICATION CODES: MACs are data blocks appended to messages to protect the authentication and integrity of messages. MACs typically depend on the use of one-way hash functions.
- RANDOM NUMBER GENERATORS: An unpredictable sequence of numbers that is produced by a mathematical algorithm.
LEGAL CHALLENGES IN ENCRYPTION
Encryption Law or Cryptography Law deals with legislation ensuring that information is secure and transmitted confidentially, as well as policies designed to keep secure encryption schemes are out of the hands of unauthorized individuals and foreign powers. The agencies have implemented several tools to transform data via encryption technology to prevent unauthorized access or modification of sensitive governmental and public information.
EXPORT CONTROL LAWS
Export control laws restrict the export of cryptography methods within a country to other countries or commercial entities. These laws often relate to matters of national security, but can also relate to private or commercial matters. To protect cryptography for military use, there are international export control agreements such as the Wassenaar Arrangement which requires disclosures by member nations of any military technology exported to other countries, including cryptography technology.
IMPORT CONTROL LAWS
Import control laws pertaining to cryptography restrict the use of certain types of cryptography within a country. These laws are designed to go hand-in-hand with international agreements to discourage the importation of cryptography from other nations. It also helps to protect international business interests by allowing governments to prohibit the importation of private sector encryption technologies that could jeopardize legitimate business interests and allow for unfair competition.
Some cryptography law deals with the use of cryptography tools that are patented. These laws pertain to protecting intellectual property that allows for different forms of encryption, such as technologies for securing electronic financial transactions, keeping E-mail communications private or authenticating web sites. These often go hand-in-hand with import laws designed to protect intellectual property from illegal import and use in another country without the permission of the inventor.
SEARCH AND SEIZURE
A final area of interest to cryptography laws are issues related to search and seizure. These are often criminal constitutional issues regarding under what circumstances a person can be compelled to decrypt data files or reveal an encryption key to allow investigators to compile a case against that individual. This is a hotly contested area of encryption law given the competing interests in protecting the public and national security versus the constitutional protections against self-incrimination and for due process.
It is an arrangement whereby a copy of the key that enables the content of a document to be subsequently recovered, is held securely by a third party. Licensed key escrow refers to a system where a copy of the key is held by a trusted third party, who has satisfied the stringent regulations concerning maintenance and custody of client keys, generally – but not always – the company that is providing the encryption service.
ENCRYPTION IN INDIA
Encryption in India is a hotly debated and very confusing subject. The government has issued one standard, but individuals and organizations follow completely different standards. According to a note issued by the Department of Telecommunications ("DOT") in 2007, the use of bulk encryption is not permitted by Licensees, but nevertheless Licensees are still responsible for the privacy of consumers' data (section 32.1). The same note pointed out that encryption up to 40 bit key length in the symmetric key algorithms is permitted, but any encryption higher than this may be used only with the written permission of the Licensor. Furthermore, if higher encryption is used, the decryption key must be split into two parts and deposited with the Licensor. The 40 bit key standard was previously established in 2002 in a note submitted by the DOT: "License Agreement for Provision of Internet Service (including Internet Telephony)' issued by Department of Telecommunications" Though a 40 bit standard has been established, there are many sectors that do not adhere to this rule.
Below are a few sectoral examples:
1. BANKING: 'Report on Internet Banking' by the Reserve Bank of India 22 June 2001: "All transactions must be authenticated using a user ID and password. SSL/128 bit encryption must be used as the minimum level of security. As and when the regulatory framework is in place, all such transactions should be digitally certified by one of the licensed Certification Authorities."
2. TRADE: The following advanced security products are advisable: «Microprocessor based SMART cards, Dynamic Password (Secure ID Tokens), 64 bit/128 bit encryption»
3. TRAINS: 'Terms & Conditions' for online Railway Booking 2010: "Credit card details will travel on the Internet in a fully encrypted (128 bit, browser independent encryption) form. To ensure security, your card details are NOT stored in our Website." The varying level of standards poses a serious obstacle to Indian business, as foreign countries do not trust that their data will be secure in India. Also, the differing standards will pose a compliance problem for Indian businesses attempting to launch their services on the cloud.
NATIONAL SECURITY AND ENCRYPTION
Encryption is a subject matter that causes governments a great deal of concern. For example in order to preserve foreign policy and in national security interests, the US maintains export controls on encryption items. This means that a license is required to export or reexport identified items. Though the Indian government currently does not have an analogous system, it would be prudent to consider one. Though the government is aware of the connection between encryption and national security, it seems to be addressing it by setting a low standard for the public which enables it to monitor communications etc. easily. It is important to remember though that today we live in a digital age where there are no boundaries. One cannot encrypt data at 40 bits in India and think it is safe, because that encryption can be broken everywhere else in the world. Despite the fact that there are no boundaries in the digital age, users of the internet and communication technologies are subject to different and potentially inconsistent regulatory and self-regulatory data security frameworks and consequently different encryption standards.
One way to overcome this problem could be to set in fact a global standard for encryption that would be maximal for the prevention of data leaks. For instance, there are existing algorithms that are royalty free and available to the global public such as the Advanced Encryption Standard algorithm, which is available worldwide. The public disclosure and analysis of the algorithm bolsters the likelihood that it is genuinely secure, and its widespread use will lead to the expedited discovery of vulnerabilities and accelerated efforts to resolve potential weaknesses. Another concern that standardized encryption levels would resolve is the problem of differing export standards and export controls. As seen by the example of the US, industrialized nations often restrict the export of encryption algorithms that are of such strength that they are considered "dual use" – in other words, algorithms that are strong enough to be used for military as well as commercial purposes. Some countries require that the keys be shared, while others take a hands-off approach. In India joining a global standard or creating a national standard of maximum strength would work to address the current issue of inconsistencies among the required encryption levels.
Section 69 of the Information Technology Act, as amended by the Information Technology (Amendment) Act, 2008, empowers the central and state government to compel assistance from any "subscriber or intermediary person in charge of computer resource" in decrypting information. Failure to comply is punishable by up to seven years imprisonment and/or a fine. There are no strict laws in the Indian Parlance, however there was a National Encryption Policy Draft, it has been withdrawn because of multiple issues which are yet to be resolved. The national policies are yet to be amended to incorporate a better standpoint.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.