
Changing Face of Encryption Standards in India

PCQ Bureau

Today people use the Internet for everything from booking air tickets and recharging mobile phones to communication, and even for acts of terrorism. With so much critical information being exchanged over the Internet, the security of data in transit has become a rising concern.


Securing data in transit



This is where encryption comes in. Encryption uses an algorithm, called a cipher, together with a key to scramble readable plaintext into an unreadable form called ciphertext. The ciphertext makes sense only to someone who holds the decryption key, which converts it back into plaintext. An attacker who intercepts the data in transit can still capture it; what encryption does is make the captured data useless to him. How hard it is to recover the plaintext without the key depends on the soundness of the cipher and, above all, on the length of the key: every extra bit doubles the number of keys an attacker has to try. Governments of most developed countries allow strong encryption, with key lengths of 128 to 256 bits or more, to protect sensitive information exchanged over networks. Where terrorist communication or other rogue activity needs to be decrypted and read for security reasons, security agencies rely on sophisticated technology and decryption intelligence.

IT Amendment Act 2008 vis-a-vis encryption norms in India

“Under the amended IT Act 2008, Section 84A, Govt has a chance to make a separate encryption policy. This would be formed under the IT Act and not as part of the ISP's license. The DoT's ISP license puts forth that it is the ISP operator who is liable to enforce 40-bit encryption. Now, under the amended IT Act, an encryption policy can be created which can be independent of telecom guidelines, and DSCI has been requesting that encryption of higher strength should be permitted for the end users. When it comes to encryption, there are two things — one is the end user who is encrypting information, the other is systems like BlackBerry that provide encryption between the end user and the BlackBerry server. And then there is bulk encryption, i.e. point-to-point encryption provided by ISPs. The encryption policy should be looking into all this and also into situations like an imminent terrorist communication, etc., where Govt requires decrypted information.”

Kamlesh Bajaj, CEO, DSCI

Encryption norms in India



The encryption norms put forth by the Department of Telecom (DoT) and the Department of Information Technology (DIT) are as follows:


The ISP license issued by DoT in 1998-99 limits encryption to a 40-bit key length. Anything stronger requires written permission from DoT, along with mandatory deposit of the decryption key with DoT. ISPs are also obliged to ensure that bulk encryption is not deployed.

The IT Amendment Act 2008, which amended the IT Act 2000 and came into effect on 27 October 2009, added Section 84A. It says that the Central Govt may, for the secure use of the electronic medium and for the promotion of e-Governance and e-commerce, prescribe the modes or methods of encryption.

Section 69 of the IT Act 2000 empowers the Central Government, a State Government or its authorised agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, the defence of India, the security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence or for the investigation of any offence.


Why 40-bit encryption standard for ISPs?



The 40-bit standard is outdated today because it can be cracked by brute force: a 40-bit key space holds only about 1.1 trillion keys, and an attacker who knows or can guess a few bytes of the plaintext can try every one of them with modest computing power, without finding any flaw in the cipher itself. This leaves e-commerce and e-Governance traffic exposed. The law of the land says ISPs may use no more than 40-bit encryption, yet most e-commerce and e-Governance websites, including RBI's, use stronger encryption, since an e-transaction cannot be conducted securely with a 40-bit key.
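The brute-force argument above, and the description of keys, plaintext and ciphertext under "Securing data in transit", can be made concrete. The following is an added example written for this page, not code from the article or from any of the organisations it quotes. It implements RC4, the cipher most commonly shipped with a 40-bit key in the export-control era (the article itself names no cipher; the argument holds for any cipher with a 40-bit key), encrypts a constructed HTTP request under a constructed 40-bit key, and recovers the key by a known-plaintext search over a reduced number of unknown key bits, extrapolating the measured rate to the full 40-bit space and to a 128-bit space. The key, the message, the guessable header and the shortcut of the attacker already knowing the top key bits are all assumptions made to keep the run short.

```python
"""Added example (not from the original article): known-plaintext brute force
of a 40-bit RC4 key, with the measured rate extrapolated to 40- and 128-bit
key spaces. Standard library only. The key, the HTTP request and the header
below are constructed for this demonstration."""
import time

KEY_BYTES = 5        # 40-bit key: the ceiling in the 1998-99 ISP license
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):                              # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(length)
    i = j = 0
    for n in range(length):                           # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Stream cipher: the same XOR with the keystream encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def brute_force(ciphertext: bytes, known_plaintext: bytes,
                unknown_bits: int, key_high: int = 0):
    """Exhaustively search the low `unknown_bits` bits of a KEY_BYTES-byte key
    whose remaining high bits are `key_high` (unknown_bits=40, key_high=0
    searches the whole 40-bit space). Comparing only the first
    len(known_plaintext) keystream bytes against ciphertext XOR known
    plaintext is what a real attacker does with a guessable header; eight
    known bytes make a false match vanishingly unlikely.
    Returns (key or None, keys_tried, seconds)."""
    target = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    n = len(known_plaintext)
    start = time.perf_counter()
    for guess in range(1 << unknown_bits):
        candidate = ((key_high << unknown_bits) | guess).to_bytes(KEY_BYTES, "big")
        if rc4_keystream(candidate, n) == target:
            return candidate, guess + 1, time.perf_counter() - start
    return None, 1 << unknown_bits, time.perf_counter() - start


def extrapolate(keys_tried: int, seconds: float) -> dict:
    """Scale the measured single-core rate to full 40-bit and 128-bit searches.
    Each added key bit doubles the work, so 128 bits costs 2**88 times 40 bits."""
    rate = keys_tried / max(seconds, 1e-9)
    return {
        "keys_per_second": rate,
        "years_40_bit": (1 << 40) / rate / SECONDS_PER_YEAR,
        "years_128_bit": (1 << 128) / rate / SECONDS_PER_YEAR,
    }


def demo(unknown_bits: int = 16):
    """Constructed scenario: the attacker knows the top (40 - unknown_bits) key
    bits (an assumption to keep the run short) and the request starts with a
    predictable HTTP header."""
    true_key = bytes.fromhex("3a7f1c42b9")            # constructed 40-bit key
    plaintext = (b"GET /account/balance HTTP/1.0\r\n"
                 b"Host: bank.example\r\n\r\n")         # constructed request
    ciphertext = rc4(true_key, plaintext)
    known_header = b"GET /acc"                        # 8 guessable bytes
    key_high = int.from_bytes(true_key, "big") >> unknown_bits
    key, tried, secs = brute_force(ciphertext, known_header, unknown_bits, key_high)
    est = extrapolate(tried, secs)
    print(f"recovered key {key.hex()} after {tried} candidates in {secs:.2f} s")
    print(f"{est['keys_per_second']:,.0f} keys/s in pure Python on one core")
    print(f"full 40-bit space: {est['years_40_bit']:.2f} years at this rate")
    print(f"128-bit space:     {est['years_128_bit']:.2e} years at this rate")
    print(rc4(key, ciphertext).decode())
    return key, est


if __name__ == "__main__":
    demo()
```

Run it with `python3` as is; the search over 16 unknown bits takes a second or two in pure Python. The 40-bit figure it prints is for one interpreted core; optimised code spread over many machines brings the full 40-bit search down to hours, which is what "easily cracked" means in practice, while the 128-bit figure stays astronomically out of reach at any rate. Note that the attack never touches the cipher's internals: the only weakness exploited is the size of the key space.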

40-bit Encryption Standard for ISPs

“The 40-bit encryption limit is what is legally permitted in our country, and this is more of a tragedy as banks are using anything from 128 to 256 bits. 40-bit encryption is being followed more in breach than in observance. The IT Amendment Act, 2008 has given the central Govt the discretion to prescribe the modes or methods of encryption for the secure use of the electronic medium and for the promotion of e-Governance and e-Commerce. But as on date, Govt has not prescribed any specific modes of encryption. And somewhere down the line I think the law under the IT Act must be amended again, because you can't deal with the entire complex subject of encryption only by coming up with one small provision, 84A. You need to have detailed provisions on how you will control encryption, the legal consequences if you misuse encryption, what kind of offences pertaining to encryption are to be classified by law, how they will be enforced, how they will be investigated, detected and prosecuted. These are all critical issues that need to be addressed.”

Pavan Duggal, Advocate, Supreme Court of India, and President, Cyberlaws.Net

“When the Internet license was drafted, the policy makers like DoT prescribed 40-bit encryption to ISPs. Since then, the licensing condition specifying 40-bit encryption has remained the same. In order to curb misuse and crime in cyberspace, the law enforcement agencies and the policy makers should always be one step ahead of cyber criminals. For the sake of the security of the nation and of individual users, security agencies must update themselves with the intelligence of higher encryption rather than asking the users or service providers to submit the decryption key. With the IT Act as amended in 2008, we hope that this issue will be addressed and that soon a new policy allowing a higher encryption standard will come into force.”

Rajesh Chharia, President, Internet Service Providers Association of India

Indian regulatory bodies like SEBI and RBI have mandated encryption stronger than 40-bit. SEBI's Committee on Internet Based Securities Trading and Services urges DoT to freely allow 128-bit encryption to ensure safety and build investor trust in Internet-based trading systems. RBI's guidelines on Internet Banking make 128-bit SSL encryption the mandatory minimum for securing browser-to-web-server communications, and require sensitive data like passwords to be encrypted in transit within the enterprise itself. Why, then, does the ISP license limit encryption to a 40-bit key length?

In the past, Indian security agencies were said to have had trouble decrypting anything beyond a 40-bit key length, and hence required the decryption keys. “Govt may not have the bandwidth to decrypt all the communications happening over the Internet, but in specific cases where there is an imminent terrorist communication or a fake money transaction, they should be able to decrypt it for the sake of security,” says Rajat Khare, Director, Appin Group of Companies. “It has happened in the past that communication which was very sensitive could not be decrypted. The need of the hour is to upgrade our infrastructure to be able to decrypt at Govt level, and also to allow the ISPs to take necessary encryptions at their end,” he adds.

The laws around encryption in India are evolving, and stakeholders are eagerly awaiting the encryption policy that Govt will come out with, along with a higher permitted encryption standard. At the same time, Govt should beef up its security agencies' cryptography know-how, so that a lack of knowledge does not compromise national security.
