
Changing Face of Encryption Standards in India

PCQ Bureau

Today people use the Internet for almost anything, from booking air tickets,
mobile recharges and communication to even acts of terrorism. With so much
critical information being exchanged over the Internet, concern about the
security of data in transit is rising.


Securing data in transit

This is where encryption comes in. Encryption uses an algorithm called a cipher
to scramble information in plaintext form into an unreadable form called
ciphertext. The ciphertext makes sense only to someone who possesses the
decryption key; with that key, the ciphertext is converted back into readable
plaintext. The more complex the encryption algorithm, the harder it is for an
attacker who intercepts the data in transit to read it. Governments of most
developed countries allow the use of strong encryption, with key lengths from
128 bits to 256 bits or more, to secure sensitive information exchanged over
networks. Where terrorist communication or other rogue activity needs to be
decrypted and read for security reasons, security agencies achieve this with
highly sophisticated technology and decryption intelligence.

IT Amendment Act 2008 vis-a-vis encryption norms in India

“Under the amended IT Act 2008, Section 84A, Govt has a chance to make a
separate encryption policy. This would be formed under the IT Act and not as
part of the ISP's license. The DoT's ISP license puts forth that it is the ISP
operator who is liable to enforce 40-bit encryption. Now, under the amended IT
Act, an encryption policy can be created which can be independent of telecom
guidelines, and DSCI has been requesting that encryption of higher strength
should be permitted for end users. When it comes to encryption, there are two
things: one is the end user who is encrypting information; the other is systems
like Blackberry that provide encryption between the end user and the Blackberry
server. And then there is bulk encryption, i.e. point-to-point encryption
provided by ISPs. The encryption policy should be looking into all this, and
also into situations like an imminent terrorist communication, etc, where Govt
requires decrypted information.”

Kamlesh Bajaj, CEO, DSCI

Encryption norms in India

The encryption norms put forth by the Department of Telecom (DoT) and the
Department of Information Technology (DIT) are as follows:


The ISP license issued in 1998-99 by DoT limits the level of encryption to a
40-bit key length; to use more than this prescribed limit, written permission
from DoT is required, with mandatory deposit of the decryption key with DoT.
There is also an obligation on ISPs to ensure that bulk encryption is not
deployed.

The IT Amendment Act passed in 2008, which amended the IT Act of 2000 and came
into effect on 27 October 2009, added Section 84A, which says that the Central
Govt may, for the secure use of the electronic medium and for the promotion of
e-Governance and e-commerce, prescribe the modes or methods of encryption.

Section 69 of the IT Act 2000 empowers the Central Government, State Government
or its authorized agency to intercept, monitor or decrypt any information
generated, transmitted, received or stored in any computer resource if it is
necessary or expedient to do so in the interest of the sovereignty or integrity
of India, the defence of India, the security of the State, friendly relations
with foreign States or public order, or for preventing incitement to the
commission of any cognizable offence or for the investigation of any offence.


Why 40-bit encryption standard for ISPs?

The 40-bit encryption standard is outdated today, as it can be easily cracked.
This creates vulnerability, especially for e-commerce and e-Governance. The law
of the land says that ISPs must use only 40-bit encryption, but most e-commerce
and e-Governance websites, including RBI's website, use a higher encryption
standard, as it is not possible to conduct e-transactions securely with 40-bit
encryption.
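To make concrete why the article says a 40-bit key can be easily cracked while the 128-bit to 256-bit keys mentioned earlier on the page cannot, here is an added example; it is not code from PCQuest or from any of the bodies quoted. It builds a toy cipher from SHA-256 (constructed for illustration only, not a real standard and not suitable for protecting data), shows the plaintext/ciphertext/decryption-key cycle the page describes, then runs an exhaustive key search against a 16-bit key, which finishes in well under a second, and extrapolates the average search time to 40, 128 and 256 bits at the measured rate. Every extra key bit doubles the work: 40 bits is 2^24 times more than 16 bits, which modern hardware exhausts in hours at most, while 128 bits is beyond any conceivable computation. The function names, the message and the 16-bit key are constructed sample values.

```python
"""Why key length matters: exhaustive key search against a toy cipher.

Added example, not from the PCQuest article. The cipher below is a toy
keystream construction built from SHA-256 for illustration only; it is not a
real standard and must not be used to protect data. All sample values are
constructed.
"""
import hashlib
import time


def keystream(key: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from `key` by hashing key || counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Scramble plaintext into ciphertext by XOR with the keyed keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is encryption with the same key."""
    return encrypt(key, ciphertext)


def exhaustive_search(key_bits: int, ciphertext: bytes, known_prefix: bytes):
    """Try every key of `key_bits` bits until one decrypts to the known prefix.

    Returns (recovered_key, keys_tried). This is the brute force the article
    means by "cracked"; it is only run here at toy sizes, because the running
    time doubles with every added key bit. An 8-byte known prefix keeps the
    chance of a false match negligible.
    """
    key_len = (key_bits + 7) // 8
    for candidate in range(1 << key_bits):
        key = candidate.to_bytes(key_len, "big")
        if decrypt(key, ciphertext[: len(known_prefix)]) == known_prefix:
            return key, candidate + 1
    return None, 1 << key_bits


def expected_seconds(key_bits: int, keys_per_second: float) -> float:
    """Average time to find a `key_bits`-bit key at a given trial rate.

    On average half the key space must be searched, hence 2^(bits-1).
    """
    return (2 ** (key_bits - 1)) / keys_per_second


def demo():
    message = b"fund transfer ok"           # constructed sample plaintext
    key_16 = (0x1234).to_bytes(2, "big")    # constructed 16-bit key, small enough to search here
    ct = encrypt(key_16, message)
    assert decrypt(key_16, ct) == message   # round trip with the right key

    start = time.perf_counter()
    found, tried = exhaustive_search(16, ct, message[:8])
    elapsed = time.perf_counter() - start
    rate = tried / elapsed if elapsed > 0 else float("inf")

    print(f"16-bit key recovered: {found.hex()} after {tried} trials in {elapsed:.3f}s")
    print(f"measured rate: {rate:.0f} keys/s on this machine")
    for bits in (40, 128, 256):
        print(f"{bits:>3}-bit key at that rate: {expected_seconds(bits, rate):.3e} s on average")
    return found


if __name__ == "__main__":
    demo()
```

Run it with `python3 keylength_demo.py`; the printed rate is for this toy cipher on one CPU core, so treat the extrapolated times as an order-of-magnitude illustration, not a benchmark of any real cipher.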

40-bit Encryption Standard for ISPs

“The 40-bit encryption limit is what is legally permitted in our country, and
this is more of a tragedy, as banks are using anything from 128 to 256 bits.
40-bit encryption is followed more in breach than in observance. The IT
Amendment Act, 2008 has given the central Govt the discretion to prescribe the
modes or methods of encryption for the secure use of the electronic medium and
for the promotion of e-Governance and e-Commerce. But as on date, Govt has not
prescribed any specific modes of encryption. And somewhere down the line I
think the law under the IT Act must be amended again, because you can't deal
with the entire complex subject of encryption only by coming up with one small
provision, 84A. You need to have detailed provisions on how you will control
encryption, the legal consequences if you misuse encryption, what kind of
offences pertaining to encryption are to be classified by law, how they will
be enforced, and how they will be investigated, detected and prosecuted. These
are all critical issues that need to be addressed.”

Pavan Duggal, Advocate, Supreme Court of India, and President, Cyberlaws.Net

“When the Internet license was drafted, policy makers like DoT prescribed
40-bit encryption for ISPs. Since then, the licensing condition specifying
40-bit encryption has remained the same. In order to curb misuse and crime in
cyberspace, law enforcement agencies and policy makers should always be one
step ahead of cyber criminals. For the sake of the security of the nation and
of individual users, security agencies must update themselves with the
intelligence of higher encryption rather than asking users or service
providers to submit the decryption key. With the IT Act amended in 2008, we
hope that this issue will be addressed and that soon a new policy allowing a
higher encryption standard will come into force.”

Rajesh Chharia, President, Internet Service Providers Association of India

Indian regulatory bodies like SEBI and RBI have mandated encryption standards
greater than 40-bit. SEBI's Committee on Internet Based Securities Trading and
Services urges that DoT should freely allow 128-bit encryption to ensure safety
and build investor trust in the Internet-based trading system. RBI guidelines on
Internet Banking make 128-bit SSL encryption mandatory as the minimum level of
security for securing browser-to-web-server communications and for encrypting
sensitive data like passwords in transit within the enterprise itself. Why,
then, does the ISP license limit the encryption standard to a 40-bit key
length?


In the past, Indian security agencies were said to have had trouble decrypting
anything beyond a 40-bit key length and hence required decryption keys. “Govt
may not have the bandwidth to decrypt all the communications happening over the
Internet, but in specific cases where there is an imminent terrorist
communication or a fake money transaction, they should be able to decrypt it
for the sake of security,” says Rajat Khare, Director, Appin Group of
Companies. “It has happened in the past that communication which was very
sensitive could not be decrypted. The need of the hour is to upgrade our
infrastructure to be able to decrypt at Govt level, and also to allow the ISPs
to take necessary encryptions at their end,” he adds.

The laws around encryption in India are evolving, and stakeholders are eagerly
looking forward to the encryption policy that Govt will come out with, along
with a higher encryption standard. On the other side, Govt should also beef up
its security agencies' cryptography know-how to ensure that a lack of knowledge
doesn't compromise national security.
