INFORMATION TECHNOLOGY ACT 2000 AN OVERVIEW. PRESENTATION OVERVIEW Need for the law Legal issues regarding offer, Acceptance and conclusion of contract.

Presentation transcript:

INFORMATION TECHNOLOGY ACT 2000 AN OVERVIEW

PRESENTATION OVERVIEW Need for the law Legal issues regarding offer, Acceptance and conclusion of contract Issues of Digital Signature Public Key infrastructure Certifying Authorities.

Preamble of IT Act, 2000 An Act to provide Legal Recognition for E-Commerce: EDI transactions and Electronic communications; Use of alternatives to paper based methods of communication and storage of information. To facilitate electronic filing of documents with the Government agencies. And further to amend the Indian Penal Code, The Indian Evidence Act, 1872, The Bankers Books Evidence Act, 1891 & RBI Act 1934.

Components of the Act Legal Recognition to Digital Signatures Electronic Governance Mode of Attribution, Acknowledgement and Despatch of Electronic Records. Secure Electronic Records. Regulation of Certification Authorities. Digital Certificates.

Components of the Act (Cont) Duties of subscribers Penalties and Adjudication Offences Protection to Network Service Providers in certain situations.

Definitions – terms defined in the Act Access Addressee Computer Computer Resource Data Electronic Form Information Intermediary Secure System Asymmetric Cryptography Digital Signature.

E-commerce Simply put: E-commerce refers to doing business and transactions over electronic networks prominently the internet. Obviates the need for physical presence Two parties may never know, see or talk to each other but still do business. Has introduced the concept of electronic delivery of products and services. Unmanned round-the-clock enterprises – Available always.

E-Com - Potential Problems Security on Net - Confidentiality, Integrity and Availability. Cyber crimes - Hackers, Viruses Technological Complexities Lack of Information trail Complex cross border Legal Issues Disparate Regulatory Environment and Taxation Policies.

Challenges Protecting Information in Transit Protecting Information in storage Protecting Information in Process Availability and Access to information to those Authorised.

Concerns in E-Transactions Confidentiality Integrity Availability

Confidentiality concerns Eavesdropping Wire Tapping Active/Passive snooping Shoulder Surfing

Integrity Attacks Data Diddling Buffer Overflow Used to insert malicious code Channel violation Spoofing

Availability Threats Denial of Service (DDOS) Ping of Death SYN Flooding Remote Shut Down

Tools and Techniques Key Loggers Password Crackers Mobile Code Trap Doors Sniffers Smurf (Ping tools)

Tools and Techniques Viruses – Exe, Script, Datafile, Macro Worms Trojan Horse Logic Bombs Remote Access Trojans

Attacks on Cryptosystems Cipher-text only attacks Known plain text attacks Brute Force Attacks Man-in-middle attacks

Social Engineering The best bet ever Trickery and Deceit Targeting Gullible victims Most effective – can penetrate the most secure technologies

Parameters Data Confidentiality User Authentication Data Origin Authentication Data Integrity Non Repudiation.

Legal Recognition of Digital Signature All information in electronic form which requires affixing of signature for legal recognition now satisfies if authenticated by affixing digital signature. Applicability includes: Forms, licences, permits, receipt/payment of money.

DIGITAL SIGNATURES.

How Digital Signature Works XYZ wants to send a message relating to new Tender to DOD. XYZ computes message digest of the plain text using a Hash Algorithm. XYZ encrypts the message digest with his private key yielding a digital signature for the message. XYZ transmits the message and the digital signature to DOD.

Digital Signatures (Cont) When DOD receives the message, DOD computes the message digest of the message relating to plain text, using same hash functions. DOD decrypts the digital signature with XYZ’s public key. If the two values match, DOD is assured that: a. The originator of the message is XYZ and no other person. b. Message contents have not been tampered with.

Digital Signatures - How & Why
Integrity, Authentication and Non Repudiation
1. Achieved by use of Digital Signatures.
2. If a message can be decrypted by using a particular sender's public key it can be safely presumed that the message was encrypted with that particular sender's private key.
3. A message digest is generated by passing the message through a one-way cryptographic function, i.e. it cannot be reversed.

Digital Signatures - How & Why
4. When combined with message digest, encryption using private key allows users to digitally sign a message.
5. When the digest of the message is encrypted using the sender's private key and is appended to the original message, the result is known as the Digital Signature of the message.
6. Changing one character of the message changes the message digest in an unpredictable way.
7. Recipient can be sure that the message was not changed after the message digest was generated if the message digest remains unaltered.
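The sign-and-verify flow from the digital signature slides above, as an added example that is not part of the original presentation: textbook RSA over a SHA-256 digest, using fixed toy primes constructed here (insecure by design). Function and variable names are assumptions; production systems use a padded scheme such as RSA-PSS from a vetted library rather than raw exponentiation.

```python
import hashlib

# Toy key material (constructed for this example): two Mersenne primes.
# Their special form makes them unsafe for real use; real keys come from a
# vetted library and a random prime search.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest(message: bytes) -> int:
    """Message digest from a one-way hash (SHA-256), as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Sender (XYZ): transform the digest with the private key."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient (DOD): recover the digest with the public key and compare
    it with a freshly computed digest of the received message."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


XYZ_PUBLIC, XYZ_PRIVATE = make_keypair()
# A second, unrelated key pair standing in for some other sender.
OTHER_PUBLIC, OTHER_PRIVATE = make_keypair(2**127 - 1, 2**521 - 1)

if __name__ == "__main__":
    tender = b"Tender 42: XYZ bids Rs 10,00,000"  # constructed sample message
    sig = sign(tender, XYZ_PRIVATE)
    print("genuine message :", verify(tender, sig, XYZ_PUBLIC))
    altered = tender.replace(b"10", b"90")  # tampering after signing
    print("message altered :", verify(altered, sig, XYZ_PUBLIC))
    forged = sign(tender, OTHER_PRIVATE)  # signed with someone else's key
    print("wrong signer    :", verify(tender, forged, XYZ_PUBLIC))
```

The second and third checks fail for different reasons: the altered message produces a different digest, while the forged signature does not recover the right digest under XYZ's public key.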

Digital Signatures Central Government is conferred with powers to make rules in respect of Digital Signatures. Rules would prescribe Type of Digital Signature, Manner and form in which Digital Signature shall be affixed and procedure for identifying the person affixing the Digital Signature.

Enabling Principles of Electronic Commerce Legal Recognition of Electronic Record. Legal requirement of Information to be in writing shall be deemed to be satisfied if it is: a. Rendered or made available in an electronic form. b. Accessible so as to be usable for subsequent reference.

RETENTION OF ELECTRONIC RECORDS. Requirements of law as regards retention of records met even if in electronic form and if the: Information therein is accessible and usable. In original format or ensure accuracy Details as to Origin, Destination, Date and Time of Dispatch and Receipt of Electronic records are maintained.

Applicability of the Act Does not apply to: Negotiable Instrument Act Power of Attorney Act Trusts Will Contract for sale/conveyance of immovable property. Any other transactions that may be notified.

Public Key Infrastructure CERTIFYING AUTHORITIES CA is a person who has been granted a license to issue Digital Signature Certificate by the Controller. CA are licensed by the Controller on satisfaction of certain conditions and an approved Certification Practice Statement.

CERTIFICATION PRACTICE STATEMENT CAs shall generate and manage Digital Certificates and signatures in accordance with approved CPS. The controller shall issue a guide for preparation of Certification Practice Statement and any changes require approval.

KEY MANAGEMENT Cryptographic keys provide the basis for the functioning of Digital certificate and Authentication of Digital Signatures. Keys must be adequately secured at every stage: Key generation, distribution, storage, usage, backup, Archival. CAs should take necessary precautions to prevent loss, disclosure, modification or unauthorised use. CA should use trustworthy Hardware, Software and encryption techniques approved by the controller for all operations requiring use of private key.

Information Technology – Security Procedure and Guideline Rules prescribe Physical and operational security Information Management Systems Integrity, risks and integrity controls Audit trail and verifications Data centre operations security Change Management Guidelines.

Offences Without permission: Accesses or secures access to computer, computer system or computer network. Downloads, copies or extracts any data, computer data base or information from such computer resource. Introduces or causes to be introduced any computer contaminant or computer virus into any computer resources. Damages or causes to be damaged any computer resource.

Offences Under the Act Tampering with Computer Source Documents Hacking with computer System Publishing of information which is obscene in Electronic form.

Who is liable Every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business shall be guilty of the contravention and shall be liable to be proceeded against and punished.

Penalties Up to Rupees Two lakh with Imprisonment. Up to rupees one crore in case of impersonation and masquerading crimes involving Legal bodies - Adjudicating officer, The Cyber Regulations Appellate Tribunal.