INFORMATION TECHNOLOGY ACT 2000 AN OVERVIEW

Slides: 37
Provided by: Chitra

Transcript and Presenter's Notes

1
INFORMATION TECHNOLOGY ACT 2000 AN OVERVIEW
2
PRESENTATION OVERVIEW
  • Need for the law
  • Legal issues regarding offer, acceptance and
    conclusion of contract
  • Issues of Digital Signature
  • Public Key Infrastructure
  • Certifying Authorities.

3
Preamble of IT Act, 2000
  • An Act to provide legal recognition for
    e-commerce, EDI transactions and electronic
    communications
  • Use of alternatives to paper-based methods of
    communication and storage of information.
  • To facilitate electronic filing of documents with
    the Government agencies.
  • And further to amend
    • the Indian Penal Code
    • the Indian Evidence Act, 1872
    • the Bankers' Books Evidence Act, 1891
    • the RBI Act, 1934.

4
Components of the Act
  • Legal Recognition to Digital Signatures
  • Electronic Governance
  • Mode of Attribution, Acknowledgement and Despatch
    of Electronic Records.
  • Secure Electronic Records.
  • Regulation of Certification Authorities.
  • Digital Certificates.

5
Components of the Act (Cont)
  • Duties of subscribers
  • Penalties and Adjudication
  • Offences
  • Protection to Network Service Providers in
    certain situations.

6
Definitions: terms defined in the Act
  • Access
  • Addressee
  • Computer
  • Computer Resource
  • Data
  • Electronic Form
  • Information
  • Intermediary
  • Secure System
  • Asymmetric Cryptography
  • Digital Signature.

7
E-commerce
  • Simply put, e-commerce refers to doing business
    and transactions over electronic networks, most
    prominently the internet.
  • Obviates the need for physical presence
  • Two parties may never know, see or talk to each
    other but still do business.
  • Has introduced the concept of electronic delivery
    of products and services.
  • Unmanned round-the-clock enterprises, available
    always.

8
E-Com: Potential Problems
  • Security on the Net: Confidentiality, Integrity and
    Availability.
  • Cyber crimes: hackers, viruses
  • Technological complexities
  • Lack of information trail
  • Complex cross-border legal issues
  • Disparate regulatory environment and taxation
    policies.

9
Challenges
  • Protecting Information in Transit
  • Protecting Information in storage
  • Protecting Information in Process
  • Availability and Access to information to those
    Authorised.

10
Concerns in E-Transactions
  • Confidentiality
  • Integrity
  • Availability

11
Confidentiality concerns
  • Eavesdropping
  • Wire Tapping
  • Active/Passive
  • E-mail snooping
  • Shoulder Surfing

12
Integrity Attacks
  • Data Diddling
  • Buffer Overflow
    • Used to insert malicious code
  • Channel violation
  • Spoofing

13
Availability Threats
  • Denial of Service (DDoS)
  • Ping of Death
  • SYN Flooding
  • Remote Shut Down

14
Tools and Techniques
  • Key Loggers
  • Password Crackers
  • Mobile Code
  • Trap Doors
  • Sniffers
  • Smurf (Ping tools)

15
Tools and Techniques
  • Viruses
    • Exe, Script, Datafile, Macro
  • Worms
  • Trojan Horse
  • Logic Bombs
  • Remote Access Trojans

16
Attacks on Cryptosystems
  • Cipher-text only attacks
  • Known plain text attacks
  • Brute Force Attacks
  • Man-in-the-middle attacks

17
Social Engineering
  • The best bet ever
  • Trickery and deceit
  • Targeting gullible victims
  • Most effective: can penetrate the most
    secure technologies

18
Parameters
  • Data Confidentiality
  • User Authentication
  • Data Origin Authentication
  • Data Integrity
  • Non Repudiation.

19
Legal Recognition of Digital Signature
  • All information in electronic form which requires
    affixing of a signature for legal recognition now
    satisfies that requirement if authenticated by
    affixing a digital signature.
  • Applicability includes
    • Forms, licences, permits, receipt/payment of
      money.

20
DIGITAL SIGNATURES

21
How Digital Signature Works
  • XYZ wants to send a message relating to a new
    tender to DOD.
  • XYZ computes the message digest of the plain text
    using a hash algorithm.
  • XYZ encrypts the message digest with his private
    key, yielding a digital signature for the message.
  • XYZ transmits the message and the digital
    signature to DOD.

22
Digital Signatures (Cont)
  • When DOD receives the message, DOD computes the
    message digest of the plain text using the same
    hash function.
  • DOD decrypts the digital signature with XYZ's
    public key.
  • If the two values match, DOD is assured that
    a. the originator of the message is XYZ and no
       other person;
    b. the message contents have not been tampered
       with.

23
Digital Signatures- How Why
  • Integrity, Authentication and Non-Repudiation
  • Achieved by use of Digital Signatures
  • If a message can be decrypted by using a
    particular sender's public key, it can be safely
    presumed that the message was encrypted with that
    particular sender's private key.
  • A message digest is generated by passing the
    message through a one-way cryptographic
    function, i.e. it cannot be reversed.

24
Digital Signatures- How Why
  1. When combined with a message digest, encryption
    using the private key allows users to digitally
    sign a message.
  2. When the digest of the message is encrypted using
    the sender's private key and is appended to the
    original message, the result is known as the
    Digital Signature of the message.
  3. Changing one character of the message changes the
    message digest in an unpredictable way.
  4. The recipient can be sure that the message was not
    changed after the message digest was generated if
    the message digest remains unaltered.
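The signing and verification flow of slides 21 to 24, as an added example that is not part of the presentation. It uses textbook RSA over two fixed Mersenne primes with only the Python standard library so it runs offline; the key, the tender message and the function names are constructed for illustration, and a real CA-issued signature adds a padding scheme (PKCS#1 v1.5 or PSS) and a randomly generated key of at least 2048 bits.

```python
import hashlib

# Constructed textbook-RSA key for the classroom flow on the slides.  The two
# Mersenne primes are fixed so the example runs offline with only the standard
# library; a CA-issued key uses random primes of 2048 bits or more and padding.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                                  # public modulus (about 648 bits)
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, known to XYZ only


def message_digest(message: bytes) -> int:
    """Slide 21, step 2: hash the plain text to a fixed-size digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_exp: int = D, modulus: int = N) -> int:
    """Slide 21, step 3: 'encrypt' the digest with the sender's private key."""
    return pow(message_digest(message), private_exp, modulus)


def verify(message: bytes, signature: int, public_exp: int = E, modulus: int = N) -> bool:
    """Slide 22: DOD recomputes the digest and 'decrypts' the signature with
    XYZ's public key; equality shows origin (only the holder of D could have
    produced it) and integrity (any change alters the digest)."""
    return pow(signature, public_exp, modulus) == message_digest(message)


def demo() -> dict:
    """Genuine, tampered and forged cases for a constructed tender message."""
    tender = b"XYZ to DOD: bid for tender T-42 is Rs. 10,00,000"   # constructed
    sig = sign(tender)
    altered = b"XYZ to DOD: bid for tender T-42 is Rs. 1,00,000"    # one digit dropped
    # A party without D cannot sign; using the public exponent in its place fails.
    forged = pow(message_digest(tender), E, N)
    return {
        "genuine": verify(tender, sig),
        "tampered": verify(altered, sig),
        "forged": verify(tender, forged),
        "digest_changed": message_digest(tender) != message_digest(altered),
    }


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'tampered': False, 'forged': False, 'digest_changed': True}
```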

25
Digital Signatures
  • Central Government is conferred with powers to
    make rules in respect of Digital Signatures.
    Rules would prescribe Type of Digital Signature,
    Manner and form in which Digital Signature shall
    be affixed and procedure for identifying the
    person affixing the Digital Signature.

26
Enabling Principles of Electronic Commerce
  • Legal Recognition of Electronic Record.
  • Legal requirement of information to be in
    writing shall be deemed to be satisfied if it is
    • rendered or made available in an electronic form;
    • accessible so as to be usable for subsequent
      reference.

27
RETENTION OF ELECTRONIC RECORDS.
  • Requirements of law as regards retention of
    records are met even if in electronic form, if
    • the information therein is accessible and usable;
    • it is in the original format, or its accuracy is
      ensured;
    • details as to origin, destination, date and time
      of dispatch and receipt of electronic records are
      maintained.

28
Applicability of the Act
  • Does not apply to
    • Negotiable Instruments Act
    • Power of Attorney Act
    • Trusts
    • Wills
    • Contracts for sale/conveyance of immovable
      property.
    • Any other transactions that may be notified.

29
Public Key Infrastructure
  • CERTIFYING AUTHORITIES
  • A CA is a person who has been granted a licence to
    issue Digital Signature Certificates by the
    Controller.
  • CAs are licensed by the Controller on satisfaction
    of certain conditions and an approved
    Certification Practice Statement.

30
CERTIFICATION PRACTICE STATEMENT
  • CAs shall generate and manage Digital
    Certificates and signatures in accordance with
    approved CPS.
  • The Controller shall issue a guide for
    preparation of the Certification Practice Statement,
    and any changes require approval.

31
KEY MANAGEMENT
  • Cryptographic keys provide the basis for the
    functioning of Digital Certificates and
    authentication of Digital Signatures.
  • Keys must be adequately secured at every stage:
    • key generation, distribution, storage, usage,
      backup, archival.
  • CAs should take necessary precautions to prevent
    loss, disclosure, modification or unauthorised use.
  • CAs should use trustworthy hardware, software and
    encryption techniques approved by the Controller
    for all operations requiring use of the private key.

32
Information Technology Security Procedure and
Guideline
  • Rules prescribe
    • Physical and operational security
    • Information Management
    • Systems Integrity, risks and integrity controls
    • Audit trail and verifications
    • Data centre operations security
    • Change Management Guidelines.

33
Offences
  • Without permission of the owner or person in charge:
    • Accesses or secures access to a computer, computer
      system or computer network
    • Downloads, copies or extracts any data, computer
      database or information from such computer
      resource.
    • Introduces or causes to be introduced any
      computer contaminant or computer virus into any
      computer resource
    • Damages or causes to be damaged any computer
      resource.

34
Offences Under the Act
  • Tampering with Computer Source Documents
  • Hacking with computer system
  • Publishing of information which is obscene in
    Electronic form.

35
Who is liable
  • Every person who,
    • at the time the contravention was committed,
    • was in charge of, and was responsible to, the
      company for the conduct of its business,
  • shall be guilty of the contravention and shall be
    liable to be proceeded against and punished.

36
Penalties
  • Up to Rupees two lakh with imprisonment.
  • Up to Rupees one crore in case of impersonation
    and masquerading crimes, involving the legal
    bodies: Adjudicating Officer, the Cyber Regulations
    Appellate Tribunal.