INFORMATION TECHNOLOGY ACT 2000


INFORMATION TECHNOLOGY ACT 2000: AN OVERVIEW
PRESENTATION OVERVIEW

• Need for the law
• Legal issues regarding offer, acceptance and conclusion of contract
• Issues of Digital Signature
• Public Key Infrastructure
• Certifying Authorities
Preamble of IT Act, 2000

• An Act to provide legal recognition for e-commerce, EDI transactions and electronic communications
• Use of alternatives to paper-based methods of communication and storage of information
• To facilitate electronic filing of documents with the Government agencies
• And further to amend:
  – Indian Penal Code
  – The Indian Evidence Act, 1872
  – The Bankers' Books Evidence Act, 1891 and RBI Act, 1934
Components of the Act

• Legal Recognition to Digital Signatures
• Electronic Governance
• Mode of Attribution, Acknowledgement and Despatch of Electronic Records
• Secure Electronic Records
• Regulation of Certification Authorities
• Digital Certificates
Components of the Act (Cont)

• Duties of subscribers
• Penalties and Adjudication
• Offences
• Protection to Network Service Providers in certain situations
Definitions: terms defined in the Act

• Access
• Addressee
• Computer
• Computer Resource
• Data
• Electronic Form
• Information
• Intermediary
• Secure System
• Asymmetric Cryptography
• Digital Signature
E-commerce

Simply put: e-commerce refers to doing business and transactions over electronic networks, most prominently the internet.
• Obviates the need for physical presence
• Two parties may never know, see or talk to each other but still do business
• Has introduced the concept of electronic delivery of products and services
• Unmanned round-the-clock enterprises, available always
E-Com: Potential Problems

• Security on the Net: confidentiality, integrity and availability
• Cyber crimes: hackers, viruses
• Technological complexities
• Lack of information trail
• Complex cross-border legal issues
• Disparate regulatory environment and taxation policies
Challenges

• Protecting information in transit
• Protecting information in storage
• Protecting information in process
• Availability and access to information to those authorised
Concerns in E-Transactions

• Confidentiality
• Integrity
• Availability

Confidentiality concerns

• Eavesdropping
• Wire tapping
• Active/passive
• E-mail snooping
• Shoulder surfing
Integrity Attacks

• Data diddling
• Buffer overflow
  – Used to insert malicious code
• Channel violation
• Spoofing
Availability Threats

• Denial of Service (DDoS)
• Ping of Death
• SYN flooding
• Remote shut down
Tools and Techniques

• Key loggers
• Password crackers
• Mobile code
• Trap doors
• Sniffers
• Smurf (ping tools)

Tools and Techniques (Cont)

• Viruses
  – Exe, Script, Datafile, Macro
• Worms
• Trojan Horse
• Logic Bombs
• Remote Access Trojans

Attacks on Cryptosystems

• Cipher-text only attacks
• Known plain-text attacks
• Brute-force attacks
• Man-in-the-middle attacks
Social Engineering: The best bet ever

• Trickery and deceit
• Targeting gullible victims
• Most effective: can penetrate the most secure technologies
Parameters

• Data Confidentiality
• User Authentication
• Data Origin Authentication
• Data Integrity
• Non-Repudiation
Legal Recognition of Digital Signature

• All information in electronic form which requires the affixing of a signature for legal recognition now satisfies that requirement if authenticated by affixing a digital signature.
• Applicability includes: forms, licences, permits, receipt/payment of money.
DIGITAL SIGNATURES
How Digital Signature Works

• XYZ wants to send a message relating to a new tender to DOD.
• XYZ computes the message digest of the plain text using a hash algorithm.
• XYZ encrypts the message digest with his private key, yielding a digital signature for the message.
• XYZ transmits the message and the digital signature to DOD.

Digital Signatures (Cont)

• When DOD receives the message, DOD computes the message digest of the plain text of the message, using the same hash function.
• DOD decrypts the digital signature with XYZ's public key.
• If the two values match, DOD is assured that:
  a. The originator of the message is XYZ and no other person.
  b. Message contents have not been tampered with.
Digital Signatures: How & Why

1. Integrity, authentication and non-repudiation are achieved by the use of digital signatures.
2. If a message can be decrypted by using a particular sender's public key, it can be safely presumed that the message was encrypted with that particular sender's private key.
3. A message digest is generated by passing the message through a one-way cryptographic function, i.e. it cannot be reversed.
4. When combined with a message digest, encryption using the private key allows users to digitally sign a message.
5. When the digest of the message is encrypted using the sender's private key and is appended to the original message, the result is known as the digital signature of the message.
6. Changing one character of the message changes the message digest in an unpredictable way.
7. The recipient can be sure that the message was not changed after the message digest was generated if the message digest remains unaltered.
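The XYZ-to-DOD signing and verification procedure from the slides above, as an added worked example that is not part of the presentation. It assumes a toy RSA key pair built from Mersenne primes (so it runs offline on the standard library), SHA-256 as the hash, and textbook unpadded RSA so that "encrypt the digest with the private key" maps directly onto the code; the tender text is constructed. Beyond the slides' happy path it also shows the tampered-message and wrong-key cases failing verification.

```python
import hashlib

# Toy RSA key pair built from two Mersenne primes (M127 and M521) so the
# example runs on the standard library alone. Constructed for illustration;
# real keys are generated under CA rules and are at least 2048 bits long.
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)

# A second, unrelated pair stands in for someone who is not XYZ (M607, M1279).
P2, Q2 = (1 << 607) - 1, (1 << 1279) - 1
N2, D2 = P2 * Q2, pow(E, -1, (P2 - 1) * (Q2 - 1))

def message_digest(message: str) -> int:
    """Step 1: pass the plain text through a one-way hash (SHA-256)."""
    return int.from_bytes(hashlib.sha256(message.encode()).digest(), "big")

def sign(message: str, d: int, n: int) -> int:
    """Step 2: 'encrypt' the digest with the sender's private key.
    Textbook RSA with no padding, kept bare to mirror the slides; production
    code uses a padded scheme such as RSA-PSS from a vetted library."""
    return pow(message_digest(message), d, n)

def verify(message: str, signature: int, e: int, n: int) -> bool:
    """Receiver side: recompute the digest, 'decrypt' the signature with the
    claimed sender's public key, and compare the two values."""
    return pow(signature, e, n) == message_digest(message)

def tender_exchange() -> dict:
    """XYZ signs a tender message and DOD checks it (message text is constructed)."""
    original = "Tender 17/2000: bid INR 12,00,000 for item B"
    altered = "Tender 17/2000: bid INR 17,00,000 for item B"   # one character changed
    sig = sign(original, D, N)              # what XYZ sends alongside the message
    forged = sign(original, D2, N2)         # same text, but not XYZ's private key
    return {
        "genuine_verifies": verify(original, sig, E, N),        # True
        "tampered_verifies": verify(altered, sig, E, N),        # False: digest differs
        "wrong_key_verifies": verify(original, forged, E, N),   # False: not XYZ's key
        "digest_changed": message_digest(original) != message_digest(altered),
    }

if __name__ == "__main__":
    for check, result in tender_exchange().items():
        print(f"{check:>20}: {result}")
```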
Digital Signatures

The Central Government is conferred with powers to make rules in respect of digital signatures. The rules would prescribe the type of digital signature, the manner and form in which a digital signature shall be affixed, and the procedure for identifying the person affixing the digital signature.
Enabling Principles of Electronic Commerce

a. Legal recognition of electronic records.
b. A legal requirement for information to be in writing shall be deemed to be satisfied if the information is:
   – Rendered or made available in an electronic form.
   – Accessible so as to be usable for subsequent reference.
RETENTION OF ELECTRONIC RECORDS

Requirements of law as regards retention of records are met even if the records are in electronic form, provided that:
• The information therein is accessible and usable.
• It is in the original format, or its accuracy is ensured.
• Details as to origin, destination, date and time of dispatch and receipt of electronic records are maintained.
Applicability of the Act

Does not apply to:
• Negotiable Instruments Act
• Power of Attorney Act
• Trusts
• Wills
• Contracts for sale/conveyance of immovable property
• Any other transactions that may be notified
Public Key Infrastructure: CERTIFYING AUTHORITIES

• A CA is a person who has been granted a licence to issue Digital Signature Certificates by the Controller.
• CAs are licensed by the Controller on satisfaction of certain conditions and an approved Certification Practice Statement.
CERTIFICATION PRACTICE STATEMENT

• CAs shall generate and manage digital certificates and signatures in accordance with the approved CPS.
• The Controller shall issue a guide for preparation of the Certification Practice Statement, and any changes require approval.
KEY MANAGEMENT

• Cryptographic keys provide the basis for the functioning of digital certificates and the authentication of digital signatures.
• Keys must be adequately secured at every stage: key generation, distribution, storage, usage, backup and archival.
• CAs should take necessary precautions to prevent loss, disclosure, modification or unauthorised use.
• CAs should use trustworthy hardware, software and encryption techniques approved by the Controller for all operations requiring use of the private key.
Information Technology: Security Procedure and Guideline

Rules prescribe:
• Physical and operational security
• Information management
• Systems integrity, risks and integrity controls
• Audit trail and verifications
• Data centre operations security
• Change management guidelines
Offences

Without permission:
• Accesses or secures access to a computer, computer system or computer network
• Downloads, copies or extracts any data, computer database or information from such computer resource
• Introduces or causes to be introduced any computer contaminant or computer virus into any computer resource
• Damages or causes to be damaged any computer resource
Offences Under the Act

• Tampering with computer source documents
• Hacking with computer system
• Publishing of information which is obscene in electronic form
Who is liable

Every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business shall be guilty of the contravention and shall be liable to be proceeded against and punished.
Penalties

• Up to Rupees two lakh, with imprisonment.
• Up to Rupees one crore in case of impersonation and masquerading crimes involving legal bodies - Adjudicating Officer, the Cyber Regulations Appellate Tribunal.