ENCRYPTION - PowerPoint PPT Presentation

Slides: 26
Provided by: verizonbus
Transcript and Presenter's Notes

Title: ENCRYPTION


1
Association of Competitive Telecom Operators
Presentation to Department of
Information Technology
Encryption In India
28 March 2009
2
Introduction
  • ACTO is an industry association formed by
    several leading long distance carriers that
    predominately provide data connectivity services
    to the Enterprise market segment
  • Its members provide enterprise services to
    multi-sited corporations, Indian BPO outsourcing
    and ITES sector operating global networks
  • ACTO is committed to further India's
    pro-competitive policies and to partner closely
    with TRAI and DoT to enhance the stakeholders'
    engagement with the specific needs of the
    enterprise segment.
  • ACTO is a registered entity under Societies
    Registration Act.

3
Members & Office Bearers
4
Aims & Objectives
  • To represent the dedicated long distance
    telecom operators / carriers industry to the
    government and regulatory bodies
  • To promote best practice regulations to reflect
    the dynamism of the long distance telecom data
    services sector
  • To promote regulatory certainty for investor
    confidence and consumer benefit
  • To partner with the national and international
    organizations, Governments, regulators,
    stakeholders to further the interest of
    Enterprise Industry segment
  • To advocate for rationalization of Licensing
    and Regulatory framework to keep pace with the
    technological developments

5
INDUSTRY USE
  • Use no longer limited to Government, Military and
    Intelligence Services
  • Businesses, hospitals, utilities, and
    communications companies
  • Encryption to protect their information from
    being compromised.
  • Foundation for E-Commerce and E-Banking

6
LEVEL OF ENCRYPTION IN INDIA
  • Current levels pose major security risks.
  • No Uniformity amongst various Govt. Departments
    and Regulatory Bodies.
  • Department of Telecom permitted levels are not
    uniform with the levels prescribed by other
    regulatory bodies.
  • Inconsistent with the International Standards as
    well.

7
GUIDELINES BY INDIAN REGULATORY BODIES
8
SEBI Guidelines on Internet Trading
  • Mandates the use of Encryption
  • Prescribes 64 bit/128 bit encryption for network
    security.
  • Recommends 128 bit encryption for both WAP based
    securities trading and internet based securities
    trading.
  • Committee on Internet Based Securities Trading
    and Services urges that DOT should freely allow
    128-bit encryption to ensure safety and build
    investor trust.
  • Inclined towards adoption of standards set by the
    Internet Engineering Task Force and the World
    Wide Web Consortium.

9
RBI Guidelines on Internet Banking
  • Makes the use of SSL/128 bit encryption, as the
    minimum level of security, mandatory for banks.
  • Strong Encryption to be used for protection of
    sensitive and confidential information of bank
    and customers in transit.

10
The Information Technology (IT) Security
Guidelines
  • The IT Security Guidelines issued by DIT state that
    electronic communication systems used for the
    transmission of sensitive information must be
    equipped or installed with suitable security
    software and, if necessary, with an encryptor or
    encryption software.
  • The IT Security Guidelines mandate that the
    appropriate procedure in this regard be
    documented. Further the IT Security Guidelines
    provide for encryption of passwords and storage
    of highly sensitive information assets in
    encrypted format.

11
DEPARTMENT OF TELECOMMUNICATION GUIDELINES
12
LICENSE REQUIREMENTS
  • NLD LICENSE
  • Mandates evaluation and approval of Encryption
    Equipment.
  • Makes the Licensee responsible for protection of
    privacy of communication
  • ILD LICENSE
  • Like the NLD License, stipulates prior approval
    of DOT
  • No Bulk Encryption
  • Encryption Equipment to be approved

13
LICENSE REQUIREMENTS
  • ISP LICENSE
  • Obligation on the Internet Service Provider to
    ensure that Bulk Encryption is not deployed.
  • Level of Encryption limited by DOT to 40 bit key
    length.
  • For use of encryption more than the prescribed
    limit of 40 bit, written permission of DOT
    required with mandatory deposit of the Decryption
    Key with DOT

14
OPPORTUNITY FOR UPDATION
  • Information Technology Amendment Act, 2008
  • Section 84A- Modes and Methods of Encryption
  • Central Government for secure use of the
    electronic medium and for promotion of
    e-governance and e-commerce, would prescribe the
    modes or methods for encryption.

15
INTERNATIONAL BEST PRACTICES
16
UNITED STATES OF AMERICA
  • No restriction on domestic commercial use
  • Encryption is dual use technology
  • DES (56 Bit), 3DES (128-bit), AES (256-bit)
  • FIPS-140-1- Commercial and Private Organization
  • Massachusetts and Nevada require companies to
    encrypt electronic records containing personal
    data.

17
AUSTRALIA
  • There are no relevant restrictions under
    Australian law on the use of strong encryption
    over (otherwise legal) communications traffic
    either wholly within Australia or to and from
    Australia
  • While telecommunications service providers have
    an obligation to be able to intercept
    communications passing over their networks in
    accordance with an interception warrant there is
    no obligation in relation to encryption except
    where the carrier has itself encrypted the
    communication

18
FRANCE
  • Relaxed stringent cryptography regulations in
    1999 after joint appeal from French companies,
    MNCs and trade associations seeking higher level
    of security to protect corporate data.
  • Use of 128 bit encryption is now permitted.
  • Consequently, Article 30 of the Law No 2004-575
    of 21 June 2004 for confidence in the digital
    economy allows for free use of the cryptography.

19
UNITED KINGDOM
  • Under the Electronic Communications Act 2000, no
    power with the Govt. to impose a requirement to
    deposit a key for electronic data.

20
EUROPEAN UNION
  • The EU directive requires each member to pass
    legislation for personal data protection.
  • Member states recommend ISO specified encryption
    systems for data confidentiality
  • Spain has implemented EU Directive to make use of
    encryption mandatory.

21
International Organization for Standardization
(ISO)
  • ISO specifies encryption systems for the purpose
    of data confidentiality.
  • ISO/IEC 18033-3:2005 specifies block ciphers and
    the following algorithms for encryption:
  • 64-bit block ciphers: TDEA, MISTY1, CAST-128.
  • 128-bit block ciphers: AES, Camellia, SEED

22
OECD Cryptography Guidelines
  • Organization for Economic Cooperation and
    Development Guidelines on Cryptography Policy
    (OECD) provides that users of cryptography should
    be free to choose the type and level of data
    security.
  • OECD Guidelines recommend that Govt. controls on
    cryptographic methods should be no more than are
    essential to the discharge of Govt.
    responsibilities and should respect user choice.
  • Permitted Cryptographic methods should reflect
    demands and needs of individuals, business and
    governments. Development to be Market driven.
  • National standards to be consistent with
    International standards to facilitate global
    interoperability, portability and mobility.

23
ISSUES
24
  • 40-bit Encryption Outdated
  • Can easily be hacked by a Brute Force Attack
  • Has now become obsolete, incompatible and risky
  • Hinders Development
  • IT(CA) Rules, 2000 stipulate - internationally
    proven encryption techniques
  • IT Amendment Act, 2008 Section 84A Government to
    prescribe encryption standard to promote
    e-commerce and e-governance.
  • National Security Concerns addressed using other
    sophisticated techniques
  • Need of the hour- adoption of internationally
    proven encryption standards allowing usage of
    AES/256-bit level encryption.

25
SUGGESTED PROVISION
  • The Encryption limits for all the telecom
    licenses should be harmonized to a common single
    benchmark and standard process.
  • The Telecom Service Providers as well as the
    corporate customers should be allowed to use
    encryption up to 256 bits in line with
    international best practices, provided an
    undertaking is given by the customer and the
    concerned Licensed entity to the licensor to make
    the encryption key used, if any, available on
    demand to LEA in the interest of National
    Security.
  • Use of encryption beyond 256 bit should be
    allowed on a case to case basis after prior
    evaluation by Licensor.

26
Thank you !!
Contact Information: S.N. Zindal, Director General
601, Nirmal Towers, 26, Barakhamba Road,
New Delhi-110 001
Tel. No. 91-11-43575353, Mobile 91-9810040160
e-mail info_at_acto.in, web www.acto.in (under construction)