Slide 5.3bnb


8/13/2019 Slide 5.3bnb

INFORMATION TECHNOLOGY ACT 2000: AN OVERVIEW

PRESENTATION OVERVIEW

Need for the law
Legal issues regarding offer, acceptance and conclusion of contract
Issues of digital signature
Public key infrastructure
Certifying authorities

Preamble of IT Act, 2000

An Act to provide legal recognition for e-commerce, EDI transactions and electronic communications
Use of alternatives to paper-based methods of communication and storage of information
To facilitate electronic filing of documents with Government agencies
And further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the RBI Act, 1934

Components of the Act

Legal recognition of digital signatures
Electronic governance
Mode of attribution, acknowledgement and despatch of electronic records
Secure electronic records
Regulation of certification authorities
Digital certificates

Components of the Act (Cont)

Duties of subscribers
Penalties and adjudication
Offences
Protection to network service providers in certain situations

Definitions: terms defined in the Act

Access
Addressee
Computer
Computer Resource
Data
Electronic Form
Information
Intermediary
Secure System
Asymmetric Cryptography
Digital Signature

E-commerce

Simply put:
E-commerce refers to doing business and transactions over electronic networks, prominently the internet.
Obviates the need for physical presence.
Two parties may never know, see or talk to each other but still do business.
Has introduced the concept of electronic delivery of products and services.
Unmanned round-the-clock enterprises: available always.

E-Com: Potential Problems

Security on the Net: confidentiality, integrity and availability
Cyber crimes: hackers, viruses
Technological complexities
Lack of information trail
Complex cross-border legal issues
Disparate regulatory environment and taxation policies

Challenges

Protecting information in transit
Protecting information in storage
Protecting information in process
Availability of and access to information for those authorised

Concerns in E-Transactions

Confidentiality
Integrity
Availability

Confidentiality concerns

Eavesdropping
Wire tapping (active/passive)
E-mail snooping
Shoulder surfing

Integrity Attacks

Data diddling
Buffer overflow (used to insert malicious code)
Channel violation
Spoofing

Availability Threats

Denial of service (DDoS)
Ping of death
SYN flooding
Remote shutdown

Tools and Techniques

Key loggers
Password crackers
Mobile code
Trap doors
Sniffers
Smurf (ping tools)

Tools and Techniques (Cont)

Viruses (exe, script, data file, macro)
Worms
Trojan horses
Logic bombs
Remote access Trojans

Attacks on Cryptosystems

Cipher-text-only attacks
Known-plaintext attacks
Brute-force attacks
Man-in-the-middle attacks

Social Engineering

The best bet ever
Trickery and deceit
Targeting gullible victims
Most effective: can penetrate the most secure technologies

Parameters

Data confidentiality
User authentication
Data origin authentication
Data integrity
Non-repudiation

Legal Recognition of Digital Signature

All information in electronic form which requires the affixing of a signature for legal recognition now satisfies that requirement if authenticated by affixing a digital signature.

Applicability includes: forms, licences, permits, receipt/payment of money.

DIGITAL SIGNATURES

How Digital Signature Works

XYZ wants to send a message relating to a new tender to DOD.
XYZ computes the message digest of the plain text using a hash algorithm.
XYZ encrypts the message digest with his private key, yielding a digital signature for the message.
XYZ transmits the message and the digital signature to DOD.

Digital Signatures (Cont)

When DOD receives the message, DOD computes the message digest of the received plain text using the same hash function.
DOD decrypts the digital signature with XYZ's public key.
If the two values match, DOD is assured that:
a. The originator of the message is XYZ and no other person.
b. The message contents have not been tampered with.

Digital Signatures: How & Why

Integrity, authentication and non-repudiation:

1. Achieved by use of digital signatures.
2. If a message can be decrypted by using a particular sender's public key, it can be safely presumed that the message was encrypted with that particular sender's private key.
3. A message digest is generated by passing the message through a one-way cryptographic function, i.e. one that cannot be reversed.

Digital Signatures: How & Why

4. When combined with a message digest, encryption using the private key allows users to digitally sign a message.
5. When the digest of the message is encrypted using the sender's private key and is appended to the original message, the result is known as the digital signature of the message.
6. Changing one character of the message changes the message digest in an unpredictable way.
7. The recipient can be sure that the message was not changed after the message digest was generated if the message digest remains unaltered.
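The sign-and-verify flow that slides 21 to 24 describe in words, as an added Python example that is not part of the original slides: XYZ hashes the tender message, applies the private key to the digest, and DOD recovers the digest with the public key and compares it with a fresh hash of what arrived. The key pair (textbook RSA over the publicly known Mersenne primes 2^521-1 and 2^607-1, so it is a teaching key and not a secure one), the tender text and the party names are all constructed for the demo; the example goes one step beyond the slides by showing that a single changed character makes verification fail.

```python
import hashlib

# Constructed teaching key: p and q are the public Mersenne primes 2^521-1 and
# 2^607-1, so anyone can derive the private exponent. NOT a secure key; it only
# lets the sign/verify flow from the slides run with the standard library.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)


def message_digest(message: bytes) -> int:
    """Slide 21, step 2: pass the plain text through a one-way hash function."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Slide 21, step 3: apply the private key to the digest ('encrypt' it).
    The 256-bit digest is smaller than N, so textbook RSA is applied to it
    directly; deployed schemes such as RSA-PSS pad the digest first."""
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Slide 22: DOD recovers the digest with XYZ's public key and compares it
    with a digest freshly computed over the message as received."""
    recovered = pow(signature, e, n)
    return recovered == message_digest(message)


def demo() -> dict:
    """Sign a constructed tender message, then check both the genuine copy and
    a copy altered in transit by a single character (slide 24, points 6-7)."""
    original = b"Tender T-2019/07: XYZ bids Rs 4,50,000 for supply of 200 units"
    signature = sign(original)
    tampered = original.replace(b"200 units", b"250 units")
    return {
        "original_verifies": verify(original, signature),
        "tampered_verifies": verify(tampered, signature),
        "digest_changed": message_digest(original) != message_digest(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

A production verifier should use a vetted library scheme (RSA-PSS or ECDSA) with freshly generated keys; the "encrypt the digest with the private key" picture on the slides omits the padding those schemes add.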

Digital Signatures

The Central Government is conferred with powers to make rules in respect of digital signatures. The rules would prescribe the type of digital signature, the manner and form in which a digital signature shall be affixed, and the procedure for identifying the person affixing the digital signature.

Enabling Principles of Electronic Commerce

Legal recognition of electronic records.
A legal requirement for information to be in writing shall be deemed to be satisfied if the information is:
a. Rendered or made available in an electronic form.
b. Accessible so as to be usable for subsequent reference.

RETENTION OF ELECTRONIC RECORDS

Requirements of law as regards retention of records are met even if the records are in electronic form, provided that:
The information therein is accessible and usable.
It is retained in its original format, or in a format that ensures accuracy.
Details as to origin, destination, date and time of dispatch and receipt of the electronic records are maintained.

Applicability of the Act

Does not apply to:
Negotiable Instruments Act
Power of Attorney Act
Trusts
Wills
Contracts for sale/conveyance of immovable property
Any other transactions that may be notified

Public Key Infrastructure

CERTIFYING AUTHORITIES

A CA is a person who has been granted a licence by the Controller to issue Digital Signature Certificates.
CAs are licensed by the Controller on satisfaction of certain conditions and on the basis of an approved Certification Practice Statement.

CERTIFICATION PRACTICE STATEMENT

CAs shall generate and manage digital certificates and signatures in accordance with the approved CPS.
The Controller shall issue a guide for preparation of the Certification Practice Statement, and any changes to a CPS require approval.

KEY MANAGEMENT

Cryptographic keys provide the basis for the functioning of digital certificates and the authentication of digital signatures.
Keys must be adequately secured at every stage: key generation, distribution, storage, usage, backup and archival.
CAs should take the necessary precautions to prevent loss, disclosure, modification or unauthorised use.
CAs should use trustworthy hardware, software and encryption techniques approved by the Controller for all operations requiring use of the private key.

Information Technology Security Procedure and Guideline

Rules prescribe:
Physical and operational security
Information management systems integrity, risks and integrity controls
Audit trail and verifications
Data centre operations security
Change management guidelines

Offences

Without permission:
Accesses or secures access to a computer, computer system or computer network
Downloads, copies or extracts any data, computer database or information from such computer resource
Introduces or causes to be introduced any computer contaminant or computer virus into any computer resource
Damages or causes to be damaged any computer resource

Offences Under the Act

Tampering with computer source documents
Hacking with computer system
Publishing of information which is obscene in electronic form

Who is liable

Every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of its business, shall be guilty of the contravention and shall be liable to be proceeded against and punished.

Penalties

Up to rupees two lakh, with imprisonment.
Up to rupees one crore in case of impersonation and masquerading crimes.
Legal bodies: Adjudicating Officer, the Cyber Regulations Appellate Tribunal.