8/13/2019 Slide 5.3bnb
1/36
INFORMATION
TECHNOLOGY ACT 2000
AN OVERVIEW
PRESENTATION OVERVIEW
Need for the law
Legal issues regarding offer, acceptance and conclusion of contract
Issues of Digital Signature
Public Key infrastructure
Certifying Authorities.
Preamble of IT Act, 2000
An Act to provide legal recognition for e-commerce, EDI transactions and electronic communications
Use of alternatives to paper-based methods of communication and storage of information
To facilitate electronic filing of documents with Government agencies
And further to amend the Indian Penal Code,
the Indian Evidence Act, 1872,
the Bankers' Books Evidence Act, 1891 and the RBI Act, 1934.
Components of the Act
Legal Recognition to Digital Signatures
Electronic Governance
Mode of Attribution, Acknowledgement
and Despatch of Electronic Records.
Secure Electronic Records.
Regulation of Certification Authorities.
Digital Certificates.
Components of the Act (Cont)
Duties of subscribers
Penalties and Adjudication
Offences
Protection to Network Service Providers in
certain situations.
Definitions (terms defined in the Act)
Access
Addressee
Computer
Computer Resource
Data
Electronic Form
Information
Intermediary
Secure System
Asymmetric Cryptography
Digital Signature.
E-commerce
Simply put:
E-commerce refers to doing business and transactions over electronic networks, prominently the Internet.
Obviates the need for physical presence
Two parties may never know, see or talk to each other but still do business.
Has introduced the concept of electronic delivery of products and services.
Unmanned round-the-clock enterprises: available always.
E-Com- Potential Problems
Security on the Net: Confidentiality, Integrity and Availability.
Cyber crimes: hackers, viruses
Technological complexities
Lack of information trail
Complex cross-border legal issues
Disparate regulatory environments and taxation policies.
Challenges
Protecting Information in Transit
Protecting Information in storage
Protecting Information in Process
Availability and Access to
information to those Authorised.
Concerns in E-Transactions
Confidentiality
Integrity
Availability
Confidentiality concerns
Eavesdropping
Wire tapping (active/passive)
E-mail snooping
Shoulder Surfing
Integrity Attacks
Data Diddling
Buffer Overflow
Used to insert malicious code
Channel violation
Spoofing
Availability Threats
Denial of Service (DoS) and Distributed Denial of Service (DDoS)
Ping of Death
SYN Flooding
Remote Shut Down
Tools and Techniques
Key Loggers
Password Crackers
Mobile Code
Trap Doors
Sniffers
Smurf (ICMP ping amplification)
Tools and Techniques (Cont)
Viruses
Exe, Script, Datafile, Macro
Worms
Trojan Horse
Logic Bombs
Remote Access Trojans
Attacks on Cryptosystems
Cipher-text only attacks
Known plain text attacks
Brute Force Attacks
Man-in-the-middle attacks
Social Engineering
The best bet ever
Trickery and Deceit
Targeting Gullible victims
Most effective: can penetrate the most secure technologies
Parameters
Data Confidentiality
User Authentication
Data Origin Authentication
Data Integrity
Non Repudiation.
Legal Recognition of Digital Signature
All information in electronic form which requires the affixing of a signature for legal recognition now satisfies that requirement if authenticated by affixing a digital signature.
Applicability includes:
Forms, licences, permits, receipt/payment of money.
DIGITAL SIGNATURES
How Digital Signature Works
XYZ wants to send a message relating to a new tender to DOD.
XYZ computes the message digest of the plain text using a hash algorithm.
XYZ encrypts the message digest with his private key, yielding a digital signature for the message.
XYZ transmits the message and the digital signature to DOD.
Digital Signatures (Cont)
When DOD receives the message, DOD computes the message digest of the received plain text, using the same hash function.
DOD decrypts the digital signature with XYZ's public key.
If the two values match, DOD is assured that:
a. The originator of the message is XYZ and no other person (provided the public key used is genuinely XYZ's, which is what the Digital Signature Certificate issued by a Certifying Authority establishes).
b. Message contents have not been tampered with.
Digital Signatures: How & Why
Integrity, Authentication and Non Repudiation
1. Achieved by use of Digital Signatures
2. If a message can be decrypted by using a particular sender's public key, it can be safely presumed that the message was encrypted with that particular sender's private key.
3. A message digest is generated by passing the message through a one-way cryptographic function, i.e. one that cannot be reversed.
Digital Signatures: How & Why (Cont)
4. When combined with a message digest, encryption using the private key allows users to digitally sign a message.
5. When the digest of the message is encrypted using the sender's private key and is appended to the original message, the result is known as the Digital Signature of the message.
6. Changing one character of the message changes the message digest in an unpredictable way.
7. The recipient can be sure that the message was not changed after the message digest was generated if the message digest remains unaltered.
Digital Signatures
The Central Government is conferred with powers to make rules in respect of Digital Signatures. The rules would prescribe the type of Digital Signature, the manner and form in which a Digital Signature shall be affixed, and the procedure for identifying the person affixing the Digital Signature.
Enabling Principles of Electronic Commerce
Legal Recognition of Electronic Records.
A legal requirement that information be in writing shall be deemed to be satisfied if it is:
a. Rendered or made available in an electronic form.
b. Accessible so as to be usable for subsequent reference.
RETENTION OF ELECTRONIC RECORDS
Requirements of law as regards retention of records are met even if the records are in electronic form, provided that:
The information therein is accessible and usable.
It is retained in its original format, or in a format that accurately represents the original.
Details as to origin, destination, date and time of dispatch and receipt of the electronic records are maintained.
Applicability of the Act
Does not apply to:
Negotiable instruments (Negotiable Instruments Act, 1881)
Powers of attorney
Trusts
Wills
Contracts for sale/conveyance of immovable property.
Any other transactions that may be notified.
Public Key Infrastructure
CERTIFYING AUTHORITIES
A CA is a person who has been granted a licence to issue Digital Signature Certificates by the Controller.
CAs are licensed by the Controller on satisfaction of certain conditions and an approved Certification Practice Statement.
CERTIFICATION PRACTICE STATEMENT
CAs shall generate and manage Digital Certificates and signatures in accordance with the approved CPS.
The Controller shall issue a guide for preparation of the Certification Practice Statement, and any changes require approval.
KEY MANAGEMENT
Cryptographic keys provide the basis for the functioning of Digital Certificates and the authentication of Digital Signatures.
Keys must be adequately secured at every stage:
Key generation, distribution, storage, usage, backup, archival
CAs should take necessary precautions to prevent loss, disclosure, modification or unauthorised use.
CAs should use trustworthy hardware, software and encryption techniques approved by the Controller for all operations requiring use of the private key.
Information Technology Security Procedure and Guidelines
Rules prescribe:
Physical and operational security
Information management systems: integrity, risks and integrity controls
Audit trail and verifications
Data centre operations security
Change management guidelines.
Offences
Whoever, without permission:
Accesses or secures access to a computer, computer system or computer network
Downloads, copies or extracts any data, computer database or information from such computer resource.
Introduces or causes to be introduced any computer contaminant or computer virus into any computer resource
Damages or causes to be damaged any computer resource.
Offences Under the Act
Tampering with computer source documents
Hacking with computer system
Publishing of information which is obscene in electronic form.
Who is liable
Every person who,
at the time the contravention was committed,
was in charge of, and was responsible to, the company for the conduct of its business,
shall be guilty of the contravention and shall be liable to be proceeded against and punished.
Penalties
Up to rupees two lakh, with imprisonment.
Up to rupees one crore in cases of impersonation and masquerading crimes.
Legal bodies involved: the Adjudicating Officer and the Cyber Regulations Appellate Tribunal.