INFORMATION

TECHNOLOGY ACT 2000

AN OVERVIEW

PRESENTATION OVERVIEW
Need

for the law

Legal issues regarding offer, Acceptance
and conclusion of contract
Issues of Digital Signature
Public Key infrastructure
Certifying Authorities.

Preamble of IT Act, 2000

An Act to provide Legal Recognition for E-Commerce

EDI transactions and Electronic communications
Use of alternatives to paper based methods of
communication and storage of information.
To facilitate electronic filing of documents with the
Government agencies.
And further to amend
Indian penal code
The Indian Evidence Act, 1872
The Bankers Books Evidence Act, 1891 & RBI Act 1934.

Components of the Act

Legal

Recognition to Digital Signatures

Electronic Governance
Mode of Attribution, Acknowledgement and
Despatch of Electronic Records.
Secure Electronic Records.
Regulation of Certification Authorities.
Digital Certificates.

Components of the Act (Cont)

Duties

of subscribers
Penalties and Adjudication
Offences
Protection to Network Service Providers in
certain situations.

Definitions terms defined in the

Act

Access
Addressee
Computer
Computer Resource
Data
Electronic Form
Information
Intermediary
Secure System
Asymmetric Cryptography

Digital Signature.

E-commerce
Simply

put:

E-commerce refers to doing business and transactions

over electronic networks prominently the internet.
Obviates the need for physical presence
Two parties may never know, see or talk to each other
but still do business.
Has introduced the concept of electronic delivery of
products and services.
Unmanned round-the-clock enterprises Available
always.

E-Com- Potential Problems

Security

on Net-Confidentiality, Integrity
and Availability.
Cyber crimes-Hackers, Viruses
Technological Complexities
Lack of Information trail
Complex cross border Legal Issues
Desparate Regulatory Environment and
Taxation Policies.

Challenges
Protecting

Information in Transit
Protecting Information in storage
Protecting Information in Process
Availability and Access to
information to those Authorised.

Concerns in E-Transactions
Confidentiality
Integrity
Availability

Confidentiality concerns

Eavesdropping
Wire Tapping
Active/Passive
E-mail snooping
Shoulder Surfing

Integrity Attacks

Data Diddling
Buffer Overflow
Used to insert malicious code
Channel violation
Spoofing

Availability Threats
Denial of Service (DDOS)
Ping of Death
SYN Flooding
Remote Shut Down

Tools and Techniques

Key Loggers
Password Crackers
Mobile Code
Trap Doors
Sniffers
Smurf (Ping tools)

Tools and Techniques

Viruses
Exe, Script, Datafile, Macro
Worms
Trojan Horse
Logic Bombs
Remote Access Trojans

Attacks on Cryptosystems
Cipher-text only attacks
Known plain text attacks
Brute Force Attacks
Man-in-middle attacks

Social Engineering
The best bet ever
Trickery and Deceit
Targeting Gullible victims
Most effective can penetrate the
most
secure technologies

Parameters
Data

Confidentiality
User Authentication
Data Origin Authentication
Data Integrity
Non Repudiation.

Legal Recognition of Digital

Signature
All

information in electronic form which

requires affixing of signature for legal
recognition now satisfies if authenticated by
affixing digital signature.
Applicability includes:
Forms, licences, permits, receipt/payment
of money.

DIGITAL
SIGNATURES.

How Digital Signature Works

XYZ

wants to send a message relating to new

Tender to DOD.
XYZ computes message digest of the plain text
using a Hash Algorithm.
XYZ encrypts the message digest with his private
key yielding a digital signature for the message.
XYZ transmits the message and the digital
signature to DOD.

Digital Signatures (Cont)

When

DOD receives the message, DOD computes the

message digest of the message relating to plain text,
using same hash functions.
DOD decrypts the digital signature with XYZs
public key.
If the two values match, DOD is assured that:
a. The originator of the message is XYZ and
no
other person.
b. Message contents have not been tampered
with.

Digital Signatures- How &

Why

1.
2.

3.

Integrity, Authentication and Non Repudiation

Achieved by use of Digital Signatures
If a message can be decrypted by using a
particular senders public key it can be safely
presumed that the message was encrypted with
that particular senders private key.
A message digest is generated by passing the
message through a one-way cryptographic
function-i.e it cannot be reversed.

Digital Signatures- How & Why

4.

5.

6.
7.

When combined with message digest,

encryption using private key allows users to
digitally sign a message.
When digest of the message is encrypted using
senders private key and is appended to the
original message,the result is known as Digital
Signature of the message.
Changing one character of the message changes
message digest in an unpredictable way.
Recipient can be sure that the message was not
changed after message digest was generated if
message digest remains unaltered.

Digital Signatures
Central

Government is conferred with

powers to make rules in respect of Digital
Signatures. Rules would prescribe Type of
Digital Signature, Manner and form in
which Digital Signature shall be affixed and
procedure for identifying the person
affixing the Digital Signature.

Enabling Principles of
Electronic Commerce
Legal Recognition of Electronic Record.
Legal requirement of Information to be in
writing shall be deemed to be satisfied if it
is:
a. Rendered or made available in an
electronic form.
b. Accessible so as to be usable for
subsequent reference.

RETENTION OF ELECTRONIC
RECORDS.
Requirements of law as regards retention of
records met even if in electronic form and if
the:
Information therein is accessible and usable.
In original format or ensure accuracy
Details as to Origin, Destination, Date and
Time of Dispatch and Receipt of Electronic
records are maintained.

Applicability of the Act

Does

not apply to:

Negotiable Instrument Act
Power of Attorney Act
Trusts
Will
Contract for sale/conveyance of immovable
property.
Any other transactions that may be notified.

Public Key Infrastructure

CERTIFYING AUTHORITIES
CA is a person who has been granted a
license to issue Digital Signature Certificate
by the Controller.
CA are licensed by the Controller on
satisfaction of certain conditions and an
approved Certification Practice Statement.

CERTIFICATION PRACTICE
STATEMENT
CAs

shall generate and manage Digital

Certificates and signatures in accordance
with approved CPS.
The controller shall issue a guide for
preparation of Certification Practice
Statement and any changes require
approval.

KEY MANAGEMENT
Cryptographic keys provide the basis for the
functioning of Digital certificate and Authentication
of Digital Signatures.
Keys must be adequately secured at every stage.
Key generation, distribution, storage, usage, backup,
Archival
CAs should take necessary precautions to prevent
loss,disclosure,modification or unauthorised use.
CA should use trustworthy Hardware, Software and
encryption techniques approved by the controller for
all operations requiring use of private key.

Information Technology
Security Procedure and
Guideline

Rules prescribe
Physical and operational security
Information Management
Systems Integrity, risks and integrity controls
Audit trail and verifications
Data centre operations security
Change Management Guidelines.

Offences
Without

permission
Accesses or secures access to computer, computer
system or computer network
Downloads,copies or extracts any data, computer
data base or information from such computer
resource.
Introduces or causes to be introduced any computer
containment or computer virus into any computer
resources
Damages or causes to be damaged any computer
resource.

Offences Under the Act

Tampering

with Computer Source

Documents
Hacking with computer System
Publishing of information which is obscene
in Electronic form.

Who is liable
Every

person who,
At the time of contravention was committed
Was in charge of, and was responsible to,
the company for the conduct of business.
Shall be guilty of the contravention and
shall be liable to be proceeded against and
punished.

Penalties
Upto

Rupees Two lakh with Imprisonment.

Upto rupees one crore in case of
impersonation and masquerading crimes
involving Legal bodies-Adjudicating
officer,The Cyber Regulations Appellate
Tribunal.