
University of Glamorgan

MSC COMPUTER SYSTEMS SECURITY


(FULL-TIME)

MODULE CODE: MS4S01

MODULE NAME: CRYPTOGRAPHY AND ELECTRONIC COMMERCE

LECTURERS: Dr DAVID KNIGHT AND Dr PAUL ROACH

COURSEWORK TITLE: CRIMINAL USES OF CRYPTOGRAPHY AND LAW

ENROLMENT NUMBER: 06140483


CONTENTS

Abstract

Introduction

What is Cryptography

Historical examples

Modern examples

Cyber crime or fraud on the internet

Hacking

Fraud related Cryptography

Cryptographic Attacks

Bank frauds in India by using Cryptography

Survey of Cryptography laws and regulations

Criminal law

Terrorism and Steganography

Conclusion

References
CRIMINAL USES OF CRYPTOGRAPHY AND LAW

Abstract :

An analysis of the role of cryptography to date as used in the commission of crime. It describes cryptography and its criminal uses, and also the laws available against misuse of cryptography. This report discusses the current regulatory framework and examines whether the proposals, deriving mainly from various national law enforcement bodies, for tighter national controls of Internet service provision and of cryptography are justified in the light of the expanding role of e-commerce. A few modern and historical examples of cryptography are also given. The section on fraud-related cryptography concentrates on some of the crimes in India, especially bank-related frauds, and I present some of the laws on cryptographic crime, not only in India but worldwide.

Introduction :

Cryptography has emerged as the only alternative to protect Internet data, and it does the job well. Modern crypto techniques have evolved from the secret codes of decades past, brilliantly augmented with a deep knowledge of modern mathematics. New cryptographic products and techniques have been developed particularly for Internet applications. Some people “crack” codes and misuse cryptographic technology. Crypto is useless if used incorrectly. One of cryptography's primary purposes is hiding the meaning of messages, but not usually their existence. Cryptography also contributes to computer science, particularly in the techniques used in computer and network security for such things as access control and information confidentiality. Cryptography is also used in many applications encountered in everyday life: the security of ATM cards, computer passwords, and electronic commerce all depend on cryptography.

Almost since people began writing, they have found ways to hide what they
were writing. Cryptography, which is said to be the art of secret writing, has for a long
time been used mainly by governments, diplomats, armies, and intelligence agencies.
With the advent of modern (public-key) cryptography in the 1970s, cryptography is being
used by an ever wider range of users. In effect, in the present information society,
cryptography has become an essential tool for safeguarding information security.

In its history, cryptography has been controlled by governments to prevent it from falling into the wrong (mostly: foreign) hands. Over the past few years, governments have increasingly worried about the threat of criminals using cryptography to thwart law enforcement. Some governments have passed specific legislation to address this problem; others are still studying the issue, unsure whether to attach more weight to the beneficent use of cryptography in safeguarding information security or to its nefarious use by criminals.

Cryptography is a necessary tool in the information society. Yet if criminals use it, wiretaps and computer searches will become useless. So there is a clash of concerns: how to ensure that the police can still catch criminals, while respecting the essential uses of cryptography in information security?

What is Cryptography

Definition: Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.

Cryptography is not the only means of providing information security, but rather one set of techniques. Cryptography presents various methods for taking legible, readable data and transforming it into unreadable data for the purpose of secure transmission, and then using a key to transform it back into readable data when it reaches its destination. Cryptography is about scrambling data so that it looks like babble to anyone except those who know the trick to decoding it. Almost anything in the world can be hidden from sight and revealed again.

Cryptographic goals

The following four goals form a framework from which the others are derived.

Privacy or Confidentiality.
Data Integrity.
Authentication.
Non-repudiation.

A fundamental goal of cryptography is to adequately address these four areas in both theory and practice. Cryptography is about the prevention and detection of cheating and other malicious activities.

HOW MUCH CRYPTO IS ENOUGH?

Enough to make attacks too expensive to be practical. The traditional competitors in crypto have been governments: one hides its secrets while the other tries to go through them. With political and military objectives at stake the threat has few limits. The traditional mantra of the US National Security Agency (NSA) has been: “Never underestimate the time, money, and effort an adversary will spend to read your traffic.” At the other end of the scale we have casual e-mail between acquaintances. Who would bother to read or manipulate the plaintext of such messages, much less take the effort to penetrate an encrypted version? Crypto requires special facilities, and it takes extra time and effort to apply crypto protections correctly. It is simply an expensive bother when it isn’t really needed. The risk for commercial traffic falls somewhere between these extremes, and so does its practical application.

CRYPTO IS HARD TO USE :

Popular imagination traditionally associates crypto with diplomats, soldiers and spies. In fact, crypto techniques have been used for centuries to protect business and commercial messages. With the evolution of computer communications, strong crypto techniques were developed for commercial purposes as well as for protecting government messaging. Initially, these techniques were only used by institutions that had a lot at risk and were willing to invest a lot in protection. While the history of crypto holds many stories of weak codes overcome by clever adversaries, it also has many stories about codes overcome by improper use. Though many stories are of wars and armies, the lessons apply to the private and commercial worlds, too.

All modern histories of World War II credit various Allied victories to code
breaking : cracking enemy codes. The US Navy’s successful attack on the Japanese in the
Battle of Midway is credited largely to decrypted Japanese radio messages. The US Navy
also cracked the Japanese convoy code and waged a devastating submarine campaign
against their convoys. In the Atlantic, the Allies used knowledge of German codes to
track their submarines.

However, this was not a one-sided success. Thanks to what some have called
“sloppy” behavior by Allied coding clerks, the Germans were equally effective in reading
dispatches sent to Allied convoys. Thus, the German submarines played the same game
in the Atlantic that the US Navy played in the Pacific.

The Navy appreciated both the value of code breaking and their own
vulnerability to it. A classified dispatch was distributed in late 1943 to alert
communications personnel to the risk and to repeat various rules for correct operation.
While the rules of the 1940’s for secure radio communication are hardly relevant, the
rationale behind them still holds true.

Confidentiality was crucial to the achievement of the Navy’s objectives, and they relied on communications security measures to provide it. They also realized that subtle mistakes, especially when repeated, could provide an “entering wedge” for cracking the system. All crypto systems are vulnerable to the entering wedge – the careless mistakes that give adversaries the opening they need to crack your system.

Historical Examples

Codes and ciphers have been used since ancient times, as early as 1900 BC. The word cryptography, meaning the science of codes, comes from the Greek words kryptos (secret) and graphos (writing). In 405 BC the Greek general LYSANDER OF SPARTA was sent a coded message written on the inside of a servant’s belt. When Lysander wound the belt around a wooden baton the message was revealed. The message warned Lysander that Persia was about to go to war against him. He immediately set sail and defeated the Persians. The Greeks also invented a code which changed letters into numbers: A is written as 11, B as 12, and so on, so WAR would read as 52 11 42. A form of this code was still being used two thousand years later during the First World War.

Mary Queen of Scots : cryptanalysis example

In Elizabethan England MARY QUEEN OF SCOTS sent coded messages to her supporters who were plotting to murder Queen Elizabeth I. The messages were intercepted by the head of Elizabeth’s secret service, Sir Francis Walsingham. He deciphered them and discovered the plot. Mary was executed for treason in 1587.

German spies and null ciphers

Null ciphers are some of the oldest cited examples of modern steganography, and are some of the few steganographic algorithms that use either synthetic or immutable carriers. In contrast, the vast majority of today's steganographic algorithms use mutable carriers where the embedding process requires modifying the carrier in some way. The main deficiency with mutating the carrier during the embedding process is that the algorithms will leave some sort of signature. We explore algorithms that use Variable Interval Symbol Aggregation (VISA) for both text and binary data.

KGB one-time pads

A KGB one-time pad is a cryptosystem invented by Vernam. It is a very simple system and is unbreakable if used correctly. To use a one-time pad, you need two copies of the ‘pad’, which is a block of random data equal in length to the message you wish to encode. The word ‘random’ is used in its most literal possible sense here. If the data on the pad is not truly random, the security of the pad is reduced, potentially near to zero. To be unbreakable, a one-time pad must consist of truly random data and must be kept secure.
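The following Python is an added illustration and is not part of the original coursework. It implements the pad operation described above (XOR of message and pad, with the same operation for decryption) and then shows the failure mode that the “one-time” in the name guards against: when the same pad is reused for a second message, an observer who XORs the two ciphertexts obtains the XOR of the two plaintexts without any key at all. The messages, the pad length and the function names are constructed for the example.

```python
import os

def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Vernam operation: XOR each message byte with the matching pad byte.
    The pad must cover the whole message; a short pad is a usage error."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message")
    return bytes(p ^ k for p, k in zip(plaintext, pad))

# XOR is its own inverse, so decryption is the same operation with the same pad.
otp_decrypt = otp_encrypt

def make_pad(length: int) -> bytes:
    """A fresh pad from the operating system's cryptographic RNG (constructed
    here for the demo; in practice pads are exchanged out of band and destroyed
    after a single use)."""
    return os.urandom(length)

def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What a passive observer learns when one pad encrypts two messages:
    c1 XOR c2 = (p1 XOR k) XOR (p2 XOR k) = p1 XOR p2. The pad cancels out,
    and the relationship between the two plaintexts is exposed without the key."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def demo() -> bool:
    """True if the reuse leak equals p1 XOR p2 exactly, as the algebra predicts."""
    msg1 = b"ATTACK AT DAWN"       # constructed sample messages
    msg2 = b"RETREAT AT DUSK"
    pad = make_pad(32)             # one pad, long enough for either message
    c1 = otp_encrypt(msg1, pad)
    assert otp_decrypt(c1, pad) == msg1
    c2 = otp_encrypt(msg2, pad)    # misuse: the same pad used a second time
    return pad_reuse_leak(c1, c2) == bytes(a ^ b for a, b in zip(msg1, msg2))

if __name__ == "__main__":
    print("reuse leak equals p1 XOR p2:", demo())
```

The pad comes from os.urandom, which is the practical stand-in for the truly random data the text requires; a pad generated from a predictable source, or one used twice as in demo(), loses the unbreakability the text describes.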

Modern Examples

Enabling wiretaps with mobile phones (mobile phone encryption)

This is called the CryptoPhone, by which mobile phone encryption is done. The use of wiretapping has become so widespread, simple and uncontrolled that we must assume that the records of our private calls end up in the wrong hands. Equipment for wireless interception of mobile phone calls has become available at such low prices that it is deployed frequently even in comparatively small business conflicts. So using encryption to protect your privacy is the prudent choice. Now there is a solution that we can trust, because it can be verified by known experts. The GSMK CryptoPhone, the first secure mobile phone that comes with full source code available for independent review, is available now. Finally, we can perform an independent assessment to ensure that there is no weak encryption and no backdoors in the device to which we entrust our telecommunications security.

Examples of phone enemy

THE PROBLEM :

Wiretapping : It is considered by many law enforcement people a necessary investigation measure. It is considered particularly effective in fighting organized crime, since criminal organizations have a high communication need.

In the United States, there are over 1,000 federal law-enforcement wiretaps a
year. In Germany and the Netherlands, the figure is much higher, well over 3,000
wiretaps a year. There are not many figures on the efficacy of wiretaps. A German
study of US wiretaps in the late 1980s found that in 95% of the cases, incriminating
conversations were recorded; in 47% of wiretap cases, there were arrests, and in
33%, there were convictions. A 1996 Dutch report by the WODC concluded that
wiretapping is an effective investigation measure.

Cryptography used for encrypting telephone conversations and e-mail communications will hamper wiretapping; this will be particularly relevant in organized crime and computer crime cases. Crypto phones and crypto fax machines are readily available; moreover, Internet telephony can also use cryptography, such as PGPfone. Note, however, that it only slows down retrieving the content of messages.

RSA

How RSA works: One commonly used cipher of this form is called ``RSA Encryption'', where ``RSA'' are the initials of the three creators: ``Rivest, Shamir, and Adleman''. It is based on the following idea: it is simple to multiply numbers together, especially with computers, but it can be difficult to factor numbers. For example, if we multiply together 34537 and 99991, it is a simple matter to put those numbers into a calculator and get 3453389167. But the reverse problem is much harder.

Suppose we take the number 1459160519. I'll even tell you that I got it by multiplying together two integers. Can you tell me what they are? This is a very difficult problem. A computer can factor that number fairly quickly, but it basically does it by trying most of the possible combinations. For any size of number, the computer has to check something that is of the order of the size of the square root of the number to be factored. In this case, that square root is roughly 38000.

Now it doesn't take a computer much time to try out 38000 possibilities, but what if the number to be factored is not ten digits, but rather 400 digits? The square root of a number with 400 digits is a number with 200 digits. The lifetime of the universe is approximately 10^{18} seconds - an 18 digit number. Assuming a computer could test one million factorizations per second, in the lifetime of the universe it could check 10^{24} possibilities. But for a 400 digit product, there are 10^{200} possibilities. This means the computer would have to run for 10^{176} times the life of the universe to factor the large number. It is, however, not too hard to check to see if a number is prime--in other words, to check that it cannot be factored. If it is not prime, it is difficult to factor, but if it is prime, it is not hard to show it is prime. So RSA encryption works like this. In a real RSA encryption system, keep in mind that the prime numbers are huge. These are a few more topics in RSA to be known:

digital certification

digital signature

forging digital signature
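As an added worked example (not the coursework's own code), here is the asymmetry the RSA section describes carried through in Python: trial division up to the square root of a number recovers the factors of 3453389167 and can be pointed at the 1459160519 challenge; a Miller-Rabin test shows that checking primality is cheap even when factoring is not; and a small textbook RSA key pair built from the page's two primes 34537 and 99991 encrypts and decrypts a number. The public exponent 65537, the sample message and the helper names are my choices, and the key pair has no padding, so it is for teaching only.

```python
import math
import random

def smallest_factor(n: int):
    """Trial division: the smallest prime factor of n, or None when n is prime.
    The loop bound is sqrt(n), the cost the text estimates as about 38000 steps
    for a ten-digit number and as hopeless for a 400-digit one."""
    if n < 2:
        return None
    if n % 2 == 0:
        return 2
    for d in range(3, math.isqrt(n) + 1, 2):
        if n % d == 0:
            return d
    return None

def factor_semiprime(n: int):
    """(p, q) with p <= q for a product of two primes, or None if n is prime."""
    p = smallest_factor(n)
    return None if p is None else (p, n // p)

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin: showing a number is (almost certainly) prime is cheap,
    even though factoring a composite of the same size may not be."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)  # fixed seed so the demo is reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False   # a witness of compositeness was found
    return True

def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes (no padding; teaching only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    while math.gcd(e, phi) != 1:   # e must be invertible modulo phi
        e += 2
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def rsa_encrypt(m: int, public_key) -> int:
    n, e = public_key
    return pow(m, e, n)

def rsa_decrypt(c: int, private_key) -> int:
    n, d = private_key
    return pow(c, d, n)

if __name__ == "__main__":
    print("3453389167 =", factor_semiprime(3453389167))   # the page's worked product
    print("1459160519 =", factor_semiprime(1459160519))   # the page's challenge number
    pub, priv = rsa_keygen(34537, 99991)
    c = rsa_encrypt(123456789, pub)                       # constructed sample message
    print("roundtrip ok:", rsa_decrypt(c, priv) == 123456789)
```

The trial-division loop is the "trying most of the possible combinations" the text mentions, and its bound of sqrt(n) is what makes the 400-digit estimate so large; the Miller-Rabin routine, by contrast, needs only a handful of modular exponentiations whatever the size of n.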

DES

The Data Encryption Standard (DES) was jointly developed in 1974 by IBM and the U.S.
government to set a standard that everyone could use to securely communicate with
each other. It operates on blocks of 64 bits using a secret key that is 56 bits long. The
original proposal used a secret key that was 64 bits long. It is widely believed that
the removal of these 8 bits from the key was done to make it possible for U.S.
government agencies to secretly crack messages.

DES started out as the "Lucifer" algorithm developed by IBM. The US National Security
Agency (NSA) made several modifications, after which it was adopted as Federal
Information Processing Standard (FIPS) standard 46-3 and ANSI standard X3.92.

How DES works: Encryption of a block of the message takes place in 16 rounds. From the input key, sixteen 48-bit keys are generated, one for each round. In each round, eight so-called S-boxes are used. These S-boxes are fixed in the specification of the standard. Using the S-boxes, groups of six bits are mapped to groups of four bits. The contents of these S-boxes have been determined by the U.S. National Security Agency (NSA). The S-boxes appear to be randomly filled, but this is not the case. Recently it has been discovered that these S-boxes, determined in the 1970s, are resistant against an attack called differential cryptanalysis, which was first known in the 1990s.

The block of the message is divided into two halves. The right half is expanded from 32 to 48 bits using another fixed table. The result is combined with the subkey for that round using the XOR operation. Using the S-boxes, the 48 resulting bits are then transformed again to 32 bits, which are subsequently permuted again using yet another fixed table. This by now thoroughly shuffled right half is now combined with the left half using the XOR operation. In the next round, this combination is used as the new left half.
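The following Python is an added example, not code from the coursework and not an implementation of DES. It builds a toy Feistel cipher with exactly the round shape described above: expand the right half from 32 to 48 bits, XOR with the round's 48-bit subkey, map 6-bit groups to 4-bit groups through an S-box, permute, and XOR the result into the left half. The expansion follows the DES E table and the real DES S-box S1 is used, but S1 stands in for all eight S-boxes, a bit rotation stands in for the P permutation, and the key schedule is a simple rotate-and-mask, so the output is not DES ciphertext. The example follows the DES convention in which the old right half becomes the next round's left half and the XOR result becomes the new right half; that is what lets the same routine decrypt when the subkeys are applied in reverse order.

```python
# Toy Feistel cipher with the DES round shape. Constructed stand-ins: S1 for all
# eight S-boxes, a rotation for permutation P, rotate-and-mask key schedule.
ROUNDS = 16
MASK32 = (1 << 32) - 1
MASK48 = (1 << 48) - 1
MASK64 = (1 << 64) - 1

S1 = [  # DES S-box S1 (FIPS 46-3): 4 rows x 16 columns, 6 input bits -> 4 output bits
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def expand(r32: int) -> int:
    """DES expansion E (32 -> 48 bits): each 4-bit group is widened with its
    left and right neighbour bits, wrapping around at the ends."""
    bits = format(r32 & MASK32, "032b")
    groups = [bits[(4 * i - 1) % 32] + bits[4 * i:4 * i + 4] + bits[(4 * i + 4) % 32]
              for i in range(8)]
    return int("".join(groups), 2)

def sbox_lookup(six: int) -> int:
    """DES S-box addressing: outer bits (1 and 6) pick the row, inner four the column."""
    row = (((six >> 5) & 1) << 1) | (six & 1)
    col = (six >> 1) & 0xF
    return S1[row][col]

def substitute(x48: int) -> int:
    """Eight 6-bit groups become eight 4-bit groups (48 -> 32 bits)."""
    out = 0
    for i in range(8):
        six = (x48 >> (42 - 6 * i)) & 0x3F
        out = (out << 4) | sbox_lookup(six)
    return out

def permute(x32: int) -> int:
    """Stand-in for DES permutation P: a fixed 32-bit rotation (constructed)."""
    return ((x32 << 11) | (x32 >> 21)) & MASK32

def round_function(r32: int, subkey48: int) -> int:
    return permute(substitute(expand(r32) ^ subkey48))

def key_schedule(key64: int):
    """Toy schedule (not DES PC-1/PC-2): rotate the key and keep 48 bits per round."""
    k, keys = key64 & MASK64, []
    for _ in range(ROUNDS):
        k = ((k << 7) | (k >> 57)) & MASK64
        keys.append(k & MASK48)
    return keys

def feistel(block64: int, subkeys) -> int:
    block64 &= MASK64
    left, right = block64 >> 32, block64 & MASK32
    for k in subkeys:
        # Old right half becomes the new left; the XOR result becomes the new right.
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left   # final swap, as in DES

def encrypt(block64: int, key64: int) -> int:
    return feistel(block64, key_schedule(key64))

def decrypt(block64: int, key64: int) -> int:
    # Same network with the subkeys in reverse order: each XOR cancels its twin.
    return feistel(block64, key_schedule(key64)[::-1])

if __name__ == "__main__":
    key, block = 0x133457799BBCDFF1, 0x0123456789ABCDEF   # constructed sample values
    c = encrypt(block, key)
    print(f"ciphertext {c:016x}, decrypts correctly: {decrypt(c, key) == block}")
```

Because the round function is only ever XORed into the other half, it need not be invertible: that is why DES can use a many-to-one S-box mapping of 6 bits onto 4 and still decrypt, which the example's decrypt() confirms by reversing the subkey order.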

PGPfone – Pretty Good Privacy Phone

PGPfone is a software package that turns our desktop or notebook computer into a secure
telephone. It uses speech compression and strong cryptography protocols to give us
the ability to have a real time secure telephone conversation. Secure voice calls are
supported over the Internet, or through a direct modem-to-modem connection, or
even over AppleTalk networks.

Cyber Crime or Fraud on Internet

This is a form of white collar crime. Internet fraud is a common type of crime whose growth has been proportionate to the growth of the internet itself. The internet provides companies and individuals with the opportunity of marketing their products on the net. It is easy for people with fraudulent intention to make their messages look real and credible. There are innumerable scams and frauds, most of them relating to investment schemes, and they are described in detail below as follows:

Online investment newsletters: Many newsletters on the internet provide investors with free advice recommending stocks in which they should invest. Sometimes these recommendations are totally bogus and cause loss to the investors.

Bulletin boards: This is a forum for sharing investor information, and often fraud is perpetrated in this zone, causing losses of millions to those who bank on them.

E-mail scams: Since junk mail is easy to create, fraudsters often find it easy to spread
bogus investment schemes or spread false information about a company.

Credit card fraud: With electronic commerce rapidly becoming a major force in national economies, it offers rich pickings for criminals prepared to undertake fraudulent activities. In the U.S.A. the ten most frequent fraud reports involve undelivered and online services; damaged, defective, misrepresented or undelivered merchandise; auction sales; pyramid schemes and multilevel marketing; and the most predominant among them is credit card fraud. Something like half a billion dollars is lost by consumers in card fraud alone.

Publishing of a false digital signature: According to section 73 of the I.T. Act 2000, if a person knows that a digital signature certificate is erroneous in certain particulars and still goes ahead and publishes it, he is guilty of having contravened the Act. He is punishable with imprisonment for a term that may extend to two years or with a fine of one lakh rupees or with both.

Making available a digital signature for fraudulent purposes: This is an offence punishable under section 74 of the above-mentioned Act, with imprisonment for a term that may extend to two years or with a fine of two lakh rupees or with both.

Alteration And Destruction Of Digital Information: The corruption and destruction of digital information is the single largest menace facing the world of computers. This is introduced by a human agent with the help of various programs, which have been described in detail below as follows:

Virus: Just as a virus can infect the human immune system, there exist programs which can destroy or slow down computer systems. A computer virus is nothing but a program designed to replicate and spread, generally with the victim being oblivious to its existence. Computer viruses spread by attaching themselves to programs like word processors or spreadsheets, or they attach themselves to the boot sector of a disk. When an infected file is activated or when the computer is started from an infected disk, the virus itself is also executed.

HACKING

It is the most common type of cyber crime that is committed across the world. Hacking has been defined in section 66 of The Information Technology Act, 2000 as follows: "whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means commits hacking". Punishment for hacking under the above-mentioned section is imprisonment for three years or a fine which may be up to two lakh rupees or both. A hacker is a person who breaks into or trespasses on a computer system. Hackers are of different types, ranging from code hackers to crackers to cyber punks to freaks. Some hackers just enjoy cracking systems and gaining access to them as an ordinary pastime; they do not desire to commit any further crime. Whether this itself would constitute a crime is a matter of fact. At most such a crime could be equated with criminal trespass.

Fraud related Cryptography

Crypto viruses : denial of service attack, information extortion attack

Here I describe the various laws and regulations on cryptography that currently exist or are being discussed around the world. I focus on cryptography that is used for confidentiality purposes; authentication cryptography, with which digital signatures can be made, in general does not hamper law enforcement. I shall first describe export and import rules in general, and then deal with the existing domestic encryption laws and regulations per country. Next come the developments taking place in international bodies, especially the European Union and the OECD.

Cryptographic Attacks:

After all the work cryptographers put into testing their algorithms for holes, one would expect that modern crypto systems would be hard to break. In a sense it is hard to break these well-developed systems if you go at them with a sledgehammer approach. However, most modern attacks find ways to simply circumvent the security in an algorithm or crypto system instead of finding ways to “break” them. Because we are human, we sometimes make mistakes in hardware and software that make it easier for attackers to find the weaknesses in a security mechanism.

Sometimes crypto attacks are made easier because the vendor made a simple mistake in creating the encryption program. This has happened more often than you’d care to know. There are tons of people out there with time, energy, and spare computers who love to find holes in crypto programs, and when they do, they take a fair amount of delight in publishing their results. If you do an Internet search on “cracking crypto” or “attacking cryptography,” you’ll find hundreds of highly technical papers and lots of freeware that will do the job for you.

That’s not to say that encrypting your data and messages is a bad thing. It’s certainly more secure than not encrypting it. In fact, in one well-known case, an e-commerce site went to all the trouble of setting up SSL to encrypt credit card numbers for purchases, but stored those numbers unencrypted on the Web server. The attackers did not need to attack the SSL sessions; they just found a path into the Web server and stole the credit card numbers with no problem. Sometimes smart people do dumb things. It’s up to you to try to play it smart.

Here are some of the common attacks you are likely to come across in your reading or discussions about cryptography.

Known Plaintext Attack.
Chosen Ciphertext Attacks.
Chosen Plaintext Attacks.
The Birthday Attack.
Man-in-the-Middle Attack.
Timing Attacks.
Rubber Hose Attack.
Electrical Fluctuation Attacks.
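As an added example (not from the original page), the following Python shows the mechanism behind the timing attack listed above and its standard mitigation. A comparison that stops at the first mismatching byte does a different amount of work depending on how much of a secret value a candidate matches, which is exactly the kind of implementation mistake the text says attackers exploit instead of breaking the algorithm. The example counts the bytes examined instead of timing the loop, so the effect is visible deterministically, and contrasts it with hmac.compare_digest, which examines every byte. The secret value and the guesses are constructed sample data.

```python
import hmac

def leaky_compare(expected: bytes, candidate: bytes):
    """Early-exit comparison, the pattern behind a timing leak. Returns
    (equal, bytes_examined): the second value is a deterministic proxy for the
    running time, which grows with the length of the matching prefix."""
    if len(expected) != len(candidate):
        return False, 0
    examined = 0
    for x, y in zip(expected, candidate):
        examined += 1
        if x != y:            # stops at the first mismatch
            return False, examined
    return True, examined

def constant_time_compare(expected: bytes, candidate: bytes) -> bool:
    """Hardened form: hmac.compare_digest examines every byte regardless of
    where the inputs differ, so elapsed time does not depend on the prefix."""
    return hmac.compare_digest(expected, candidate)

def examined_profile(secret: bytes, guesses):
    """How many bytes the leaky comparison examines for each guess."""
    return [leaky_compare(secret, g)[1] for g in guesses]

if __name__ == "__main__":
    secret = b"0123456789abcdef"                       # constructed sample MAC/token value
    guesses = [secret[:k] + b"?" * (16 - k) for k in (0, 4, 8, 12, 16)]
    print("bytes examined per guess:", examined_profile(secret, guesses))   # [1, 5, 9, 13, 16]
    print("constant-time verdicts:", [constant_time_compare(secret, g) for g in guesses])
```

The profile makes the defensive point: a verifier built on leaky_compare reveals, through its running time, how far a candidate MAC or token agrees with the real one, whereas the constant_time_compare verdicts carry no such information. Any code that checks a secret against user-supplied input (MAC tags, password hashes, session tokens) should use the constant-time form.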

Security Related Crimes:

With the growth of the internet, network security has become a major
concern. Private confidential information has become available to the public.
Confidential information can reside in two states on the network. It can reside on the
physical stored media, such as hard drive or memory or it can reside in the transit across
the physical network wire in the form of packets. These two information states provide
opportunities for attacks from users on the internal network, as well as users on the
Internet.

IP Spoofing :

An IP spoofing attack occurs when an attacker outside the network pretends to be a trusted computer, either by using an IP address that is within its range or by using an external IP address that you trust and to which you wish to provide access to specified resources on your network. Normally, an IP spoofing attack is limited to the injection of data or commands into an existing stream of data passed between client and server applications or a peer-to-peer network connection.

Password attacks:

Password attacks can be implemented using several different methods, such as brute force attacks and Trojan horse programs. IP spoofing can yield user accounts and passwords. Password attacks usually refer to repeated attempts to identify a user password or account. These repeated attempts are called brute force attacks.
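As an added example (not from the original page), the following Python shows one detection for the repeated attempts the text describes: a sliding-window rule over authentication log lines that flags a source address once it produces a set number of failed logins within a short window, and records how many different accounts it tried. The log lines are constructed in sshd style and the threshold and window are arbitrary choices for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not from the page): one source hammering
# several accounts within seconds, and one ordinary user with occasional typos.
SAMPLE_LOG = """\
2024-01-01T10:00:01 sshd[2001]: Failed password for alice from 203.0.113.5 port 51001 ssh2
2024-01-01T10:00:04 sshd[2002]: Failed password for alice from 203.0.113.5 port 51002 ssh2
2024-01-01T10:00:07 sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 51003 ssh2
2024-01-01T10:00:09 sshd[2004]: Failed password for bob from 203.0.113.5 port 51004 ssh2
2024-01-01T10:00:12 sshd[2005]: Failed password for alice from 203.0.113.5 port 51005 ssh2
2024-01-01T10:00:30 sshd[2006]: Accepted password for carol from 198.51.100.7 port 40001 ssh2
2024-01-01T10:05:00 sshd[2007]: Failed password for carol from 198.51.100.7 port 40002 ssh2
2024-01-01T10:15:00 sshd[2008]: Failed password for carol from 198.51.100.7 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_auth_log(text: str):
    """Yield (timestamp, result, user, ip) for each line the pattern matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]

def detect_bruteforce(events, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Sliding-window rule: flag a source IP once it produces `threshold`
    failures within `window`. Returns {ip: {"flagged_at": ts, "distinct_users": n}}."""
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    users = defaultdict(set)         # ip -> account names attempted
    flagged = {}
    for ts, result, user, ip in events:
        if result != "Failed":
            continue
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"flagged_at": ts.isoformat(), "distinct_users": len(users[ip])}
    return flagged

if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, flagged at {info['flagged_at']}")
```

On the sample data the first source is flagged at the fifth failure, eleven seconds after the first, while the second source's two failures ten minutes apart never overlap inside the window. The distinct_users count is the useful secondary signal: many accounts from one address in a short time distinguishes guessing from a single user mistyping a password.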

Distribution of sensitive internal information to external sources:

At the core of these security breaches is the distribution of sensitive information to competitors or others who use it to the owners’ disadvantage. While an outside intruder can use password and IP spoofing attacks to copy information, an internal user could place sensitive information on an external computer or share a drive on the network with other users.

Man-in-the-middle attacks: This attack requires that the attacker have access to network packets that come across the network. The possible uses of such an attack are theft of information, hijacking an ongoing session to gain access to your internal network resources, traffic analysis to derive information about one’s own network and its users, denial of service, corruption of transmitted data, and introduction of new information into network sessions.

Cryptography, privacy and National Security concerns in INDIA:

The Internet has provided its users with a new forum to express their views and concerns on a worldwide platform. An essential corollary to the freedom to communicate and speak is the fact that this must be allowed with as little State interference as possible; in other words, in the absence of State intrusion. This immediately raises the controversial issue of the right to privacy. It can be considered a logical corollary to the freedom of speech and expression. The practice of encryption, and its study, which is known as cryptography, provides individuals with means of communication that no third party can understand unless specifically permitted by the communicators themselves. It would therefore seem that this practice is a legitimate utilization of the right to freedom of speech and expression and the right to have a private conversation without intrusion.
Breach Of Confidentiality And Privacy Under The Information And Technology Act 2000: According to section 72 of the above-mentioned Act, if a person has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned and discloses the same to any other person, then he shall be punishable with imprisonment up to two years, or with a fine which may extend to one lakh rupees, or with both.

Encryption And Cryptography: Encryption is like sending postal mail to another party with a lock code on the envelope which is known only to the sender and the recipient. This therefore has the effect of ensuring total privacy even in open networks like the internet. Encryption involves the use of secret codes and ciphers to communicate information electronically from one person to another in such a way that only the persons so communicating would know how to use the codes and ciphers. The field of cryptography, on the other hand, deals with the study of secret codes and ciphers and the innovations that occur in the field. It is also defined as the art and the science of keeping messages secure. Thus while encryption is the actual process, cryptography involves a study of the same and is of wider connotation.

Restrictions On Cryptography In India :

The use of cryptography and encryption in India is a relatively new phenomenon. The use of this technology for the purposes of communication has begun only over the last 15-20 years in India. According to a recent report, in India there are very few companies involved in the development of cryptography. Further, cryptography remains within the domain of the defense sector. It is only as late as 1995 that India introduced a list of items that required licensing before export. The list only included encryption software for telemetry systems specifically and did not relate to encryption software in general. The Information and Technology Act 2000 seeks to introduce some sort of control over the use of encryption for communication in India.

BANK FRAUDS IN INDIA BY USING CRYPTOGRAPHY

Bank Frauds - A Chronic Disease
Some relevant issues to tackle the bank frauds.
An INDIA FORENSIC approach.

BANK FRAUDS – A CHRONIC DISEASE, by Anuradha A. Pujari

All the major operational areas in banking represent a good opportunity for
fraudsters with growing incidence being reported under deposit, loan and inter-branch
accounting transactions, including remittances.

A broad analysis of various frauds that have taken place throws up the following high-risk areas in committing frauds:
1. Misappropriation of cash by dodging accounts.
2. Unauthorized withdrawal or transfers of funds, mostly from long dormant accounts. These kinds of frauds involve forgery also.
3. Opening of fictitious accounts to misappropriate funds from illegal activities, i.e. laundering through the fictitious accounts.
4. Use of interbank clearing for accommodation, kite flying and misappropriation.
5. Cheating in foreign exchange transactions by flouting exchange control provisions.
6. Overvaluation of securities and tampering with security documents, which has led to many of the co-operative bank failures in the recent past.
7. Fraud in collusion with bank staff in emerging areas and services under the computerized environment.

Frauds take place in a financial system only when safeguards and procedural
checks are inadequate or when they are not scrupulously adhered to, leaving the system
vulnerable to the perpetrators. Anecdotal evidence shows that whether the agency or
individual committing the fraud works for the bank or deals with it, the culprit does
careful planning before he attacks the system at its most vulnerable point.

The most effective defense banks could have against fraud is to strengthen their operational practices, procedures, controls and review systems so that all fraud-prone areas are fully sanitized against internal or external breaches. Anyway, the huge expansion in banking transactions consequent to the transition of banks to mass banking and the large-scale computerization have played a major role in the commission of frauds. Hence mere reliance on internal controls is of no use. Expect fraud; to expect fraud one needs formal education to think on the given guidelines. Nowhere in the world can fraud be avoided, and banks are no exception. It is a human tendency to take the risk of committing fraud if one finds suitable chances or ways. So it is wise to expect the occurrence of fraud. When different schemes of fraud are classified, it gives a broad idea of the fraud schemes that are possible in the country. Unfortunately no Indian body does this work. If fraud is expected, efforts can be concentrated on the areas which are fraud prone. Fraud is a game of two: the rule makers and the rule breakers. Whoever is stronger in anticipating the situations wins the game of frauds. Fraud is a fact which cannot be eliminated, but it needs to be managed.

Develop a fraud policy. The policy should be written and distributed to all
employees, borrowers and depositors; this creates a moral tension for the potential
fraudster. Maintain zero tolerance for violations. Indian banks need to publicize loudly
the action taken against fraudsters; media publicity against fraudsters at all levels is
necessary. The announcement by US President George W. Bush that "corporate crooks
will not be spared" had a deep impact on corporate America. In India also we need to
treat it as a severe problem and fight against it.

Assess risk. Look at the ways fraud can happen in the organization. It is
very important to study the trend and style of frauds in the bank. The Basel-II accord
deals with the assessment of various kinds of risk. Some of the big nationalized banks in
India maintain databases of the fraud cases reported in their banks, but the databases are
inert: they yield nothing unless they are analyzed effectively. Establish regular
fraud-detection procedures. These could take the form of internal audit or of inspections;
such procedures alone discourage employees from committing fraud. In addition, the
Institute of Chartered Accountants of India has issued an "Accounting and Assurance
Standard on Internal Controls", which is a real guideline for testing internal controls.
Controls break down because people affect them and because circumstances change.

Segregate duties in critical areas. It is an absolutely basic principle of
auditing that a single person should not have control of both the books of accounts and
the physical asset, because that is the scenario which tempts an employee to commit
fraud. Hence it is essential to see that no one employee is able to initiate and complete a
critical transaction without involving someone else. Most of the banks in India have
well-defined authorization procedures, and the allocation of sanctioning limits is also
observed in most cases. But still the bankers violate the authorities very easily; they just
need to collude with outside parties. However, detection of such collusion is possible in
most cases if the higher authorities are willing to dig into the frauds. Maintain the tone of
ethics at the top. Subordinates have a tendency to follow their superiors. When signals
about the unethical behavior of top management are passed on to middle management,
the fear of punishment is reduced and the tendency to follow the superior dominates. Fear
vanishes altogether once the attitude of "if I have to die I'll take the superior along with
me" takes hold.

Review and enforce password security. Incidents of hacking and phishing have
troubled the Indian private sector banks to a great extent. In addition, most Indian banks
are racing after ATM and credit cards to compete with each other but have conveniently
forgotten that ATM cards and credit cards are the best tools available in the hands of
fraudsters. Inappropriate system access makes it possible to steal large amounts of money
very quickly and, in many cases, without detection. Hence the review and enforcement of
the security policy is going to be crucial.

Promote a whistle-blowing culture. Many surveys on fraud have shown that
frauds are unearthed by tips from insiders, or sometimes from outsiders; internal audits
and internal controls come much later. The message about contacting the vigilance
officers is displayed in most branch premises, but ethics lines are very rarely seen. Ethics
lines are help lines for employees or well-wishers of the bank that tell them whether a
particular activity constitutes a fraud or not.

Conduct pre-employment screening. Since the raw material of banks is cash,
a banker needs to be more alert than any other employer before recruiting. Merely testing
the aptitude of a person is of no use: know whom you are hiring. More than 20 percent of
resumes contain false statements, and most employers will only confirm dates of
employment. Sometimes post-employment conditions create greed in the minds of
employees, so bankers should at least test the character of their subordinates by creating
real-life scenarios, such as having a dummy borrower call and offer a bribe.

Screen and monitor borrowers. Bad borrowers cause the biggest losses to
banks. Who are they, and who do they represent themselves to be? Look at their
ownership, clients, references and litigation history. In many cases the potential
fraudsters have a history of defaulting at some other bank or financial institution. The
more realistic approach is to maintain centralized databases of defaulters and the
properties offered by them, which would give banks very easy access to the list of
defaulters; this in turn could be used in decisions about disbursements and all other
issues. This ten-fold approach to combating fraud is an endeavor to reduce the
operational risks of banks in the wake of the coming BASEL-II norms, which have
identified operational risk as one of the biggest threats to the progress of the banking
sector. Complying with these norms yields definite results.

A survey of cryptography laws and regulations

Cryptography is a necessary tool in the information society. Yet if criminals use it,
wiretaps and computer searches will become useless. So, there is a clash of concerns:
how to ensure that the police can still catch criminals, while respecting the essential uses
of cryptography in information security?

Criminal Law :
In these heady days of the Internet, other forms of global communication, and
multinational corporations, the need for privacy in electronic communications is greater
than ever. Without it, consumers will not make credit card purchases, and companies and
individuals will be extremely reluctant to disseminate confidential information to their
worldwide offices and to their clients, lest such information fall prey to hacking
competitors and criminals.

Encryption is not only valuable in terms of ensuring privacy, but also facilitates
"authentication" in that it creates non-forgeable "digital" signatures on electronic
documents and also provides a fool-proof way of detecting whether anybody has
attempted to alter a communication while in transit.

(1) Thus, in many ways, "paperless" electronic transactions are, at least potentially, both
more efficient and safer for the consumer and the seller of goods and services than more
standard transactions. The art and science of cryptography is as old as civilization: in the
time of Julius Caesar, encrypted messages were sent to his field generals in battle by
replacing each letter with the letter three places later in the Latin alphabet.

(2) Cryptography has proven particularly valuable during times of war, enabling our
country, for example, to crack the Germans' "Ultra" codes and the Japanese "Purple"
codes during World War II, thereby substantially shortening the war and saving
thousands of lives.

(3) In addition to military applications, cryptography plays a vital role within the
intelligence community, helping us stay one step ahead of international terrorists and the
like. While computers have played an important role in the area of code-breaking, they
have likewise played an important role in the area of code-making. Through the
encryption process, readable data (plaintext) is run through a computer program, which
uses algorithms, and is converted into unreadable format known as "ciphertext".
Decryption is the process whereby the ciphertext is translated back to plaintext by
someone possessing the appropriate code or "key." Generally speaking, the strength of a
particular cryptographic system is gauged by the length of its key and the complexity of
its algorithm.

(4) As this statement implies, there are encryption products already in existence that
contain codes that are so complex that they are virtually impossible to break without the
proper key, which is oftentimes in the sole possession of the recipient of the
information. As one might expect, the international market for encryption hardware and
software is huge, and getting bigger, its demand being limited only by the demand for
computers and cellular telephones. FBI Director Louis Freeh bluntly stated that, "law
enforcement remains in unanimous agreement that the widespread use of robust non-
recovery encryption will destroy our ability to fight crime and terrorism."

(5) In one notable example, encryption used to prevent our intelligence community from
collecting data was detected in the Aldrich Ames spy case, and Ramzi Yousef, the
convicted mastermind of the World Trade Center bombing and other despicable acts, used
encryption products to protect his computer files that related to terrorist activities.

(6) Encryption has also been used by child pornographers to transmit obscene images
over the Internet, and by major drug traffickers, violent gangs, and domestic anti-
government groups seeking to stifle government investigators.

(7) For this reason, ever since its "Clipper Chip" initiative in 1993, the Clinton
Administration's policy and proposals have all involved the concept of "escrowed"
encryption. An escrowed encryption system is one in which the "key" to the system is kept
"in escrow" by a designated, government-approved agency or third party who can be
served with a request or court order to turn the key over to law enforcement officials
without notifying the user.

(8) As one might expect, each of these proposals has met with a negative reaction from
the computer industry and from civil libertarians. In addition to escrowed encryption
proposals, the other response by the Clinton Administration has been an attempt to forge
a compromise by permitting unregulated and unlimited domestic use and distribution of
encryption technology, despite objections from the FBI, but severely regulating and
limiting the exportation of encryption products. Prior to 1996, the exportation of
encryption products was governed by the Arms Export Control Act (AECA) and the
International Traffic in Arms Regulations (ITAR).

(9) In late 1996, the Clinton Administration transferred authority over the export of non-
military encryption to the Commerce Department, which issued its own set of
regulations. These regulations provided for exceptions to export restrictions for certain
encryption products, including non-recovery encryption software up to a 56-bit key
length.

(10) The Clinton Administration and the law enforcement community face a wide array
of formidable opponents. In addition to groups such as the American Civil Liberties
Union, the Electronic Frontier Foundation, the Center for Democracy and Technology,
and the Electronic Privacy Information Center, a coalition of over 100 businesses and
associations, including Intel, Microsoft, Sun Microsystems, and the Business Software
Alliance, recently formed Americans for Computer Privacy (ACP), whose sole goal is to
promote pro-encryption legislation.

(11) These groups generally fear the possibility of "Orwellian snooping" by the
government, and fervently believe that encryption restrictions violate fundamental rights
to privacy, as well as the First, Fourth, and Fifth Amendments. Suffice it to say that many
of these groups are well-financed and highly motivated. Some of the systems, designed to
prevent crime, would, paradoxically, leave law abiding citizens and companies more
susceptible to computer-savvy criminals who desire to steal and misuse sensitive
information. If, as has been acknowledged by the Department of Defense, two 17-year-
old hackers can penetrate the Pentagon’s computer system,

(12) Last December, Cylink Corp. was granted a license to export strong encryption
without a key recovery to members of the European central bank network, and in
February, the Commerce Department expanded its definition of "financial institutions"
permitted to export strong encryption hardware to include credit card companies and
securities firms.

(13) Despite the recent easing of export restrictions, the debate about encryption shows
no signs of abating. There are currently pending before Congress no fewer than five bills
dealing with encryption technology, some of which impose additional restrictions and
some of which eliminate those restrictions that currently exist. In the House, some
members have proposed the Security and Freedom through Encryption (SAFE) Act.

(14) As originally proposed, SAFE would prohibit mandatory key escrow and ease export
controls. However, SAFE has been subjected to numerous revisions that offend civil
libertarians, such as the addition of key-recovery provisions and a provision making it a
crime to use encrypted communications. In the Senate, John McCain and Bob Kerrey
have introduced the Secure Public Networks Act of 1996 which authorizes the export of
encryption products without key recovery of up to 56-bit strength to certain buyers. The
bill would allow the president to increase the encryption strength of exportable products
and further provides that the president "shall take such action as necessary to increase the
encryption strength for encryption products for export if similar products are marked by
the President to be widely available for export from other Nations."

(15) In the absence of an executive order, the bill prohibits the exportation of encryption
products with more than 56 bits unless they are "based on a qualified system of key
recovery."

(16) Pro-CODE would essentially eliminate export controls of encryption technology
products, by permitting the export of encryption technologies if products of similar
strength are available anywhere else in the world and by prohibiting the imposition of
mandatory key-recovery programs. The bill would also prohibit both the federal
government and state governments from regulating the interstate sale of encryption
devices. Patrick Leahy has introduced the Encrypted Communications Privacy Act of
1997,

(17) which, like Senator Burns’s bill, would eliminate export controls on encryption
devices and technology. However, it also offers protection to any United States citizen or
entity who uses encryption of any strength in any state or foreign country, and
criminalizes the use of encryption when used in furtherance of a crime. Most recently,
John Ashcroft and Senator Leahy introduced the Encryption Protects the Rights of
Individuals from Violation and Abuse in Cyberspace Act,

(18) which would allow companies to export advanced encryption products, after a one-
time review of mass-market encryption products and after it is verified that comparable
technology is already available in foreign markets; however, exports to certain countries,
such as Iraq, Iran, and Libya, would still be banned.

When it comes to encryption technology and products, regardless of the
hopes and wishes of the law enforcement community. This is not the first time, though,
that the law enforcement community has faced challenges from emerging technologies.
Law enforcement officers have managed to overcome the data processing difficulties
posed by fax machines, communication networks and other technologies. In short, the law
enforcement and intelligence community is ultimately going to have to rely, as it has
done many times before, on being smarter, faster and technologically superior if it is
going to stay ahead of the curve and continue to be effective at cracking the crook's code.

Easily available crypt tools

Cryptography tools provide command-line tools for code signing, signature verification,
and other cryptography tasks.

Introduction to Code Signing: The software industry must provide users with the means
to trust code, including code published on the Internet. Many Web pages contain
only static information that can be downloaded with little risk. Some pages contain
controls and applications to be downloaded and run on a user's computer. These
executable files can be risky to download and run.

Packaged software uses branding and trusted sales outlets to assure users of its
integrity, but these guarantees are not available when code is transmitted on the
Internet. Additionally, the Internet itself cannot provide any guarantee about the
identity of the software creator. Nor can it guarantee that any software downloaded
was not altered after its creation. Browsers can exhibit a warning message that
explains the possible dangers of downloading data of any kind, but browsers cannot
verify that code is what it claims to be. A more active approach must be taken to
make the Internet a reliable medium for distributing software.

One approach to providing guarantees of the authenticity and integrity of files
is attaching digital signatures to those files. A digital signature attached to a file
positively identifies the distributor of that file and ensures that the contents of the file
were not changed after the signature was created. Digital signatures can be created
and verified by using Microsoft's cryptography APIs. For background information on
cryptography and the CryptoAPI functions, see Cryptography Essentials. For
detailed information on digital signatures, certificates, and certificate stores, see the
following topics:

Hashes and Digital Signatures
Digital Certificates
Managing Certificates with Certificate Stores
Certificate Trust Verification
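The integrity and origin guarantees described above can be exercised end to end in a few lines. This is an added example written for this page, not Microsoft CryptoAPI or Authenticode code: it uses Go's standard-library Ed25519 in place of Authenticode's X.509/RSA machinery, and the publisher key pair and the sample "installer" file are constructed here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignFile returns a detached signature over the SHA-256 digest of content.
// Hash-then-sign is the pattern code-signing schemes use; the signature
// algorithm here is Ed25519 (an assumption for this example), not the
// X.509/RSA machinery Authenticode uses.
func SignFile(priv ed25519.PrivateKey, content []byte) []byte {
	digest := sha256.Sum256(content)
	return ed25519.Sign(priv, digest[:])
}

// VerifyFile is the check a downloader runs: true only if sig was produced by
// the private key matching pub over exactly these bytes. Any change to the
// file, or a signature from some other publisher, yields false.
func VerifyFile(pub ed25519.PublicKey, content, sig []byte) bool {
	digest := sha256.Sum256(content)
	return ed25519.Verify(pub, digest[:], sig)
}

// Outcome records the three verification results the demo exercises.
type Outcome struct {
	Original bool // untouched file, publisher's key
	Tampered bool // one field changed after signing
	WrongKey bool // untouched file, but a different party's key
}

// RunDemo signs a constructed sample installer script, then verifies it
// unmodified, after tampering, and against a key the publisher does not hold.
func RunDemo() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher's key pair
	if err != nil {
		panic(err)
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader) // unrelated party
	if err != nil {
		panic(err)
	}
	// Constructed sample file; stands in for the bytes a browser downloads.
	original := []byte("#!/bin/sh\necho 'installing widget 1.0'\n")
	sig := SignFile(priv, original)

	// Simulated in-transit alteration: the version string is changed.
	tampered := bytes.Replace(original, []byte("1.0"), []byte("1.1"), 1)

	return Outcome{
		Original: VerifyFile(pub, original, sig),
		Tampered: VerifyFile(pub, tampered, sig),
		WrongKey: VerifyFile(otherPub, original, sig),
	}
}

func main() {
	o := RunDemo()
	fmt.Printf("original verifies:  %v\n", o.Original) // true
	fmt.Printf("tampered verifies:  %v\n", o.Tampered) // false
	fmt.Printf("wrong key verifies: %v\n", o.WrongKey) // false
}
```

The wrong-key case is what certificate trust verification adds on top of the raw signature check: a valid signature is worthless unless the public key is bound to a publisher the user trusts.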

Currently, CryptoAPI Tools supports Microsoft Authenticode technology by allowing
software vendors to sign the following types of files for Authenticode verification.
The following are a couple of crypt tools.

crypt-xor_2.1-1_i386.deb

crypt-xor_2.1-1.tar.gz

Terrorism n Steganography
Steganography is the art and science of writing hidden messages in such a way that no
one apart from the intended recipient knows of the existence of the message. This is
in contrast to cryptography, where the existence of the message itself is not
disguised, but its content is obscured. Quite often, the hidden message is embedded in
pictures.

Steganography used in electronic communication includes steganographic coding inside
a transport layer, such as an MP3 file, or a protocol, such as UDP. A steganographic
message (the plaintext) is often first encrypted by some traditional means, and then a
covertext is modified in some way to contain the encrypted message (ciphertext),
resulting in stegotext. For example, the letter size, spacing, typeface, or other
characteristics of a covertext can be manipulated to carry the hidden message; only
the recipient can recover the message and then decrypt it. Francis Bacon is known to
have suggested such a technique to hide messages.

Some of the modern steganography techniques

1. Chaffing and Winnowing

2. Invisible Ink

3. Null Ciphers
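Chaffing and winnowing (item 1 above) is the one technique in this list that sends everything in the clear and still hides the message, which is what makes it relevant to the export-control debate earlier in this report. The following is an added example written for this page, not code from any source it cites; it follows Rivest's construction, with the shared key and the sample message constructed here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// Packet is one unit on the wire: sequence number, one payload byte and a MAC.
// Nothing in the stream is encrypted; only the MACs tell wheat from chaff.
type Packet struct {
	Seq     uint32
	Payload byte
	MAC     []byte
}

// mac binds the sequence number and payload under the shared key.
func mac(key []byte, seq uint32, payload byte) []byte {
	var buf [5]byte
	binary.BigEndian.PutUint32(buf[:4], seq)
	buf[4] = payload
	h := hmac.New(sha256.New, key)
	h.Write(buf[:])
	return h.Sum(nil)
}

// Chaff (sender side) emits, for every byte of msg, one genuine packet with a
// valid MAC and one chaff packet carrying a different byte under a random MAC.
func Chaff(key, msg []byte) []Packet {
	out := make([]Packet, 0, 2*len(msg))
	for i, b := range msg {
		seq := uint32(i)
		out = append(out, Packet{seq, b, mac(key, seq, b)})

		decoy := b
		for decoy == b { // random byte that differs from the real one
			var r [1]byte
			rand.Read(r[:])
			decoy = r[0]
		}
		bogus := make([]byte, sha256.Size)
		rand.Read(bogus) // random bytes, indistinguishable from a real MAC
		out = append(out, Packet{seq, decoy, bogus})
	}
	return out
}

// Winnow (receiver side) keeps only packets whose MAC verifies under key,
// then reassembles the payload bytes in sequence order. Without the key
// every packet is rejected, so an eavesdropper recovers nothing.
func Winnow(key []byte, pkts []Packet) []byte {
	kept := make(map[uint32]byte)
	for _, p := range pkts {
		if hmac.Equal(p.MAC, mac(key, p.Seq, p.Payload)) {
			kept[p.Seq] = p.Payload
		}
	}
	seqs := make([]int, 0, len(kept))
	for s := range kept {
		seqs = append(seqs, int(s))
	}
	sort.Ints(seqs)
	out := make([]byte, 0, len(seqs))
	for _, s := range seqs {
		out = append(out, kept[uint32(s)])
	}
	return out
}

func main() {
	key := []byte("constructed shared key") // assumed agreed out of band
	stream := Chaff(key, []byte("meet at dawn"))
	fmt.Printf("%d packets on the wire\n", len(stream))
	fmt.Printf("with key:    %q\n", Winnow(key, stream))            // "meet at dawn"
	fmt.Printf("without key: %q\n", Winnow([]byte("guess"), stream)) // ""
}
```

A real sender would make the decoy bytes plausible text rather than random, so that neither half of each pair looks more likely than the other to an observer.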

Terrorists and Steganography - Crypto-Gram Newsletter article by Bruce Schneier (30
Sept 2001): It doesn't surprise me that terrorists are using this trick. The very aspects
of steganography that make it unsuitable for normal corporate use make it ideally
suited for terrorist use. Most importantly, it can be used in an electronic dead drop.

Bin Laden: Steganography Master? - WIRED News article discussing USA TODAY
report that bin Laden and others are using steganography to communicate.

Reference: for the above two terrorist activities
http://www.ic.arizona.edu/ic/humanities/september11/pages/Terrorism/Internet/Steganography/

Conclusion
It is clear from the above report and all the available evidence that the availability of
strong cryptography is a very mixed blessing: on one side it can be used in the
development of electronic commerce and the maintenance of personal privacy, on the
other it does provide a useful tool for the criminally minded. As to whether the argument
that criminals use cryptography is a reasonable justification for the introduction of
heavy-handed regulation which would attempt to limit the availability and use of such
products, the conclusion is clear. While the law enforcement community's case does carry
some weight, in that regulation would in some cases make the conviction of the criminal
somewhat easier and might even mean that a few more were caught, the price is simply
too high. The infrastructure for strong encryption for the individual already exists on a
transnational basis. If regulations are promulgated which require the use of Trusted Third
Parties, lower-strength encryption or even merely a heavy paperwork burden which
increases costs, what must happen is that those citizens who are law-abiding in the first
place will follow the new regulations, whereas those who are not will simply ignore them
and continue to use the system which is currently in place anyway: strong, virtually
unbreakable encryption, unencumbered by any legal framework. The only way in which
this could be made effective is to outlaw all non-regulated products and then trace any
traffic which uses them. This is simply not technically feasible, and is also a great deal of
effort when "the number of cases which actually involve cryptography is still very small"
and "the files which are eventually decrypted often have little or no bearing on the
outcome of the case."

The reality of the UK proposals as they stand is that they may provide a placebo
for non-technical business and private users but will create a cumbersome system
with many flaws which flies in the face of the spirit, if not the letter, of the directives
it seeks to implement, to say nothing of the wishes of the majority of informed users.
The reality is that strong encryption is available to the ordinary user, and any
government attempt to control it will only burden business and put it at a possible
competitive disadvantage.

The reality is that misunderstanding surrounding the issues of how electronic
networks function and the security measures available has resulted in this report being
produced, which merely shows that there is confusion over many aspects of the situation.
The use of cryptography by criminals is generally put forward as an argument for its
regulation. The internet is analogous to the high seas: no one owns it, yet people of all
nationalities use it. It would perhaps be ideal if a unification of internet laws could be
achieved so as to minimize the discrepancies in the application of such laws. This is
vital considering the growth of commercial activities on the internet. Changes need
to be made to the existing Information Technology Act 2000 in order to combat
the numerous problems caused by the internet.

References
Web References:

http://www.journals.cambridge.org/action/displayAbstract?fromPage=online&aid=152046
http://www.privacy.org/pi/activities/tapping/
http://rechten.uvt.nl/koops/crypcrim.htm#General
http://www.fed-soc.org/Publications/practicegroupnewsletters/criminallaw/encryption-crimv2i3.htm
http://www.usdoj.gov/criminal/cybercrime/intl.html
http://www.usdoj.gov/criminal/cybercrime/oeback.htm
http://rechten.uvt.nl/koops/CLSR-CLS.HTM
http://www2.epic.org/reports/crypto2000/overview.html
http://www.legalserviceindia.com/articles/article+2302682a.htm
http://www.asianlaws.org/report0102.pdf
jjtc.com/stegdoc
www.theregister.co.uk
http://www.cellular.co.za/accessories/encryption/cryptophone_gsm_phone_encryption.htm
rechten.uvt.nl/koops
www.crystalinks.com
http://www.activemind.com
http://cs.georgetown.edu
http://wikipedia.org
http://mobileshop.org/howitworks
http://www.pgpi.org
http://cryptovirology.com
http://www.iusmentis.com/technology/encryption/des
http://webopedia.com
http://simonsingh.net

Book References:

Internet Cryptography by Richard E. Smith, 1952, Addison-Wesley
An article by Avinash W. Kadam, issue of September 2003
Cryptography for Dummies by Chey Cobb, CISSP, copyright 2004 by Wiley Publishing Inc.
RSA Security's Official Guide to Cryptography by Steve Burnett and Stephen Paine, copyright 2001 by The McGraw-Hill Companies.
Bert-Jaap Koops, The Computer Law & Security Report, November-December 1996, pp. 349-355
