Encryption is a mechanism through which the privacy, integrity and security of a communication or electronic transaction are ensured. Encryption strength is measured in bits: the more bits there are, the stronger the encryption. Encryption is an essential aspect of cyber security and secure e-commerce transactions [1]. Encryption works by scrambling the original message with a very large digital number (the key). This is done using advanced mathematics. Commercial-level encryption uses a 128-bit key that is very, very hard to crack. The computer receiving the message knows the digital key and so is able to work out the original message [2]. Governments have taken different policy approaches in their efforts to contain the threat they see posed by encryption. Mechanisms for controlling encryption can be placed into three general categories: import controls, export controls, and use controls. The summaries that follow of encryption policy in India, the US, the UK, Russia, and China explore these forms of control.

Section 84(A) of the IT Act deals with the modes or methods for encryption: the central government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption [3]. The ISP license issued in 1998-99 by DoT limits the level of encryption to a 40-bit key length; for use of more than this prescribed limit, written permission from DoT is required, with mandatory deposit of the decryption key with DoT. There is also an obligation on ISPs to ensure that bulk encryption is not deployed. The 40-bit encryption standard is outdated today, as it can be easily cracked. This creates vulnerability, especially when it comes to e-commerce or e-governance. The law of the land says that only 40-bit encryption must be followed by ISPs, but most e-commerce and e-governance websites, including RBI's website, are using a higher encryption standard, as it is impossible to conduct any e-transaction with 40-bit encryption.

[1] http://tlnind.blogspot.in/2011/03/encryption-laws-and-regulations-in.html
[2] http://www.teach-ict.com/technology_explained/encryption/encryption.html
[3] The Information Technology Act, 2000

Indian regulatory bodies like SEBI and RBI have mandated encryption standards greater than 40-bit. SEBI's Committee on Internet Based Securities Trading and Services urges that DoT should freely allow 128-bit encryption to ensure safety and build investor trust in the Internet-based trading system. RBI guidelines on Internet Banking make the use of SSL 128-bit encryption mandatory as the minimum level of security for securing browser-to-web-server communications, along with encryption of sensitive data like passwords in transit within the enterprise itself [4]. The Joint Cipher Bureau works closely with the IB, RAW and the operations of military intelligence agencies. It is responsible for cryptanalysis and encryption of sensitive data. The inter-services Joint Cipher Bureau has primary responsibility for cryptology and SIGINT (signals intelligence), providing coordination and direction to the other military service organizations with similar missions.

There are signs that many governments are beginning to believe that international coordination on encryption policy is necessary to prevent widespread international deployment of strong encryption. The U.S. government spearheaded the Organization for Economic Cooperation and Development (OECD) talks on the development of cryptography guidelines. As a result of these talks, an ad hoc group of experts on cryptography completed in March 1997 a Recommendation Concerning Guidelines for Cryptography Policy. The likely purpose of the OECD talks on encryption policy was to raise the consciousness of other governments about the problem of uncontrolled encryption. At the same time, the talks were also intended to demonstrate to the private sector, especially in the U.S., that other countries were likely to have the same concerns as the FBI about criminal use of encryption, so that defeating U.S. export controls would not open the door to a vast market for unescrowed encryption, but could instead spark new and perhaps inconsistent national government regulation of encryption in countries where encryption previously was not regulated. The United States, along with thirty-three other countries throughout the world, has been restricting the export of encryption for years. Those restrictions have been in place to protect national security and foreign policy interests, not necessarily the interests of public safety and law enforcement.

The Licensing of Trusted Third Parties for the Provision of Encryption Services affirms that cryptography is vital, essential, and "one of the most effective tools" for protecting the integrity and confidentiality of information and for promoting electronic commerce. DTI (Department of Trade and Industry) also considers it essential that security, intelligence, and law enforcement agencies have the ability to legally intercept communications and legally access stored data through the disclosure of escrowed keys. The UK government anticipates that additional legislation may be required to allow appropriate authorities to obtain private encryption keys other than those held by licensed TTPs. This paragraph has provoked speculation that the UK will seek to regulate encryption products or to impose use restrictions. DTI's Information Security Policy Group recently responded that users will remain free to use or import any form of encryption in the UK [5].

Russia is not an OECD member and has not participated in the OECD talks on encryption. In order to develop, produce, sell, export, or use encryption products, those products must be licensed by FAPSI (Federal Agency of Government Telecommunications and Information). The ordinance also requires that all government entities use only cryptography and encryption products that are certified by FAPSI. There are, however, many indications that these requirements are not strictly enforced [6]. At least one article, written by a prominent Russian mathematician and published in the influential Russian newspaper "Izvestia" on April 20, 1995, harshly criticized the Edict as overbroad, granting unlimited discretion to the secret police and ignorant customs officers, violating civil rights, creating obstacles for international cooperation in the field of exchange and processing of information, and making meaningless the recently adopted intellectual property laws. The article expresses the existing concern that the new statutes seek to revive and legitimize the tested methods of controlling Russian society.

[5] http://encryption_policies.tripod.com/us/baker_060100_regulation.htm
[6] http://encryption_policies.tripod.com/us/baker_060100_regulation.htm

In the People's Republic of China, a company wishing to import or export encryption products must first obtain a license. License applications can be reviewed either by the Ministry of Foreign Trade or the province's foreign trade bureau. The Ministry of Foreign Trade maintains the List of Prohibited and Restricted Imports and Exports. This list, enacted in 1987, indicates that China restricts the import and export of voice-encoding devices. Anecdotal evidence from U.S. multinationals indicates that approval for use of encryption products inside China is not necessarily easy to obtain. Some companies have waited a year or more to receive approval for the import or use of encryption products [7].

From the above, we conclude that policies and regulations related to encryption vary from nation to nation; the proper implementation of ICT4D is always a major part of this problem. The laws around encryption in developing and developed countries are evolving, and stakeholders are eagerly looking forward to the encryption policy that the Government will come out with, along with a higher encryption standard. On the other side, the Government should also beef up its security agencies' cryptography know-how to ensure that lack of knowledge doesn't compromise national security.