A brief history of the internet, cryptography, cryptanalysis and encryption laws of India

The internet

Thanks to the internet you are reading this article right now. How did the internet get to where it is today?
There is so much history we cannot possibly get it together in this short article.

The internet actually got a start about 50 years ago, and computers at that time filled up entire rooms. Scientists and researchers used these to do research work in the field of physics, mathematics, statistics among other subjects.

In 1962, a scientist at the ARPA1 named J C R Licklider proposed the idea of linking computers with physical cables. According to him computers would be able to ‘talk’ to each other.

In 1969, the first message was sent from one computer to another through a cable. One computer was placed at University of California, Los Angeles and another was at Stanford University. The cable was laid by ARPA and was called the ARPANET. The message was simply the word ‘LOGIN’ which was received incompletely as ‘LO’.

By the end of the year 1969, there were only four computers connected on ARPANET. But news of this development spread far and wide to Latin America and Europe leading to development of similar computer networks.

By 1971 the University of Aloha in Hawaii started its own network, followed by networks in London and Norway.

In 1971, Ray Tomlinson was working at the ARPA to create a messaging system where computers connected with each other could send and receive electronic ‘mails’, later shortened to e-mails.

However, Ray’s work would not have been possible without another system created by Vinton Cerf, who was also working at the ARPA in 1980. He invented a way in which computers across the globe, irrespective of their networking structure, would be able to connect and discover each other. This invention of Vinton helped computer users connect via long distance cables, recognise each other and be able to communicate through an intricate system of digital signals. This invention was called Transmission Control Protocol (TCP). It was soon followed by the Internet Protocol (IP) in 1983.2 The rest of the 80s revolved around the IP and e-mail, a standardisation which guaranteed compatibility between networks irrespective of the make or brand of computers.

Telecommunication was well developed by then and telephone lines could carry analog electrical waves over long distances. For computers to be able to exploit the already established telephone lines, data had to be modulated into analog signals and then demodulated after being transferred. However, only 56,000 bits per second could be transferred through this medium. This was referred to as the 56K connection. To use the internet through telephone lines one had to ‘dial up’ the local telephone exchange and request internet access. Once granted, a telephone line could connect two computers through their respective modems (modulator and demodulator).

Computers which are specifically designed for serving information on a network are called servers. Computers accessing information are called clients.

In 1991, British Scientist Tim Berners-Lee who was working at the CERN laboratory submitted a proposal named:  Information Management in March 1989.3 This was the groundwork behind organising text into an easily readable format and a code through which computers could exchange it. He invented what we call the Hypertext Transfer Protocol (HTTP) and coined the term ‘world wide web’. This protocol enabled one to many network connections. This was the first time when the distinction between client and server took place.

Tim also built the first ever prototype of a web browser which ran on a client computer connected through the HTTP to a server. Called the ENQUIRE it could send queries to a server and receive replies.

However, the most important development happened when four Finnish students created the first web browser to be able to download image files; it was named ERWISE (a wordplay on ‘otherwise’).

Soon after in 1993, Mosaic followed ERWISE into the web space. Although Mosaic influenced the public on what a web browser should look like, the current look of web browsers with back, forward, history and address bar was established by Netscape Navigator in 1994.

All of these developments were possible because of corporations like America Online (AOL) and Compuserve. They were popularising and massively advertising the oncoming of the internet. Advertisements of electronic mails, file transfers, instant messaging and online directories made their ways to television. By the fall of 1990 there were 313,000 computers hooked onto the internet.

In those times the monitors on a screen could only show text, therefore a highly skilled operator with expert knowledge was required for researchers to manage their data.

Tim, however, developed all three things (HTTP protocol, web server and web browser) away from American influence. He decided to give away his inventions for free to the masses; he did not want regulatory control or stifled growth of this technology.

By 1995, Jeff Bezos started selling books out of his garage. And by 1998, Google had already indexed 25 million internet pages.

As of now the Internet Protocol Version 4 (IPv4) 4 is the most prevalent method of global information dissemination. This protocol requires a specific numerical address called an IP Address to locate a server (analogous to a cellphone number). One server may have multiple IP Addresses.

For example, the IP Address which I mostly get to use to access Google is: 216.58.220.206. If you put this IPv4 Address in the address bar of your browser it would take you to the Google website.

Although IPv6 has been out for a long time, the vast majority of telecom operators still use legacy devices which have not yet progressed to this new protocol. You can test if your operator supports IPv6 here on Google’s testing tool.

Once we connect with a server using their IP Address, it is up to the server how they treat our connection request. Some may deny access to their files (you will see error code ‘403 Forbidden’), some may lead you to an index of all files stored on them (like this Enrique Iglesias Music Collection), and some may show you a HTML document to easily guide you and help you find relevant information quickly.

For e.g.: This website Alcohol. And this David Prati. These are the simplest kinds of websites where only text is publicly available.

 

Cryptography and Cryptanalysis

Cryptography and Cryptanalysis are the hallmark of each other. While cryptography is the science of encryption, cryptanalysis is the science of decryption. Since the beginning of communication itself, people have tried many ingenious methods to gain privacy over conversations, only to get intercepted and decrypted.

You can find everything about Encryption and Symmetric Cryptography in under ten minutes in this article: Encryption and Symmetric Cryptography – How is data secured electronically?

In the case of the modern day internet, information has to be transferred through physical cables across the world. Telephone companies who were skinny dipping into billions in profits suddenly had access to petabytes of data. All those companies who dealt in cable networks and telecommunications had direct access to the bulk of information which goes through the cables they had laid.

And yes, needless to say, browsing history, search history, emails, instant messages, every bit of data which goes through the cables was accessible to the ones who owned them.

Steve Wozniak invented the blue box; it was capable of dialing and connecting to any telephone globally.

Information could be put to any use. Eavesdropping and blackmailing were the least of them. Politicians could use this data to gain advantage, massive surveillance could take away individual liberty.

The growth of the Internet and electronic commerce have brought to the forefront the issue of privacy in electronic communication. Large volumes of personal and sensitive information are electronically transmitted and stored every day. What guarantees does one have that a message sent to another person is not intercepted and read without their knowledge or consent? Tools to ensure the privacy and confidentiality of paper-based communication have existed for a long time.5 Similar tools exist in the electronic communications arena.

Encryption is the standard method for making a communication private. Anyone wanting to send a private message to another user encrypts (enciphers) the message before transmitting it. Only the intended recipient knows how to correctly decrypt (decipher) the message. Anyone who was “eavesdropping” on the communication would only see the encrypted message. Because they would not know how to decrypt it successfully, the message would make no sense to them. As such, privacy can be ensured in electronic communication.

Privacy and security quickly became a public issue. Soon the telecom industry started using encryption while transferring information in their cables. Although a lesser evil, telecom companies still had continued access to data and would frequently allow the government and other interested parties to snoop into it.

In further developments internet companies like Google, AOL, Amazon etc. started using their own layer of encryption. To their amusement these newly established businesses had access to the information, the burden of which big telecom companies were having to carry.

However, in the race towards information the government also wanted its own share. Back in 1952, President Harry Truman signed the National Security Agency (NSA) into the United States. It was an assembly of the best cryptanalysis experts in the world. Although an American agency, it was tasked to intercept and decrypt information from across the globe.

With the advent of asymmetric cryptography and the RSA algorithm the situation changed a bit. You may read this short article on Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm.

Let’s find out what changed.

While Cryptography is the science of encryption methods, three types of algorithms exist:

  1. Hashing/ Digital Fingerprinting/ Digest/ Message Digest
  2. Symmetric Cryptography or Secret Key Cryptography
  3. Asymmetric Cryptography or Public Key Cryptography

Hashing/ Digital Fingerprinting/ Digest/ Message Digest

Hashing is the generation of a fixed-length string of characters, called a hash or message digest, from another string of arbitrary length. Hashing is a one-way encryption which uses no key. This makes it impossible for either the contents or length of the original string to be recovered.

E.g.: 7778889990 = 7+7+7+8+8+8+9+9+9+0 = 72
The hash of 7778889990 is 72.

You can learn about hashing in this short and succinct article: What is digital fingerprint and hashing? And how is it generated?

 

Symmetric Cryptography or Secret Key Cryptography

Symmetric Cryptography is where a single key is used to both encrypt and decrypt a message. This is made possible by converting any text first to numbers, and then further applying complex mathematical functions.

For e.g. if I were asked to securely broadcast the message:
‘Bomb Xanadu at 0930’.

I would first change it to ASCII:
‘66 111 109 98 32 88 97 110 97 100 117 32 97 116 32 48 57 51 48’

and multiply all the numbers with 777743 (key) to get the ciphertext:
‘51331038 86329473 84773987 76218814 24887776 68441384 75441071 85551730 75441071 77774300 90995931 24887776 75441071 90218188 24887776 37331664 44331351 39664893 37331664’

The key therefore would be the prime number 777743. If you know the key, you can divide the values and get the original message once you receive the encrypted message. The longer the key, the better the protection.
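The multiplication scheme above, written out as an added example (not code from the original article), together with two checks on what its ciphertext gives away. The message and key are the article's; the function names are chosen here for illustration.

```python
from functools import reduce
from math import gcd

KEY = 777743                      # key from the article's example
MESSAGE = "Bomb Xanadu at 0930"   # plaintext from the article's example


def encrypt(plaintext, key):
    """The article's scheme: ASCII code of every character times the key."""
    return [ord(ch) * key for ch in plaintext]


def decrypt(ciphertext, key):
    """Divide every value by the key; refuse values the key does not divide."""
    chars = []
    for value in ciphertext:
        code, remainder = divmod(value, key)
        if remainder:
            raise ValueError(f"{value} is not a multiple of the key")
        chars.append(chr(code))
    return "".join(chars)


def common_factor(ciphertext):
    """Greatest common divisor of all ciphertext values.

    Each value is (character code * key), so the key divides every one of
    them. Whenever the character codes themselves share no factor, this
    divisor is the key itself, computed from the ciphertext alone.
    """
    return reduce(gcd, ciphertext)


def repeated_values(ciphertext):
    """Positions of every ciphertext value that occurs more than once.

    The same character always encrypts to the same number, so the layout of
    the message (spaces, repeated letters) survives encryption.
    """
    positions = {}
    for index, value in enumerate(ciphertext):
        positions.setdefault(value, []).append(index)
    return {v: idx for v, idx in positions.items() if len(idx) > 1}


if __name__ == "__main__":
    ct = encrypt(MESSAGE, KEY)
    print("ciphertext     :", " ".join(map(str, ct)))
    print("decrypted      :", decrypt(ct, KEY))
    print("gcd of values  :", common_factor(ct))
    print("repeated values:", repeated_values(ct))
```

Both the common factor and the repeated values are computed from the ciphertext alone, which is why this scheme only illustrates the idea of a shared key and is not a way to protect real messages.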

There are many different SC algorithms you can choose from; the popular symmetric algorithms include Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, RC4, TDES, and IDEA, all of which have probably been compromised by the NSA.6

Gain an insight into Encryption and Symmetric Cryptography in under ten minutes from this article: Encryption and Symmetric Cryptography – How is data secured electronically?

 

Asymmetric Cryptography

This is a two-key crypto system in which two parties could engage in a secure communication over a non-secure communications channel without having to physically share any key.

In this method two different keys are used, one for encrypting the message and another for decrypting the message. The key used to write and encrypt a message is called a public key and it is kept publicly available, while the one used to decrypt and read a message is called a private key and is kept secret.

Every recipient has to generate this set of two keys. Both the keys are mathematically linked in such a way that messages encrypted with a public key can be decrypted only by the private key.

Rivest-Shamir-Adleman from Left to Right

The invention of the RSA algorithm in 1978 made it possible for people to hold fully online communication without a physical key exchange.7 You can read more on Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm.

There was rapid growth in the usage of the RSA algorithm, and many other asymmetric cryptography algorithms appeared. Research in Motion, the company behind Blackberry, held another patent on elliptic curves. By August 2013, Blackberry held 130 patents in cryptographic algorithms.8

However, this proved to be more difficult to crack than any other encryption method. The difficulty of breaking the keys in the RSA algorithm depends on prime factorisation of very large numbers. It is therefore estimated that standard desktop computing power would take 4,294,967,296 x 1.5 million years to break a 2048-bit encryption. Or, in other words, a little over 6.4 quadrillion years.9

Still it would be naive to think that our communications are secure. The first factorization of a 512-bit RSA modulus was reported a decade and a half ago.10 On December 12, 2009 a group of researchers successfully factored a 768 bit, 232 digit semi-prime number.11 And Lenstra warned, “Thus, it would be prudent to phase out usage of 1024-bit RSA within the next three to four years (2013-2014)“.

But even now in 2017, banks use 256 bit RSA algorithm proudly claiming: “OnlineSBI allows you to transact over a completely secure medium, Protected by the most stringent security systems. All your transactions travel via an SSL encrypted medium (minimum of 128-bit to maximum of 256-bit SSL tunnel), the highest level of security (emphasis added) on the internet.”12

This huge lapse in security is due to governments’ desire to harvest information while at the same time struggling to keep up with the global weapons race for data security.

 

Encryption Laws of India

Why does the government want to control and regulate encryption?

As much as encryption is desirable and instrumental in free communication, it also brings in a plethora of abuse cases.

On December 11, 1994 the Philippines Airlines Flight 434 got severely damaged midair by a bomb. It was going from Cebu to Tokyo on a Boeing 747-283B. The pilot of the flight, with his experience somehow managed to land it.

Later, on January 6, 1995, police responded to an apartment fire in Manila, Philippines. They found a Toshiba Laptop along with some chemicals and materials used in bomb making. An open file on the laptop referred to the bombing of Philippines Airlines Flight 434.

The other files on the laptop were encrypted, which created a sense of mind-numbing fear. The Philippines Police, with assistance from the NSA, decrypted some of the files successfully, revealing several bomb making recipes. All the evidence pointed towards a suspect from the 1993 World Trade Center bombing, Ramzi Yousef.

Yousef’s plan to bomb Flight 434 was properly documented through the evidence collected. He was soon tracked down and put into US custody within six weeks. This event stirred the media globally and immediately legal cryptanalysis gained public confidence.

High levels of encryption make it difficult for law enforcement agencies to collect and analyse electronic evidence, while low levels of encryption are harmful for online activities such as e-commerce. A middle ground is therefore desirable, which leads us to legal regulations on encryption.

 

Information Technology Act

In India, the Information Technology (Amendment) Act, 2008 provides for encryption under Section 84A, which is as follows:

84A. The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption.

This section permits the Central Government to prescribe encryption standards and methods to secure electronic communications, and promote e-governance & e-commerce. There is no dedicated law on encryption methods or standards. The sectoral regulations in the banking, finance and telecom industries define minimum standards to be used in transactions.

The Government has also been granted the power to gain access to means of decryption or simply, decrypted information under Section 69(1) of the IT Act. It says

69(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.

and the entire literature of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 provides for the legal mechanism in which the government may deem itself responsible to legally cryptanalyse the contents of any message.

 

Draft National Encryption Policy

On 21 September 2015 a draft National Policy on Encryption under S. 84A was published and the general public was invited for comments. The Central Government sought to specify and notify the encryption protocols and technologies that can be used by industries and general populace.

However, it was withdrawn two days later as there were reactions across the industry indicating that Indians do not want government regulations dictating encryption standards.

A large number of criticisms from businesses, the IT sector, users and civil society advocacy groups were levelled against the policy:

  • The policy called for storage of plain text copies of encrypted communications for 90 days by users and businesses.
  • Registration for foreign service providers like WhatsApp, Facebook or Google before they establish services to the Indian population.
  • Heightened security concerns associated with storage of plain text copies for 90 days.
  • The key length, methods and algorithms to be used in encryption were to be prescribed, and a restriction on the maximum standard of encryption was also to be maintained. The policy did not leave any room for discretion of a user to use higher or different security standards.
  • Foreign service providers like WhatsApp, Facebook or Google were directed to store plain text copies of communications and release when sought by a law enforcement agency.

Other sectoral laws

Department of Telecommunication (DoT) License with Internet Service Providers (ISPs)13

Clause 2.2 (vii) of the ISP License:

The Licensee shall ensure that Bulk Encryption is not deployed by ISPs. Further, Individuals/ Groups/ Organizations are permitted to use encryption up to 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms without obtaining permission from the Licensor. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall obtain prior written permission of the Licensor and deposit the decryption key, split into two parts, with the Licensor.

This permits the use of up to 40 bit encryption key in the symmetric algorithms or its equivalent in others. This restriction is applicable not only on ISPs but also all individuals, groups and organisations that use encryption. Prior permission from the DoT is to be taken and the decryption key must be deposited with the DoT if encryption above 40 bit is to be used.

Clauses 22 and 23 of the same ISP License state:

22.1 The Licensee shall provide on demand the details of the technology proposed to be deployed for operation of the service.

23.1 The LICENSEE shall furnish to the Licensor or its authorized representative(s), in such manner and at such times as may be required, complete technical details with all calculations for engineering, planning and dimensioning of the system/network, concerned relevant literature, drawings, installation materials regarding the applicable system.

While the word decryption or any such method is not expressly laid down, the words have been cleverly used in a way that a decryption order cannot be ruled out.

RBI guidelines on Internet Banking14

RBI released internet banking guidelines on April 29, 2011. It mandated the use of a minimum of 128 bit encryption on all banking sites and warned against the constantly increasing cryptanalysis capability of computers.

The Certifying Authority Rules15

The most advanced of all encryption laws are the CA Rules. The rules allow and prescribe usage of 2048 bit RSA encryption for digital signatures. I guess decryption of digital signatures is not very useful; the government would not care so much to impersonate private citizens.

 

The WhatsApp debacle

Earlier WhatsApp was quite hackable as security protocols were absent. Anyone using the same wifi connection could intercept the connection and send and receive messages. Only last April (2016) WhatsApp enabled end to end encryption using a fairly new algorithm called the Signal Protocol. This algorithm only encrypts the content of the message; however, the identity and time of the message are stored as plaintext on WhatsApp servers.

The end to end encryption uses a 256 bit (60 digit) key. Although fairly crackable by all governments, it is safe to say that this level of security is optimum for public usage. The limit of 40 bit encryption is not applicable on WhatsApp as it does not fall under ISPs and is instead classified as over the top (OTT) service, which is not regulated as of now.

On 29th June, 2016 a Gurugram based activist Sudhir Yadav filed a PIL at the Supreme Court alleging national security lapses. A bench of Chief Justice T S Thakur and Justice A M Khanwilkar rejected the PIL, and directed him to approach the government or the TRAI.16

 

Conclusion

Overall, the expectation of privacy from public channels is very low. If one has to communicate super sensitive messages it is best to do it through custom-made software or apps. Hopefully, with more and more sensitisation on these topics, the situation shall improve.

 


What is SBI doing with Blockchain technology? Intro to Bankchain

As per the latest reports, State Bank of India along with ten other commercial banks, is taking the lead in building the country’s first financial blockchain framework. Reportedly, Axis Bank, Central Bank of India, DCB Bank, Deutsche Bank, HDFC Bank, ICICI Bank, IDBI, Kotak Mahindra Bank and Saraswat Bank are the other players in this consortium. This framework built upon the blockchain technology is being developed for SBI by global technology giants IBM, Microsoft and KPMG, among others.1

 

What is blockchain?

Blockchain is a decentralised transactional record management system where exchange of value is independently managed by participants of the network.

The technology behind blockchain relies on the undeniable proof of mathematics. Identity and authority to make transactions on the blockchain medium is ascertained by mathematical functions.

As of now the most popular use case of blockchain is bitcoin. Currently, the publicly available ledger of bitcoin records each bitcoin transaction with little or no cost, and stores them permanently on an immutable chain of records called the blockchain. It provides for a traceable history of all transactions till the very beginning. This offers an ironclad proof of ownership. As there is no single trusted authority to maintain the database it is not susceptible to hacking and accounting errors.

However, blockchain can be used to transact in any goods or services, like diamond2 and gold instead of bitcoins.

You may read quickly about bitcoin and the underlying technology blockchain in this detailed article: What are bitcoins / cryptocurrency / blockchain – what is so different than fiat money?

 

What is Bankchain?

The blockchain’s newfound use case in the clearing and settlement of financial transactions has been taken seriously for the past 18 months. According to the consulting firm Oliver Wyman, clearing and settlement alone costs the global financial industry a whopping USD 50 billion annually.3 The structural inefficiencies and the traditional delay associated with clearing houses make for an industry ripe for disruption.

Initially started out as a secretive consensus-based ledger system exclusively for financial institutions, Bankchain is a project of industry leading bitcoin exchange – ItBit.

Chad Cascarilla, CEO, itBit

itBit was started by CEO Chad Cascarilla in 2012 as an early stage growth fund directed at bitcoin/digital currency-related startups. itBit was possible as Chad was a highly experienced manager and co-founder of the hedge fund Cedar Hill Capital Partners.

ItBit invited almost 100 participants including major banks, brokers and stock exchanges of the USA to its “Bankchain Discovery Summit” at Washington, D.C. on 27th April, 2015. This summit was especially closed to the press.

In later stages ItBit formed a product named Bankchain, a custom technology to meet the specific needs of the financial world. Bankchain then joined hands with Euroclear to create the Euroclear Bankchain4 which was to be specifically used in international gold transaction.

Euroclear group is a consortium of Euroclear banks. It is rated AA+ by Fitch Ratings and AA by Standard & Poor’s. The consortium includes Euroclear Belgium, Euroclear Finland, Euroclear France, Euroclear Nederland, Euroclear Sweden and Euroclear UK & Ireland. The group settled an equivalent of EUR 675 trillion in securities transactions in 2015, representing 191 million domestic and cross-border transactions. By December 2015, the group held EUR 27.5 trillion in assets for clients.

On December 20, 2016 a good number of participants performed 600 mock London bullion trade transactions in a pilot project with Bankchain. It was ascertained that Bankchain helped lower trade risk and simplify post-trade process. The next pilot and live service is scheduled to happen in 2017.

 

The technology behind itBit’s Bankchain

Bankchain is built upon protocols derived from the blockchain technology but is not purely the same thing. It is built on some proprietary algorithms developed by itBit to create a permissioned blockchain where members require special permissions to transact.

“It’s a private network. You know who everyone is. You can sign legal agreements among everyone involved that lay out the rules, and create a variety of ways to establish trust among the known participants. This allows you to reach a much speedier consensus not based on work, but on the fact [that] you are in the system.” – Chad Cascarilla

Unlike blockchain which relies on public creation of tokens (bitcoins) through a mix of cryptography and economics, Bankchain is not open to public and can be populated only by verified actors and tokens. Here the incentive is not in mining or maintaining the blockchain for rewards, it is the simple need of cost savings, which faster processing speeds and reduced red tape bring.

Bankchain does not rely on proof of work like the blockchain did. Instead of solving difficult math puzzles, Bankchain relies on a variety of ways to establish trust. In a private network where the identities of the parties are established, trust can be easily created by consensus.

Also, in place of the original token on blockchain, Euroclear Bankchain tokenizes physical gold. Digitised gold tokens are standardised to a unit of physical gold. These units are redeemable against gold coins amongst each other.

Instead of bitcoins, digital gold tokens are issued and these units can then be traded against. For e.g. instead of 100 BTC I may hold 100 DGT (digital gold tokens). I would be then able to buy 100 Gold coins worth of goods and services from the members of the same network who will honor the agreement. The ingress and egress of the DGTs is also based on a mutually agreed method.

This helps in dynamic reduction of time taken for international settlement of trade. As of now it takes about two working days for Bombay Stock Exchange to settle a transaction, on this technology it would be instantaneous.

However, this altered version of blockchain still uses most of the original technology to create inviolable and immutable transaction records which take effect instantly! Participants get to control their own data without any central point of failure. Ultimately, the core difference is control, something critical to financial institutions with fiduciary concerns.

 

SBI Bankchain – meaning for India

RBI’s research wing Institute for Development and Research in Banking Technology released a White Paper on Blockchain Technology – IDRBT on 6th January, 2017.

It talks about the technology and the mathematics behind bitcoins and presents use cases of the blockchain technology after explaining various concepts in bitcoin terminology. Finally, in chapter five, it concludes by favourably presenting the application of blockchain to Indian Banking and Finance.

Soon after, on 26th January, Dy Managing Director and CIO of State Bank of India, Mrutyunjay Mahapatra, confirmed that 15 of India’s largest banks are coming together to make an interbank blockchain platform.

This platform would serve heavily in subverting scams like the ones of Harshad Mehta, where a few banks issued bogus Bank receipts not backed by any security. A unified credit record can be established which would help in reducing Credit Card fraud. Current mechanisms like NEFT and IMPS cost banks a lot of money spent in interoperability; with Bankchain such problems would be non-existent.

However, Bankchain is only the probable technology they may use; the usage of the word in context to SBI does not mean they have settled upon the use of the proprietary technology owned by itBit. As of now, they have only invited technology companies and other banks to come together and devise ingenious ways to solve the Indian market conditions using blockchain.

 

What are bitcoins / cryptocurrency / blockchain – what is so different than fiat money?

Bitcoins are all set to disrupt financial exchanges globally. In just one year the value of all bitcoins together has risen from USD 6 billion to USD 16 billion [1]. At this rate I am sure by 2020 bitcoins will have a global value of at least USD 500 billion. Just like potato chips are a subset of chips in general, bitcoin is a subset of cryptocurrency. There are other variants of cryptocurrency which are doing equally well in global markets: Litecoin, Titcoin, Zetacoin, and so on.

Bitcoins are a form of cryptocurrency, and cryptocurrency is an application of the blockchain technology. In this article we will find out what bitcoins are made of, what force drives cryptocurrencies, and what blockchain is.

To understand the working of bitcoins you would need to understand:

In any case I will be providing a brief overview of the concepts when they come up for discussion.

 

Background of blockchain

How do computers work?

To understand how computers work you have to (and I insist) read on how information can be stored digitally.6

If you are too lazy here it is:

Information is stored in the form of text, converted to numbers, say T is 084, and U is 085 [7]. These numbers are further converted to hexadecimal and then to binary numbers [8]. The binary can now be stored directly on a USB drive which has billions of transistors. Each transistor can hold two bits of information (0 or 1). Together they hold billions of bits. An 8 GB flash drive has 32 billion transistors which hold 64 billion bits. Eight bits make a byte. 64 billion bits make 8 billion bytes or 8 gigabytes.

 

What is hashing?

To understand what is hashing and how digital fingerprints work you have to (and I insist) read on What is digital fingerprint and hashing? And how is it generated?

Hashing is reduction of information into a fixed set of characters. A huge chunk of binary numbers is taken and converted to a specific set of alphanumeric characters. The thing about hashing is that it can be done only one way. Once a piece of information is hashed it is impossible to retrieve the original data. Also, a hash changes radically with the inclusion or exclusion of even one bit of information.

For e.g.:
Donnie = 6f171d413bee711762beff4276595068 
Donni  = 02d5a92d1fc9b4903bb8ed51bcb6fd3b

Therefore, just by comparing the hashes of two files one can assert whether the files are the same or different. Hashing is therefore mainly used to check file integrity and malware infection.

 

What is asymmetric cryptography?

If you have not already then you have to (and I insist) read on asymmetric encryption and cryptography.9

Unlike symmetric cryptography [10] (which uses the same key to encrypt and decrypt), asymmetric cryptography (also called public key cryptography) uses two different keys belonging to a pair.

We can encrypt a piece of information with one key and decrypt using the other. It is impossible to generate one without the other as they are mathematically linked. The keys can be found only by using complex maths.

If a piece of information is decrypted by using a decryption key, it would mean that whoever has the encryption key is the sole person to have encrypted it. If one of the keys is lost it is impossible to generate it solely on the basis of the other key.

 

What is a digital signature?

Digital signatures are here to gain advantage over handwritten signatures. Please read on What are digital signatures? Signing and verification – Relevant Indian Laws.

This is what a digital signature looks like: 7t418gpx7ms74j9g6kf0xbvyka4n17qz

This digital signature would be sent along with a document such as a word or PDF document.

This is nothing but the hash of the document asymmetrically encrypted using the encryption key. It can be verified only by decrypting the signature with the linked decryption key. The signature is decrypted and the resulting hash is compared with the hash of the document to find out whether it was the same document which was signed.

The presence of a digital signature affirms the integrity of the document and that it was the same document which was signed digitally by the one who encrypted it.

 

—x—

What is blockchain?

In order to record global transactions, a list of all global transactional events happening in a fixed period of time is processed into a single immutable read-only record file, called a block. The blocks are added one after another in a linear chronological chain of blocks called a blockchain.

The blockchain is made publicly available for anyone with a computer system to download and analyze. Also anyone can add new transactions to a blockchain just by broadcasting a message. This renders banks and law enforcement agencies redundant. As a result, payments cannot be prevented and accounts cannot be seized.

 

Application

As explained earlier a blockchain is nothing but a chain of transactional events stored in an immutable form. Anything you can imagine as transactional in nature where one party provides and another party accepts can be secured through the application of this technology.

For e.g. Diamond trade in the world is nothing but exchange of diamonds from one party to another. Every new transaction from now on till infinity can be stored on a blockchain. This innovation can do a lot to fully prevent disputes from manifesting in the first place.

As of now, blockchain has already found application in legal contracts (one party transfers goods or services to another), insurance, diamond trade [11], etc. Quirky applications could include organ transplants, vehicle or apartment renting, and so on. Basically anything.

In the coming paragraphs I will discuss the most important and prevalent application of blockchain, the one through which this technology entered the popular imagination: bitcoins. In fact it was the other way round: bitcoin introduced blockchain, in an anonymous paper titled Bitcoin: A Peer-to-Peer Electronic Cash System by Satoshi Nakamoto.

Although I will be explaining the working of bitcoins, you may try substituting it with anything of interest to you while reading. Maybe real chocolates instead of bitcoins. Read on.

 

Bitcoins (BTC)

Bitcoins are nothing but simple numbers beside public keys (for simplicity, in this article we shall substitute public keys with names). The names of the owners and the respective numbers are stored in a ledger format.

Donnie 5.777784
Bimal 70
Narendra 90.06

These numbers can be used just like fiat money to make transactions. After every transaction the balance of a transferor shall decrease and the balance of the transferee shall increase.

For e.g., if Narendra pays Bimal 5.4 BTC, the ledger will reflect the change and become:

Donnie 5.777784
Bimal 75.4
Narendra 84.66

However, in order to be used at par with fiat money BTC has to solve problems which money faces in general. In the coming paragraphs we will analyze each of the problems and find out how BTC uses the blockchain technology to solve them.

 

First problem: everyone should be able to read the ledger

To ascertain who owns how much, it is necessary that a copy of the ledger should be available globally.

This problem is solved by active nodes [12] which continuously broadcast a copy of the BTC ledger. The copies of the ledger quickly spread across the internet and every node ultimately hosts a copy of the ledger.

This common storage of the ledger gives it a character of a public database, thereby establishing an irrefutable and indisputable clarity of ownership patterns.

Even if one node is dormant, other nodes on the network which are live would be able to store and continuously broadcast a copy of the ledger. In the most unlikely event of a global catastrophe, failure of internet across nations would only prevent registration of new transactions.

 

Second problem: fraudulent entries should be prevented

It is of prime concern to prevent malicious or fraudulent changes to the ledger. Random entries therefore should be prevented at all costs.

To solve this, the technology behind BTC – blockchain uses a concept called proof of stake. It basically means that only the stakeholders of a transaction should be able to make a transaction.

Therefore, only the transferor is allowed to make an entry (that too) on events of change of ownership of the BTC he holds. The only way to effect change in ownership is to transact.

To transact one has to broadcast a message containing

  • transferor’s name (however, in practice public keys are used)
  • transferee’s name
  • amount of BTC

For e.g.:
Bimal -> 7 -> Narendra

Whoever receives the message can now update his own ledger. This update requires applying the transaction to the previous state of the ledger. The result would be:

Donnie 5.777784
Bimal 75.4-7 = 68.4
Narendra 84.66+7 = 91.66

 

Third problem: ascertaining authenticity of the message

If making a transaction were that simple then anyone could send transactional messages, or spoof it as if it were coming from a transferor. To avoid this, the message would simply be digitally signed by the transferor, and asymmetrically encrypted with his private key, to prove authenticity.

 

Fourth problem: dubious ownership

What will happen if the person sending the message does not in effect own the BTC? Disputes and eventual crash of the economy.

Solution: All transactional messages ever broadcast are to be stored forever. The state of ownership is then determined by every node independently. This is done by continuously calculating all the transactions that have taken place since the initial ledger.

Thus, every bit of it is kept accountable and traceable to the epoch of transactions. Every BTC transacted even in fractions and pieces can now be traced to the original BTC at any point of time.

Also, there cannot be negative BTC balances – blockchain does not allow anyone to pay what he does not have. Figuring out one’s own balance requires iterating through every transaction ever made and adding up the unspent inputs.

 

Fifth problem: the issue of double-spending

One may transmit two different messages transferring the same BTC twice to two different people. It would basically mean that the person is transferring something which he does not have by refuting an earlier transaction.

To ascertain immutability of previous transactions, new transactions carry the hash of the previous transaction. Every transaction is thus linked with the previous one and is in turn linked to the epoch of the transactions. This irrefutable link of all transactions is called a transaction chain.

For e.g.
Narendra -> 12.143 -> Bimal #a507a3a558f1e1858945e112a05bcee9 (hash of previous transaction Bimal -> 7 -> Narendra)
Bimal -> 2.0001 -> Amit     #0a931b4a58b7169e8e36ed4f6c2e6089 (hash of previous transaction Narendra -> 12.143 -> Bimal)
Amit -> 1.564 -> Naresh     #82ed03b2e546ebd51845507914deec39 (hash of previous transaction Bimal -> 2.0001 -> Amit)
Naresh -> 3 -> Donnie       #e50ac779f7bc9e6a2e6acf3eace05fc8 (hash of previous transaction Amit -> 1.564 -> Naresh)

Transaction chain:
a507a3a558f1e1858945e112a05bcee9 <-> 0a931b4a58b7169e8e36ed4f6c2e6089 <-> 82ed03b2e546ebd51845507914deec39 <-> e50ac779f7bc9e6a2e6acf3eace05fc8
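
The checks described under the fourth and fifth problems, as an added Python sketch that is not from the original article or from Bitcoin's code: every transaction carries the hash of the one before it, and a node replays the whole chain from the initial ledger, rejecting overspends, rewritten history and double spends. SHA-256, the record layout and all function names are assumptions of this sketch; signatures are left out and the transactions are the article's sample values.

```python
import hashlib
from decimal import Decimal

GENESIS = "0" * 64  # assumed placeholder link for the very first transaction

def tx_hash(tx):
    """SHA-256 over every field, including the link to the previous transaction."""
    record = "|".join([tx["prev"], tx["from"], tx["to"], str(tx["amount"])])
    return hashlib.sha256(record.encode()).hexdigest()

def append_tx(chain, sender, receiver, amount):
    """Add a transaction that carries the hash of the one before it."""
    prev = tx_hash(chain[-1]) if chain else GENESIS
    chain.append({"prev": prev, "from": sender, "to": receiver,
                  "amount": Decimal(amount)})

def replay(initial_ledger, chain):
    """Recompute every balance from the initial ledger, as each node does.

    Raises ValueError at the first transaction that breaks the hash chain
    or spends more than the sender owns at that point.
    """
    balances = dict(initial_ledger)
    expected_prev = GENESIS
    for i, tx in enumerate(chain):
        if tx["prev"] != expected_prev:
            raise ValueError(f"tx {i}: broken link to previous transaction")
        if tx["amount"] <= 0:
            raise ValueError(f"tx {i}: amount must be positive")
        if balances.get(tx["from"], Decimal(0)) < tx["amount"]:
            raise ValueError(f"tx {i}: {tx['from']} spends more than they own")
        balances[tx["from"]] -= tx["amount"]
        balances[tx["to"]] = balances.get(tx["to"], Decimal(0)) + tx["amount"]
        expected_prev = tx_hash(tx)
    return balances

def audit(initial_ledger, chain):
    """Return 'ok' or the reason the chain was rejected."""
    try:
        replay(initial_ledger, chain)
        return "ok"
    except ValueError as err:
        return str(err)

# The article's ledger just before "Bimal -> 7 -> Narendra".
INITIAL = {"Donnie": Decimal("5.777784"), "Bimal": Decimal("75.4"),
           "Narendra": Decimal("84.66")}

def sample_chain():
    """The first three transactions of the article's example."""
    chain = []
    append_tx(chain, "Bimal", "Narendra", "7")
    append_tx(chain, "Narendra", "Bimal", "12.143")
    append_tx(chain, "Bimal", "Amit", "2.0001")
    return chain

def double_spend_chain():
    """Bimal re-sends the coins of his last payment to someone else.

    The rival transaction links to the same predecessor as the original,
    so it cannot be the next link in the chain.
    """
    chain = sample_chain()
    rival = dict(chain[-1])
    rival["to"] = "Naresh"
    chain.append(rival)
    return chain

if __name__ == "__main__":
    chain = sample_chain()
    print(replay(INITIAL, chain))
    # Rewriting history: the hash stored in the next transaction no longer matches.
    forged = [dict(tx) for tx in chain]
    forged[0]["amount"] = Decimal("70")
    print(audit(INITIAL, forged))
    # Paying what one does not have: Amit holds 2.0001 but tries to send 3.
    append_tx(chain, "Amit", "Naresh", "3")
    print(audit(INITIAL, chain))
    print(audit(INITIAL, double_spend_chain()))
```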

 

Sixth problem: the issue of global syncing

Many transaction chains may quickly branch out from a single high volume transaction. Transaction chains are created by nodes who deal closely. They are sometimes country specific or industry specific. The different chains encounter different network and threat conditions globally. Computers may crash, hackers may manipulate, and networks may delay reporting of transactions.

To defeat these anomalies all transaction chains globally are queued for hashing. The longest available chain is hashed first, followed by the smaller chains.

One single transaction chain is hashed into a single file called a block. Blocks are permanent indisputable records of transactions. The block is then stored along with the current time and the hash of the previous block in a linear chronological arrangement called a blockchain. Every block is globally broadcasted and everyone updates their copy of the ledger.

 

Seventh problem: issues of data security, ingress and egress of BTC, centralisation of computational power

Generating a block after processing a transaction chain is an easy task and does not require much effort; anyone can generate a block. This creates a security threat from malicious users having huge computational power.

If it were true that only the best computers could manage blockchains then Google and Facebook would have been controlling the global BTC economy. To prevent such centralisation of computational power the blockchain works on a system of a mathematical lottery.

To be able to add a block to the end of a blockchain the publisher needs to solve a mathematical problem every time. This problem involves generating a 256 bit hexadecimal hash with a value lower than the specification set by the blockchain.

When a hash is generated it is mathematically random. Try generating the hash of your name here. Generating a hash within a given specification is very difficult and is akin to a lottery. If the hash generated is larger than the required value, 0s are appended to the beginning of the block to try and get a different hash. This is done with a hope that the random hash value generated would be lower than the specification set.

The lower the specification of the hash set by the blockchain, the more difficult it is to solve. The difficulty level of a blockchain keeps increasing over time as the total computation power of the network increases (more and more nodes enter the network).

In practice, billions of hashes need to be generated in order to get lucky and be able to add a block. As this is a lottery it does not matter what kind of computer you are using. This process of solving a mathematical challenge to add a block to a blockchain is called mining.

To incentivise mining and maintenance of the blocks, every addition to the blockchain is automatically rewarded by crediting the miner with new BTC. As a result the entry of new BTCs in the global economy is intrinsically related to a real phenomenon of investing energy resources (electricity required to run nodes) in mining. This provides for a predictable, regular and stable growth of BTCs.
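
The lottery described under the sixth and seventh problems, as an added Python sketch (not Bitcoin's real block format or code): each block stores the time and the hash of the previous block, and a counter is varied until the block's SHA-256 value falls below a target. The field names, the counter (the article describes prepending 0s instead), the start time and the small difficulty values are assumptions chosen so that the search finishes in well under a second.

```python
import hashlib

def block_digest(block):
    """SHA-256 over every field of the block, read as a 256-bit integer."""
    header = "|".join(str(block[k]) for k in ("prev", "time", "payload", "nonce"))
    return int.from_bytes(hashlib.sha256(header.encode()).digest(), "big")

def target_for(difficulty_bits):
    """A hash wins the lottery only if it is below this value.

    Each extra difficulty bit halves the target and doubles the expected work.
    """
    return 1 << (256 - difficulty_bits)

def mine(prev, time, payload, difficulty_bits, max_tries=10_000_000):
    """Try nonces 0, 1, 2, ... until the block hash falls below the target."""
    block = {"prev": prev, "time": time, "payload": payload, "nonce": 0}
    target = target_for(difficulty_bits)
    for nonce in range(max_tries):
        block["nonce"] = nonce
        if block_digest(block) < target:
            return block
    raise RuntimeError("no winning nonce found within max_tries")

def build_chain(payloads, difficulty_bits, start_time=1_500_000_000):
    """Mine one block per payload, each linked to the hash of the block before it.

    start_time is a constructed value; blocks are spaced 600 seconds apart.
    """
    chain, prev = [], 0
    for i, payload in enumerate(payloads):
        block = mine(prev, start_time + 600 * i, payload, difficulty_bits)
        chain.append(block)
        prev = block_digest(block)
    return chain

def chain_is_valid(chain, difficulty_bits):
    """What every node re-checks: the links and the lottery result of each block."""
    prev = 0
    for block in chain:
        if block["prev"] != prev:
            return False  # this block does not extend the one before it
        digest = block_digest(block)
        if digest >= target_for(difficulty_bits):
            return False  # the publisher did not actually win the lottery
        prev = digest
    return True

if __name__ == "__main__":
    # Expected work doubles with every extra bit: about 2**bits hashes per block.
    for bits in (8, 12, 16):
        block = mine(0, 1_500_000_000, "Bimal -> 7 -> Narendra", bits)
        print(f"{bits} bits: winning nonce {block['nonce']}, "
              f"hash {block_digest(block):064x}")

    chain = build_chain(["Bimal -> 7 -> Narendra",
                         "Narendra -> 12.143 -> Bimal",
                         "Bimal -> 2.0001 -> Amit"], 12)
    print("honest chain valid:", chain_is_valid(chain, 12))

    # Editing an old block changes its hash, so the next block no longer links
    # to it; the editor would have to re-mine that block and every later one.
    chain[0]["payload"] = "Bimal -> 700 -> Narendra"
    print("edited chain valid:", chain_is_valid(chain, 12))
```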

 

Cryptocurrency differences with fiat currency

Decentralised:

The management of cryptocurrency is decentralised. There would be no public policy affecting inflation or deflation in the economy. This nature of cryptocurrency also promotes cross border free trade and freedom to transfer and hold without any fees. Law enforcement agencies or governments will have no control over the currency.

Privacy safeguards:

In Bitcoin, only the public key and the amount are mentioned, making it impossible to affix a business or person’s name. At the same time the ledgers are publicly maintained, rendering extreme clarity on ownership. One can have multiple bitcoin accounts to receive funds for multiple reasons.

Quality:

Bitcoin meets all the criteria of currency more than extant currencies. It cannot be forged, manipulated, created or destroyed unless as provided in the algorithm.

 

Overall, blockchain provides the best medium to store and transfer intrinsic value. If Rupees were to be printed digitally instead of as paper or plastic money, the blockchain medium would have to be used.

 


 

What are digital signatures? Signing and verification – Relevant Indian Laws

Digital Signatures are considered to be more secure than the traditional ink signatures we all are used to. This is because ink signatures can be copied manually and exact duplicates can also be created in various ways. However, digital signatures cannot be extracted, copied, or even stored. This immutability of digital signatures accords them a more secure status than all prevalent modes.

In this article we will see what a digital signature is, how it is generated and verified, and what the relevant legalities are.

 

What constitutes a signature?

Anything which ascertains the identity of an individual is a signature. The prime application of signature is to authenticate and bind parties into an agreement. The signature is also a major component which enables honor of an agreement at a future date. Signatures can link documents to their authors, proving helpful in ascertaining legal liability.

For long the handwritten signatures of an individual were considered to be unique and irreproducible, however, we all know nothing creates more disputes than a dead man’s will.

 

What is a digital signature?

Many of us still think that taking a photo of our handwritten signature and pasting it on a word document will suffice as a digital signature. This is totally wrong. This keeps happening with computer terminologies as almost all of them are loanwords from English.

To understand how digital signatures work we would need to revisit my previous articles on:

  1. What is digital information and how does the computer work? For a lawyer
  2. What is digital fingerprint and hashing? And how is it generated?
  3. Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm

in the given order. These are very short and focused articles which may help you in understanding the technological and mathematical background.

[Image: A digital signature verified by a Certificate Authority on a PDF document]

Digital signatures are digital codes which are generated and verified using hashing and asymmetric cryptography. They are attached to an electronically transmitted document to ascertain its contents and the sender’s identity. While the document is being transferred, a certificate authority can verify the codes and link them with the legal identity of the owner. To give you an idea, you need to know what one looks like.

This is what one actually looks like: 7t418gpx7ms74j9g6kf0xbvyka4n17qz

This code will be transmitted along with the document. Once it reaches the recipient, he will use a software which will read it and validate it. On validation by the software the document file will show an image and some text (like the one above, with details of location, day and time).

Digital Signatures are never constant, they keep changing with every document signed. Digital Signatures are therefore meaningless if they are copied or stored for later use. They can prove useful to verify only the document with which they are linked.

 

Generating a Digital Signature

Please go ahead only if you are comfortable with asymmetric cryptography.

Once you are done with asymmetric cryptography there is a small but very important difference you need to know. You just need to remember that the public key as given in the RSA algorithm shall be referred to as the encryption key here, and the private key shall be referred to as the decryption key.

 

The Document

The document can be anything: it can be a video file, a Word or PDF document, or just a series of numbers.

Every document undergoes a transformation through which it is rendered into a series of alphanumeric characters. This is done to store the data in the computer memory.

 

Signing

Key Generation

Signing requires asymmetric generation of two cryptographic keys, viz. an encryption key and a decryption key [1]. The RSA algorithm can be used to generate both the keys.

Hashing of the document

A digital fingerprint or hash of the document [2] being transmitted shall be required.

Encryption

The hash of the document will then be encrypted with the encryption key of the sender [3]. This encrypted hash of the document is called the digital signature.

Broadcasted or Stored

The digital signature can now be transmitted to the intended recipient or stored for later reference along with the document. The digital signature would also be accompanied by the decryption key while being presented for verification. In this method the private key is actually published and public key is kept safely.

Verification

The validity of the signature can be verified by decrypting the digital signature using the decryption key. The hash of the document revealed by the decryption is then compared against the hash of the file. If the hashes match, it proves a lot of things.

Firstly, only the sender of the document could encrypt it using the encryption key of the key pair. This is simple to understand as anything decryptable with the decryption key needs to be mathematically linked with the encryption key. And the mathematical link gives it an assurance on which governments and banks are ready to bet millions of dollars in insurance.

Food for thought: an SSL certificate bought at 175 USD carries an insurance of 1.75 Million USD [4].

Secondly, if the decrypted hash matches with the hash of the received document it would mean that the document has not been tampered with during storage or transmission. It would therefore mean that the clauses in the document have not been changed. This irrefutable form of agreement gives electronic contracts an advantage over traditional forms, called non-repudiation.
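
The signing and verification steps above, as an added Python example that is not from the original article: the secret exponent plays the role of the article's encryption key kept by the signer, and the published exponent plays the role of its decryption key. The key is constructed from two well-known Mersenne primes and is far too small for real use; the documents, names and the SHA-256 choice are assumptions of this example.

```python
import hashlib

# Constructed demo key pair. A 92-bit modulus only keeps the numbers readable;
# deployed RSA signatures use moduli of 2048 bits or more with a padding
# scheme such as RSA-PSS, never a bare "hash then exponentiate".
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
VERIFY_KEY = 65537                                  # handed out with the signature
SIGN_KEY = pow(VERIFY_KEY, -1, (P - 1) * (Q - 1))   # stays with the signer (Python 3.8+)

def fingerprint(document: bytes) -> int:
    """SHA-256 of the document, reduced so that it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N

def sign(document: bytes) -> int:
    """'Encrypt' the hash with the signer's secret key: this is the signature."""
    return pow(fingerprint(document), SIGN_KEY, N)

def verify(document: bytes, signature: int) -> bool:
    """'Decrypt' the signature with the published key and compare the hashes."""
    return pow(signature, VERIFY_KEY, N) == fingerprint(document)

# Constructed sample documents.
CONTRACT = b"Narendra agrees to pay Bimal 5.4 BTC on delivery."
TAMPERED = b"Narendra agrees to pay Bimal 54 BTC on delivery."
OTHER = b"Bimal agrees to pay Amit 2.0001 BTC."

def check_all():
    """The article's claims about signatures, each reduced to one boolean."""
    sig = sign(CONTRACT)
    return {
        # The untouched document verifies against its own signature.
        "genuine_accepted": verify(CONTRACT, sig),
        # Changing a clause changes the hash, so the comparison fails.
        "tampered_rejected": not verify(TAMPERED, sig),
        # A signature is tied to one document; pasting it elsewhere is useless.
        "copied_signature_rejected": not verify(OTHER, sig),
        # Every document gets a different signature from the same key pair.
        "signature_changes_per_document": sign(OTHER) != sig,
        # Without the secret key, a guessed signature value does not verify.
        "guessed_signature_rejected": not verify(CONTRACT, (sig + 1) % N),
    }

if __name__ == "__main__":
    print("signature:", sign(CONTRACT))
    for claim, holds in check_all().items():
        print(f"{claim}: {holds}")
```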

 

Digital Certificate Authority (“DCA”)

Digital Signatures are and can be used in secret dealings without any involvement of a third party. However, in order to provide for a legal sanction the encryption and decryption key need to be owned by a person against whom the signature and all legal liabilities may be executed. The necessity of a third party then comes into picture.

The job of a public notary is to verify and attest that a signature on a piece of paper has been made by the same person as is claimed. Similarly, the DCA acts just like a notary attesting the validity of a digital signature.

While the decryption and the encryption keys are pure alphanumeric characters it is very difficult to assign a human name to it unless the signatory himself acknowledges. Thus it was pertinent to maintain a record of all encryption and decryption keys and their respective owners. This record of keys is maintained by an entity called the Digital Certificate Authority. DCAs need heightened security and enjoy government protection in multiple cases.

These DCAs ascertain the validity of a signature and testify ownership of a signature. The institution, management and modalities of a DCA are provided by the law. DCAs issue certificates called Digital Signature Certificate (“DSC”) which is a proof of having a registered pair of encryption and decryption key.

 

Application

Digital Signatures are necessary to sign digital documents. Digital Documents mostly in use and in popular business parlance are different e-filing documents required by the Ministry of Corporate Affairs and other ministries.

Documentation

[Image: This is what Digital Signature USB Drives look like]

To be able to sign a document with your digital signature you will need to install software given by the DCA on a USB thumbdrive. This software will merge with your Microsoft Office and Adobe Reader and will enable an option to digitally sign. This thumbdrive contains your pre-generated key pair [5].

In your lifetime you will neither want nor get to know your encryption and decryption keys; both will remain secret in your USB thumbdrive. Yet, every time you plug the USB thumbdrive in to digitally sign a document, the same key pair will be used to mathematically generate a digital signature specific to that document and append it to the document.

On reception of the same document the signature will require validation of ownership as much as the mathematical computation to find the link between the decryption key and the hash, as discussed earlier. Once the file is opened it would automatically verify the document and show a small representative image of verification (mostly a green tick or the signatory’s manual signature) on any part of the document.

Banking

Financial Transactions can be authorised over the internet using digital signature. Electronic wallets can use digital signature in future to go cashless (BitCoin).

World War III

Digital signatures will be used to authorise nuclear warfare.

 

Legalities

Global

The ESIGN Act of the United States [6] and a similar directive in the European Union [7], along with other legislation in most developed nations, support the validity of digital signatures and regulate them.

India

The IT Act of India quite comprehensively covers the legalities of DSCs and DCAs. Section 5 of the IT Act gives digital signatures their legal character [8]. Digital signatures are therefore lawful and binding in nature. Section 15 of the Act describes digital signatures by their usage.

A Certifying Authority, as provided in Section 2(1)(g), “means a person who has been granted a licence to issue a Digital Signature Certificate under Section 24 (issuance of certificates by Controller).”

The Ministry of Corporate Affairs launched the MCA-21 programme leading to a large scale increase in usage of digital signatures. It made E-filing mandatory for most of the documents required to be filed under the Companies Act and under the Limited Liability Partnership Act 2008.

Soon after this, electronic filing of IT returns was made compulsory by the Income Tax Department. The Central Excise Act and Finance Act 1994 (dealing with service tax) also provide schemes for e-filing. Similarly, under the Foreign Contribution Regulations Act, application for registration is to be made electronically.

Department of Commercial Taxes in Kerala has mandated e-filing of returns using digital signatures under the Kerala Value Added Tax Act 2003. C forms and F forms available on the website of the Department of Commercial Taxes can be filed using digital signatures. Other states are also following suit in amending VAT laws to make E-filing mandatory.

The Partnership Act 1932 provides that registration application for a new firm is to be filed electronically.

The Evidence Act was amended to include “electronic records” in the definition of “evidence” [9]. The opinion of a DCA as to the electronic signature of any person is a relevant fact [10] and the court may also refer to the relevant DCA for forming an opinion [11].

Section 67A waives the burden of proof of establishing ownership of a specific digital signature (secure electronic signature).

 


Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm

Encryption, as explained earlier [1], is simply substitution of letters with numbers and then using complex mathematical functions to alter the pattern of numbers. This article is about understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm.

Encryption has been around for a long time, and symmetric key or secret key cryptography had a monopoly over all communications. Symmetric key meant using the same key to encrypt or decrypt a message. You can read this short article to understand the basics of encryption in under ten minutes: Encryption and Symmetric Cryptography – How is data secured electronically?

 

Asymmetric Cryptography or Public Key Cryptography

Till the end of World War II, secure communication between nations could be established only by physically sharing encryption keys and risking adverse situations. It was impossible to hold fully wireless communication. Spies and agents were the sole key exchange mechanism.

[Image: Prior to WWII, cryptographic keys had to be transmitted in physical form, such as this list of keys for the German Enigma cipher machine.]

The concept of modern Asymmetric Cryptography or Public Key Cryptography (“PKC”) was published in a mathematics paper titled “New directions in cryptography” by a Stanford University professor, Martin Hellman, and a graduate student, Whitfield Diffie, in 1976 [2].

They described the mechanism as a two-key cryptosystem in which two parties could engage in a secure communication over a non-secure communications channel without having to physically share a secret key chart.

In this method two different keys are used, one for encrypting the message, another for decrypting the message. The key used to encrypt a message is called a public key, while the one used to decrypt it is called a private key. The values of these keys are mathematically linked. It is impossible to carry out encryption and decryption without this functional link.

Every recipient has to generate this set of two keys. The encryption key or the public key would be made available publicly. And the decryption key or the private key would be privately stored.

Therefore only the intended recipient can decrypt the message. However, the sender may decide not to reveal his identity.

There are multiple asymmetric cryptography algorithms.

We will discuss RSA asymmetric algorithm. The RSA algorithm is the most widely used encryption algorithm in the world.

 

RSA algorithm (Rivest-Shamir-Adleman)

[Image: Ron, Adi and Leonard, from left to right]

Soon after the publication by Hellman and Diffie on the asymmetric key exchange mechanism, three scientists at the MIT Lab. for Computer Science and Department of Mathematics, Ron Rivest, Adi Shamir and Leonard Adleman, published another paper titled:

A Method for Obtaining Digital Signatures and Public-Key Cryptosystems [3]

The algorithm was made popular by the company of the same name – RSA Security. The company was owned by Ron, Adi and Leonard and it jointly held the US Patent No. US 4405829 A [4].

Clifford Cocks, an English mathematician working at the English intelligence agency GCHQ, had developed an equivalent system in 1973, but it was not declassified until 1997.

 

The mathematics behind RSA algorithm

This algorithm uses a set of complex mathematics rules to find out the encryption and decryption key. The required mathematics for this include: prime factorisation, Euler totient function, Euclidean algorithm (for finding GCD) and modulus. The strength of the algorithm relies on the time difficulty required to solve prime factorisation of very large numbers.

 

Time Complexity

While it takes not even a fraction of a second to multiply two large prime numbers, it takes an awfully long time to find the prime factors from the product.

For e.g. if I were asked to find the prime factors of the number 143, it would take me at least 5 seconds to guess that it is divisible by 13 and returns the whole number 11. The time would be required to try dividing the number 143 by every number starting from 1 until 11 is found as a perfect divisor. In comparison it would not take even a split second to calculate 13*11=143.

It gets more difficult to factor the product of larger primes, say, 1431431431 (17123 × 83597). Similarly, if the number to be factored is 100 digits long, even the fastest computers would take more than 30 years. And a 200 digit long number would require at least 8 million years for the latest binary computers [5].

In comparison multiplication of two 100 digit prime numbers would only take 56 seconds.

This one way difficulty in mathematical calculation is exploited by the RSA Algorithm to create a one-way encryption method. Decrypting the cipher would require guessing the prime factors of a very long number.

 

Formula and Calculation

m^e mod n = c
means, if m^e is divided by n it would leave remainder c
encrypt: m^e mod n = c
decrypt: c^d mod n = m

Where m is the message;
(e,n) is the encryption key;
c is the cipher;
d is the decryption key;
n is the RSA modulus

The public key used to encrypt a message is the combination (e,n). While the private key used to decrypt the message is (d).

The relation between the numbers e, n and d are very critical to maintain the data integrity. The calculation of e, n, d therefore is more complex. To keep it simple we will take a very small message and small keys.

Step 1. Select two large, random prime numbers, p and q. Calculate the RSA modulus n by multiplying p and q.

So for p I pick 11
and for q I pick 5.
Therefore n is 55.

Step 2. Calculate the totient t of the modulus n.

The totient function, also called Euler’s totient function, is defined as the number of positive integers up to n that do not have any common factor with n other than 1.

Totient is multiplicative. Therefore totient of n is the multiplication of the totient of p and q. Also, the totient of any prime number is the number itself minus one.

So if,
t(n) =t(p)*t(q)
t(n) = (p-1)*(q-1)

totient of n = (11-1)*(5-1) = 40

Step 3. Select number e (relatively prime to and less than t)

One number is relatively prime to another when they do not share any factors except for 1.

So e can be 3, 7, 9, 11, 13, 17, …

I will take e as 7

Step 4. We have to find d which is the Modular Multiplicative Inverse of integer e with respect to modulo t.

In other words, e*d mod t = 1
We have 7*d mod 40 = 1,
we have to solve for d.

In mathematics, the Euclidean algorithm, is a clean way for finding out the GCD of two numbers. I will request you to watch this video on Euclidean algorithm and I would take the liberty of not explaining it. ‘7d mod 40 = 1’ means that if 7d is divided by 40 it would leave remainder 1.

In other words we have to first find the greatest common divisor (GCD) of 40 and 7. And we would be using the Extended Euclidean Algorithm to do that.

The GCD of 40 and 7 is 1. A modular inverse is possible only when the GCD is 1.

And the Modular Multiplicative Inverse of 7 modulo 40 is 23. [6]

Finally, d is found to be 23.

 

Encryption and Decryption

We now have the public key e,n (7,55). The private key d (23).  Let’s take ‘*’ the asterisk as the message.

The ‘*’ in ASCII convention is ‘42’. [7]

Encryption

encrypt: m^e mod n = c

Let’s encrypt the message ’42’ using RSA Algorithm:
42^7 mod 55 = 48 [8]

We can now publish or broadcast the message 48 publicly; only the person with the private key can decipher it.

Decryption

decrypt: c^d mod n = m

Let’s now decrypt the cipher ‘48’:
48^23 mod 55 = 42 [9]
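Steps 1 to 4 and the encryption and decryption above, carried through in code with the same numbers (p = 11, q = 5, e = 7, message 42). This is an added example, not part of the original article; the function names are assumptions, and `recover_private_exponent` is included only to show that a modulus this small gives no protection, because anyone can factor it from the public key.

```python
from math import isqrt


def extended_gcd(a, b):
    """Extended Euclidean algorithm: return (g, x, y) with a*x + b*y == g."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_x, x = x, old_x - quotient * x
        old_y, y = y, old_y - quotient * y
    return old_r, old_x, old_y


def mod_inverse(e, t):
    """Step 4: find d with e*d mod t == 1. Exists only when gcd(e, t) == 1."""
    g, x, _ = extended_gcd(e, t)
    if g != 1:
        raise ValueError(f"{e} has no inverse modulo {t} (gcd is {g})")
    return x % t  # bring a negative coefficient into the range 0..t-1


def generate_keys(p, q, e):
    """Steps 1 to 4: return the public key (e, n) and the private exponent d."""
    n = p * q                 # Step 1: RSA modulus
    t = (p - 1) * (q - 1)     # Step 2: totient of n for distinct primes p, q
    if not 1 < e < t:         # Step 3: e must be less than t ...
        raise ValueError("e must satisfy 1 < e < t")
    d = mod_inverse(e, t)     # ... and relatively prime to it (checked here)
    return (e, n), d


def encrypt(m, public_key):
    """c = m^e mod n. The message must be smaller than the modulus."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be in the range 0..n-1")
    return pow(m, e, n)


def decrypt(c, d, n):
    """m = c^d mod n."""
    return pow(c, d, n)


def recover_private_exponent(public_key):
    """Rebuild d from the public key alone by trial-division factoring of n.

    Practical only because n is tiny; assumes n is a product of two
    distinct primes.
    """
    e, n = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return mod_inverse(e, (p - 1) * (q - 1))
    raise ValueError("n has no non-trivial factor, so it is not an RSA modulus")


if __name__ == "__main__":
    public_key, d = generate_keys(11, 5, 7)
    cipher = encrypt(42, public_key)
    print("public key:", public_key, "private exponent:", d)
    print("cipher:", cipher, "decrypted:", decrypt(cipher, d, public_key[1]))
    print("d rebuilt from the public key:", recover_private_exponent(public_key))
```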

 

Broadcast

Once the private and public keys are created by the recipient, the recipient will publish the public key globally. The recipient may now ask the sender to broadcast the encrypted messages. These can be received by anyone but can be decrypted only by the recipient’s private key.

 

Drawbacks

Practical usage

Asymmetric cryptography being a more complex mathematical function than symmetric cryptography causes computation to take more time.

It is therefore hardly ever used to encrypt stored data and mostly used for electronic communication. It proves useful in technologies where verifying and ascertaining identity is required among multiple peers in a common network.

For e.g.: HTTPS protocol for online transactions, BitCoins, Chatrooms, etc.

 

Banking

You might have seen banking websites advertising 128/256 bit encryption transactions.

What do they actually mean? Is it enough? How long would it take a hacker to crack the network?

A 256 bit key can hold a 32 digit long modulus, which would take around 3 minutes to crack open (factorised to its prime factors). [10] A 512 bit key would take about 12 days, while the RSA Security website itself instructs to use a minimum of 1024 bits.

 

Unauthorised decryption by hackers

Anyone who is using the same wifi connection as you do, can listen to the radio signals sent out by your wifi module of your computer. The numerical messages broadcasted by your wifi module can be intercepted.

Based on the public key anyone can find out the private key by factorising the modulus of the public key. The only difficulty is the prime factorisation of the modulus. Smaller modulus of 32 digits as present in 256 bit encryption can be factorised in under 3 minutes. Once the private key is derived from the factors of the modulus, the numerical messages you broadcasted can be read. Someone may also decide to forge your identity.

The need is not to drop the RSA Security standard but to use it with all the available guidelines. Encryption needs to be of at least 1024 bits.

Our security systems are quite outdated, and regulators are oblivious to the dangers. The more you learn and know about these intricacies the better are my chances of getting better security.

 

Encryption and Symmetric Cryptography – How is data secured electronically?

Computers got popular mostly as a mode of storage and communication. And as the relevance of computers grew in everyday life there arose the need to secure stored data.

Encryption is not the creation or function of the internet or of computers. Encryption has existed since humans invented communication. A text written in Mandarin is analogous to an encrypted English text with the same information. People speaking foreign languages may appear cryptic to us as we are unable to make sense of what they say.

While encryption is the method of securing data, Cryptography is the science of encryption methods.

We will deal with electronic encryption as the scope of this article. We will draw analogies from the real world and keep this article simple enough to understand the fundamentals of cryptography in under ten minutes.

 

Origins of encryption

Encryption has been in use since the Greeks and Romans, who invented secret messages by substituting letters with numbers, decipherable only with a secret key.

Scytale

The Greeks used a device called a scytale. It uses a long piece of paper wound like a ribbon around a cylindrical object. The message could be written on it and on unwinding the paper would not make sense.

Scytale unwound

Julius Caesar tried using an encryption technique known as Caesar’s cipher. In this method encryption could be done by shifting each letter of the alphabet to the right or left by a number of positions. For instance, you’d write “GEEK” as “JHHN”.

During the world wars it became very necessary to have much more difficult encryption standards. The Germans created the Enigma machine to pass encrypted transmissions which the Polish eventually cracked. Consider the fact that the cracking of the Enigma was a key advantage for victory of the allied forces.

 

Encryption

Information in the digital world exists as binary numbers.

For e.g. ‘India’ is ‘01001001 01001110 01000100 01001001 01000001’.

For more clarity on how information can exist as ‘only’ numbers please read this short and simple article: What is digital information and how does the computer work? For a lawyer.

Security is thus accorded to online communication by rearranging the binary numbers through highly complex mathematical functions. This process of rearrangement of data is called encryption. The resultant encrypted text is called “ciphertext” or “cipher”.

Cryptography can be done through three different types of algorithms: hashing, symmetric cryptography and asymmetric cryptography.

In this article we would explore Symmetric Cryptography or Secret Key Cryptography in depth.

 

Symmetric/Secret Key Cryptography (“SKC”)

Imagine a locker containing lots of confidential files. All the files inside are protected through the application of a lock and key mechanism required to open and close the locker. Thus security to the locker is accorded by the security of the key.

If Bimal wants to send a message safely to Narendra, he would put the message in a bank locker, lock it, go away, deliver the key to Narendra, and ask him to access the locker.

Symmetric cryptography is akin to such bank lockers. In SKC the same key is used to encrypt and decrypt a message. The sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key to decrypt the cipher and recover the plain text. Because a single key is used for both functions, secret key cryptography is also called symmetric encryption.

 

Simple Mathematics behind encryption

In SKC a key is selected randomly, multiplied with the numbers of the secret message, and the product is publicly broadcasted.

For e.g. if I were asked to securely broadcast the message:
‘Bomb Xanadu at 0930’.

I would first change it to ASCII:
‘66 111 109 98 32 88 97 110 97 100 117 32 97 116 32 48 57 51 48’

and multiply all the numbers with 777743 (key) to get the ciphertext:
‘51331038 86329473 84773987 76218814 24887776 68441384 75441071 85551730 75441071 77774300 90995931 24887776 75441071 90218188 24887776 37331664 44331351 39664893 37331664’

Therefore, the key would be the prime number 777743. While your knowledge of the key can help you divide the values and get the original message out of the encrypted message, lengthier keys accord better protection.

This oversimplified encryption algorithm may be named the Ashok Division Algorithm (“ADA”), published in a journal, and globally used. However, much has already been done on the intricacies of encryption algorithms. There are a lot of much better SC algorithms you can choose from—the popular ones include Twofish, Serpent, AES (Rijndael) (for more information read this article on AES), Blowfish, CAST5, RC4, TDES, and IDEA.
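The multiplication scheme above in code, with the article's message and key, as an added example that is not part of the original article (function names are assumptions). It also shows why the scheme is a teaching device only: every ciphertext value is a multiple of the key, so the greatest common divisor of the published values exposes the key whatever its length, and repeated characters produce repeated values.

```python
from functools import reduce
from math import gcd

KEY = 777743                      # key used in the article
MESSAGE = "Bomb Xanadu at 0930"   # message used in the article


def ada_encrypt(text, key):
    """Multiply the ASCII code of every character by the key."""
    return [ord(ch) * key for ch in text]


def ada_decrypt(values, key):
    """Divide every value by the key; a remainder means the key is wrong."""
    chars = []
    for value in values:
        code, remainder = divmod(value, key)
        if remainder:
            raise ValueError(f"{value} is not a multiple of the key")
        chars.append(chr(code))
    return "".join(chars)


def shared_divisor(values):
    """GCD of all ciphertext values.

    Each value is key * code, so the result is key * gcd(all codes); for
    ordinary text the codes share no common factor and this is the key.
    """
    return reduce(gcd, values)


def repeat_groups(values):
    """Map each ciphertext value that occurs more than once to its positions."""
    positions = {}
    for index, value in enumerate(values):
        positions.setdefault(value, []).append(index)
    return {v: idx for v, idx in positions.items() if len(idx) > 1}


if __name__ == "__main__":
    cipher = ada_encrypt(MESSAGE, KEY)
    print("ciphertext:", cipher)
    print("decrypted:", ada_decrypt(cipher, KEY))
    print("divisor shared by all values:", shared_divisor(cipher))
    print("repeated values and positions:", repeat_groups(cipher))
```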

Cellular technologies like GSM 1 and GPRS 2 are also global encryption conventions of mobile telephony.

 

Transfer of encryption key

The transfer of the encryption keys (777743 in the example above) takes effect in physical world, due to which agents and spies are often tasked with exchanging envelopes in a style akin to spy movies.

During WWII, cryptographic keys had to be transmitted in physical form such as this list of keys for the German Enigma cipher machine.

 

Indian Law

Section 84A of the Information Technology (Amendment) Act, 2008 permits the Central Government to prescribe encryption standards and methods to secure electronic communications, and promote e-governance & e-commerce. There is no dedicated law on encryption methods or standards. The sectoral regulations in the banking, finance and telecom industries define minimum standards to be used in transactions.

 

In the next post we head towards Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm where I show you how secure communication can take place without any key exchange. If you have doubts or questions about the technology or the law please feel free to post it here: Questions.

What is digital fingerprint and hashing? And how is it generated?

To start with digital fingerprints or hashing you need to understand what is a fingerprint and what is digital (no kidding).

 

What is a fingerprint?

Normally a fingerprint in biology and biometrics is the unique pattern of whorls and lines on the fingertip of a human being. For a while forget all that.

Just consider a fingerprint as a unique pattern.

A pattern so unique that an almost infinite or a very high number of separate patterns can be generated without any correlation. Imagine a world full of numbers, where every item you see, every sound you hear, and every other perception, are all numbers. The requirements from a fingerprint then are distinction from each other and similarity of some sort.

For e.g. if you have to compare two human beings, you have to take their fingerprints, which have the same characteristics but are totally distinct.

 

What is digital?

In computers, all information is stored as binary numbers. For more clarity on how everything can be stored as 1s and 0s you may read this short article here: What is digital information and how does the computer work? For a lawyer

Binary information is then stored as small packets on the storage device as files. Files are always of variable length. The word ‘India’ will take 5 bytes to store on a hard drive as a text file while the entire Ramayana would take about three and a half million bytes or 3.5 MBs.

 

What is a digital fingerprint?

While electronic file sizes are of variable length, the files are all made up of a similar structure of 0s and 1s.

The required distinction is the pattern in their composition of 0s and 1s, and the required similarity is that they are made up of patterns of 0s and 1s.

Digital Fingerprint is a set of characters and numbers unique to every file. It is of a specific length. It is generated on the basis of the binary data of each file.

The words ‘digital fingerprint’, ‘message digest’, ‘digest’, ‘checksum’ and ‘hash’ are used interchangeably.

Hashing

A mathematical function called hashing is then used to convert these long strings of binary data into a prescribed number of characters, say a specific set of 32, 64 or 128 numbers.

This mathematical function just works one way and it is mathematically and logically impossible to find out the source data by using the digital fingerprint.

For e.g. if I were told to reduce a string of numbers into a digital fingerprint of two characters, I would break the original string of numbers into their individual components and add the components till I reach two digits.

7778889990 = 7+7+7+8+8+8+9+9+9+0 = 72

It would be then impossible to work back the number 72 to 7778889990

Similarly the text:

“Internet developed rapidly leaving little or no scope for its terminologies to develop. Most internet terms and phrases are English loanwords most analogous to the concept being described.”

can be first changed to a string of binary numbers (you can read about it here1) and then a mathematical function can be used to reduce the string to a specific set of numbers.

This reduction of a large file into a fixed set of numbers is called hashing. You can visit this site MD5 Online Generator to generate the MD5 hash of any text.

Properties of a hash

The hash of any file generated therefore:

  • is a one way encryption result
  • is quicker to transfer than their original source files
  • changes extensively even with a small change to the input
  • appears uncorrelated with any other hash value
  • cannot be recreated using different inputs
  • is always the same with the same input

 

What is the use of hashing?

File or Email transfer

The use of hashing is mostly due to internet communication, where one party needs to send a file securely to another party.

For e.g. Bimal wants to download a file from Amazon, and wants to be sure it is the same file and that it has not been infected with any malware while being transferred. He requests Amazon to deliver the MD5 hash of the file in a separate arrangement. After downloading and before using the file, Bimal computes the MD5 hash of the file and compares it with the hash that Amazon provided. If they are the same then it is definite that the file has not been tampered with and that it is safe to use.

Password Verification

Every password verification form you have ever filled in takes your input password, hashes it and compares it with the hash stored in its database. If the hash matches then access is granted.

Why hash it? Storing all user passwords in a text file can result in a massive security breach if the password file itself is compromised.
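Both uses described above, as an added example that is not part of the original article (function names and the record format are assumptions). It uses SHA-256 in place of the MD5 the article mentions, because MD5 collisions are practical to produce, and it stores passwords with a per-user random salt and a slow key-derivation function (PBKDF2), so that two users with the same password do not end up with the same stored value.

```python
import hashlib
import hmac
import os


def file_digest(data, algorithm="sha256"):
    """Digital fingerprint of a file's bytes as a hex string."""
    return hashlib.new(algorithm, data).hexdigest()


def download_is_intact(data, published_hex, algorithm="sha256"):
    """Compare the computed digest with the one the publisher sent separately."""
    expected = published_hex.strip().lower().encode("utf-8")
    actual = file_digest(data, algorithm).encode("utf-8")
    return hmac.compare_digest(actual, expected)


def unsalted_digest(password):
    """Weak storage: identical passwords always give identical stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=600_000):
    """Stronger storage: random salt plus PBKDF2-HMAC-SHA256.

    The iteration count is an assumption; tune it to the hardware in use.
    """
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password, record):
    """Re-derive the key with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, derived_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(derived_hex)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    original = b"constructed file contents"   # constructed sample data
    published = file_digest(original)
    print("intact copy accepted:", download_is_intact(original, published))
    print("altered copy accepted:", download_is_intact(original + b"!", published))
    record = hash_password("constructed-passphrase")
    print("stored record:", record)
    print("right password:", verify_password("constructed-passphrase", record))
    print("wrong password:", verify_password("something-else", record))
```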

 

If you would like to know more about hashing or digital fingerprints please leave your comments below.

 

What is Phishing or Spoofing? Affixing legal liability through Indian Laws

Internet developed rapidly leaving little or no scope for its terminologies to develop. Most internet terms and phrases are English loanwords most analogous to the concept being described. Phishing as a concept is analogous to fishing where predators wait for unsuspecting victims to fall prey to fraudulent offers.

 

Phishing in English

Phishing requires three independent parties:

  • The victim whose computer system has been compromised
  • The offender who violates all privacy norms and causes disruption with losses
  • The Service Provider whose service to the victim has been affected by the offender

Phishing (as you might have already related it to fishing) is a fraudulent activity where offenders create websites or webpages replicating a popular third-party website.

After the creation of such similar content they wait for an unsuspecting user to mistake the fake website for the real one and enter sensitive data. Probability has it that 5% 1 of the people would fall for it and give their username and password details to the fake site.

Once the sensitive data is extracted from the user the offender would use the same data to login to the real site and make unauthorised requests resulting in either monetary loss or privacy lapse.

For e.g. if I had to login to your Facebook account, I would create a website which would look exactly like Facebook. I would then send the link of the new site to you. Once you receive the link, assuming it to be Facebook, you would be actually submitting your credentials to me. I would then use your username and password to login to your Facebook account.

 

How bad is it?

In 2009, a group of fraudsters (about 100 people, 53 from USA and 47 from Egypt) were sentenced to twenty years imprisonment. FBI officials nabbed them in the operation named “Phish Phry” after a manhunt of almost two years. The fraudsters were charged with phishing $1.5 million through fake credit card and banking websites.

“This international phishing ring had a significant impact on two banks and caused huge headaches for hundreds, perhaps thousands of bank customers,”
– Acting US Attorney George S. Cardona, in a statement.

India has been a prime target of a plethora of phishing scams. Indian netizens being new and unaccustomed to the internet fall for these scams easily. India lost $53 million to phishing activities in the third quarter of 2013, and has been regularly in the top five countries by volume of scams. [2]

 

Different methods of phishing:

URL Obfuscation attacks

This is the most generic form of phishing, where the victim is taken to a misleading URL. For e.g.: https://gmail.co.pk instead of https://gmail.com

The offending website stands in the middle, accepts information from the user, stores the information and relays it to the original website. Therefore the user never gets to know if he is on the correct URL.

This is most easily done by sending fraudulent emails offering gifts or other incentives if the user clicks on a link. The user is then taken to a website which looks like the trusted entity and is asked to submit their username and password.

Man in the middle attacks

This is an advanced method where the attack is on the victim’s side. The virtual host file (the hosts file) is a normal text file which lists IP addresses and the names that should resolve to them, one entry per line with the address first:

216.58.220.206 google.com
31.13.78.35 facebook.com

So when we try to reach google.com, our computer first checks the list of IP addresses in the virtual hosts file; if the name is not found there, it looks up the internet to find the IP address and then takes us to that address.

In this form of attack the virtual hosts file of the victim is targeted. Specialised malware can change the virtual hosts record on a user’s computer. If this file is changed by malware, the computer can be fooled into visiting an IP address it never wanted to. Such malware is mostly found on torrent sites and other free download sites; the advertisements are of very low quality as they target unsophisticated users.

Once the change has been made by the malware, it is very difficult to notice the change. Good antivirus and anti-malware software is recommended to deal with such attacks.
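One way to notice such a change is to audit the hosts file for entries that override names you care about. The following is an added example, not part of the original article; the watch list, the function names and the sample file (which uses documentation-range addresses) are constructed assumptions, and it reads the standard layout of an address followed by one or more names.

```python
import ipaddress

WATCHED_DOMAINS = {"google.com", "facebook.com"}   # assumption: names to protect

# Constructed sample hosts file, not taken from a real machine.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
::1 localhost
203.0.113.66 google.com www.google.com   # unexpected override
0.0.0.0 ads.example.net
198.51.100.7 intranet.example.org
not-an-ip facebook.com
"""


def is_watched(name, watched):
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watched)


def audit_hosts(text, watched):
    """Return (line number, name, address, reason) for suspicious entries.

    A watched name mapped to anything other than a loopback or unspecified
    address is reported, because legitimate lookups for public sites should
    come from DNS and not from the local hosts file.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        first, *names = line.split()
        try:
            address = ipaddress.ip_address(first)
        except ValueError:
            address = None                       # first field is not an address
        for name in names:
            name = name.lower().rstrip(".")
            if not is_watched(name, watched):
                continue
            if address is None:
                findings.append((lineno, name, first, "malformed address"))
            elif not (address.is_loopback or address.is_unspecified):
                findings.append((lineno, name, str(address), "hosts override"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, WATCHED_DOMAINS):
        print("line %d: %s -> %s (%s)" % finding)
```

On a real system the text would come from `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`.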

Cross Site Scripting (XSS) attack

As you might have noticed the X stands for Cross. This attack is done on the server’s computer. Specialised queries made to a server can make it reveal sensitive data.

This vulnerability especially is of a time when novice users would program servers and due to the vulnerable programming an advanced user could manipulate the server. However this is very rare and almost non-existent as of now.

 

Legalities

There has been a litany of cases filed by victims of phishing scams mostly against their banks. The grounds are filed under the Sections 43, 43A and 72A of the Information Technology Act, 2008 (amended). Depending on where the phishing activity has taken place, IT Act provides for different liabilities.

Section 43 (Penalty and Compensation for damage to computer, computer system, etc).

Section 43 (a), (b), (c), (h) and (i) talk about different liabilities for the offender.

Section 43 A Compensation for failure to protect data (Inserted vide ITAA 2006)

This whole section was introduced to affix liability on the Service Provider whose services have been compromised due to the attack (for e.g. the bank). A compensation has also been fixed which is not exceeding five crore rupees.

Section 66 Punishment for violation of Section 43

This section provides for punishment which may extend to three years and fine of five lakh rupees.

Section 66A(c)

This can be attracted in case of fraudulent emails. The words ‘to deceive or to mislead the addressee’ would carry the same punishment as in Section 66.

Section 66B, 66C, 66D, 66E

These different sections cover for the entire aspect of Phishing, identity theft, cheating, impersonation, violation of privacy, etc.

Section 72 A Punishment for Disclosure of information in breach of lawful contract

This section provides for punishment of the Service Provider who had an obligation to observe safe practices and network systems in order to prevent such attacks.

and Section 420 of Indian Penal Code

Apart from the IT Act, Cheating under the IPC can also be considered.

 

What is digital information and how does the computer work? For a lawyer

The entire gamut of Indian Technology Law contains references to “digital information”, “digital signatures”, “cryptography”, “public key”, “private key”, etc.

And without clarity at the origin it gets much difficult at later stages to understand more technical and quirkier concepts like “blockchain”, “cryptocurrency”, etc.

This article therefore explains to you how information is actually stored on a physical hard drive and how it is used for functional equivalence with real world elements.

Forget everything you know about computers and read on..

 

What is so digital?

A machine

Have you ever thought that “the clock is so amazing, it knows the time and shows it to us”? This article is for all those who thought otherwise.

A machine does not know anything, it is designed in a way to return something of value when an input is submitted. The mechanical parts of a clock would act repeatedly in a certain way on being provided an electric source. Even after that, a clock can show us the correct time only when the starting time was correctly entered.

So in a mechanical clock, there are three ingredients, the machinery inside, the correct time as an input, and a constant energy supply (mechanical or electric).

The clock is designed to show a textual representation of information readable and useful to us.

 

Saving data

Imagine a clock which instead of numbers shows text and has 26 characters of the alphabet on the edges. You can store one character of English Alphabet on such a clock by using the hour hand to point toward the character.

So now if you want to store the word “INDIA”, you can store it as “9-14-4-9-1” pointed by hour hands of five such clocks. 

You can save the entire “The Ramayana of Valmiki, translated by Hari Prasad Shastri – 3 Volumes Combined” in upper case letters. It would take you only about 3.4 million similar clocks.

Save the data and stash the 3.4 million clocks somewhere, it will be data saved.

 

Binary Data

While it was difficult to store the data (3.4 million clocks) in such a way, it could be done so electronically in a very small space. But in order to take the advantage of electronic storage, we need to translate that data into Binary.

Electronics exist in only two states, ‘on’ or ‘off’. While ‘on’ can be represented by ‘1’, ‘off’ can be represented by ‘0’.

All you need to do now is change the data into their binary representations. 

 

Numbers in Binary

Decimal to Binary is quite simple, divide by two and write the remainder. Repeat this process until you cannot divide by 2 anymore, for example let’s take the decimal value 157:

157 ÷ 2 = 78 with a remainder of 1
78 ÷ 2 = 39 with a remainder of 0
39 ÷ 2 = 19 with a remainder of 1
19 ÷ 2 = 9 with a remainder of 1
9 ÷ 2 = 4 with a remainder of 1
4 ÷ 2 = 2 with a remainder of 0
2 ÷ 2 = 1 with a remainder of 0
1 ÷ 2 = 0 with a remainder of 1 <— to convert write this remainder first.

Therefore 157 = 10011101. Clear?

 

Text in Binary

There are multiple global conventions of translating letters into binary for storage. We will take the ASCII (American Standard Code for Information Interchange) convention for discussion. It is the most prevalent form of text encoding, and has also been a foundation for other conventions.

ASCII

The ASCII chart has 127 characters including lowercase and uppercase alphabet, numbers and some special characters.1

Each character (a, b, g, z, etc.) is represented by a number from 0-127 (128 total).

Capital T is 084.

Hexadecimal

Each number is converted to a pair of hexadecimal digits. In mathematics and computing, hexadecimal (also base 16, or hex) is a positional numeral system with a radix, or base, of 16. It uses sixteen distinct symbols, most often the symbols 0–9 to represent values zero to nine, and A, B, C, D, E, F (or alternatively a, b, c, d, e, f) to represent values ten to fifteen.2

Do this by dividing the decimal number by 16: the quotient gives the left hex digit and the remainder gives the right hex digit.

For example for Capital T (084),
084 = (16*5) + 4
which is 54

Binary

Further each one of the hex digits in the pair would be changed to their final binary form.

Here’s a binary:hex conversion chart:

0000 = 0
0001 = 1
0010 = 2
0011 = 3
0100 = 4
0101 = 5
0110 = 6
0111 = 7
1000 = 8
1001 = 9
1010 = a (the hex number a, not the letter a)
1011 = b
1100 = c
1101 = d
1110 = e
1111 = f

Therefore, 54 = 0101 0100

Finally

T = 01010100 in binary. Similarly you can find out the binary of all characters here.

For instance, the word ‘India’ in Binary is: 01001001 01001110 01000100 01001001 01000001

Each character on the right is called a ‘bit’. Eight of them make a ‘byte’. There are five bytes in the above line.

 

‘India’ would take 5 bytes if you write it on Notepad and save as a text file. For perspective, the Ramayana as mentioned earlier would take 3.5 MBs in text format.

 

What about Music, Pictures and Videos?

Now that you know how text is saved in binary, let’s see how we can save music, picture and video files.

Pictures

Ever opened a .jpg image file with Notepad? It looks like this:

All ASCII characters in a hellishly unreadable format. Pictures are stored as text which is then in turn stored as numbers, and finally in their equivalent binary format.

Music

Sound is produced by the vibration of a medium. This is what the waveform of a music file looks like:

Notice the crests and troughs, they can be plotted on a graph, and the corresponding numbers can be noted down. The numbers are then changed to their hex values and then further to the binary format.

A typical MP3 file plays at 128kbits per second, i.e. in one second the computer processes 32,000 hex values, to give us the effect of listening to a sound. This is what an MP3 file looks like in a hexadecimal editor. 

Video

Videos are moving pictures with sound. A normal video file plays at 24 frames per second (fps) graphics and 128 kbits/sec sound. Therefore a second of video would mean 24 image files and a one second long sound file played together. Therefore video files take the most amount of space.

 

Storage Media

Now that it is clear that Data in the form of text, numbers, pictures or videos can be saved as 0s and 1s, let’s see how you can save the data for later use. Taking the case of USB Pen Drives.

USB Pen Drives are made up of a circuit board and a shell. The circuit contains a Flash memory chip which is made up of transistors. Typically there are about 32 billion transistors in an 8 GB USB Pen Drive.

Every transistor is arranged in such a way that it can hold electrical charges like a battery. Binary data is stored on the transistors. If it is 1 the transistor will store the charge, if it is 0 the transistor will not store charge.

Data can be retrieved by reading the charge distribution of the transistors. Data can be written by changing the charge value of the transistors.

 

Computation

Now that you know what digital objects and digital information are, it will be easier to understand that the computer is not a sentient being, but a super-machine which can read and process any kind of information digitally at a very high speed.

It might take you a second to read five binary characters ‘01011’, while any random smartphone can read at speeds of 25 billion binary characters in that same amount of time, and make sense out of such long strings of characters.

The whole Extended Volume of Oxford Dictionary would be only about 70 kilobytes in ASCII text format.

A computer continuously stores data and retrieves data from its storage media. This process is so fundamental to a computer that the more frequently it does so, the smarter it gets. The frequency of reading and writing on storage media could be as much as three gigahertz.

This high reaction rate of computers gives us a perception of an artificial consciousness, whereas it is nothing more than an extremely fast clock with complex rules.