WannaCry: What is a Ransomware and how does it work?

Ransomware is software which scrambles information stored on a computer system to make it inaccessible. The scrambling is done through known methods of encryption. The purpose is to then demand an amount of money to decrypt the valuable information.

So how does ransomware work?

How does it get through?

Imagine you hired the best architects and got a palace built for yourself. Unknown to you or the architects, there is a weak wall near your garage. It can be broken with minimal force, and people can get in through it and steal your expensive car. They can also disrupt your telephone and gas lines to cause you further harm. Or worse, plant a bomb below your bedroom. Scary, isn’t it?


How does secure socket layer (SSL/TLS) work? Why do retail websites require https?

To answer what is secure socket layer and how it keeps websites secure it is important to understand the making of the Internet. The internet in turn is an abstract concept meaning the interconnected network of computers across the globe. Computers interact with each other to create services necessary for us.

To start off, you just need to know that there has to be a physical cable between two computers for interaction to happen between them.


A brief history of the internet, cryptography, cryptanalysis and encryption laws of India

The internet

Thanks to the internet you are reading this article right now. How did the internet get to where it is today?
There is so much history that we cannot possibly fit it all into this short article.

The internet actually got a start about 50 years ago, and computers at that time filled up entire rooms. Scientists and researchers used these to do research work in the field of physics, mathematics, statistics among other subjects.

In 1962, a scientist at the ARPA[1] named J C R Licklider proposed the idea of linking computers with physical cables. According to him, computers would be able to ‘talk’ to each other.

In 1969, the first message was sent from one computer to another through a cable. One computer was placed at University of California, Los Angeles and another was at Stanford University. The cable was laid by ARPA and was called the ARPANET. The message was simply the word ‘LOGIN’ which was received incompletely as ‘LO’.

By the end of the year 1969, there were only four computers connected on ARPANET. But news of this development spread far and wide to Latin America and Europe leading to development of similar computer networks.

By 1971 the University of Aloha in Hawaii started its own network, followed by networks in London and Norway.

In 1971, Ray Tomlinson was working at the ARPA to create a messaging system where computers connected with each other could send and receive electronic ‘mails’, later shortened to e-mails.

However, Ray’s work would not have been possible without another system created by Vinton Cerf, who was also working at the ARPA in 1980. He invented a way in which computers across the globe, irrespective of their networking structure, would be able to connect and discover each other. This invention of Vinton helped computer users connect via long distance cables, recognise each other and communicate through an intricate system of digital signals. This invention was called Transmission Control Protocol (TCP). It was soon followed by the Internet Protocol (IP) in 1983.[2] The rest of the 80s revolved around the IP and e-mail, a standardisation which guaranteed compatibility between networks irrespective of the make or brand of computers.

Telecommunication was well developed by then and telephone lines could carry analog electrical waves over long distances. For computers to be able to exploit the already established telephone lines, data had to be modulated into analog signals and then demodulated after being transferred. However, only 56,000 bits per second could be transferred through this medium. This was referred to as the 56K connection. To use the internet through telephone lines one had to ‘dial up’ the local telephone exchange and request internet access. Once granted, a telephone line could connect two computers through their respective modems (modulator and demodulator).

Computers which are specifically designed for serving information on a network are called servers. Computers accessing information are called clients.

In 1991, British scientist Tim Berners-Lee, who was working at the CERN laboratory, submitted a proposal named Information Management in March 1989.[3] This was the groundwork behind organising text into an easily readable format and a code through which computers could exchange it. He invented what we call the Hypertext Transfer Protocol (HTTP) and coined the term ‘world wide web’. This protocol enabled one-to-many network connections. This was the first time the distinction between client and server took place.

Tim also built the first ever prototype of a web browser which ran on a client computer connected through the HTTP to a server. Called the ENQUIRE it could send queries to a server and receive replies.

However, the most important development happened when four Finnish students created the first web browser able to download image files. It was named ERWISE (a wordplay on ‘otherwise’).

Soon after in 1993, Mosaic followed ERWISE into the web space. Although Mosaic influenced the public on what a web browser should look like, the current look of web browsers with back, forward, history and address bar was established by Netscape Navigator in 1994.

All of these developments were possible because of corporations like America Online (AOL) and Compuserve. They were popularising and massively advertising the oncoming of the internet. Advertisements of electronic mails, file transfers, instant messaging and online directories made their ways to television. By the fall of 1990 there were 313,000 computers hooked onto the internet.

In those times monitors could only show text, therefore a highly skilled operator with expert knowledge was required for researchers to manage their data.

Tim, however, developed all three things (the HTTP protocol, the web server and the web browser) away from American influence. He decided to give away his inventions for free to the masses; he did not want regulatory control or stifled growth of this technology.

By 1995, Jeff Bezos started selling books out of his garage. And by 1998, Google had already indexed 25 million internet pages.

As of now the Internet Protocol Version 4 (IPv4)[4] is the most prevalent method of global information dissemination. This protocol requires a specific numerical address called an IP Address to locate a server (analogous to a cellphone number). One server may have multiple IP Addresses.

For example, the IP Address which I mostly get to use to access Google is: 216.58.220.206. If you put this IPv4 Address in the address bar of your browser it would take you to the Google website.

Although IPv6 has been out for a long time, the vast majority of telecom operators still use legacy devices which have not yet progressed to this new protocol. You can test if your operator supports IPv6 here on Google’s testing tool.

Once we connect with a server using their IP Address, it is up to the server how they treat our connection request. Some may deny access to their files (you will see error code ‘403 Forbidden’), some may lead you to an index of all files stored on them (like this Enrique Iglesias Music Collection), and some may show you a HTML document to easily guide you and help you find relevant information quickly.

For e.g.: This website Alcohol. And this David Prati. These are the simplest kinds of websites where only text is publicly available.

 

Cryptography and Cryptanalysis

Cryptography and Cryptanalysis are the hallmark of each other. While cryptography is the science of encryption, cryptanalysis is the science of decryption. Since the beginning of communication itself people have tried many ingenious methods to gain privacy over conversations, only to have them intercepted and decrypted.

You can find everything about Encryption and Symmetric Cryptography in under ten minutes in this article: Encryption and Symmetric Cryptography – How is data secured electronically?

In the case of the modern-day internet, information has to be transferred through physical cables across the world. Telephone companies who were skinny dipping into billions in profits suddenly had access to petabytes of data. All those companies who dealt in cable networks and telecommunications had direct access to the bulk of the information which goes through the cables they had laid.

And yes, needless to say, browsing history, search history, emails, instant messages, every bit of data which goes through the cables was accessible to the ones who owned them.

Steve Wozniak invented the blue box, which was capable of dialing and connecting to any telephone globally.

Information could be put to any use. Eavesdropping and blackmailing were the least of them. Politicians could use this data to gain advantage, massive surveillance could take away individual liberty.

The growth of the Internet and electronic commerce have brought to the forefront the issue of privacy in electronic communication. Large volumes of personal and sensitive information are electronically transmitted and stored every day. What guarantees does one have that a message sent to another person is not intercepted and read without their knowledge or consent? Tools to ensure the privacy and confidentiality of paper-based communication have existed for a long time.[5] Similar tools exist in the electronic communications arena.

Encryption is the standard method for making a communication private. Anyone wanting to send a private message to another user encrypts (enciphers) the message before transmitting it. Only the intended recipient knows how to correctly decrypt (decipher) the message. Anyone who was “eavesdropping” on the communication would only see the encrypted message. Because they would not know how to decrypt it successfully, the message would make no sense to them. As such, privacy can be ensured in electronic communication.

Privacy and security quickly became a public issue. Soon the telecom industry started using encryption while transferring information in their cables. Although a lesser evil, telecom companies still had continued access to data and would frequently allow the government and other interested parties to snoop into it.

In further developments internet companies like Google, AOL, Amazon etc. started using their own layer of encryption. To their amusement these newly established businesses had access to the information, the burden of which big telecom companies were having to carry.

However, in the race towards information the government also wanted its own share. Back in 1952, President Harry Truman signed the National Security Agency (NSA) into existence in the United States. It was an assembly of the best cryptanalysis experts in the world. Although an American agency, it was tasked to intercept and decrypt information from across the globe.

With the advent of asymmetric cryptography and the RSA algorithm the situation changed a bit. You may read this short article on Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm.

Let’s find out what changed.

While Cryptography is the science of encryption methods, three types of algorithms exist:

  1. Hashing/ Digital Fingerprinting/ Digest/ Message Digest
  2. Symmetric Cryptography or Secret Key Cryptography
  3. Asymmetric Cryptography or Public Key Cryptography

Hashing/ Digital Fingerprinting/ Digest/ Message Digest

Hashing is the generation of a fixed-length string of characters, called a hash or message digest, from another string of arbitrary length. Hashing is a one-way encryption which uses no key. This makes it impossible for either the contents or the length of the original string to be recovered.

E.g.: 7778889990 = 7+7+7+8+8+8+9+9+9+0 = 72
The hash of 7778889990 is 72.
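The digit-sum rule above yields a short fixed-size value, but many different inputs share the same sum. The following Python sketch is an added example, not part of the original article; it finds such a collision and compares the rule with SHA-256, which is chosen here as an assumption because the article names no specific hash function.

```python
import hashlib


def digit_sum_hash(digits: str) -> int:
    """The article's toy rule: add up the decimal digits."""
    return sum(int(ch) for ch in digits)


def find_digit_sum_collision(digits: str) -> str:
    """Return a different digit string that has the same digit sum.

    Swapping two unequal neighbouring digits changes the input but not
    the sum, so the toy rule cannot tell the two inputs apart.
    """
    for i in range(len(digits) - 1):
        if digits[i] != digits[i + 1]:
            return digits[:i] + digits[i + 1] + digits[i] + digits[i + 2:]
    raise ValueError("all digits are equal; no swap changes the input")


def sha256_hex(text: str) -> str:
    """SHA-256 digest of the text, as 64 hexadecimal characters."""
    return hashlib.sha256(text.encode("ascii")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    original = "7778889990"          # the number used in the article
    altered = find_digit_sum_collision(original)

    print("input  :", original, "-> digit sum", digit_sum_hash(original))
    print("altered:", altered, "-> digit sum", digit_sum_hash(altered))

    h1, h2 = sha256_hex(original), sha256_hex(altered)
    print("SHA-256 of input  :", h1)
    print("SHA-256 of altered:", h2)
    print("bits that differ  :", differing_bits(h1, h2), "of 256")
```

A fingerprint is only useful if changing the document changes the fingerprint; the digit sum fails that test while the SHA-256 digests of the two inputs differ.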

You can learn about hashing in this short and succinct article: What is digital fingerprint and hashing? And how is it generated?

 

Symmetric Cryptography or Secret Key Cryptography

Symmetric Cryptography is where a single key is used to both encrypt and decrypt a message. This is made possible by converting any text first to numbers, and then further applying complex mathematical functions.

For example, if I were asked to securely broadcast the message:
‘Bomb Xanadu at 0930’.

I would first change it to ASCII:
‘66 111 109 98 32 88 97 110 97 100 117 32 97 116 32 48 57 51 48’

and multiply all the numbers with 777743 (key) to get the ciphertext:
‘51331038 86329473 84773987 76218814 24887776 68441384 75441071 85551730 75441071 77774300 90995931 24887776 75441071 90218188 24887776 37331664 44331351 39664893 37331664’

The key therefore would be the prime number 777743. If you know the key, you can divide the values once you receive the encrypted message and get the original message back. The longer the key, the better the protection.

There are a lot of different SC algorithms you can choose from; the popular symmetric algorithms include Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, RC4, TDES, and IDEA. All of them have probably been compromised by the NSA.[6]
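The multiplication scheme above is an illustration only, and the following Python sketch (an added example, not part of the original article) shows why: every ciphertext value is a multiple of the key, so the values alone give the key away, and repeated characters produce repeated values. The ciphertext list is copied from the article; the function names are made up for this example.

```python
from collections import Counter
from functools import reduce
from math import gcd

ARTICLE_KEY = 777743

# Ciphertext exactly as printed in the article.
ARTICLE_CIPHERTEXT = [
    51331038, 86329473, 84773987, 76218814, 24887776, 68441384, 75441071,
    85551730, 75441071, 77774300, 90995931, 24887776, 75441071, 90218188,
    24887776, 37331664, 44331351, 39664893, 37331664,
]


def encrypt(message: str, key: int) -> list[int]:
    """The article's scheme: character code multiplied by the key."""
    return [ord(ch) * key for ch in message]


def decrypt(blocks: list[int], key: int) -> str:
    """Divide every value by the key; reject values the key cannot produce."""
    if any(block % key for block in blocks):
        raise ValueError("a value is not a multiple of the key")
    return "".join(chr(block // key) for block in blocks)


def common_factor(blocks: list[int]) -> int:
    """Greatest common divisor of all ciphertext values.

    Each value is key * code, so the GCD is the key times the GCD of the
    character codes, which is 1 for almost any real message.
    """
    return reduce(gcd, blocks)


def repeated_blocks(blocks: list[int]) -> dict[int, int]:
    """Values that occur more than once: the same character every time."""
    return {b: n for b, n in Counter(blocks).items() if n > 1}


if __name__ == "__main__":
    recovered = common_factor(ARTICLE_CIPHERTEXT)
    print("factor shared by all values:", recovered)
    print("equals the secret key      :", recovered == ARTICLE_KEY)
    print("message using that factor  :", decrypt(ARTICLE_CIPHERTEXT, recovered))
    print("repeated values            :", repeated_blocks(ARTICLE_CIPHERTEXT))
```

Real symmetric ciphers are designed so that the ciphertext reveals neither the key nor which plaintext characters repeat.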

Gain an insight into Encryption and Symmetric Cryptography in under ten minutes from this article: Encryption and Symmetric Cryptography – How is data secured electronically?

 

Asymmetric Cryptography

This is a two-key crypto system in which two parties could engage in a secure communication over a non-secure communications channel without having to physically share any key.

In this method two different keys are used, one for encrypting the message and another for decrypting the message. The key used to write and encrypt a message is called a public key and is kept publicly available, while the one used to decrypt and read a message is called a private key and is kept secret.

Every recipient has to generate this set of two keys. Both the keys are mathematically linked in such a way that messages encrypted with a public key can be decrypted only by the private key.

Rivest-Shamir-Adleman from Left to Right

The invention of the RSA algorithm in 1978 made it possible for people to hold fully online communication without a physical key exchange.[7] You can read more on Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm.

There was rapid growth in the usage of the RSA algorithm, and many other asymmetric cryptography algorithms appeared. Research in Motion, the company behind Blackberry, held another patent on elliptic curves. By August 2013, Blackberry held 130 patents in cryptographic algorithms.[8]

However, this proved to be more difficult to crack than any other encryption method. The difficulty of breaking the keys in the RSA algorithm depends on prime factorisation of very large numbers. It is therefore estimated that standard desktop computing power would take 4,294,967,296 x 1.5 million years to break a 2048-bit encryption. Or, in other words, a little over 6.4 quadrillion years.[9]

Still it would be naive to think that our communications are secure. The first factorization of a 512-bit RSA modulus was reported a decade and a half ago.[10] On December 12, 2009 a group of researchers successfully factored a 768 bit, 232 digit semi-prime number.[11] And Lenstra warned, “Thus, it would be prudent to phase out usage of 1024-bit RSA within the next three to four years (2013-2014)”.

But even now in 2017, banks use 256 bit RSA algorithm, proudly claiming: “OnlineSBI allows you to transact over a completely secure medium, Protected by the most stringent security systems. All your transactions travel via an SSL encrypted medium (minimum of 128-bit to maximum of 256-bit SSL tunnel), the highest level of security (emphasis added) on the internet.”[12]

This huge lapse in security is due to governments’ desire to harvest information while at the same time struggling to keep up with the global weapons race for data security.

 

Encryption Laws of India

Why does the government want to control and regulate encryption?

As much as encryption is desirable and instrumental in free communication, it also brings in a plethora of abuse cases.

On December 11, 1994 the Philippines Airlines Flight 434 got severely damaged midair by a bomb. It was going from Cebu to Tokyo on a Boeing 747-283B. The pilot of the flight, with his experience somehow managed to land it.

Later on January 6, 1995, police responded to an apartment fire in Manila, Philippines. They found a Toshiba Laptop along with some chemicals and materials used in bomb making. An open file on the laptop referred to the bombing of Philippines Airlines Flight 434.

While other files in the laptop were encrypted, it created a sense of mind-numbing fear. The Philippines Police, with assistance from the NSA, decrypted some of the files successfully, revealing several bomb making recipes. And all the evidence pointed towards a suspect from the 1993 World Trade Center bombing, Ramzi Yousef.

Yousef’s plan to bomb Flight 434 was properly documented through the evidence collected. He was soon tracked down and put into US custody within six weeks. This event stirred the media globally and immediately legal cryptanalysis gained public confidence.

High levels of encryption make it difficult for law enforcement agencies to collect and analyse electronic evidence, while low levels of encryption are harmful for online activities such as e-commerce. A middle ground is therefore desirable, which leads us to legal regulations on encryption.

 

Information Technology Act

In India, the Information Technology (Amendment) Act, 2008 provides for encryption under Section 84A, which is as follows:

84A. The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption.

This section permits the Central Government to prescribe encryption standards and methods to secure electronic communications, and promote e-governance & e-commerce. There is no dedicated law on encryption methods or standards. The sectoral regulations in the banking, finance and telecom industries define minimum standards to be used in transactions.

The Government has also been granted the power to gain access to means of decryption or, simply, decrypted information under Section 69(1) of the IT Act. It says:

69(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.

and the entire literature of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 provides for the legal mechanism in which the government may deem itself responsible to legally cryptanalyse the contents of any message.

 

Draft National Encryption Policy

On 21 September 2015 a draft National Policy on Encryption under S. 84A was published and the general public was invited for comments. The Central Government sought to specify and notify the encryption protocols and technologies that can be used by industries and general populace.

However, it was withdrawn two days later as there were reactions across the industry indicating that Indians do not want government regulations dictating encryption standards.

A large number of criticisms from businesses, the IT sector, users and civil society advocacy groups were leveled against the policy:

  • The policy called for storage of plain text copies of encrypted communications for 90 days by users and businesses.
  • Registration for foreign service providers like WhatsApp, Facebook or Google before they establish services to the Indian population.
  • Heightened security concerns associated with storage of plain text copies for 90 days.
  • The key length, methods and algorithms to be used in encryption were to be prescribed, and a restriction on the maximum standard of encryption was also to be maintained. The policy did not leave any room for discretion of a user to use higher or different security standards.
  • Foreign service providers like WhatsApp, Facebook or Google were directed to store plain text copies of communications and release when sought by a law enforcement agency.

Other sectoral laws

Department of Telecommunication (DoT) License with Internet Service Providers (ISPs)[13]

Clause 2.2 (vii) of the ISP License:

The Licensee shall ensure that Bulk Encryption is not deployed by ISPs. Further, Individuals/ Groups/ Organizations are permitted to use encryption up to 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms without obtaining permission from the Licensor. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall obtain prior written permission of the Licensor and deposit the decryption key, split into two parts, with the Licensor.

This permits the use of up to 40 bit encryption key in the symmetric algorithms or its equivalent in others. This restriction is applicable not only on ISPs but also all individuals, groups and organisations that use encryption. Prior permission from the DoT is to be taken and the decryption key must be deposited with the DoT if encryption above 40 bit is to be used.

While Clauses 22 and 23 of the same ISP License state:

22.1 The Licensee shall provide on demand the details of the technology proposed to be deployed for operation of the service.

23.1 The LICENSEE shall furnish to the Licensor or its authorized representative(s), in such manner and at such times as may be required, complete technical details with all calculations for engineering, planning and dimensioning of the system/network, concerned relevant literature, drawings, installation materials regarding the applicable system.

While the word decryption or any such method is not expressly laid down, the words have been cleverly used in a way that a decryption order cannot be ruled out.

RBI guidelines on Internet Banking[14]

RBI released internet banking guidelines on April 29, 2011. It mandated the use of a minimum of 128 bit encryption on all banking sites and warned against the constantly increasing cryptanalysis capability of computers.

The Certifying Authority Rules[15]

The most advanced of all encryption laws are the CA Rules. The rules allow and prescribe usage of 2048 bit RSA encryption for digital signatures. I guess decryption of digital signatures is not of much use; the government would not care so much to impersonate private citizens.

 

The WhatsApp debacle

Earlier, WhatsApp was quite hackable as security protocols were absent. Anyone using the same wifi connection could intercept the connection and send and receive messages. Only last April (2016) WhatsApp enabled end to end encryption using a fairly new algorithm called the Signal Protocol. This algorithm only encrypts the content of the message; the identity and time of the message are stored as plaintext on WhatsApp servers.

The end to end encryption uses a 256 bit (60 digit) key. Although fairly crackable by all governments, it is safe to say that this level of security is optimum for public usage. The limit of 40 bit encryption is not applicable on WhatsApp as it does not fall under ISPs and is instead classified as over the top (OTT) service, which is not regulated as of now.

On 29th June, 2016 a Gurugram based activist Sudhir Yadav filed a PIL at the Supreme Court alleging national security lapses. A bench of Chief Justice T S Thakur and Justice A M Khanwilkar rejected the PIL, and directed him to approach the government or the TRAI.[16]

 

Conclusion

Overall, the expectation of privacy from public channels is very low. If one has to communicate super sensitive messages it is best to do it through custom-made software or apps. Hopefully, with more and more sensitisation on these topics, the situation shall improve.

 



 

What are digital signatures? Signing and verification – Relevant Indian Laws

Digital Signatures are considered to be more secure than the traditional ink signatures we all are used to. This is because ink signatures can be copied manually and exact duplicates can also be created through various ways. However, digital signatures can not be extracted, copied, or even stored. This immutability of digital signatures accords them a more secure status than all prevalent modes.

In this article we will see what is a digital signature, how it is generated and verified, and what are the concerning legalities.

 

What constitutes a signature?

Anything which ascertains the identity of an individual is a signature. The prime application of signature is to authenticate and bind parties into an agreement. The signature is also a major component which enables honor of an agreement at a future date. Signatures can link documents to their authors, proving helpful in ascertaining legal liability.

For long the handwritten signatures of an individual were considered to be unique and irreproducible, however, we all know nothing creates more disputes than a dead man’s will.

 

What is a digital signature?

Many of us still think that taking a photo of our handwritten signature and pasting it on a word document will suffice as a digital signature. This is totally wrong. This keeps happening with computer terminologies as almost all of them are loanwords from English.

To understand how digital signatures work we would need to revisit my previous articles on:

  1. What is digital information and how does the computer work? For a lawyer
  2. What is digital fingerprint and hashing? And how is it generated?
  3. Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm

in the given order. These are very short and focused articles which may help you in understanding the technological and mathematical background.

A digital signature verified by a Certificate Authority on a PDF document

Digital signatures are digital codes which are generated and verified using hashing and asymmetric cryptography. A digital signature is attached to an electronically transmitted document to ascertain its contents and the sender’s identity. While the document is being transferred a certificate authority can verify the code and link it with the legal identity of the owner. To get the idea, you need to know what one looks like.

This is what one actually looks like: 7t418gpx7ms74j9g6kf0xbvyka4n17qz

This code will be transmitted along with the document. Once it reaches the recipient, he will use a software which will read it and validate it. On validation by the software the document file will show an image and some text (like the one above, with details of location, day and time).

Digital Signatures are never constant; they keep changing with every document signed. Digital Signatures are therefore meaningless if they are copied or stored for later use. They can prove useful to verify only the document with which they are linked.

 

Generating a Digital Signature

Please go ahead only if you are comfortable with asymmetric cryptography.

Once you are done with asymmetric cryptography there is a small but very important difference you need to know. You just need to remember that the public key as given in the RSA algorithm shall be referred to as the encryption key here, and the private key shall be referred to as the decryption key.

 

The Document

The document can be anything: it can be a video file, a Word or PDF document, or just a series of numbers.

Every document undergoes a transformation through which it is rendered into a series of alphanumeric characters. This is done to store the data in the computer memory.

 

Signing

Key Generation

The signing requires asymmetric generation of two cryptographic keys, viz. an encryption key and a decryption key.[1] The RSA algorithm can be used to generate both the keys.

Hashing of the document

A digital fingerprint or hash of the document[2] being transmitted shall be required.

Encryption

The hash of the document will then be encrypted with the encryption key of the sender.[3] This encrypted hash of the document is called the digital signature.

Broadcasted or Stored

The digital signature can now be transmitted to the intended recipient or stored for later reference along with the document. The digital signature would also be accompanied by the decryption key while being presented for verification. In this method the private key is actually published and public key is kept safely.

Verification

The validity of the signature can be verified by decrypting the digital signature using the decryption key. The hash of the document revealed from the decryption shall be compared against the hash of the file. If the hashes match, it proves a lot of things.

Firstly, only the sender of the document could encrypt it using the encryption key of the key pair. This is simple to understand as anything decryptable with the decryption key needs to be mathematically linked with the encryption key. And the mathematical link gives it an assurance on which governments and banks are ready to bet millions of dollars in insurance.

Food for thought: an SSL certificate bought at 175 USD carries an insurance of 1.75 Million USD.[4]

Secondly, if the decrypted hash matches with the hash of the received document it would mean that the document has not been tampered with during storage or transmission. It would therefore mean that the clauses in the document have not been changed. This irrefutable form of agreement gives electronic contracts an advantage over traditional forms, called non-repudiation.
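The signing and verification steps described above can be followed end to end in the Python sketch below. It is an added example, not part of the original article: it uses textbook RSA with two small, well-known Mersenne primes and SHA-256 as the document hash (both assumptions made for this example), with the secret exponent playing the role of the article's "encryption key" and the published exponent the role of its "decryption key". Production signatures use much larger keys and a padding scheme such as PSS.

```python
import hashlib

# Constructed toy parameters: two Mersenne primes. Far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                              # modulus, shared by both keys

PUBLISHED_EXPONENT = 65537             # handed out for verification
SECRET_EXPONENT = pow(PUBLISHED_EXPONENT, -1, (P - 1) * (Q - 1))  # kept by signer


def document_hash(document: bytes) -> int:
    """Digital fingerprint of the document, reduced to fit below N."""
    digest = hashlib.sha256(document).digest()
    return int.from_bytes(digest, "big") % N


def sign(document: bytes) -> int:
    """Encrypt the document's hash with the signer's secret exponent."""
    return pow(document_hash(document), SECRET_EXPONENT, N)


def verify(document: bytes, signature: int) -> bool:
    """Decrypt the signature with the published exponent and compare hashes."""
    revealed_hash = pow(signature, PUBLISHED_EXPONENT, N)
    return revealed_hash == document_hash(document)


if __name__ == "__main__":
    # Constructed sample documents.
    contract = b"A agrees to pay B 100 rupees on 1 January."
    tampered = b"A agrees to pay B 900 rupees on 1 January."

    signature = sign(contract)
    print("signature               :", hex(signature))
    print("original verifies       :", verify(contract, signature))
    print("tampered copy verifies  :", verify(tampered, signature))

    # A signature is bound to one document: a different document gets a
    # different signature, and the old one cannot be reused on it.
    other = b"A agrees to lease the garage to B."
    print("signature of other doc  :", hex(sign(other)))
    print("old signature on other  :", verify(other, signature))
```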

 

Digital Certificate Authority (“DCA”)

Digital Signatures are and can be used in secret dealings without any involvement of a third party. However, in order to provide for a legal sanction the encryption and decryption key need to be owned by a person against whom the signature and all legal liabilities may be executed. The necessity of a third party then comes into picture.

The job of a public notary is to verify and attest that a signature on a piece of paper has been made by the same person as is claimed. Similarly, the DCA acts just like a notary attesting the validity of a digital signature.

While the decryption and the encryption keys are pure alphanumeric characters it is very difficult to assign a human name to it unless the signatory himself acknowledges. Thus it was pertinent to maintain a record of all encryption and decryption keys and their respective owners. This record of keys is maintained by an entity called the Digital Certificate Authority. DCAs need heightened security and enjoy government protection in multiple cases.

These DCAs ascertain the validity of a signature and testify ownership of a signature. The institution, management and modalities of a DCA are provided by the law. DCAs issue certificates called Digital Signature Certificates (“DSC”), each of which is proof of having a registered pair of encryption and decryption keys.

 

Application

Digital Signatures are necessary to sign digital documents. Digital Documents mostly in use and in popular business parlance are different e-filing documents required by the Ministry of Corporate Affairs and other ministries.

Documentation

This is what Digital Signature USB Drives look like

To be able to sign a document with your digital signature you will need to install a software given by the DCA on a USB thumbdrive. This software will merge with your Microsoft Office and Adobe Reader and will enable an option to digitally sign. This thumbdrive contains your pre-generated key pair.5

In your lifetime you will neither want to nor get to know your encryption and decryption keys; both your keys will remain secret in your USB Thumbdrive. Yet, every time you plug the USB Thumbdrive in to digitally sign a document, the same key pair will be used to mathematically generate a digital signature specific to that document and append it to the document.

On reception of the same document the signature will require validation of ownership as much as the mathematical computation to find the link between the decryption key and the hash, as discussed earlier. Once the file is opened it would automatically verify the document and show a small representative image of verification (mostly a green tick or the signatory’s manual signature) on any part of the document.

Banking

Financial Transactions can be authorised over the internet using digital signature. Electronic wallets can use digital signature in future to go cashless (BitCoin).

World War III

Digital signatures will be used to authorise nuclear warfare.

 

Legalities

Global

The ESIGN Act of the United States6 and a similar directive in the European Union7 along with other legislations in most developed nations support the validity of digital signatures and regulate them.

India

The IT Act of India quite comprehensively covers the legalities of DSCs and DCAs. Section 5 of the IT Act gives digital signatures their legal character.8 It is therefore that digital signatures are lawful and binding in nature. Section 15 of the Act describes digital signatures by their usage.

Certifying Authority as provided in Section (2(1)(g)). “Means a person who has been granted a licence to issue a Digital Signature Certificate under Section 24 (issuance of certificates by Controller).”

The Ministry of Corporate Affairs launched the MCA-21 programme leading to a large scale increase in usage of digital signatures. It made E-filing mandatory for most of the documents required to be filed under the Companies Act and under the Limited Liability Partnership Act 2008.

Soon after this, electronic filing of IT returns was made compulsory by the Income tax department. The Central Excise Act and Finance Act 1994 (dealing with service tax) also provide schemes for E-filing. Similarly, under the Foreign Contribution Regulations Act, application for registration is to be made electronically.

Department of Commercial Taxes in Kerala has mandated e-filing of returns using digital signatures under the Kerala Value Added Tax Act 2003. C forms and F forms available on the website of the Department of Commercial Taxes can be filed using digital signatures. Other states are also following suit in amending VAT laws to make E-filing mandatory.

The Partnership Act 1932 provides that registration application for a new firm is to be filed electronically.

The Evidence Act was amended to include “electronic records” in definition of “evidence”.9 The opinion of a DCA as to the electronic signature of any person is a relevant fact10 and the court may also refer to the relevant DCA for forming an opinion.11

Section 67A waives the burden of proof of establishing ownership of a specific digital signature (secure electronic signature).

 


Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm

Encryption as explained earlier1 is simply substitution of letters with numbers and then using complex mathematical functions to alter the pattern of numbers. This article is about understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm.

Encryption has been around for a long time, and symmetric key or secret key cryptography had a monopoly over all communications. Symmetric key meant using the same key to encrypt or decrypt a message. You can read this short article to understand basics of encryption in under ten minutes: Encryption and Symmetric Cryptography – How is data secured electronically?

 

Asymmetric Cryptography or Public Key Cryptography

Till the end of World War II humanity was suffering this problem where secure communication between nations could be established only by physically sharing encryption keys and risking adverse situations. It was impossible to hold fully wireless communication. Spies and agents were the sole key exchange mechanism.

Prior to WWII, cryptographic keys had to be transmitted in physical form such as this list of keys for the German Enigma cipher machine.

The concept of modern Asymmetric Cryptography or Public Key Cryptography (“PKC”) was published in a Mathematics paper titled, “New directions in cryptography” by a Stanford University professor Martin Hellman and a graduate student Whitfield Diffie in 1976. 2

They described the mechanism as a two-key cryptosystem in which two parties could engage in a secure communication over a non-secure communications channel without having to physically share a secret key chart.

In this method two different keys are used, one for encrypting the message, another for decrypting the message. The key used to encrypt a message is called a public key, while the one used to decrypt it is called a private key. The values of these keys are mathematically linked. It is impossible to carry out encryption and decryption without this functional link.

Every recipient has to generate this set of two keys. The encryption key or the public key would be made available publicly. And the decryption key or the private key would be privately stored.

Therefore only the intended recipient can decrypt the message. However, the sender may decide not to reveal his identity.

There are multiple asymmetric cryptography algorithms.

We will discuss RSA asymmetric algorithm. The RSA algorithm is the most widely used encryption algorithm in the world.

 

RSA algorithm (Rivest-Shamir-Adleman)

Ron, Adi and Leonard from Left to Right

Soon after the publication of Hellman and Diffie on asymmetric key exchange mechanism, three scientists at the MIT Lab. for Computer Science and Department of Mathematics, Ron Rivest, Adi Shamir and Leonard Adleman published another paper titled:

A Method for Obtaining Digital Signatures and Public-Key Cryptosystems3

The algorithm was made popular by the company of the same name – RSA Security. The company was owned by Ron, Adi and Leonard and it jointly held the US Patent No. US 4405829 A.4

Clifford Cocks, an English mathematician working at the English intelligence agency GCHQ, had developed an equivalent system in 1973, but it was not declassified until 1997.

 

The mathematics behind RSA algorithm

This algorithm uses a set of complex mathematics rules to find out the encryption and decryption key. The required mathematics for this include: prime factorisation, Euler totient function, Euclidean algorithm (for finding GCD) and modulus. The strength of the algorithm relies on the time difficulty required to solve prime factorisation of very large numbers.

 

Time Complexity

While it takes not even a fraction of a second to multiply two large prime numbers, it takes an awfully long time to find the prime factors from the product.

For e.g. if I were asked to find the prime factors of the number 143, it would take me at least 5 seconds to guess that it is divisible by 13 and returns the whole number 11. The time would be required to try dividing the number 143 by every number starting from 1 until 11 is found as a perfect divisor. In comparison it would not take even a split second to calculate 13*11=143.

It gets more difficult to factor larger numbers, say, 1431431431 (17123, 83597). Similarly, if the number to be factored is 100 digits long, even the fastest computers would take more than 30 years. And a 200 digit long number would require at least 8 million years for the latest binary computers.5

In comparison multiplication of two 100 digit prime numbers would only take 56 seconds.

This one way difficulty in mathematical calculation is exploited by the RSA Algorithm to create a one-way encryption method. Decrypting the cipher would require guessing the prime factors of a very long number.

 

Formula and Calculation

m^e mod n = c
means, if m^e is divided by n it would leave remainder c
encrypt: m^e mod n = c
decrypt: c^d mod n = m

Where m is the message;
(e,n) is the encryption key;
c is the cipher;
d is the decryption key;
n is the RSA modulus

The public key used to encrypt a message is the combination (e,n). While the private key used to decrypt the message is (d).

The relation between the numbers e, n and d is critical to maintaining data integrity. The calculation of e, n, d is therefore more complex. To keep it simple we will take a very small message and small keys.

Step 1. Select two large, random prime numbers, p and q. Calculate the RSA modulus n by multiplying p and q.

So for p I pick 11
and for q I pick 5.
Therefore n is 55.

Step 2. Calculate the totient t of the modulus n.

The totient function, also called Euler’s totient function, is defined as the number of positive integers up to n that do not have any common factor with n other than 1.

Totient is multiplicative. Therefore totient of n is the multiplication of the totient of p and q. Also, the totient of any prime number is the number itself minus one.

So if,
t(n) =t(p)*t(q)
t(n) = (p-1)*(q-1)

totient of n = (11-1)*(5-1) = 40

Step 3. Select number e (relatively prime to and less than t)

One number is relatively prime to another when they do not share any factors except for 1.

So e can be 3, 7, 9, 11, 13, 17, …

I will take e as 7

Step 4. We have to find d which is the Modular Multiplicative Inverse of integer e with respect to modulo t.

In other words, e*d mod t = 1
We have 7*d mod 40 = 1,
we have to solve for d.

In mathematics, the Euclidean algorithm, is a clean way for finding out the GCD of two numbers. I will request you to watch this video on Euclidean algorithm and I would take the liberty of not explaining it. ‘7d mod 40 = 1’ means that if 7d is divided by 40 it would leave remainder 1.

In other words we have to first find the greatest common divisor (GCD) of 40 and 7. And we would be using the Extended Euclidean Algorithm to do that.

The GCD of 40 and 7 is 1. A modular inverse is possible only when the GCD is 1.

And the Modular Multiplicative Inverse of 7 modulo 40 is 23. 6

Finally, d is found to be 23.

 

Encryption and Decryption

We now have the public key e,n (7,55). The private key d (23).  Let’s take ‘*’ the asterisk as the message.

The ‘*’ in ASCII convention is ’42’. 7

Encryption

encrypt: m^e mod n = c

Let’s encrypt the message ’42’ using RSA Algorithm:
42^7 mod 55 = 48 (footnote 8)

We can now publish or broadcast the message 48 publicly; only the person with the private key can decipher it.

Decryption

decrypt: c^d mod n = m

Let’s now decrypt the cipher ’48’:
48^23 mod 55 = 42 (footnote 9)
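Steps 1 to 4 and the encryption and decryption above, carried through in code as an added example (not part of the original article). It spells out the Extended Euclidean Algorithm that the text leaves to a video; the function names are assumptions, and the numbers are the article's own toy values.

```python
from math import gcd


def extended_gcd(a: int, b: int):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_x, x = x, old_x - quotient * x
        old_y, y = y, old_y - quotient * y
    return old_r, old_x, old_y


def modular_inverse(e: int, t: int) -> int:
    """Step 4: solve e*d mod t == 1 for d."""
    g, x, _ = extended_gcd(e, t)
    if g != 1:
        raise ValueError(f"{e} has no inverse modulo {t} (their GCD is {g})")
    return x % t          # x may be negative, so bring it into 0..t-1


def generate_keys(p: int, q: int, e: int):
    """Steps 1 to 4: return ((e, n), d) for primes p, q and a chosen e."""
    n = p * q                         # Step 1: RSA modulus
    t = (p - 1) * (q - 1)             # Step 2: totient of n
    if not 1 < e < t or gcd(e, t) != 1:
        # Step 3: e must be less than t and share no factor with it
        raise ValueError(f"e={e} is not a valid choice for totient {t}")
    d = modular_inverse(e, t)         # Step 4
    return (e, n), d


def encrypt(m: int, public_key) -> int:
    """c = m^e mod n. The message must be a number smaller than n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus n")
    return pow(m, e, n)


def decrypt(c: int, d: int, n: int) -> int:
    """m = c^d mod n."""
    return pow(c, d, n)


if __name__ == "__main__":
    public_key, d = generate_keys(p=11, q=5, e=7)
    message = ord("*")                        # 42 in ASCII
    cipher = encrypt(message, public_key)
    print("public key (e, n):", public_key, "private key d:", d)
    print("cipher:", cipher)
    print("decrypted:", chr(decrypt(cipher, d, public_key[1])))
```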

 

Broadcast

Once the private and public keys are created by the recipient, the recipient will publish the public key globally. The recipient may now ask the sender to broadcast the encrypted messages. These can be received by anyone but can be decrypted only by the recipient’s private key.

 

Drawbacks

Practical usage

Asymmetric cryptography being a more complex mathematical function than symmetric cryptography causes computation to take more time.

It is therefore hardly ever used to encrypt stored data and mostly used for electronic communication. It proves useful in technologies where verifying and ascertaining identity is required among multiple peers in a common network.

For e.g.: HTTPS protocol for online transactions, BitCoins, Chatrooms, etc.

 

Banking

You might have seen banking websites advertising 128/256 bit encryption transactions.

What do they actually mean? Is it enough? How long would it take a hacker to crack the network?

A 256 bit key can hold a 32 digit long modulus. Which would take around 3 minutes to crack open (factorised to its prime factors).10 A 512 bit key would take about 12 days. While the RSA Security website itself instructs to use a minimum of 1024 bits.

 

Unauthorised decryption by hackers

Anyone who is using the same wifi connection as you do, can listen to the radio signals sent out by your wifi module of your computer. The numerical messages broadcasted by your wifi module can be intercepted.

Based on the public key anyone can find out the private key by factorising the modulus of the public key. The only difficulty is the prime factorisation of the modulus. Smaller modulus of 32 digits as present in 256 bit encryption can be factorised in under 3 minutes. Once the private key is derived from the factors of the modulus, the numerical messages you broadcasted can be read. Someone may also decide to forge your identity.

The need is not to drop the RSA Security standard but to use it with all the available guidelines. Encryptions need to be at the least of 1024 bits.
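Why the size of the modulus is the whole defence, as an added example (not from the original article): trial division recovers the private key of the article's toy public key (7, 55) in three tries and splits the article's ten-digit number 1431431431 almost as quickly. Function names are assumptions; trial division is the simplest factoring method, and real factoring algorithms are far faster, which is why recommended key sizes are so much larger.

```python
from math import isqrt


def factor_modulus(n: int):
    """Trial division. Return (p, q, attempts) with p*q == n and p the
    smallest prime factor; attempts counts the divisions that were tried."""
    attempts = 1
    if n % 2 == 0:
        return 2, n // 2, attempts
    for candidate in range(3, isqrt(n) + 1, 2):
        attempts += 1
        if n % candidate == 0:
            return candidate, n // candidate, attempts
    raise ValueError(f"{n} has no non-trivial factor")


def private_exponent_from_public(e: int, n: int):
    """Rebuild d from the public key alone once n has been factored."""
    p, q, attempts = factor_modulus(n)
    totient = (p - 1) * (q - 1)
    return pow(e, -1, totient), attempts


def worst_case_trials(modulus_bits: int) -> int:
    """Odd candidates below sqrt(n) for an n of the given (even) bit length.
    An upper bound for trial division only; it shows how the work grows."""
    return 2 ** (modulus_bits // 2 - 1)


if __name__ == "__main__":
    d, attempts = private_exponent_from_public(7, 55)
    print(f"toy key (7, 55): d = {d} after {attempts} divisions")
    print("cipher 48 then reads as:", pow(48, d, 55))

    p, q, attempts = factor_modulus(1431431431)
    print(f"1431431431 = {p} * {q} after {attempts} divisions")

    for bits in (32, 256, 512, 1024):
        digits = len(str(worst_case_trials(bits)))
        print(f"{bits}-bit modulus: up to a {digits}-digit number of divisions")
```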

Our security systems are quite outdated, and regulators are oblivious to the dangers. The more you learn and know about these intricacies the better are my chances of getting better security.

 

Encryption and Symmetric Cryptography – How is data secured electronically?

Computers got popular mostly as a mode of storage and communication. And as the relevance of computers grew in everyday life there arose the need to secure stored data.

Encryption is not the creation or function of the internet or of computers. Encryption has existed since humans invented communication. A text written in Mandarin is analogous to an encrypted English text with the same information. People speaking foreign languages may appear cryptic to us as we are unable to make sense of what they say.

While encryption is the method of securing data, Cryptography is the science of encryption methods.

We will deal with electronic encryption as the scope of this article. We will draw analogies from the real world and keep this article simple enough to understand the fundamentals of cryptography in under ten minutes.

 

Origins of encryption

Encryption has been in use for a long time, ever since the Greeks and Romans invented secret messages by substituting letters with numbers, which could then be deciphered with a secret key.

Scytale

The Greeks used a device called a scytale. It uses a long piece of paper wound like a ribbon around a cylindrical object. The message could be written on it and on unwinding the paper would not make sense.

Scytale unwound

Julius Caesar tried using an encryption technique known as Caesar’s cipher. In this method encryption could be done by shifting each letter of the alphabet to the right or left by a number of positions. For instance, you’d write “GEEK” as “JHHN”.

During the world wars it became very necessary to have much more difficult encryption standards. The Germans created the Enigma machine to pass encrypted transmissions which the Polish eventually cracked. Consider the fact that the cracking of the Enigma was a key advantage for victory of the allied forces.

 

Encryption

Information in the digital world exists as binary numbers.

For e.g. ‘India’ is ‘01001001 01001110 01000100 01001001 01000001’.

For more clarity on how information can exist as ‘only’ numbers please read this short and simple article: What is digital information and how does the computer work? For a lawyer.

Security is thus accorded to online communication by rearranging the binary numbers through highly complex mathematical functions. This process of rearrangement of data is called encryption. The resultant encrypted text is called “ciphertext” or “cipher”.

Cryptography can be done through three different types of algorithms: hashing and symmetric and asymmetric cryptography.

In this article we would explore Symmetric Cryptography or Secret Key Cryptography in depth.

 

Symmetric/Secret Key Cryptography (“SKC”)

Imagine a locker containing lots of confidential files. All the files inside are protected through the application of a lock and key mechanism required to open and close the locker. Thus security to the locker is accorded by the security of the key.

If Bimal wants to send a message safely to Narendra, he would put the message in a bank locker, lock it, go away, deliver the key to Narendra, and ask him to access the locker.

Symmetric cryptography is akin to such bank lockers. In SKC the same key is used to encrypt and decrypt a message. The sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key to decrypt the cipher and recover the plain text. Because a single key is used for both functions, secret key cryptography is also called symmetric encryption.

 

Simple Mathematics behind encryption

In SKC a key is selected randomly, multiplied with the numbers of the secret message, and the product is publicly broadcasted.

For e.g. if I were asked to securely broadcast the message:
‘Bomb Xanadu at 0930’.

I would first change it to ASCII:
’66 111 109 98 32 88 97 110 97 100 117 32 97 116 32 48 57 51 48′

and multiply all the numbers with 777743 (key) to get the ciphertext:
‘51331038 86329473 84773987 76218814 24887776 68441384 75441071 85551730 75441071 77774300 90995931 24887776 75441071 90218188 24887776 37331664 44331351 39664893 37331664’

Therefore, the key would be the prime number 777743. While your knowledge of the key can help you divide the values and get the original message out of the encrypted message, lengthier keys accord better protection.

This oversimplified encryption algorithm may be named the Ashok Division Algorithm (“ADA”), published in a journal, and globally used. However, much has already been done on the intricacies of encryption algorithms. There are a lot of much better SKC algorithms you can choose from. The popular ones include Twofish, Serpent, AES (Rijndael) (for more information read this article on AES), Blowfish, CAST5, RC4, TDES, and IDEA.
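The multiplication scheme above in code, as an added example (not from the original article), together with the reason it must stay a teaching device: every broadcast number is a multiple of the key, so the key shows up as their greatest common divisor. Function names are assumptions; the message and key are the article's.

```python
from functools import reduce
from math import gcd

KEY = 777743                      # the article's key
MESSAGE = "Bomb Xanadu at 0930"   # the article's message


def ada_encrypt(text: str, key: int) -> list:
    """Turn each character into its ASCII number and multiply by the key."""
    return [ord(ch) * key for ch in text]


def ada_decrypt(cipher: list, key: int) -> str:
    """Divide every number by the key and map the result back to text."""
    chars = []
    for value in cipher:
        code, remainder = divmod(value, key)
        if remainder:
            raise ValueError(f"{value} is not a multiple of the key")
        chars.append(chr(code))
    return "".join(chars)


def common_factor(cipher: list) -> int:
    """Greatest common divisor of all broadcast numbers.

    Each number is key * ascii_code, so the result is the key multiplied by
    the GCD of the ASCII codes, which is 1 for almost any real message.
    """
    return reduce(gcd, cipher)


if __name__ == "__main__":
    cipher = ada_encrypt(MESSAGE, KEY)
    print("ciphertext:", " ".join(str(v) for v in cipher))
    print("decrypted with the key:", ada_decrypt(cipher, KEY))
    # No key needed for this step: the ciphertext alone gives it away.
    print("common factor of the ciphertext:", common_factor(cipher))
```

Algorithms such as AES avoid this by mixing key and data so that the ciphertext carries no such arithmetic relation to the key.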

Cellular technologies like GSM 1 and GPRS 2 are also global encryption conventions of mobile telephony.

 

Transfer of encryption key

The transfer of the encryption keys (777743 in the example above) takes place in the physical world, due to which agents and spies are often tasked with exchanging envelopes in a style akin to spy movies.

During WWII, cryptographic keys had to be transmitted in physical form such as this list of keys for the German Enigma cipher machine.

 

Indian Law

Section 84A of the Information Technology (Amendment) Act, 2008 permits the Central Government to prescribe encryption standards and methods to secure electronic communications, and promote e-governance & e-commerce. There is no dedicated law on encryption methods or standards. The sectoral regulations in the banking, finance and telecom industries define minimum standards to be used in transactions.

 

In the next post we head towards Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm where I show you how secure communication can take place without any key exchange. If you have doubts or questions about the technology or the law please feel free to post it here: Questions.

What is digital fingerprint and hashing? And how is it generated?

To start with digital fingerprints or hashing you need to understand what is a fingerprint and what is digital (no kidding).

 

What is a fingerprint?

Normally a fingerprint in biology and biometrics is the unique pattern of whorls and lines on the fingertip of a human being. For a while forget all that.

Just consider a fingerprint as a unique pattern.

A unique pattern so unique that an almost infinite or a very high number of separate patterns can be generated without any correlation. Imagine a world full of numbers, where every item you see, every sound you hear, and every other perception are all numbers. The requirements from a fingerprint then are distinction from each other and similarity of some sort.

For e.g. if you have to compare two human beings, you have to take their fingerprints, which have the same characteristics but are totally distinct.

 

What is digital?

In computers, all information is stored as binary numbers. For more clarity on how everything can be stored as 1s and 0s you may read this short article here: What is digital information and how does the computer work? For a lawyer

Binary information is then stored as small packets on the storage device as files. Files are always of variable length. The word ‘India’ will take 5 bytes to store on a hard drive as a text file while the entire Ramayana would take about three and a half million bytes or 3.5 MBs.

 

What is a digital fingerprint?

While electronic file sizes are of variable length, the files are all made up of a similar structure of 0s and 1s.

The required distinction is the pattern in their composition of 0s and 1s, and the required similarity is that they are made up of patterns of 0s and 1s.

Digital Fingerprint is a set of characters and numbers unique to every file. It is of a specific length. It is generated on the basis of the binary data of each file.

The words ‘digital fingerprint’, ‘message digest’, ‘digest’, ‘checksum’ and ‘hash’ are used interchangeably.

Hashing

A mathematical function called hashing is then used to convert these long strings of binary data into a prescribed number of characters, say a specific set of 32, 64 or 128 numbers.

This mathematical function just works one way and it is mathematically and logically impossible to find out the source data by using the digital fingerprint.

For e.g. if I were told to reduce a string of numbers into a digital fingerprint of two characters, I would break the original string of numbers into their individual components and add the components till I reach two digits.

7778889990 = 7+7+7+8+8+8+9+9+9+0 = 72

It would be then impossible to work back the number 72 to 7778889990

Similarly the text:

“Internet developed rapidly leaving little or no scope for its terminologies to develop. Most internet terms and phrases are English loanwords most analogous to the concept being described.”

can be first changed to a string of binary numbers (you can read about it here1) and then a mathematical function can be used to reduce the string to a specific set of numbers.

This reduction of a large file into a fixed set of numbers is called hashing. You can visit this site MD5 Online Generator to generate the MD5 hash of any text.

Properties of a hash

The hash of any file generated therefore:

  • is a one way encryption result
  • is quicker to transfer than their original source files
  • changes extensively even with a small change to the input
  • appears uncorrelated with any other hash value
  • cannot be recreated using different inputs
  • is always the same with the same input

 

What is the use of hashing?

File or Email transfer

The use of hashing is mostly due to internet communication, where one party needs to send a file securely to another party.

For e.g. Bimal wants to download a file from Amazon, and wants to be sure it is the same file and that it has not been infected with any malware while being transferred. He requests Amazon to deliver the MD5 hash of the file in a separate arrangement. After downloading and before using the file, Bimal computes the MD5 hash of the file and compares it with the hash that Amazon provided. If they are the same then it is definite that the file has not been tampered with and that it is safe to use.
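The digit-sum fingerprint, the listed properties and the download check above, as an added example (not from the original article). It uses SHA-256 from Python's hashlib in place of MD5, because MD5 is no longer collision-resistant; the function names and the sample file contents are assumptions.

```python
import hashlib
import hmac


def digit_sum_hash(number: str) -> int:
    """The article's toy fingerprint: add the digits until two remain."""
    total = sum(int(digit) for digit in number)
    while total > 99:
        total = sum(int(digit) for digit in str(total))
    return total


def fingerprint(data: bytes) -> str:
    """SHA-256 digest as 64 hexadecimal characters, whatever the input size."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(a: bytes, b: bytes) -> int:
    """How many of the 256 digest bits differ between two inputs."""
    digest_a = int.from_bytes(hashlib.sha256(a).digest(), "big")
    digest_b = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(digest_a ^ digest_b).count("1")


def download_is_intact(downloaded: bytes, published_digest: str) -> bool:
    """Compare a fresh digest of the download with the one the sender
    published through a separate channel."""
    expected = published_digest.strip().lower()
    return hmac.compare_digest(fingerprint(downloaded), expected)


# Constructed sample: what the sender published and what arrived.
ORIGINAL_FILE = b"installer contents, version 1.0"
PUBLISHED_DIGEST = fingerprint(ORIGINAL_FILE)
ALTERED_FILE = b"installer contents, version 1.0 plus something extra"

if __name__ == "__main__":
    # The toy hash is one-way, but many inputs share the same output,
    # so it cannot show that a file is unchanged.
    print(digit_sum_hash("7778889990"), digit_sum_hash("99999999"))
    # A real hash has a fixed length for 5 bytes or 3.5 million bytes.
    print(len(fingerprint(b"India")), len(fingerprint(b"x" * 3_500_000)))
    # One changed letter flips roughly half of the output bits.
    print("bits changed:", differing_bits(b"India", b"india"))
    print("download intact:", download_is_intact(ORIGINAL_FILE, PUBLISHED_DIGEST))
    print("altered intact:", download_is_intact(ALTERED_FILE, PUBLISHED_DIGEST))
```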

Password Verification

Every password verification form you have ever filled in takes your input password, hashes it and compares it with the hash stored in its database; if the hashes match, access is granted.

Why hash it? Storing all user passwords in a text file can result in a massive security breach if the password file itself is compromised.
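The hash-and-compare login check described above, as an added example (not from the original article). It goes one step further than the text by adding a per-user salt and a deliberately slow hash (PBKDF2), so that a stolen password file does not reveal which users share a password; the iteration count, record layout and function names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor; higher is slower to guess against


def unsalted_record(password: str) -> str:
    """Plain hash of the password: identical passwords give identical
    records, so one guessed password exposes every user who chose it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def create_record(password: str) -> dict:
    """What the server stores at sign-up: never the password itself."""
    salt = os.urandom(16)                     # fresh random salt per user
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt, "iterations": ITERATIONS, "hash": derived}


def verify_password(attempt: str, record: dict) -> bool:
    """At login: hash the attempt the same way and compare the results."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    # compare_digest takes the same time whether or not the values match
    return hmac.compare_digest(derived, record["hash"])


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    bimal = create_record("monsoon-2017")
    narendra = create_record("monsoon-2017")

    print("correct password accepted:", verify_password("monsoon-2017", bimal))
    print("wrong password accepted:", verify_password("monsoon-2018", bimal))
    print("unsalted records identical:",
          unsalted_record("monsoon-2017") == unsalted_record("monsoon-2017"))
    print("salted records identical:", bimal["hash"] == narendra["hash"])
```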

 

If you would like to know more about hashing or digital fingerprints please leave your comments below.

 

What is Phishing or Spoofing? Affixing legal liability through Indian Laws

Internet developed rapidly leaving little or no scope for its terminologies to develop. Most internet terms and phrases are English loanwords most analogous to the concept being described. Phishing as a concept is analogous to fishing where predators wait for unsuspecting victims to fall prey to fraudulent offers.

 

Phishing in English

Phishing requires three independent parties:

  • The victim whose computer system has been compromised
  • The offender who violates all privacy norms and causes disruption with losses
  • The Service Provider whose service to the victim has been affected by the offender

Phishing (as you might have already related it to fishing) is a fraudulent activity where offenders create websites or webpages replicating a popular third-party website.

After the creation of such similar content they wait for an unsuspecting user to mistake the fake website for the real one and enter sensitive data. Probability has it that 5% 1 of the people would fall for it and give their username and password details to the fake site.

Once the sensitive data is extracted from the user the offender would use the same data to login to the real site and make unauthorised requests resulting in either monetary loss or privacy lapse.

For e.g. if I had to login to your Facebook account, I would create a website which would look exactly like Facebook. I would then send the link of the new site to you. Once you receive the link, assuming it to be Facebook, you would be actually submitting your credentials to me. I would then use your username and password to login to your Facebook account.

 

How bad is it?

In 2009, a group of fraudsters (about 100 people, 53 from USA and 47 from Egypt) were sentenced to twenty years imprisonment. FBI officials nabbed them in the operation named “Phish Phry” after a manhunt of almost two years. The fraudsters were charged with phishing $1.5 million through fake credit card and banking websites.

“This international phishing ring had a significant impact on two banks and caused huge headaches for hundreds, perhaps thousands of bank customers,”
– Acting US Attorney George S. Cardona, in a statement.

India has been a prime target of a plethora of phishing scams. Indian netizens being new and unaccustomed to the internet fall for these scams easily. India lost $53 million to phishing activities in the third quarter of 2013, and has been regularly in the top five countries by volume of scams.2

 

Different methods of phishing:

URL Obfuscation attacks

This is the most generic form of phishing, where the victim is taken to a misleading URL. For e.g.: https://gmail.co.pk instead of https://gmail.com

The offending website stands in the middle, accepts information from the user, stores the information and relays it to the original website. Therefore the user never gets to know if he is on the correct URL.

This is most easily done by sending fraudulent emails offering gifts or other incentives if the user clicks on a link. The user is then taken to a website which looks like the trusted entity and is asked to submit their username and password.
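How a mail filter or link checker can catch the misleading-URL case above, as an added example (not from the original article): parse the link and compare its host name exactly against the names you expect, instead of looking for the brand name somewhere in the text. The allow-list, function names and every sample link other than the article's two are constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"gmail.com"}     # assumed allow-list of genuine sites


def naive_check(url: str) -> bool:
    """A tempting but wrong test: the brand name appears in the link."""
    return "gmail" in url.lower()


def link_host(url: str) -> str:
    """Host name of the link, lower-cased and without a trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_trusted_link(url: str, trusted=TRUSTED_HOSTS) -> bool:
    """True only for https links whose host is a trusted name or one of
    its subdomains. The trusted name must be the END of the host name."""
    if urlsplit(url).scheme != "https":
        return False
    host = link_host(url)
    return any(host == name or host.endswith("." + name) for name in trusted)


# Constructed sample links, apart from the first two taken from the article.
SAMPLE_LINKS = [
    "https://gmail.com",
    "https://gmail.co.pk",
    "https://mail.gmail.com/inbox",
    "https://gmail.com.example.net/login",
    "http://gmail.com/",
    "https://GMAIL.COM./",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:40} naive={naive_check(link)!s:5} "
              f"strict={is_trusted_link(link)}")
```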

Man in the middle attacks

This is an advanced method where the attack is on the victim’s side. The virtual host file is a normal text file which has a list of URLs and their specific IP addresses:

Google.com 216.58.220.206
Facebook.com 31.13.78.35

So when we try to reach google.com, our computer first checks the list of IP Addresses in the virtual hosts file; if the address is not found there, it looks it up on the internet and then takes us to that IP Address.

In this form of attack the virtual hosts files of the victims are targeted. A specialised malware can change the virtual host record of a user’s computer. If somehow this file can be changed by a malware, the computer can be fooled into visiting a different IP Address it never wanted to. These malware are mostly found on torrent sites and other free download sites; the advertisements are of very low quality as they target unsophisticated users.

Once the change has been made by the malware, it is very difficult to notice the change. Good antivirus and anti-malware software is recommended to deal with such attacks.
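Because such a change is hard to spot by eye, a simple audit helps; the following is an added example, not part of the original article. It reads hosts-file text and reports every entry that pins a watched site to an address, since ordinary machines have no such entries. In the real file the address comes first on each line, followed by the names; the watch-list, function names and sample file are constructed for illustration.

```python
import ipaddress

WATCHED_SITES = {"google.com", "facebook.com"}   # assumed watch-list

# Constructed sample of a hosts file (address first, then one or more names).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
::1          localhost
203.0.113.7  google.com www.google.com   # entry that should not exist
0.0.0.0      ads.example.net
not-an-ip    facebook.com
"""


def parse_hosts(text: str):
    """Yield (line_number, address, names) for every well-formed entry."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # the resolver ignores it too
        names = [name.lower().rstrip(".") for name in fields[1:]]
        yield number, str(address), names


def watched_overrides(text: str, watched=WATCHED_SITES) -> list:
    """Return (line_number, name, address) for each watched site, or any
    of its subdomains, that the hosts file pins to an address."""
    findings = []
    for number, address, names in parse_hosts(text):
        for name in names:
            if any(name == site or name.endswith("." + site) for site in watched):
                findings.append((number, name, address))
    return findings


if __name__ == "__main__":
    for number, name, address in watched_overrides(SAMPLE_HOSTS):
        print(f"line {number}: {name} is forced to {address}")
```

On a real machine the text would be read from /etc/hosts, or from C:\Windows\System32\drivers\etc\hosts on Windows.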

Cross Site Scripting (XSS) attack

As you might have noticed the X stands for Cross. This attack is done on the server’s computer. Specialised queries made to a server can make it reveal sensitive data.

This vulnerability especially is of a time when novice users would program servers and due to the vulnerable programming an advanced user could manipulate the server. However this is very rare and almost non-existent as of now.

 

Legalities

There has been a litany of cases filed by victims of phishing scams mostly against their banks. The grounds are filed under the Sections 43, 43A and 72A of the Information Technology Act, 2008 (amended). Depending on where the phishing activity has taken place, IT Act provides for different liabilities.

Section 43 (Penalty and Compensation for damage to computer, computer system, etc).

Section 43 (a), (b), (c), (h) and (i) talk about different liabilities for the offender.

Section 43 A Compensation for failure to protect data (Inserted vide ITAA 2006)

This whole section was introduced to affix liability on the Service Provider whose services have been compromised due to the attack (for e.g. the bank). A compensation has also been fixed which is not exceeding five crore rupees.

Section 66 Punishment for violation of Section 43

This section provides for punishment which may extend to three years and fine of five lakh rupees.

Section 66A(c)

This can be attracted in case of fraudulent emails. The words ‘to deceive or to mislead the addressee’ would carry the same punishment as in Section 66.

Section 66B, 66C, 66D, 66E

These different sections cover for the entire aspect of Phishing, identity theft, cheating, impersonation, violation of privacy, etc.

Section 72 A Punishment for Disclosure of information in breach of lawful contract

This section provides for punishment of the Service Provider who had an obligation to observe safe practices and network systems in order to prevent such attacks.

and Section 420 of Indian Penal Code

Apart from the IT Act, Cheating under the IPC can also be considered.

 

Denial of Service (DoS) attack and relevant Indian Laws

What is a DoS (Denial of Service) attack? And how is it committed?

To understand DoS, you will need to have an idea of what is the Service being provided, how someone can deny it to you, and how it can be counted as an attack.

 

What is the Service?

Every website you visit is made up of files like the ones you have in your Downloads folder. Pictures, Word files, PDF files, MP3 files, Videos, etc. On any given website all these files are organised in an easy to use presentable format called HTML. HTML (Hyper Text Markup Language) is a convention which is used to structure data in a viewer-friendly manner.

You can also make HTML files by using software like Microsoft Frontpage (old legacy), Adobe Dreamweaver (contemporaneous), Sublime Text (for advanced users).

Whatever you are looking at right now, even this text, is organised in a specific format and saved as .html files (on my server) which you are accessing and reading now.

The Service part is not yet fully defined.

The other component of the Service is the operation of a server. Believe it or not, you have operated at least fifty servers since this morning.

A server is a highly specialised computer designed only to serve web content. The HTML files we were discussing are stored on these servers, and the servers are connected to the internet in the same way you are connected to the internet. This connection to the internet enables anyone else to access the files kept on a server computer.

So for example, if you are watching a video on YouTube, you are accessing an HTML file kept on YouTube’s servers which has an embedded video on it. YouTube lets you access and watch it because then YouTube can show you ads. This transaction is thus complete with a win-win situation for YouTube and you.

The Service is complete when the Server renders the data to a user, and the user is able to access it successfully.

 

How do you then deny it?

Denying it is actually easier than setting up the service. Remember the part where the server is nothing but a super specialised computer? Yes.

And just like all computers (like yours), servers can also slow down to a screeching halt and freeze to lifelessness. Once a server hangs, and until it is restarted, whoever visits the server through the internet will see either a 500 Internal Server Error, a 503 Service Unavailable, or another error with a code in the range 500 to 511. I am sure you must have seen quite a few of these.

The way forward then is to visit the target website as many times as possible in a short period of time. A flood of visits to the same website will get the server busier than normal, and slow it down by taking up all the server resources like RAM, CPU and internet bandwidth.

Therefore if your friend wants to deny your access to YouTube, he can do so by artificially bringing YouTube’s servers to a halt or slowing them down.

For him to be able to pull off that feat on a website of that scale, he would probably need to visit it a whopping 500 million times in under an hour. Once he manages to get YouTube down, congratulations, he has broken the law.

 

How is it an attack?

Well, if you understood the Service part, the Denial part and the frustration emanating from it, you would never want this to happen to YouTube if you owned it. Even one hour of downtime for YouTube would mean millions of lost business opportunities, and billions of losses ensuing due to lost user confidence. I would personally term any losses above the $100 mark as an attack.

 

How to do it?

There are multiple free, open source and premium software tools which can help you do exactly that. These can be installed on any laptop or computer and put into action in under a minute. The most popular of them all could be Low Orbit Ion Cannon (LOIC) and the High Orbit Ion Cannon (HOIC). Others are also available by the names Locust, CloudTest, LoadRunner, etc.

If you do not want to dive into all the details, there are also some very easy online tools by the names of Loader.io, blitz.io, etc.

You can find LOIC here: https://github.com/NewEraCracker/LOIC

The HOIC is the latest version of LOIC, and it is analogous to the Death Star shown in Star Wars: it can launch parallel attacks on as many as 256 URLs at one go.

 

Why is the software freely available?

Just like everything else, software is also known to be abused. What started out as a network stress testing tool has quickly become an innovative way to attack and cause harm to others.

Software like Locust, CloudTest and LoadRunner, and many other open source variants, exists simply for the use of network administrators, who can test different flows of traffic on their networks.

As long as you are doing it on your own network, or on a network you are authorised to test, it is totally legal. It is illegal only when it is done without authorisation and with the intention to cause disruption.

 

Different types of attacks. Difference between DoS, DDoS and APDoS

If the offending computer is a single entity it is simply called Denial of Service (DoS), but when such an attack is orchestrated along with multiple other machines in parallel it is called Distributed Denial of Service or DDoS.

And when the attack is made through a large array of computers (tens of millions) and with very sophisticated and advanced methods, it can last for weeks. Such an attack is called advanced persistent DoS or APDoS.

It would be very foolish of anyone to try a DoS attack without adequate measures. The prime characteristic of a DoS attack is repeated similar requests from the same IP Address. It is then easy to block the offending IP Address. However, in the advanced versions of DDoS and APDoS, there are two classes of victims, one whose servers have been targeted and others whose computers have been used without their knowledge to pull off the offense.

In DDoS and APDoS, various kinds of malware and viruses are transferred over the internet to unsuspecting users, and then their computers are used to organise a massive attack on a third party.

The trickiest and the most difficult to diagnose are the Degradation of Service attacks. These attacks are highly advanced, using algorithms which can detect the victim’s network capacity, on the basis of which attacks are perpetrated not to hang the servers but to increase error rates and slow down the network ingress and egress. These attacks can last for weeks before detection and cause the heaviest losses at the least cost.
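The paragraphs above say that a single-source DoS shows up as repeated requests from one IP address, while distributed and degradation attacks do not single out any one address. As an added example (not part of the original article), the following Python code runs a per-IP sliding-window counter and a 5xx error-ratio check over constructed access-log lines; the function names, thresholds and sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip - - [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, epoch_seconds, status), or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(2), TIME_FMT).timestamp()
    except ValueError:
        return None
    return m.group(1), ts, int(m.group(3))

def flooding_ips(lines, window=10, max_requests=20):
    """IPs that sent more than max_requests within any `window` seconds.
    Assumes lines are in time order, as in a normal access log."""
    recent, flagged = defaultdict(deque), set()
    for ip, ts, _ in filter(None, map(parse, lines)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:   # drop hits that have left the window
            q.popleft()
        if len(q) > max_requests:
            flagged.add(ip)
    return flagged

def error_ratio(lines):
    """Fraction of 5xx responses; it rises even when no single IP stands out."""
    recs = list(filter(None, map(parse, lines)))
    return sum(1 for _, _, s in recs if s >= 500) / len(recs) if recs else 0.0

# --- Constructed sample data (not real traffic; documentation IP ranges) ---
T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

def line(ip, sec, status=200):
    t = (T0 + timedelta(seconds=sec)).strftime(TIME_FMT)
    return f'{ip} - - [{t}] "GET / HTTP/1.1" {status} 512'

normal = [line(f"198.51.100.{i}", 4 + i) for i in range(1, 6)]
# One client sends 50 requests in 5 seconds: caught by the per-IP counter.
single_source = [line("203.0.113.7", s // 10) for s in range(50)] + normal
# 50 clients send 3 requests each; half of them get 503s. No IP crosses the
# per-IP threshold, so only the error ratio reveals the problem.
distributed = [line(f"192.0.2.{i}", s, 503 if i % 2 else 200)
               for s in range(3) for i in range(1, 51)]
```

On the constructed data, the per-IP counter flags only `203.0.113.7` in the single-source case and nothing in the distributed case, where the error ratio of 0.5 is the only signal.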

 

Laws of India on this?

Whether it is a simple disruption, degradation, denial or distributed denial, Indian Law has provisions for all of them.

Section 43 (e), (f) and (g) of the Information Technology Act, 2008

provide watertight provisions which, as of now, cover the entire gamut of DoS attacks.

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network

  1. disrupts or causes disruption of any computer, computer system or computer network; (applicable in cases of disruption and degradation)
  2. denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means; (applicable in cases of denial or distributed denial or advanced persistent denial)
  3. provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder, (applicable in cases of denial or distributed denial or advanced persistent denial)

then such a person can be made liable under the act.

Moreover, there is another clause that covers cyber terrorism which is punishable with life imprisonment.

Section 66F. Punishment for cyber terrorism

  1. Whoever,
    1. with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by –
      1. denying or cause the denial of access to any person authorized to access computer resource; or …
    2. … commits the offence of cyber terrorism.
  2. Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

 

Pertinent History

The first big-ticket DDoS attack happened on the Church of Scientology in 2008. This was organised by the Anonymous group, apparently the largest hackers’ network, in protest against the philosophies and practices of the Church of Scientology.

In June 2014, the Occupy Central movement in Hong Kong was responsible for taking down multiple websites of the Chinese Government. This too was in protest, against the Chinese voting system, which has a fixed 1200-member committee that elects new leaders to power.

In April 2015, TRAI released a list of over a million email ids of people who wrote to TRAI favoring Net Neutrality. TRAI was foolish enough to release the email ids along with the names of the users and their messages. A group of hackers calling themselves Anonymous India saved the day by DDoSing TRAI’s website so that no one could download the list of email ids. It was supposedly a gold mine for spammers.

The supporters of Wikileaks have been attacking websites of the US Government and other Financial Institutions to the extent that Mr. Assange had to request everyone in a tweet to stop all such activities.