How blockchain is changing the finance industry: Triple Entry Accounting

The blockchain technology brings in yet another revelation, this time in accounting principles. Enter the Triple Entry Accounting system. Compared to the traditional double entry accounting, triple entry brings in another dimension in the accounting process. In this article we will first clarify what is double entry accounting and how blockchain technology introduces the triple entry accounting.

To gain a better understanding of this article, I recommend you to go through the previous articles on:

Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm

Digital signatures? Signing and verification – Relevant Indian Laws

Bitcoins, cryptocurrency and the blockchain – what is so different than fiat money?

How blockchain is changing the legal industry: Smart Contracts

 

Double Entry systems

Modern accounting originated about 500 years ago in 1494 through Luca Paciolo. Paciolo was a close aide of Leonardo Da Vinci and a Franciscan by religious order. Paciolo developed an accounting equation which in its simplicity means:

Assets = Liabilities + Equity
– Luca Paciolo

In other words for every transaction there has to be a credit and debit. Two accounting books need to be maintained for every transaction. At the end of a financial year the accounting procedure would make sure the debit balances the credit. Any mismatch in the two ledgers would tell the managers that they should not trust their own books.

Double Entry Bookkeeping or double entry accounting (‘DEA’) meant this system of maintaining two books for every transaction. It marked the Renaissance in accounting procedure compared to earlier, when only one ledger maintained accounts under the single entry system. Accountants needed to go through the entire accounting period counting every transaction to ascertain accuracy. DEA did away with this trouble, if the debit and credit balances matched it meant proper accounting.

 

The issue of ‘trust’

However, even with the introduction of DEA the quagmire of human accountability did not seem to resolve. Although the DEA kept company managers confident about their own books, outside stakeholders, such as investors, lenders and the state could not still trust the company’s books. Why would they? It was very easy to make bogus entries and still keep the debit and credit balanced.

PwC Satyam scam (7800 crore in 2009), five independent auditors, all affiliates of PwC, were guilty of collusion.1

DEA saw the appointment of a so called ‘independent auditor’. The company appoints and pays the auditor as a legal requirement, and he makes sure that the accounting is proper for the benefit of the stakeholders. The auditor donned the role of an independent guarantor of financial information.

If a company has prepared inaccurate financial statements and has a good story to support them, it becomes very difficult for auditors to detect the misstatements (even if the auditors were not collusive).

A big issue in law of agency arise out of this: Do auditors work for the company who appoints and pays them or for the outside stakeholders who rely on their integrity in order to make decisions?

Even if auditors do their work with full integrity, the amount of accounting ranges from obscene to astronomical. The accounting bill in itself causes a displacement of lakhs of rupees in even a medium sized enterprise.

All of these elements together places a lot of ‘trust’ in the company and the auditor. Consequently, it often proves to be detrimental to the general public.

 

Enter the Triple Entry Accounting system

The global popularity and massive circulation of bitcoins and the blockchain enabled technologies is solely because of this new method of accounting. New vistas have opened in trade both domestic and international. The element of trust is surgically being discarded.

In comparison to the traditional two columns maintained in the DEA, the triple entry accounting (‘TEA’) requires managing a third column. In the coming paragraphs I will explain the job of this third column.

 

The blockchain network

It is important at this juncture to understand how the bitcoin and blockchain works. I would recommend you to go through my earlier post on What are bitcoins / cryptocurrency / blockchain – what is so different than fiat money?

In jargon-free simple terms bitcoins are numbers stored on a public database. One can send bitcoins to another by digitally signing the transaction. Digital signatures ascertain authenticity of the sender’s identity. Furthermore, every transaction is stored as an immutable block in a linear chronological fashion called the blockchain. Finally, reading the blockchain would ascertain who owns how much bitcoins.

 

The third column

Remember how the DEA is a representation of two accounts? Now take these two accounts and give them a wallet address. Every movement of value debits one wallet and credits another. The account sending the value digitally signs the transaction, and this digital signature is stored in the third column. Consequently, the third column forms the blockchain and the integrity of every transaction is ascertained by reading the blockchain.

 

More Security

If you know about digital signatures and how they work,2 you would understand the role of a Digital Signature Certificate Authority (‘DSCA’).

The job of the authority is to maintain a public database of all public keys or encryption keys of digital signatures along with their legally identified owner. To effect this, the state legally enables only the DSCA to issue digital signature certificates.

All transactions which happen on the TEA requires a public key and a private key to digitally sign the transaction, the DSCA may now verify the identity of the signatory every time.

All of it creates an undeniable, immutable and future proof record of transactions. No matter how voluminous the transactions of a company have been, reading the very last record on a blockchain based TEA system would draw a clear picture every time.

 

Legal validity of Triple Entry Accounting

In India the Companies (Indian Accounting Standards) Rules, 2015 specify accounting standards. The Ministry of Corporate Affairs issued G.S.R. 111(E) making the Indian Accounting Standards (Ind AS) a mandate to be followed by various classes of companies. The Ind AS in turn heavily relies on Double Entry Accounting.

While, no country has made Triple Entry Accounting a mandate. Reports of Credit Suisse in 2016 on Blockchain3 and Delloite 4 explain and show how blockchain can be used in financial auditing through the TEA. They also place reliance on the current ongoing practices at the Big4 to show their future applicability.

Seems like it is only a matter of time nations across the world appreciate the Big4 practices and accord legal recognition to it.

How blockchain is changing the legal industry: Smart Contracts

A smart contract is a self-regulated software which has it’s own impeccable sense of time, it is used to send automated electronic messages, either periodically or conditionally.

Periods are based on specific intervals of time and conditions are reference to objective facts around us. The electronic messages sent are transactional in nature which change account balances of two or more parties.

The software takes in conditions and functions in a high level programming language and translates them into a machine-readable form called bytecode. This bytecode can then be permanently stored in a read-only form called a block. The blocks are further stored in a chronological order on a decentralised database system called a blockchain.

You can read more about What are bitcoins / cryptocurrency / blockchain – what is so different than fiat money? To get a better idea about the blockchain and its application on bitcoin.

 

Why smart contracts?

For a moment let’s understand why would we ever want to enter a contract. It can be two reasons out of many others.
Either, because we respect law and want to keep our transactions publicly recorded,
or, we clarify our intentions through the contract and enter relations which benefit us.

If you chose the latter, it is because the basis of all contracts is not in law itself or any social validation. Certainly, no one cares about the legality or the illegality of the contracts they enter. What interests us in every contract is the transfer of value from one person to another. This transfer of value (i.e. consideration) from one to the other is so important and intrinsic in even legal relations that the lack of it renders a contract void, and the mere presence of it can turn an agreement into a contract.1

 

Because it is automatic!

In smart contracts, the software automatically executes a transaction without any requirement of manual enforcement. The transaction is either made to an account directly or to an escrow account created specifically for the transaction. The advantage of smart contracts is that it will definitely be executed irrespective of it being legal or illegal.

Smart contracts have a self-executing deterministic nature. There is no way out of a contract, it is mathematically impossible to breach a contract. Even efficient breach is not allowed. Due to this deterministic nature of smart contracts there would be no requirement of a third party!

Now if contracts could be given a life of their own in which they automatically execute, who would not want this panacea of legal disputes?

 

Because it has every element of pure capitalism

The primary reason behind the massive success of smart contracts is the fact that the the blockchain network provides for a complete ecosystem of a capitalist nation, including banking, a transparent marketplace, a secure and private messaging system and infinite identities.

 

Because it does not require your trust

We would soon be taking the word trust out of businesses. Businesses fail because of trust issues, a lot of enterprises never scale because of lack of trust.

The only bane of capitalism was the word ‘trust’. Internet had already done away with a lot of third party elements, independent parties felt more confident to make peer-to-peer transactions. But still, we always needed a central bank to approve of our transactions.

Blockchain having its own currency system does not require a bank to maintain our accounts or do our transactions. The exchange of currency and accounting would be totally done according to the code in the software. Gone would be the days when fractional reserve banking would be used to create an unlimited source of magic money.

Smart contract systems would bring in a whole lot of confidence by providing for autonomy. Any middleman be it a book publisher, music distributor, cab aggregator or a broker, would have to find greener pastures. Transaction costs would drastically reduce giving us a better half of the 21st century.

 

But why do I trust the system and the software?

You do not have to trust the system and the software. Because there is no system and software!

Blockchain is not primarily a software, it is an idea. There is no proprietary system or software which claims to have built the blockchain, neither has a patent been claimed. This idea was recorded in an anonymous research paper titled: Bitcoin: A Peer-to-Peer Electronic Cash System by Satoshi Nakamoto2 and widely publicised for people and businesses to learn and implement. It is a mathematical concept which like mathematics itself is undeniable logic.

You are free to make your own software on this idea and still connect with the global network. Hire a developer and order your software now!

Thousands of corporations across the world have implemented their own versions of this idea to hold internal transactions, specifically transactions which needed to be at arm’s length.

For others, there were some fast moving developers in this domain, and the open-source softwares they have developed are really popular as of now. It is better to just download a free open-source version of the most popular blockchain network softwares, it will save a lot of costs.

If you still have an issue downloading an open source blockchain software, you need to understand that these open-source resources are just like academic research papers continuously being scrutinised and challenged. If one developer builds something, thousands of others would develop on it and invest millions of man hours to perfect it. At this stage, you would not be trusting the software or the underlying code, you would be trusting humanity and mathematics.

Even after all of that, a smart contract is actually a software on its own, the blockchain system has no say in what a smart contract can do or not do. The job of the open-source software, that you would use, is to just translate the contents of a smart contract and make it machine readable. So ultimately the trust is put on the contract which you yourself have created 🙂

 

So how it is done?

The Ethereum network

The Ethereum Foundation based out of Switzerland, founded by Vitalik Buterin,3 launched an open source software called the Ethereum. You can use Ethereum to either create a private network or join the already existing global network. The Ethereum network stores data in a distributed format and takes actions automatically. It is akin to one unified global computer and therefore it is called the Ethereum Virtual Machine (“EVM”).

You can download your own copy of the Ethereum software freely from this github link.

This EVM has it’s own cryptocurrency called the ether, which is going at the rate of 18.59539 USD as of now. The best part is that the EVM can also be used to create new cryptocurrencies (or digital tokens) of your choice. You can actually run a currency in your name, the strength of which would depend on how others value the worth of it.

The EVM can run automated softwares (smart contracts) which can effect changes to the cryptocurrencies which have been launched on it. Smart contracts can be written in high-level programming languages such as Solidity, Serpent and Viper (derivatives of Python).

 

What does it look like?

A smart contract looks like this:

contract MyToken {
 /* This creates an array with all balances */
 mapping (address => uint256) public balanceOf;

 /* Initializes contract with initial supply tokens to the creator of the contract */
 function MyToken() {
 balanceOf[msg.sender] = 10000;
 }

 /* Send coins */
 function transfer(address _to, uint256 _value) {
 if (balanceOf[msg.sender] < _value) throw; // Check if the sender has enough
 if (balanceOf[_to] + _value < balanceOf[_to]) throw; // Check for overflows
 balanceOf[msg.sender] -= _value; // Subtract from the sender
 balanceOf[_to] += _value; // Add the same to the recipient
 }
}

This smart contract of only ten lines is written in Solidity. It generates 10,000 tokens for the initiator of the contract. To create the tokens the initiator would either need to have his own computer which can mine the tokens or he will need to hire a computer or he can just outsource it to the global network for a much cheaper cost.

These tokens are the minimum tradeable unit and cannot be subdivided, so owning a single token could be represented in shares (say 10 tokens is 0.01% of the total of 1,00,000 tokens).

The above lines of code will be compiled to bytecode which is a string of 0s and 1s by the Ethereum software and would be deployed to run on the network. This simple contract just allows the initiator to create new digital tokens and send them from one account to another.

 

It costs

One important thing about smart contracts is that it costs to execute a contract. Every movement of the contract costs, and the costs are quantified in ‘gas’ units. This example contract would at most need 20,000 gas, which is around 0.0002 ether, equivalent to a very negligible cost in money, about 20 paise in INR.

This cost is due to the complex mining process which requires huge computational power to hash the bytecode and write it to the blockchain.

The nodes which do the hashing are called mines and they are rewarded for their work in maintaining the blockchain. The nodes are paid in ether. The ether is deducted from the account which initiates the contract. Although uploading a contract on the network is very cheap as of now, it still provides a much needed incentive to write minimal code.

 

Use cases of a smart contract

Automated monthly payments or EMIs

A small smart contract can be written to send 100 ether to a specific account on the third of every month for twelve months. This will create a deterministic relation between two parties. The receiver would not have to worry for payment on the third of every month, and the sender does not need to remember it. Obviously, till the moment there is enough ether in the sender’s account. In addition, to employ more security to the contract an escrow account can also be created containing 1200 ether.

Music Industry

An artist can write a smart contract which deducts a specific amount of ether every time one plays his music. To play the music the smart contract shall ask for the ethereum public key of the player’s account and make it available only on the EVM in an asymmetrically encrypted form. The user can login only by using his ethereum private key. R.I.P. Piracy.

Gold and Diamond Trade

Gold or diamond merchants globally can issue virtual cryptocurrencies redeemable against real physical gold or diamond. It can be named GoldCoins and traded freely on the EVM. The speed of large transactions would do away with the current lag in international settlement systems and bring transparency to the movement of gold.

Diamond is already being transacted on the blockchain technology by a company named Everledger. They are using digital locks to keep diamonds, the locks can be opened only through the internet using a blockchain network.

Real Estate

Real physical property can be equated into a fixed number of tokens and then traded on the EVM. A plot of land of 100 acres can be divided into 10,00,000 LandCoins and then transacted with. The issue and movement of LandCoins would be traceable for the infinite future reducing all forms of land disputes and presenting a clear picture of every property.

Furthermore, drones or GPS transmitting fences can be used to determine land ownership and the data can be stored in an immutable form on a blockchain network for transactions. This would provide for an immutable and undeniable record of land rights.

Securities Market

A company can issue digital tokens against it’s shareholding and sell the tokens on the EVM from time to time. The worth of the company would depend on how much others would value the digital tokens. It will make international securities trade faster than ever before. Currently settlement in international markets take two working days, this can be reduced to 10 minutes or lesser. As a result, ownership pattern of all companies would be transparent and violation of securities law would be easily detectable.

The Euroclear Bankchain is using blockchain to effect immediate settlement.

Cab services

I can write a smart contract which reads my GPS coordinates. This contract would pay in ether from my account to the account of a cab driver the moment I reach my destination. The payment modalities can be thoroughly kept peer to peer without any involvement of a third party. No subsidies or coupons, pure market forces.

Anything…

Every legal contract, in some way or the other, is nothing but a transfer or an exchange of value from one party to another. True, that they would now be needed to be looked at from a different perspective, but, yes, they hold the future of all contracts.

 

Legal Industry

The civil and corporate domains of law would receive a huge jolt. It would be impossible to have a dispute on the possession of cryptocurrencies on the EVM. There would be sea changes in the legal industry due to the onset of smart contracts.

 

Contract

A contract between two parties is written in code into the blockchain. The individuals may prefer to remain confidential but the contract is public.

 

Smart Contract

A triggering event like time or a strike price is taken into account and the contract executes itself according to the code.

 

ethereum

Regulators can use the blockchain records to see the nature of the contracts while maintaining complete anonymity of party identity.

 

 

Do not take the simplicity of smart contracts for granted. Smart contracts can be made into very lengthy and complex software, while the working of which two persons need to agree on.

The legal status of smart contracts is already under consideration. The lower chamber of Arizona’s legislature has already tabled the HB 2417 bill which seeks to confer legal recognition to blockchain signatures. The bill has been forwarded with an unanimous vote as of today (1 March 2017).4

In the words of the Arizona Legislature:

“Blockchain Technology” means distributed ledger technology that uses a distributed, decentralized, shared and replicated ledger, which may be public or private, permissioned or permissionless, or driven by tokenized crypto economics or tokenless. The data on the ledger is protected with cryptography, is immutable and auditable and provides an uncensored truth.5

 

And David Cameron is rooting for wider use of blockchain technology to fight corruption in government tenders.6

“… most excites me is, the potential that your technology [blockchain] has to fight corruption and to deal with failures of governance and governments and the rule of law all over the world.”
– David Cameron

 

Seems like, law enforcement and judiciary would now get the much required break to focus on criminal law.

 


 

If you liked the article please like and share it with your followers. If you have doubts or questions about any part of this article, please feel free to leave a comment below or ask questions directly to the author here: Ask Questions.

A brief history of the internet, cryptography, cryptanalysis and encryption laws of India

The internet

Thanks to the internet you are reading this article right now. How did the internet get to where it is right today?
There is so much history we cannot possibly get it together in this short article.

The internet actually got a start about 50 years ago, and computers at that time filled up entire rooms. Scientists and researchers used these to do research work in the field of physics, mathematics, statistics among other subjects.

In 1962, a scientist at the ARPA1 named J C R Licklider proposed the idea of linking computers with physical cables. According to him computers would be able to ‘talk’ to each other.

In 1969, the first message was sent from one computer to another through a cable. One computer was placed at University of California, Los Angeles and another was at Stanford University. The cable was laid by ARPA and was called the ARPANET. The message was simply the word ‘LOGIN’ which was received incompletely as ‘LO’.

By the end of the year 1969, there were only four computers connected on ARPANET. But news of this development spread far and wide to Latin America and Europe leading to development of similar computer networks.

By 1971 the University of Aloha in Hawaii started its own network, followed by networks in London and Norway.

In 1971, Ray Tomlinson was working at the ARPA to create a messaging system where computers connected with each other could send and receive electronic ‘mails’, later shortened to e-mails.

However, Ray’s work would not have been possible without another system created by Vinton Cerf, who was also working at the ARPA in 1980. He invented a way in which computers across the globe irrespective of their networking structure would be able to connect and discover each other. This invention of Vinton helped computer users connect via long distance cables, recognise each other and be able to communicate through an intricate system of digital signals. This invention was called Transmission Control Protocol (TCP). It was soon followed by the Internet Protocol (IP) in 1983.2 The rest of the 80s revolved around the IP and e-mail. A standardisation which guaranteed compatibility between networks irrespective of the make or brand of computers.

Telecommunication was well developed by then and telephone lines could carry analog electrical waves over long distances. For computers to be able to exploit the already established telephone lines, data had to be modulated into analog signals and then demodulated after being transferred. However, only 56,000 bits per second could be transferred through this medium. This was referred to as the 56K connection. To use the internet through telephone lines one had to ‘dial up’ the local telephone exchange and request internet access. Once granted, a telephone line could connect two computers through their respective modems (modulator and demodulator).

Computers which are specifically designed for serving information on a network are called servers. Computers accessing information are called clients.

In 1991, British Scientist Tim Berners-Lee who was working at the CERN laboratory submitted a proposal named:  Information Management in March 1989.3 This was the groundwork behind organising text into an easily readable format and a code through which computers could exchange it. He invented what we call the Hypertext Transfer Protocol (HTTP) and coined the term ‘world wide web’. This protocol enabled one to many network connections. This was the first time when the distinction between client and server took place.

Tim also built the first ever prototype of a web browser which ran on a client computer connected through the HTTP to a server. Called the ENQUIRE it could send queries to a server and receive replies.

However, the most important development happened when four Finnish students created the first web browser to be able to download image files, it was named ERWISE (a wordplay on ‘otherwise’).

Soon after in 1993, Mosaic followed ERWISE into the web space. Although Mosaic influenced the public on what a web browser should look like, the current look of web browsers with back, forward, history and address bar was established by Netscape Navigator in 1994.

All of these developments were possible because of corporations like America Online (AOL) and Compuserve. They were popularising and massively advertising the oncoming of the internet. Advertisements of electronic mails, file transfers, instant messaging and online directories made their ways to television. By the fall of 1990 there were 313,000 computers hooked onto the internet.

In those times the monitors on a screen could only show text, therefore a highly skilled operator with expert knowledge was required for researchers to manage their data.

Tim however developed all the three things: HTTP protocol, web server and web browser, away from American influence. He decided to give away his inventions for free to the masses, he did not want regulatory control or stifled growth of this technology.

By 1995, Jeff Bezos started selling books out of his garage. And by 1998, Google had already indexed 25 million internet pages.

As of now the Internet Protocol Version 4 (IPv4) 4 is the most prevalent method of global information dissemination. This protocol requires a specific numerical address called an IP Address to locate a server (analogous to a cellphone number). One server may have multiple IP Addresses.

For e.g. the IP Address which I mostly get to use to access Google is: 216.58.220.206. If you put this IPv4 Address on the address bar of your browser it would take you to the Google website.

Although IPv6 is out since a long time the vast majority of telecom operators still use legacy devices which have not yet progressed to this new protocol. You can test if your operator supports IPv6 here on a Google’s testing tool.

Once we connect with a server using their IP Address, it is up to the server how they treat our connection request. Some may deny access to their files (you will see error code ‘403 Forbidden’), some may lead you to an index of all files stored on them (like this Enrique Iglesias Music Collection), and some may show you a HTML document to easily guide you and help you find relevant information quickly.

For e.g.: This website Alcohol. And this David Prati. These are the simplest kinds of websites where only text is publicly available.

 

Cryptography and Cryptanalysis

Cryptography and Cryptanalysis are the hallmark of each other. While cryptography is the science of encryption, cryptanalysis is the science of decryption. Since the beginning of communication itself people have tried many ingenuous methods to gain privacy over conversations only to get intercepted and decrypted.

You can find everything about Encryption and Symmetric Cryptography in under ten minutes in this article: Encryption and Symmetric Cryptography – How is data secured electronically?

In the case of modern day internet information has to be transferred through physical cables across the world. Telephone companies who were skinny dipping into billions in profits suddenly had access to petabytes of data. All those companies who dealt in cable networks and telecommunications had direct access to the bulk of information which go through the cables they had laid.

And yes needless to say, browsing history, search history, emails, instant messages, every bit of data which go through the cables were accessible to the ones who owned them.

Steve Wozniak invented the blue box, it was capable of dialing and connecting to any telephone globally.

Information could be put to any use. Eavesdropping and blackmailing were the least of them. Politicians could use this data to gain advantage, massive surveillance could take away individual liberty.

The growth of the Internet and electronic commerce have brought to the forefront the issue of privacy in electronic communication. Large volumes of personal and sensitive information are electronically transmitted and stored every day. What guarantees does one have that a message sent to another person is not intercepted and read without their knowledge or consent? Tools to ensure the privacy and confidentiality of paper-based communication have existed for a long time.5 Similar tools exist in the electronic communications arena.

Encryption is the standard method for making a communication private. Anyone wanting to send a private message to another user encrypts (enciphers) the message before transmitting it. Only the intended recipient knows how to correctly decrypt (decipher) the message. Anyone who was “eavesdropping” on the communication would only see the encrypted message. Because they would not know how to decrypt it successfully, the message would make no sense to them. As such, privacy can be ensured in electronic communication.

Privacy and security quickly became a public issue. Soon the telecom industry started using encryption while transferring information in their cables. Although a lesser evil, telecom companies still had continued access to data and would frequently allow the government and other interested parties to snoop into it.

In further developments internet companies like Google, AOL, Amazon etc. started using their own layer of encryption. To their amusement these newly established businesses had access to the information, the burden of which big telecom companies were having to carry.

However, in the race towards information the government also wanted its own share. Back in 1952, President Harry Truman signed the National Security Agency (NSA) into the United States. It was an assemble of the best cryptanalysis experts in the world. Although an American agency, it was tasked to intercept and decrypt information from across the globe.

By the advent of asymmetric cryptography and the RSA algorithm the situation changed a bit. You may please read this short article on Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm.

Let’s find out what changed.

While Cryptography is the science of encryption methods, three types of algorithms exist:

  1. Hashing/ Digital Fingerprinting/ Digest/ Message Digest
  2. Symmetric Cryptography or Secret Key Cryptography
  3. Asymmetric Cryptography or Public Key Cryptography

Hashing/ Digital Fingerprinting/ Digest/ Message Digest

Hashing is the generation of a fixed length string of characters from another string of random length called hash or message digests. Hashing is a one-way encryption which uses no key. This makes it impossible for either the contents or length of the original string to be recovered.

E.g.: 7778889990 = 7+7+7+8+8+8+9+9+9+0 = 72
The hash of 7778889990 is 72.

You can learn about hashing in this short and succinct article: What is digital fingerprint and hashing? And how is it generated?

 

Symmetric Cryptography or Secret Key Cryptography

Symmetric Cryptography is where a single key is used to both encrypt or decrypt a message. This is made possible by converting any text first to numbers, and then further applying complex mathematical functions.

For e.g. if I were asked to securely broadcast the message:
‘Bomb Xanadu at 0930’.

I would first change it to ASCII:
’66 111 109 98 32 88 97 110 97 100 117 32 97 116 32 48 57 51 48′

and multiply all the numbers with 777743 (key) to get the ciphertext:
‘51331038 86329473 84773987 76218814 24887776 68441384 75441071 85551730 75441071 77774300 90995931 24887776 75441071 90218188 24887776 37331664 44331351 39664893 37331664’

The key therefore would be the prime number 777743. If you know the key you can divide the values and get the original message once you receive the encrypted message. More lengthier the key better the protection.

There’s a lot of different SC algorithms you can choose from—the popular symmetric algorithms include Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, RC4, TDES, and IDEA. All of which probably have been compromised by the NSA.6

Gain an insight into Encryption and Symmetric Cryptography in under ten minutes from this article: Encryption and Symmetric Cryptography – How is data secured electronically?

 

Asymmetric Cryptography

This is a two-key crypto system in which two parties could engage in a secure communication over a non-secure communications channel without having to physically share any key.

In this method two different keys are used, one for encrypting the message and another for decrypting the message. The key used to write and encrypt a message is called a public key and it is kept publicly available, while the one used to decrypt and read a message is called a private key this is kept a secret.

Every recipient has to generate this set of two keys. Both the keys are mathematically linked in such a way that messages encrypted with a public key can be decrypted only by the private key.

Rivest-Shamir-Adleman from Left to Right

The invention of the RSA algorithm in 1978 made it possible for people to hold fully online communication without a physical key exchange.7 You can read more on Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm.

There was rapid growth in the usage of the RSA algorithm, and many other asymmetric cryptography algorithms appeared. Research in Motion the company behind Blackberry held another patent on elliptic curves. By August 2013, Blackberry held 130 patents in cryptographic algorithms.8

However, this proved to be difficult to crack than any other encryption method. The difficulty of the keys in RSA algorithm depends on prime factorisation of very large numbers. It is therefore estimated, that standard desktop computing power would take 4,294,967,296 x 1.5 million years to break a 2048-bit encryption. Or, in other words, a little over 6.4 quadrillion years.9

Still it would be naive to think that our communications are secure. The first factorization of a 512-bit RSA modulus was reported a decade and a half ago.10 On December 12, 2009 a group of researchers successfully factored a 768 bit, 232 digit semi-prime number.11 And Lenstra warned, “Thus, it would be prudent to phase out usage of 1024-bit RSA within the next three to four years (2013-2014)“.

But even now in 2017, banks use 256 bit RSA algorithm proudly claiming: “OnlineSBI allows you to transact over a completely secure medium, Protected by the most stringent security systems. All your transactions travel via an SSL encrypted medium (minimum of 128-bit to maximum of 256-bit SSL tunnel), the highest level of security (emphasis added) on the internet.”12

This huge lapse in security is due to governments’ desire to harvest information and at the same time struggling to keep up with global weapons race for data security.

 

Encryption Laws of India

Why does the government want to control and regulate encryption?

As much as encryption is desirable and instrumental in free communication, it also brings in a plethora of abuse cases.

On December 11, 1994 the Philippines Airlines Flight 434 got severely damaged midair by a bomb. It was going from Cebu to Tokyo on a Boeing 747-283B. The pilot of the flight, with his experience somehow managed to land it.

Later on January 6, 1995, police responded to an apartment fire in Manila, Philippines. They found a Toshiba Laptop along with some chemicals and materials used in bomb making. An open file on the laptop which referred to the bombing of Philippines Airlines Flight 434.

While other files in the laptop were encrypted it created a sense of mind-numbing fear. The Philippines Police with assistance from the NSA decrypted some of the files successfully revealing several bomb making recipes. And all evidences pointed towards a suspect from the 1993 World Trade Center bombing, Ramzi Yousef.

Yousef’s plan to bomb Flight 434 was properly documented through the evidence collected. He was soon tracked down and put into US custody within six weeks. This event stirred the media globally and immediately legal cryptanalysis gained public confidence.

High levels of encryption make it difficult for law enforcement agencies to collect and analyse electronic evidence. While low levels of encryption is harmful for online activities such as e-commerce. A middle ground is therefore desirable which leads us to legal regulations on encryption.

 

Information Technology Act

In India, the Information Technology (Amendment) Act, 2008 provides for encryption under Section 84A, which is as follows:

84A. The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption.

This section permits the Central Government to prescribe encryption standards and methods to secure electronic communications, and promote e-governance & e-commerce. There is no dedicated law on encryption methods or standards. The sectoral regulations in the banking, finance and telecom industries define minimum standards to be used in transactions.

The Government has also been granted the power to gain access to means of decryption or simply, decrypted information under Section 69(1) of the IT Act. It says

69(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.

and the entire literature of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 provides for the legal mechanism in which the government may deem itself responsible to legally cryptanalyse the contents of any message.

 

Draft National Encryption Policy

On 21 September 2015 a draft National Policy on Encryption under S. 84A was published and the general public was invited for comments. The Central Government sought to specify and notify the encryption protocols and technologies that can be used by industries and general populace.

However, it was withdrawn two days later as there were reactions across the industry indicating that Indians do not want government regulations dictating encryption standards.

A large amount of criticisms from businesses, IT sector, users and civil society advocacy groups were leveled against the policy:

  • The policy called for storage of plain text copies of encrypted communications for 90 days by users and businesses.
  • Registration for foreign service providers like WhatsApp, Facebook or Google before they establish services to the Indian population.
  • Heightened security concerns associated with storage of plain text copies for 90 days.
  • The key length, methods and algorithms to be used in encryption were to be prescribed and restriction on the maximum standard of encryption were also to be maintained. The policy did not leave any room for discretion of a user to use higher or different security standards.
  • Foreign service providers like WhatsApp, Facebook or Google were directed to store plain text copies of communications and release when sought by a law enforcement agency.

Other sectoral laws

Department of Telecommunication (DoT) License with Internet Service Providers (ISPs)13

Clause 2.2 (vii) of the ISP License:

The Licensee shall ensure that Bulk Encryption is not deployed by ISPs. Further, Individuals/ Groups/ Organizations are permitted to use encryption up to 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms without obtaining permission from the Licensor. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall obtain prior written permission of the Licensor and deposit the decryption key, split into two parts, with the Licensor.

This permits the use of up to 40 bit encryption key in the symmetric algorithms or its equivalent in others. This restriction is applicable not only on ISPs but also all individuals, groups and organisations that use encryption. Prior permission from the DoT is to be taken and the decryption key must be deposited with the DoT if encryption above 40 bit is to be used.

While Clause 22 and 22 of the same ISP License states:

22.1 The Licensee shall provide on demand the details of the technology proposed to be deployed for operation of the service.

23.1 The LICENSEE shall furnish to the Licensor or its authorized representative(s), in such manner and at such times as may be required, complete technical details with all calculations for engineering, planning and dimensioning of the system/network, concerned relevant literature, drawings, installation materials regarding the applicable system.

While the words decryption or any such method is not expressly laid down, at the same time the words have been cleverly used in a way that a decryption order can not be ruled out.

RBI guidelines on Internet Banking14

RBI released internet banking guidelines on April 29, 2011. It mandated the use of a minimum of 128 bit encryption on all banking sites and warned against the constantly increasing cryptanalysis capability of computers.

The Certifying Authority Rules15

The most ahead of all encryption laws are the CA Rules. The rules allow and prescribe usage of 2048 bit RSA encryption for digital signatures. I guess, decryption of digital signatures is not much useful, the government would not care so much to impersonate private citizens.

 

The WhatsApp debacle

Earlier WhatsApp was quite hackable as security protocols were absent. Anyone using the same wifi connection could intercept the connection and send and receive messages. Only last April (2016) WhatsApp enabled end to end encryption using a fairly new algorithm called the Signal Protocol. This algorithm only encrypts the content of the message, however identity and time of message is stored as plaintext on WhatsApp servers.

The end to end encryption uses a 256 bit (60 digit) key. Although fairly crackable by all governments, it is safe to say that this level of security is optimum for public usage. The limit of 40 bit encryption is not applicable on WhatsApp as it does not fall under ISPs and is instead classified as over the top (OTT) service, which is not regulated as of now.

On 29th June, 2016 a Gurugram based activist Sudhir Yadav filed a PIL at the Supreme Court alleging national security lapses. A bench of Chief Justice T S Thakur and Justice A M Khanwilkar rejected the PIL, and directed him to approach the government or the TRAI.16

 

Conclusion

Over all the expectation of privacy from public channels is very low. If one has to communicate super sensitive messages it is best to do it through custom made softwares or apps. Hoping that with more and more sensitisation in these topics, situation shall improve.

 

If you liked the article please like and share it with your followers. If you have doubts or questions about any part of this article, please feel free to leave a comment below or ask questions directly to the author here: Ask Questions.


 

What is SBI doing with Blockchain technology? Intro to Bankchain

As per the latest reports, State Bank of India along with ten other commercial banks, is taking the lead in building the country’s first financial blockchain framework. Reportedly, Axis Bank, Central Bank of India, DCB Bank, Deutsche Bank, HDFC Bank, ICICI Bank, IDBI, Kotak Mahindra Bank and Saraswat Bank are the other players in this consortium. This framework built upon the blockchain technology is being developed for SBI by global technology giants IBM, Microsoft and KPMG, among others.1

 

What is blockchain?

Blockchain is a decentralised transactional record management system where exchange of value is independently managed by participants of the network.

The technology behind blockchain relies on the undeniable proof of mathematics. Identity and authority to make transactions on the blockchain medium is ascertained by mathematical functions.

As of now the most popular use case of blockchain is bitcoin. Currently, the publicly available ledger of bitcoin records each bitcoin transaction with little or no cost, and stores them permanently on an immutable chain of records called the blockchain. It provides for a traceable history of all transactions till the very beginning. This offers an ironclad proof of ownership. As there is no single trusted authority to maintain the database it is not susceptible to hacking and accounting errors.

However, blockchain can be used to transact in any goods or services. Like diamond2 and gold instead of bitcoins.

You may read quickly about bitcoin and the underlying technology blockchain in this detailed article: What are bitcoins / cryptocurrency / blockchain – what is so different than fiat money?

 

What is Bankchain?

The blockchain’s new found use case in the clearing and settlement of financial transactions is being taken seriously from the past 18 months. According to the consulting firm Oliver Wyman, clearing and settlement alone costs the global financial industry a whopping USD 50 billion annually.3 The structural inefficiencies and the traditional delay associated with clearing houses make for an industry ripe for disruption.

Initially started out as a secretive consensus-based ledger system exclusively for financial institutions, Bankchain is a project of industry leading bitcoin exchange – ItBit.

Chad Cascarilla, CEO, itBit

itBit was started by CEO Chad Cascarilla in 2012 as an early stage growth fund directed at bitcoin/digital currency-related startups. itBit was possible as Chad was a highly experienced manager and co-founder of the hedge fund Cedar Hill Capital Partners.

ItBit invited almost 100 participants including major banks, brokers and stock exchanges of the USA to its “Bankchain Discovery Summit” at Washington, D.C. on 27th April, 2015. This summit was especially closed to the press.

In later stages ItBit formed a product named Bankchain, a custom technology to meet the specific needs of the financial world. Bankchain then joined hands with Euroclear to create the Euroclear Bankchain4 which was to be specifically used in international gold transaction.

Euroclear group is a consortium of Euroclear banks. It is rated AA+ by Fitch Ratings and AA by Standard & Poor’s. The consortium includes Euroclear Belgium, Euroclear Finland, Euroclear France, Euroclear Nederland, Euroclear Sweden and Euroclear UK & Ireland. The group settled an equivalent of EUR 675 trillion in securities transactions in 2015, representing 191 million domestic and cross-border transactions. By December 2015, the group held EUR 27.5 trillion in assets for clients.

On December 20, 2016 a good number of participants performed 600 mock London bullion trade transactions in a pilot project with Bankchain. It was ascertained that Bankchain helped lower trade risk and simplify post-trade process. The next pilot and live service is scheduled to happen in 2017.

 

The technology behind itBit’s Bankchain

Bankchain is built upon protocols derived from the blockchain technology but not purely the same thing. It is built on some proprietary algorithms developed by itBit to create a permissioned blockchain where members require special permissions to transact.

“It’s a private network. You know who everyone is. You can sign legal agreements among everyone involved that lay out the rules, and create a variety of ways to establish trust among the known participants. This allows you to reach a much speedier consensus not based on work, but on the fact [that] you are in the system.” – Chad Cascarilla

Unlike blockchain which relies on public creation of tokens (bitcoins) through a mix of cryptography and economics, Bankchain is not open to public and can be populated only by verified actors and tokens. Here the incentive is not in mining or maintaining the blockchain for rewards, it is the simple need of cost savings, which faster processing speeds and reduced red tape bring.

Bankchain does not rely on proof of work like the blockchain did. Unlike solving difficult math puzzles Bankchain relies on a variety of ways to establish trust. In a private network where the identities of the parties are established, trust can be easily created by consensus.

Also in place of the original token on blockchain, Euroclear Bankchain tokenizes physical gold. Digitised gold tokens are standardised to an unit of physical gold. These units are redeemable against gold coins amongst each other.

Instead of bitcoins, digital gold tokens are issued and these units can then be traded against. For e.g. instead of 100 BTC I may hold 100 DGT (digital gold tokens). I would be then able to buy 100 Gold coins worth of goods and services from the members of the same network who will honor the agreement. The ingress and egress of the DGTs is also based on a mutually agreed method.

This helps in dynamic reduction of time taken for international settlement of trade. As of now it takes about two working days for Bombay Stock Exchange to settle a transaction, on this technology it would be instantaneous.

However, this altered version of blockchain still uses the most of the original technology to create inviolable and immutable transaction records which take effect instantly! Participants get to control their own data without any central point of failure. Ultimately, the core difference is control, something critical to financial institutions with fiduciary concerns.

 

SBI Bankchain – meaning for India

RBI’s research wing Institute for Development and Research in Banking Technology released a White Paper on Blockchain Technology – IDRBT on 6th January, 2017.

It talks about the technology and the mathematics behind bitcoins and presents use cases of the blockchain technology after explaining various concepts in bitcoin terminology. And finally, in chapter five it concludes with favourably putting the application of blockchain to Indian Banking and Finance.

Fast enough on 26th January, Dy Managing Director and CIO of State Bank of India, Mrutyunjay Mahapatra confirmed that 15 of India’s largest bank is coming together to make an interbank blockchain platform.

This platform would serve heavily in subverting scams like the ones of Harshad Mehta where a few banks issued bogus Bank receipts not backed by any security. An unified credit record can be established which would help in reducing Credit Card fraud. Current mechanisms like NEFT, IMPS cost banks a lot of money spent in interoperability, with Bankchain such problems would be non-existent.

However, Bankchain is only the probable technology they may use, the usage of the word in context to SBI does not mean they have settled upon the use of the proprietary technology owned by itBit. As of now, they have only invited technology companies and other banks to come together and devise ingenious ways to solve the Indian market conditions using blockchain.

 

If you liked the article please like and share it with your followers. If you have doubts or questions about any part of this article, please feel free to leave a comment below or ask questions directly to the author here: Ask Questions.

What are bitcoins / cryptocurrency / blockchain – what is so different than fiat money?

Bitcoins are all set to disrupt financial exchanges globally. In just one year the value of all bitcoins together have risen from USD 6 billion to USD 16 billion.1 At this rate I am sure by 2020 bitcoins will have a global value of at least USD 500 billion. Just like Potato Chips are a subset of Chips in general, bitcoin is a subset of cryptocurrency. There are other variants of cryptocurrency which are equally doing well in global markets. Litecoin, Titcoin, Zetacoin, so on and so forth.

Bitcoins are a form of cryptocurrency, and cryptocurrency is an application of the blockchain technology. In this article we would find out what are bitcoins made up of, what provides for the force behind cryptocurrencies, and what is blockchain.

To understand the working of bitcoins you would need to understand:

In any case I will be providing a brief overview of the concepts when they come up for discussion.

 

Background of blockchain

How do computers work?

To understand how computers work you have to (and I insist) read on how information can be stored digitally.6

If you are too lazy here it is:

Information is stored in the form of text, converted to numbers, say T is 084, and U is 085.7. These numbers are further converted to hexadecimal and then to binary numbers.8 The binary can now be stored directly on a USB Drive which has billions of transistors. Each transistor can hold two bits of information (0 or 1). Together they hold billions of bits. An 8 GB Flash drive has 32 billion transistors which hold 64 billion bits. Eight bits make a byte. 64 billion bits make 8 billion bytes or 8 gigabytes.

 

What is hashing?

To understand what is hashing and how digital fingerprints work you have to (and I insist) read on What is digital fingerprint and hashing? And how is it generated?

Hashing is reduction of information into a fixed set of characters. A huge chunk of binary numbers is taken and converted to a specific set of alphanumeric characters. The thing about hashing is that it can be done only one way. Once a piece of information is hashed it is impossible to retrieve the original data. Also, a hash changes radically with the inclusion or exclusion of even one bit of information.

For e.g.:
Donnie = 6f171d413bee711762beff4276595068 
Donni  = 02d5a92d1fc9b4903bb8ed51bcb6fd3b

Therefore just by comparing the hash of two files one can assert if the files are same or different. Hashing is therefore mainly use to check file integrity and malware infection.

 

What is asymmetric cryptography?

If you have not already then you have to (and I insist) read on asymmetric encryption and cryptography.9

Unlike symmetric cryptography10 (which uses the same key to encrypt and decrypt), asymmetric cryptography (also called public key cryptography) uses two different keys belonging to a pair.

We can encrypt a piece of information with one key and decrypt using the other. It is impossible to generate one without the other as they are mathematically linked. The keys can be found only by using complex maths.

If a piece of information is decrypted by using a decryption key, it would mean that whoever has the encryption key is the sole person to have encrypted it. If one of the keys is lost it is impossible to generate it solely on the basis of the other key.

 

What is a digital signature?

Digital signatures are here to gain advantage over handwritten signatures. Please read on What are digital signatures? Signing and verification – Relevant Indian Laws.

This is what a digital signature looks like: 7t418gpx7ms74j9g6kf0xbvyka4n17qz

This digital signature would be sent along with a document such as a word or PDF document.

This is nothing but the hash of the document asymmetrically encrypted using the encryption key. This can be verified only by decrypting the signature by the linked decryption key. The signature is decrypted and the hash is compared with the hash of the document to find out if it was the same document which was signed.

The presence of a digital signature affirms the integrity of the document and that it was the same document which was signed digitally by the one who encrypted it.

 

—x—

What is blockchain?

In order to record global transactions a list of all global transactional events happening in a fixed period of time are processed into single immutable read-only record files, called blocks. The blocks are added one after one in a linear chronological chain of blocks called a blockchain.

The blockchain is made publicly available for anyone with a computer system to download and analyze. Also anyone can add new transactions to a blockchain just by broadcasting a message. This renders banks and law enforcement agencies redundant. As a result, payments cannot be prevented and accounts cannot be seized.

 

Application

As explained earlier a blockchain is nothing but a chain of transactional events stored in an immutable form. Anything you can imagine as transactional in nature where one party provides and another party accepts can be secured through the application of this technology.

For e.g. Diamond trade in the world is nothing but exchange of diamonds from one party to another. Every new transaction from now on till infinity can be stored on a blockchain. This innovation can do a lot to fully prevent disputes from manifesting in the first place.

As of now, blockchain has already found application in legal contracts (one party transfers goods or services to another), insurance, diamond trade11, etc. Quirky applications can be like organ transplants, vehicle or apartment renting,  etc. so on and so forth. Basically anything.

In the coming paragraphs I would discuss the most important and prevalent application of blockchain with which this technology found place in popular notion. Bitcoins. It was in fact other way round that bitcoins introduced blockchain in an anonymous paper titled: Bitcoin: A Peer-to-Peer Electronic Cash System by Satoshi Nakamoto

Although I would be explaining the working of bitcoins, you may please try and substitute it with anything of interest to you during the course of reading. Maybe real chocolates instead of bitcoins. Read on..

 

Bitcoins (BTC)

Bitcoins are nothing but simple numbers beside public keys (for the easiness of this article we shall substitute public keys with names). The names of the owners and the respective numbers are stored in a ledger format.

Donnie 5.777784
Bimal 70
Narendra 90.06

These numbers can be used just like fiat money to make transactions. After every transaction the balance of a transferor shall decrease and the balance of the transferee shall increase.

For e.g. If Narendra pays Bimal 5.4 BTC. The ledger will reflect the change and become:

Donnie 5.777784
Bimal 75.4
Narendra 84.66

However, in order to be used at par with fiat money BTC has to solve problems which money faces in general. In the coming paragraphs we will analyze each of the problems and find out how BTC uses the blockchain technology to solve them.

 

First problem: everyone should be able to read the ledger

To ascertain who owns how much, it is necessary that a copy of the ledger should be available globally.

This problem is solved by active nodes12 which continuously broadcast a copy of the BTC ledger. The copies of the ledger quickly spread across the internet and every node ultimately hosts a copy of the ledger.

This common storage of the ledger gives it a character of a public database, thereby establishing an irrefutable and indisputable clarity of ownership patterns.

Even if one node is dormant, other nodes on the network which are live would be able to store and continuously broadcast a copy of the ledger. In the most unlikely event of a global catastrophe, failure of internet across nations would only prevent registration of new transactions.

 

Second problem: fraudulent entries should be prevented

It is of prime concern to prevent malicious or fraudulent changes to the ledger. Random entries therefore should be prevented at all costs.

To solve this, the technology behind BTC – blockchain uses a concept called proof of stake. It basically means that only the stakeholders of a transaction should be able to make a transaction.

Therefore, only the transferor is allowed to make an entry (that too) on events of change of ownership of the BTC he holds. The only way to effect change in ownership is to transact.

To transact one has to broadcast a message containing

  • transferor’s name (however, in practice public keys are used)
  • transferee’s name
  • amount of BTC
Bimal -> 7 -> Narendra

Whoever receives the message can now update his own ledger. This updation would require calculation of the transaction w.r.t to the previous state of the ledger. The result would be:

Donnie 5.777784
Bimal 75.4-7 = 68.4
Narendra 84.66+7 = 91.66

 

Third problem: ascertaining authenticity of the message

If making a transaction were that simple then anyone could send transactional messages, or spoof it as if it were coming from a transferor. To avoid this, the message would simply be digitally signed by the transferor, and asymmetrically encrypted with his private key, to prove authenticity.

 

Fourth problem: dubious ownership

What will happen if the person sending the message does not in effect own the BTC? Disputes and eventual crash of the economy.

Solution: All transactional messages ever broadcasted are to be stored forever. The state of ownership pattern is then determined by every node independently. This is done by continuously calculating all the transactions that has taken place since the initial ledger.

Thus, every bit of it is kept accountable and traceable to the epoch of transactions. Every BTC transacted even in fractions and pieces can now be traced to the original BTC at any point of time.

Also, there cannot be negative BTC balances – blockchain does not allow anyone to pay what he does not have. Figuring out one’s own balance requires iterating through every transaction ever made and adding up the unspent inputs.

 

Fifth problem: the issue of double-spending

One may transmit two different messages transferring the same BTC twice to two different people. It would basically mean that the person is transferring something which he does not have by refuting an earlier transaction.

To ascertain immutability of previous transactions, new transactions carry the hash of the previous transaction. Every transaction is thus linked with the previous one and is in turn linked to the epoch of the transactions. This irrefutable link of all transactions is called a transaction chain.

For e.g.
Narendra -> 12.143 -> Bimal #a507a3a558f1e1858945e112a05bcee9 (hash of previous transaction Bimal -> 7 -> Narendra)
Bimal -> 2.0001 -> Amit     #0a931b4a58b7169e8e36ed4f6c2e6089 (hash of previous transaction Narendra -> 12.143 -> Bimal)
Amit -> 1.564 -> Naresh     #82ed03b2e546ebd51845507914deec39 (hash of previous transaction Bimal -> 2.0001 -> Amit)
Naresh -> 3 -> Donnie       #e50ac779f7bc9e6a2e6acf3eace05fc8 (hash of previous transaction Amit -> 1.564 -> Naresh)

Transaction chain:
a507a3a558f1e1858945e112a05bcee9 <-> 0a931b4a58b7169e8e36ed4f6c2e6089 <-> 82ed03b2e546ebd51845507914deec39 <-> e50ac779f7bc9e6a2e6acf3eace05fc8

 

Sixth problem: the issue of global syncing

Many transaction chains may quickly branch out from a single high volume transaction. Transaction chains are created by nodes who deal closely. They are sometimes country specific or industry specific. The different chains encounter different network and threat conditions globally. Computers may crash, hackers may manipulate, and networks may delay reporting of transactions.

To defeat these anomalies all transaction chains globally are queued for hashing. The longest available chain is hashed at the first followed by smaller chains.

One single transaction chain is hashed into a single file called a block. Blocks are permanent indisputable records of transactions. The block is then stored along with the current time and the hash of the previous block in a linear chronological arrangement called a blockchain. Every block is globally broadcasted and everyone updates their copy of the ledger.

 

Seventh problem: issues of data security, ingress and egress of BTC, centralisation of computational power

Generating a block after processing a transaction chain is an easy task and does not require much effort, anyone can generate a block. This creates a security threat from malicious users having huge computational power.

If it were true that only the best computers could manage blockchains then Google and Facebook would have been controlling the global BTC economy. To prevent such centralisation of computational power the blockchain works on a system of a mathematical lottery.

To be able to add a block to the end of a blockchain the publisher needs to solve a mathematical problem every time. This problem involves generating a 256 bit hexadecimal hash with a value lower than the specification set by the blockchain.

When a hash is generated it is mathematically random. Try generating the hash of your name here. Generating a hash within a given specification is very difficult and is akin to a lottery. If the hash generated is larger than the required value, 0s are appended to the beginning of the block to try and get a different hash. This is done with a hope that the random hash value generated would be lower than the specification set.

Lower the specification of the hash set by the blockchain, the more difficult it is to solve. The difficulty level of a blockchain keeps increasing over time as total computation power of the network increases (more and more nodes enter the network).

In practicality, billions of hashes need to be generated in order to get lucky and be able to add a block. As this is a lottery it does not matter what kind of computer you are using. This process of solving a mathematical challenge to add a block to a blockchain is called mining.

To incentivise mining and maintenance of the blocks, every addition to the block is automatically awarded by crediting the miner with new BTC. As a result the entry of new BTCs in global economy is intrinsically related to a real phenomenon of investing energy resources (electricity required to run nodes) in mining. This provides for a predictable, regular and stable growth of BTCs.

 

Cryptocurrency differences with fiat currency

Decentralised:

The management of cryptocurrency is decentralised. There would be no public policy affecting inflation or deflation in the economy. This nature of cryptocurrency also promotes cross border free trade and freedom to transfer and hold without any fees. Law enforcements agencies or governments will have no control over the currency.

Privacy safeguards:

In Bitcoin, only the public key and the amount is mentioned, making it impossible to affix a business or person’s name. At the same time the ledgers are publicly maintained rendering extreme clarity on ownership. One can have multiple bitcoin accounts to receive funds for multiple reasons.

Quality:

Bitcoin meets all the criteria of currency more than extant currencies. It cannot be forged, manipulated, created or destroyed unless as provided in the algorithm.

 

Overall Blockchain provides for the best medium to store and transfer intrinsic value. Instead of printing paper or plastic money if Rupees were to be printed digitally the blockchain medium has to be used.

For a good and long aftertaste of this article please watch this video:

 


 

What are digital signatures? Signing and verification – Relevant Indian Laws

Digital Signatures are considered to be more secure than the traditional ink signatures we all are used to. This is because ink signatures can be copied manually and exact duplicates can also be created through various ways. However, digital signatures can not be extracted, copied, or even stored. This immutability of digital signatures accords them a more secure status than all prevalent modes.

In this article we will see what is a digital signature, how it is generated and verified, and what are the concerning legalities.

 

What constitutes a signature?

Anything which ascertains the identity of an individual is a signature. The prime application of signature is to authenticate and bind parties into an agreement. The signature is also a major component which enables honor of an agreement at a future date. Signatures can link documents to their authors, proving helpful in ascertaining legal liability.

For long the handwritten signatures of an individual were considered to be unique and irreproducible, however, we all know nothing creates more disputes than a dead man’s will.

 

What is a digital signature?

Many of us still think that taking a photo of our handwritten signature and pasting it on a word document will suffice as a digital signature. This is totally wrong. This keeps happening with computer terminologies as almost all of them are loanwords from English.

To understand how digital signatures work we would need to revisit my previous articles on:

  1. What is digital information and how does the computer work? For a lawyer
  2. What is digital fingerprint and hashing? And how is it generated?
  3. Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm

in the given order. These are very short and focused articles which may help you in understanding the technological and mathematical background.

A digital signature verified by a Certificate Authority on a PDF document

Digital signatures are digital codes which are generated and verified using hashing and asymmetric cryptography. It is attached to an electronically transmitted document to ascertain its contents and the sender’s identity. While the document is being transferred a certificate authority can verify the codes and link it with the legal identity of the owner. Just for the idea you need to know what it looks like.

This is what one actually looks like: 7t418gpx7ms74j9g6kf0xbvyka4n17qz

This code will be transmitted along with the document. Once it reaches the recipient, he will use a software which will read it and validate it. On validation by the software the document file will show an image and some text (like the one above, with details of location, day and time).

Digital Signatures are never constant, they keep changing with every document signed. Digital Signatures are therefore meaningless if they are copied or stored for later use. They can prove useful to verify only the document with which they are linked.

 

Generating a Digital Signature

Please go ahead only if you are in terms with asymmetric cryptography.

Once you are done with asymmetric cryptography there is a small but very important difference you need to know. You just need to remember that the public key as given in the RSA algorithm shall be referred to as the encryption key here, and the private key shall be referred to as the decryption key.

 

The Document

The document can be anything it can be a video file, a word or PDF document, or it can be also just a series of numbers.

Every document undergoes a transformation through which it is rendered into a series of alphanumeric characters. This is done to store the data in the computer memory.

 

Signing

Key Generation

The Signing requires asymmetric generation of two cryptographic keys, viz. an encryption key and a decryption key.1 The RSA algorithm can be used to generate both the keys.

Hashing of the document

A digital fingerprint or hash of the document2 being transmitted shall be required.

Encryption

The hash of the document will then be encrypted with the encryption key of the sender3 This encrypted hash of the document is called the digital signature.

Broadcasted or Stored

The digital signature can now be transmitted to the intended recipient or stored for later reference along with the document. The digital signature would also be accompanied by the decryption key while being presented for verification. In this method the private key is actually published and public key is kept safely.

Verification

The validity of the signature can be verified by decrypting the digital signature using the decryption key. The hash of the document revealed from the decryption shall be compared against the hash of the file, if the hashes match it proves a lot of things.

Firstly, only the sender of the document could encrypt it using the encryption key of the key pair. This is simple to understand as anything decryptable with the decryption key needs to be mathematically linked with the encryption key. And the mathematical link gives it an assurance on which governments and banks are ready to bet millions of dollars in insurance.

Food for thought an SSL certificate bought at 175 USD carries an insurance of 1.75 Million USD. 4

Secondly, if the decrypted hash matches with the hash of the received document it would mean that the document has not been tampered with during storage or transmission. It would therefore mean that the clauses in the document have not been changed. This irrefutable form of agreement gives electronic contracts an advantage over traditional forms, called non-repudiation.

 

Digital Certificate Authority (“DCA”)

Digital Signatures are and can be used in secret dealings without any involvement of a third party. However, in order to provide for a legal sanction the encryption and decryption key need to be owned by a person against whom the signature and all legal liabilities may be executed. The necessity of a third party then comes into picture.

The job of a public notary is to verify and attest that a signature on a piece of paper has been made by the same person as is claimed. Similarly, the DCA acts just like a notary attesting the validity of a digital signature.

While the decryption and the encryption keys are pure alphanumeric characters it is very difficult to assign a human name to it unless the signatory himself acknowledges. Thus it was pertinent to maintain a record of all encryption and decryption keys and their respective owners. This record of keys is maintained by an entity called the Digital Certificate Authority. DCAs need heightened security and enjoy government protection in multiple cases.

These DCAs ascertain the validity of a signature and testify ownership of a signature. The institution, management and modalities of a DCA are provided by the law. DCAs issue certificates called Digital Signature Certificate (“DSC”) which is a proof of having a registered pair of encryption and decryption key.

 

Application

Digital Signatures are necessary to sign digital documents. Digital Documents mostly in use and in popular business parlance are different e-filing documents required by the Ministry of Corporate Affairs and other ministries.

Documentation

This is what Digital Signature USB Drives look like

To be able to sign a document with your digital signature you will need to install a software given by the DCA on a USB thumbdrive. This software will merge with your Microsoft Office and Adobe Reader and will enable an option to digitally sign. This thumbdrive contains your pre-generated key pair.5

In your lifetime you will neither want to or get to know your encryption and decryption key, both your keys will remain secret in your USB Thumbdrive. Yet, every time you would plug the USB Thumbdrive in to digitally sign a document, the same key pair will be used to mathematically generate a digital signature specific to that document and append it to the document.

On reception of the same document the signature will require validation of ownership as much as the mathematical computation to find the link between the decryption key and the hash, as discussed earlier. Once the file is opened it would automatically verify the document and show a small representative image of verification (mostly a green tick or the signatory’s manual signature) on any part of the document.

Banking

Financial Transactions can be authorised over the internet using digital signature. Electronic wallets can use digital signature in future to go cashless (BitCoin).

World War III

Digital signatures will be used to authorise nuclear warfare.

 

Legalities

Global

The ESIGN Act of the United States6 and a similar directive in the European Union7 along with other legislations in most developed nations support the validity of digital signatures and regulate them.

India

The IT Act of India quite comprehensively covers the legalities of DSCs and DCAs. Section 5 of the IT Act gives digital signatures their legal character.8 It is therefore that digital signatures are lawful and binding in nature. Section 15, of the Act describes digital signatures by their usage.

Certifying Authority as provided in Section (2(1)(g)). “Means a person who has been granted a licence to issue a Digital Signature Certificate under Section 24 (issuance of certificates by Controller).”

The Ministry of Corporate Affairs launched the MCA-21 programme leading to a large scale increase in usage of digital signatures. It made E-filing mandatory for most of the documents required to be filed under the Companies Act and under the Limited Liability Partnership Act 2008.

Soon after this electronic filing of IT returns was made compulsory by the Income tax department. The Central Excise Act and Finance Act 1994 (dealing with service tax) also provides schemes for E-filing. Similarly, under the Foreign Contribution Regulations Act, application for registration is to made electronically.

Department of Commercial Taxes in Kerala has mandated e-filing of returns using digital signatures under the Kerala Value Added Tax Act 2003. C forms and F forms available on the website of the Department of Commercial Taxes can be filed using digital signatures. Other states are also following suit in amending VAT laws to make E-filing mandatory.

The Partnership Act 1932 provides that registration application for a new firm is to be filed electronically.

The Evidence Act was amended to include “electronic records” in definition of “evidence”.9 The opinion of a DCA as to the electronic signature of any person is a relevant fact10 and the court may also refer to the relevant DCA for forming an opinion.11

Section 67A waives the burden of proof of establishing ownership of a specific digital signature (secure electronic signature).

 


Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm

Encryption as explained earlier1 is simply substitution of letters with numbers and then using complex mathematical functions to alter the pattern of numbers. This article is about understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm.

Encryption has been there from a long time and symmetric key or secret key cryptography had a monopoly over all communications. Symmetric key meant using the same key to encrypt or decrypt a message. You can read this short article to understand basics of encryption in under ten minutes: Encryption and Symmetric Cryptography – How is data secured electronically?

 

Asymmetric Cryptography or Public Key Cryptography

Till the end of World War II humanity was suffering this problem where secure communication between nations could be established only by physically sharing encryption keys and risking adverse situations. It was impossible to hold fully wireless communication. Spies and agents were the sole key exchange mechanism.

Prior to WWII, cryptographic keys had to be transmitted in physical form such as this list of keys for the German Enigma cipher machine.

The concept of modern Asymmetric Cryptography or Public Key Cryptography (“PKC”) was published in a Mathematics paper titled, “New directions in cryptography” by a Stanford University professor Martin Hellman and a graduate student Whitfield Diffie in 1976. 2

They described the mechanism as a two-key cryptosystem in which two parties could engage in a secure communication over a non-secure communications channel without having to physically share a secret key chart.

In this method two different keys are used, one for encrypting the message, another for decrypting the message. The key used to encrypt a message is called a public key, while the one used to decrypt it is called a private key. The values of these keys are mathematically linked. It is impossible to carry out encryption and decryption without this functional link.

Every recipient has to generate this set of two keys. The encryption key or the public key would be made available publicly. And the decryption key or the private key would be privately stored.

Therefore only the intended recipient can decrypt the message. However, the sender may not decide to reveal his identity.

There are multiple asymmetric cryptography algorithms.

We will discuss RSA asymmetric algorithm. The RSA algorithm is the most widely used encryption algorithm in the world.

 

RSA algorithm (Rivest-Shamir-Adleman)

Ron, Adie and Leonard from Left to Right

Soon after the publication of Hellman and Diffie on asymmetric key exchange mechanism, three scientists at the MIT Lab. for Computer Science and Department of Mathematics, Ron Rivest, Adi Shamir and Leonard Adleman published another paper titled:

A Method for Obtaining Digital Signatures and Public-Key Cryptosystems3

The algorithm was made popular by the company of the same name – RSA Security. The company was owned by Ron, Adie and Leonard and it jointly held the US Patent No. US 4405829 A.4

Clifford Cocks, an English mathematician working at the English intelligence agency GCHQ, had developed an equivalent system in 1973, but it was not declassified until 1997.

 

The mathematics behind RSA algorithm

This algorithm uses a set of complex mathematics rules to find out the encryption and decryption key. The required mathematics for this include: prime factorisation, Euler totient function, Euclidean algorithm (for finding GCD) and modulus. The strength of the algorithm relies on the time difficulty required to solve prime factorisation of very large numbers.

 

Time Complexity

While it takes not even a fraction of a second to multiply two large prime numbers, it takes an awfully long time to find the prime factors from the product.

For e.g. if I were asked to find the prime factors of the number 143, it would take me at least 5 seconds to guess that it is divisible by 13 and returns the whole number 11. The time would be required to try dividing the number 143 by every number starting from 1 until 11 is found as a perfect divisor. In comparison it would not take even a split second to calculate 13*11=143.

It gets more difficult to factor higher prime numbers, say, 1431431431 (17123, 83597). Similarly, if the number to be factored is 100 digits long, even the fastest computers would take more than 30 years. And a 200 digit long number would require at least 8 million years for the latest binary computers.5

In comparison multiplication of two 100 digit prime numbers would only take 56 seconds.

This one way difficulty in mathematical calculation is exploited by the RSA Algorithm to create a one-way encryption method. Decrypting the cipher would require guessing the prime factors of a very long number.

 

Formula and Calculation

m^e mod n = c
means, if m^e is divided by n it would leave remainder c
encrypt: m^e mod n = c
decrypt: c^d mod n = m

Where m is the message;
(e,n) is the the encryption key;
c is the cipher;
d is the decryption key;
n is the RSA modulus

The public key used to encrypt a message is the combination (e,n). While the private key used to decrypt the message is (d).

The relation between the numbers e, n and d are very critical to maintain the data integrity. The calculation of e, n, d therefore is more complex. To keep it simple we will take a very small message and small keys.

Step 1. Select two, large, random, prime numbers, p and q. Calculating the RSA modulus n by multiplying p and q.

So for p I pick 11
and for q I pick 5.
Therefore n is 55.

Step 2. Calculate the totient t of the modulus n.

The totient function, also called Euler’s totient function, is defined as the number of positive integers, that do not have any common factor with n other than 1.

Totient is multiplicative. Therefore totient of n is the multiplication of the totient of p and q. Also, the totient of any prime number is the number itself minus one.

So if,
t(n) =t(p)*t(q)
t(n) = (p-1)*(q-1)

totient of n = (11-1)*(5-1) = 40

Step 3. Select number e (relatively prime to and less than t)

One number is relatively prime to another when they do not share any factors except for 1.

So e can be 3, 7, 9, 11, 13, 17, …

I will take e as 7

Step 4. We have to find d which is the Modular Multiplicative Inverse of integer e with respect to modulo t.

In other words, e*d mod t = 1
We have 7*d mod 40 = 1,
we have to solve for d.

In mathematics, the Euclidean algorithm, is a clean way for finding out the GCD of two numbers. I will request you to watch this video on Euclidean algorithm and I would take the liberty of not explaining it. ‘7d mod 40 = 1’ means that if 7d is divided by 40 it would leave remainder 1.

In other words we have to first find the greatest common divisor (GCD) of 40 and 7. And we would be using the Extended Euclidean Algorithm to do that.

The GCD of 40 and 7 is 1. A modular inverse is possible only when the GCD is 1.

And the Modular Multiplicative Inverse of 40 and 7 is 23.6

Finally, d is found to be 23.

 

Encryption and Decryption

We now have the public key e,n (7,55). The private key d (23).  Let’s take ‘*’ the asterisk as the message.

The ‘*’ in ASCII convention is ’42’7

Encryption

encrypt: m^e mod n = c

Let’s encrypt the message ’42’ using RSA Algorithm:
42^7 mod 55 = 488 

We can now publish or broadcast the message 48 publicly, only the person with the private key can decipher it.

Decryption

decrypt: c^d mod n = c

Let’s now decrypt the cipher ’48’:
48^23 mod 55 = 429

 

Broadcast

Once the private and public keys are created by the recipient, the recipient will publish the public key globally. The recipient may now ask the sender to broadcast the encrypted messages. These can be received by anyone but can be decrypted only by the recipient’s private key.

 

Drawbacks

Practical usage

Asymmetric cryptography being a more complex mathematical function than symmetric cryptography causes computation to take more time.

It is therefore hardly ever used to encrypt stored data and mostly used for electronic communication. It proves useful in technologies where verifying and ascertaining identity is required among multiple peers in a common network.

For e.g.: HTTPS protocol for online transactions, BitCoins, Chatrooms, etc.

 

Banking

You might have seen banking websites advertising 128/256 bit encryption transactions.

What do they actually mean? Is it enough? How long would it take a hacker to crack the network?

A 256 bit key can hold a 32 digit long modulus. Which would take around 3 minutes to crack open (factorised to its prime factors).10 A 512 bit key would take about 12 days. While the RSA Security website itself instructs to use a minimum of 1024 bits.

 

Unauthorised decryption by hackers

Anyone who is using the same wifi connection as you do, can listen to the radio signals sent out by your wifi module of your computer. The numerical messages broadcasted by your wifi module can be intercepted.

Based on the public key anyone can find out the private key by factorising the modulus of the public key. The only difficulty is the prime factorisation of the modulus. Smaller modulus of 32 digits as present in 256 bit encryption can be factorised in under 3 minutes. Once the private key is derived from the factors of the modulus, the numerical messages you broadcasted can be read. Someone may also decide to forge your identity.

The need is not to drop the RSA Security standard but to use it with all the available guidelines. Encryptions need to be at the least of 1024 bits.

Our security systems are quite outdated, and regulators are oblivious to the dangers. The more you learn and know about these intricacies the better are my chances of getting better security.

 

Encryption and Symmetric Cryptography – How is data secured electronically?

Computers got popular mostly as a mode of storage and communication. And as the relevance of computers grew in everyday life there arose the need to secure stored data.

Encryption is not the creation or function of the internet or of computers. Encryption has existed since humans invented communication. A text written in Mandarin is analogous to an encrypted English text with the same information. People speaking foreign languages may appear cryptic to us as we are unable to make sense of what they say.

While encryption is the method of securing data, Cryptography is the science of encryption methods.

We will deal with electronic encryption as the scope of this article. We will draw analogies from the real world and keep this article simple enough to understand the fundamentals of cryptography in under ten minutes.

 

Origins of encryption

Encryption has been going for long since the Greeks and Romans invented secret messages by substituting letters with numbers and further decipherable with a secret key.

Scytale

The Greeks used a device called a scytale. It uses a long piece of paper wound like a ribbon around a cylindrical object. The message could be written on it and on unwinding the paper would not make sense.

Scytale unwound

Julius Caesar tried using an encryption technique known as Caesar’s cipher. In this method encryption could be done by shifting each letter of the alphabet to the right or left by a number of positions—. For instance, you’d write “GEEK” as “JHHN”.

During the world wars it became very necessary to have much more difficult encryption standards. The Germans created the Enigma machine to pass encrypted transmissions which the Polish eventually cracked. Consider the fact that the cracking of the Enigma was a key advantage for victory of the allied forces.

 

Encryption

Information in digital world exist as binary numbers.

For e.g. ‘India’ is ‘01001001 01001110 01000100 01001001 01000001’.

For more clarity on how information can exist as ‘only’ numbers please read this short and simple article: What is digital information and how does the computer work? For a lawyer.

Security is thus accorded to online communication by rearranging the binary numbers through highly complex mathematical functions. This process of rearrangement of data is called encryption. The resultant encrypted text is called “ciphertext” or “cipher”.

Cryptography can be done through three different types of algorithms: hashing and symmetric and asymmetric cryptography.

In this article we would explore Symmetric Cryptography or Secret Key Cryptography in depth.

 

Symmetric/Secret Key Cryptography (“SKC”)

Imagine a locker containing lots of confidential files. All the files inside are protected through the application of a lock and key mechanism required to open and close the locker. Thus security to the locker is accorded by the security of the key.

If Bimal wants to send a message safely to Narendra, he would put the message in a bank locker, lock it, go away, deliver the key to Narendra, and ask him to access the locker.

Symmetric cryptography is akin to such bank lockers. In SKC the same key is used to encrypt and decrypt a message. The sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key to decrypt the cipher and recover the plain text. Because a single key is used for both functions, secret key cryptography is also called symmetric encryption.

 

Simple Mathematics behind encryption

In SKC a key is selected randomly, multiplied with the numbers of the secret message, and the product is publicly broadcasted.

For e.g. if I were asked to securely broadcast the message:
‘Bomb Xanadu at 0930’.

I would first change it to ASCII:
’66 111 109 98 32 88 97 110 97 100 117 32 97 116 32 48 57 51 48′

and multiply all the numbers with 777743 (key) to get the ciphertext:
‘51331038 86329473 84773987 76218814 24887776 68441384 75441071 85551730 75441071 77774300 90995931 24887776 75441071 90218188 24887776 37331664 44331351 39664893 37331664’

Therefore, the key would be the prime number 777743. While, your knowledge of the the key can help you divide the values and get the original message out of the encrypted message, lengthier keys accord better protection.

This oversimplified encryption algorithm may be named the Ashok Division Algorithm (“ADA”), published in a journal, and globally used. However, much has already been done on the intricacies of encryption algorithms. There are a lot of much better SC algorithms you can choose from—the popular ones include Twofish, Serpent, AES (Rijndael) (for more information read this article on AES), Blowfish, CAST5, RC4, TDES, and IDEA.

Cellular technologies like GSM 1 and GPRS 2 are also global encryption conventions of mobile telephony.

 

Transfer of encryption key

The transfer of the encryption keys (777743 in the example above) takes effect in physical world, due to which agents and spies are often tasked with exchanging envelopes in a style akin to spy movies.

During WWII, cryptographic keys had to be transmitted in physical form such as this list of keys for the German Enigma cipher machine.

 

Indian Law

Section 84A of the Information Technology (Amendment) Act, 2008 permits the Central Government to prescribe encryption standards and methods to secure electronic communications, and promote e-governance & e-commerce. There is no dedicated law on encryption methods or standards. The sectoral regulations in the banking, finance and telecom industries define minimum standards to be used in transactions.

 

In the next post we head towards Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm where I show you how secure communication can take place without any key exchange. If you have doubts or questions about the technology or the law please feel free to post it here: Questions.

What is digital fingerprint and hashing? And how is it generated?

To start with digital fingerprints or hashing you need to understand what is a fingerprint and what is digital (no kidding).

 

What is a fingerprint?

Normally a fingerprint in biology and biometrics is the unique pattern of whorls and lines on the fingertip of a human being. For a while forget all that.

Just consider a fingerprint as a unique pattern.

A unique pattern so unique that an almost infinite or a very high number of separate patterns can be generated without any correlation. Imagine a world full of numbers, where every item you see, every sound you hear, and every other perceptions, are all numbers. The requirements from a fingerprint then is distinction from each other and similarity of some sort.

For e.g. if you have to compare two human beings, you have to take their fingerprints, which has the same characteristics but totally distinct.

 

What is digital?

In computers, all information is stored as binary numbers. For more clarity on how everything can be stored as 1s and 0s you may read this short article here: What is digital information and how does the computer work? For a lawyer

Binary information is then stored as small packets on the storage device as files. Files are always of variable length. The word ‘India’ will take 5 bytes to store on a hard drive as a text file while the entire Ramayana would take about three and a half million bytes or 3.5 MBs.

 

What is a digital fingerprint?

While electronic file sizes are of variable length, the files are all made up of a similar structure of 0s and 1s.

The required distinction is the pattern in their composition of 0s and 1s, and the required similarity is that they are made up of patterns of 0s and 1s.

Digital Fingerprint is a set of characters and numbers unique to every file. It is of a specific length. It is generated on the basis of the binary data of each file.

The words ‘digital fingerprint’, ‘message digest’, ‘digest’, ‘checksum’ and ‘hash’ are used interchangeably.

Hashing

A mathematical function called hashing is then used to convert this long strings of binary data into a prescribed number of characters, say a specific set of 32, 64 or 128 numbers.

This mathematical function just works one way and it is mathematically and logically impossible to find out the source data by using the digital fingerprint.

For e.g. if I were told to reduce a string of numbers into a digital fingerprint of two characters, I would break the original string of numbers into their individual components and add the components till I reach two digits.

7778889990 = 7+7+7+8+8+8+9+9+9+0 = 72

It would be then impossible to work back the number 72 to 7778889990

Similarly the text:

“Internet developed rapidly leaving little or no scope for its terminologies to develop. Most internet terms and phrases are English loanwords most analogous to the concept being described.”

can be first changed to a string of binary numbers (you can read about it here1) and then a mathematical function can be used to reduce the string to a specific set of numbers.

This reduction of a large file into a fixed set of numbers is called hashing. You can visit this site MD5 Online Generator to generate the MD5 hash of any text.

Properties of a hash

The hash of any file generated therefore:

  • is a one way encryption result
  • is quicker to transfer than their original source files
  • changes extensively even with a small change to the input
  • appears uncorrelated with any other hash value
  • cannot be recreated using different inputs
  • is always the same with the same input

 

What is the use of hashing?

File or Email transfer

The use of hashing is mostly due to internet communication, where one party needs to send a file securely to another party.

For e.g. Bimal wants to download a file from Amazon, and wants to be sure it is the same file and that it has not been infected with any malware while being transferred. He requests Amazon to deliver the MD5 hash of the file in a separate arrangement. After downloading and before using the file, Bimal computes the MD5 hash of the file and compares it with the hash that Amazon provided. If they are the same then it is definite that the file has not been tampered with and that it is safe to use.

Password Verification

Every password verification form you have filled up ever, takes your input password, hashes it and compares it with the hash stored on its database, if the hash matches then the access is granted.

Why hash it? Storing all user passwords in a text file can result in a massive security breach if the password file itself is compromised.

 

If you would like to know more about hashing or digital fingerprints please leave your comments below.

 

What is Phishing or Spoofing? Affixing legal liability through Indian Laws

Internet developed rapidly leaving little or no scope for its terminologies to develop. Most internet terms and phrases are English loanwords most analogous to the concept being described. Phishing as a concept is analogous to fishing where predators wait for unsuspecting victims to fall prey to fraudulent offers.

 

Phishing in English

Phishing requires three independent parties:

  • The victim whose computer system has been compromised
  • The offender who violates all privacy norms and causes disruption with losses
  • The Service Provider whose service to the victim has been affected by the offender

Phishing (as you might have already related it to fishing) is a fraudulent activity where offenders create websites or webpages replicating a popular third-party website.

After the creation of such similar content they wait for an unsuspecting user to mistake the fake website for the real one and enter sensitive data. Probability has it that 5% 1 of the people would fall for it and give their username and password details to the fake site.

Once the sensitive data is extracted from the user the offender would use the same data to login to the real site and make unauthorised requests resulting in either monetary loss or privacy lapse.

For e.g. if I had to login to your Facebook account, I would create a website which would look exactly like Facebook. I would then send the link of the new site to you. Once you receive the link, assuming it to be Facebook, you would be actually submitting your credentials to me. I would then use your username and password to login to your Facebook account.

 

How bad is it?

In 2009, a group of fraudsters (about 100 people, 53 from USA and 47 from Egypt) were sentenced to Twenty years imprisonment. FBI officials nabbed them in the operation named “Phish Phry” after a manhunt of almost two years. The fraudsters were charged of phishing $1.5 million through fake credit card and banking websites.

“This international phishing ring had a significant impact on two banks and caused huge headaches for hundreds, perhaps thousands of bank customers,”
– Acting US Attorney George S. Cardona, in a statement.

India has been a prime target of a plethora of phishing scams. Indian netizens being new and unaccustomed to the internet fall for these scams easily. India lost $53 million to phishing activities in the third quarter of 2013, and have been regularly in the top five countries by volume of scams.2

 

Different methods of phishing:

URL Obfuscation attacks

This is the most generic form of phishing. Where the victim has been taken to a misleading URL. For e.g.: https://gmail.co.pk instead of https://gmail.com

The offending website stands in the middle, accepts information from the user, stores the information and relays it to the original website. Therefore the user never gets to know if he is on the correct URL.

This is most easily done by sending fraudulent emails offering gifts or other incentives if the user clicks on a link. The user is then taken to a website which looks like the trusted entity and is asked to submit their username and password.

Man in the middle attacks

This is an advanced method where the attack is on the victim’s side. The virtual host file is a normal text file which has a list of URLs and their specific IP addresses:

Google.com 216.58.220.206
Facebook.com 31.13.78.35

So when we try to reach google.com, our computer first checks the list of IP Addresses in the virtual hosts file, if not found it looks up the internet to find their IP Addresses and then take us to the IP Addresses.

In this form of attack the virtual hosts file of the victims are targeted. A specialised malware can change the virtual host record of an user’s computer. If somehow this file can be changed by a malware, the computer can be fooled into visiting a different IP Address it never wanted to. These malware are mostly found on torrent sites and other free  download sites, the advertisements are of very low quality as they target unsophisticated users.

Once the change has been made by the malware, it is very difficult to notice the change. Good antivirus and anti malware softwares are recommended to deal with such attacks.

Cross Site Scripting (XSS) attack

As you might have noticed the X stands for Cross. This attack is done on the server’s computer. Specialised queries made to a server can make it reveal sensitive data.

This vulnerability especially is of a time when novice users would program servers and due to the vulnerable programming an advanced user could manipulate the server. However this is very rare and almost non-existent as of now.

 

Legalities

There has been a litany of cases filed by victims of phishing scams mostly against their banks. The grounds are filed under the Sections 43, 43A and 72A of the Information Technology Act, 2008 (amended). Depending on where the phishing activity has taken place, IT Act provides for different liabilities.

Section 43 (Penalty and Compensation for damage to computer, computer system, etc).

Section 43 (a), (b), (c), (h) and (i) talk about different liabilities for the offender.

Section 43 A Compensation for failure to protect data (Inserted vide ITAA 2006)

This whole section was introduced to affix liability on the Service Provider whose services have been compromised due to the attack (for e.g. the bank). A compensation has also been fixed which is not exceeding five crore rupees.

Section 66 Punishment for violation of Section 43

This section provides for punishment which may extend to three years and fine of five lakh rupees.

Section 66A(c)

This can be attracted in case of fraudulent emails. The words ‘to deceive or to mislead the addressee’ would carry the same punishment as in Section 66.

Section 66B, 66C, 66D, 66E

These different sections cover for the entire aspect of Phishing, identity theft, cheating, impersonation, violation of privacy, etc.

Section 72 A Punishment for Disclosure of information in breach of lawful contract

This section provides for punishment of the Service Provider who had an obligation to observe safe practices and network systems in order to prevent such attacks.

and Section 420 of Indian Penal Code

Apart from the IT Act, Cheating under the IPC can also be considered.