How does secure socket layer (SSL/TLS) work? Why do retail websites require https?

To answer what is secure socket layer and how it keeps websites secure it is important to understand the making of the Internet. The internet in turn is an abstract concept meaning the interconnected network of computers across the globe. Computers interact with each other to create services necessary for us.

To start off, you just need to know that there has to be a physical cable between two computers for interaction to happen between them.


A brief history of the internet, cryptography, cryptanalysis and encryption laws of India

The internet

Thanks to the internet you are reading this article right now. How did the internet get to where it is today?
There is so much history we cannot possibly get it together in this short article.

The internet actually got a start about 50 years ago, and computers at that time filled up entire rooms. Scientists and researchers used these to do research work in the field of physics, mathematics, statistics among other subjects.

In 1962, a scientist at the ARPA1 named J C R Licklider proposed the idea of linking computers with physical cables. According to him computers would be able to ‘talk’ to each other.

In 1969, the first message was sent from one computer to another through a cable. One computer was placed at University of California, Los Angeles and another was at Stanford University. The cable was laid by ARPA and was called the ARPANET. The message was simply the word ‘LOGIN’ which was received incompletely as ‘LO’.

By the end of the year 1969, there were only four computers connected on ARPANET. But news of this development spread far and wide to Latin America and Europe leading to development of similar computer networks.

By 1971 the University of Aloha in Hawaii started its own network, followed by networks in London and Norway.

In 1971, Ray Tomlinson was working at the ARPA to create a messaging system where computers connected with each other could send and receive electronic ‘mails’, later shortened to e-mails.

However, Ray’s work would not have been possible without another system created by Vinton Cerf, who was also working at the ARPA in 1980. He invented a way in which computers across the globe, irrespective of their networking structure, would be able to connect and discover each other. This invention of Vinton helped computer users connect via long distance cables, recognise each other and communicate through an intricate system of digital signals. This invention was called Transmission Control Protocol (TCP). It was soon followed by the Internet Protocol (IP) in 1983.2 The rest of the 80s revolved around the IP and e-mail, a standardisation which guaranteed compatibility between networks irrespective of the make or brand of computers.

Telecommunication was well developed by then and telephone lines could carry analog electrical waves over long distances. For computers to be able to exploit the already established telephone lines, data had to be modulated into analog signals and then demodulated after being transferred. However, only 56,000 bits per second could be transferred through this medium. This was referred to as the 56K connection. To use the internet through telephone lines one had to ‘dial up’ the local telephone exchange and request internet access. Once granted, a telephone line could connect two computers through their respective modems (modulator and demodulator).

Computers which are specifically designed for serving information on a network are called servers. Computers accessing information are called clients.

In 1991, British Scientist Tim Berners-Lee who was working at the CERN laboratory submitted a proposal named:  Information Management in March 1989.3 This was the groundwork behind organising text into an easily readable format and a code through which computers could exchange it. He invented what we call the Hypertext Transfer Protocol (HTTP) and coined the term ‘world wide web’. This protocol enabled one to many network connections. This was the first time when the distinction between client and server took place.

Tim also built the first ever prototype of a web browser which ran on a client computer connected through the HTTP to a server. Called the ENQUIRE it could send queries to a server and receive replies.

However, the most important development happened when four Finnish students created the first web browser to be able to download image files, it was named ERWISE (a wordplay on ‘otherwise’).

Soon after in 1993, Mosaic followed ERWISE into the web space. Although Mosaic influenced the public on what a web browser should look like, the current look of web browsers with back, forward, history and address bar was established by Netscape Navigator in 1994.

All of these developments were possible because of corporations like America Online (AOL) and Compuserve. They were popularising and massively advertising the oncoming of the internet. Advertisements of electronic mails, file transfers, instant messaging and online directories made their ways to television. By the fall of 1990 there were 313,000 computers hooked onto the internet.

In those times the monitors on a screen could only show text, therefore a highly skilled operator with expert knowledge was required for researchers to manage their data.

Tim however developed all the three things: HTTP protocol, web server and web browser, away from American influence. He decided to give away his inventions for free to the masses, he did not want regulatory control or stifled growth of this technology.

By 1995, Jeff Bezos started selling books out of his garage. And by 1998, Google had already indexed 25 million internet pages.

As of now the Internet Protocol Version 4 (IPv4) 4 is the most prevalent method of global information dissemination. This protocol requires a specific numerical address called an IP Address to locate a server (analogous to a cellphone number). One server may have multiple IP Addresses.

For e.g. the IP Address which I mostly get to use to access Google is: If you put this IPv4 Address on the address bar of your browser it would take you to the Google website.

Although IPv6 has been out for a long time, the vast majority of telecom operators still use legacy devices which have not yet progressed to this new protocol. You can test if your operator supports IPv6 using Google’s testing tool.

Once we connect with a server using their IP Address, it is up to the server how they treat our connection request. Some may deny access to their files (you will see error code ‘403 Forbidden’), some may lead you to an index of all files stored on them (like this Enrique Iglesias Music Collection), and some may show you a HTML document to easily guide you and help you find relevant information quickly.

For e.g.: This website Alcohol. And this David Prati. These are the simplest kinds of websites where only text is publicly available.


Cryptography and Cryptanalysis

Cryptography and Cryptanalysis are the hallmark of each other. While cryptography is the science of encryption, cryptanalysis is the science of decryption. Since the beginning of communication itself people have tried many ingenious methods to gain privacy over conversations, only to get intercepted and decrypted.

You can find everything about Encryption and Symmetric Cryptography in under ten minutes in this article: Encryption and Symmetric Cryptography – How is data secured electronically?

In the case of the modern day internet, information has to be transferred through physical cables across the world. Telephone companies who were skinny dipping into billions in profits suddenly had access to petabytes of data. All those companies who dealt in cable networks and telecommunications had direct access to the bulk of information which goes through the cables they had laid.

And yes, needless to say, browsing history, search history, emails, instant messages, every bit of data which goes through the cables was accessible to the ones who owned them.

Steve Wozniak invented the blue box, which was capable of dialing and connecting to any telephone globally.

Information could be put to any use. Eavesdropping and blackmailing were the least of them. Politicians could use this data to gain advantage, massive surveillance could take away individual liberty.

The growth of the Internet and electronic commerce have brought to the forefront the issue of privacy in electronic communication. Large volumes of personal and sensitive information are electronically transmitted and stored every day. What guarantees does one have that a message sent to another person is not intercepted and read without their knowledge or consent? Tools to ensure the privacy and confidentiality of paper-based communication have existed for a long time.5 Similar tools exist in the electronic communications arena.

Encryption is the standard method for making a communication private. Anyone wanting to send a private message to another user encrypts (enciphers) the message before transmitting it. Only the intended recipient knows how to correctly decrypt (decipher) the message. Anyone who was “eavesdropping” on the communication would only see the encrypted message. Because they would not know how to decrypt it successfully, the message would make no sense to them. As such, privacy can be ensured in electronic communication.

Privacy and security quickly became a public issue. Soon the telecom industry started using encryption while transferring information in their cables. Although a lesser evil, telecom companies still had continued access to data and would frequently allow the government and other interested parties to snoop into it.

In further developments internet companies like Google, AOL, Amazon etc. started using their own layer of encryption. To their amusement these newly established businesses had access to the information, the burden of which big telecom companies were having to carry.

However, in the race towards information the government also wanted its own share. Back in 1952, President Harry Truman signed the National Security Agency (NSA) into existence in the United States. It was an assembly of the best cryptanalysis experts in the world. Although an American agency, it was tasked to intercept and decrypt information from across the globe.

With the advent of asymmetric cryptography and the RSA algorithm the situation changed a bit. You may read this short article on Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm.

Let’s find out what changed.

While Cryptography is the science of encryption methods, three types of algorithms exist:

  1. Hashing/ Digital Fingerprinting/ Digest/ Message Digest
  2. Symmetric Cryptography or Secret Key Cryptography
  3. Asymmetric Cryptography or Public Key Cryptography

Hashing/ Digital Fingerprinting/ Digest/ Message Digest

Hashing is the generation of a fixed-length string of characters, called a hash or message digest, from another string of arbitrary length. Hashing is a one-way operation which uses no key. This makes it impossible for either the contents or the length of the original string to be recovered from the hash.

E.g.: 7778889990 = 7+7+7+8+8+8+9+9+9+0 = 72
The hash of 7778889990 is 72.
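The digit-sum example above shows the one-way and fixed-size ideas, but it also maps a huge number of different inputs to the same value, which a cryptographic hash is designed to make infeasible to find. The sketch below is an added example, not code from the original article: it counts how many ten-digit strings share the digest 72 and compares the toy digest with SHA-256 from Python's standard `hashlib`. The function names and the two extra sample inputs are constructed for illustration.

```python
import hashlib


def digit_sum_digest(digits: str) -> int:
    """The article's toy digest: add up the decimal digits of the input."""
    return sum(int(ch) for ch in digits)


def count_inputs_with_digest(length: int, digest: int) -> int:
    """Count the digit strings of `length` whose digits add up to `digest`."""
    # ways[s] = number of strings built so far whose digits sum to s
    ways = [1] + [0] * digest
    for _ in range(length):
        nxt = [0] * (digest + 1)
        for s, n in enumerate(ways):
            if n == 0:
                continue
            for d in range(10):
                if s + d <= digest:
                    nxt[s + d] += n
        ways = nxt
    return ways[digest]


def sha256_hex(text: str) -> str:
    """SHA-256 digest of the text, as 64 hexadecimal characters."""
    return hashlib.sha256(text.encode("ascii")).hexdigest()


def compare(a: str, b: str) -> dict:
    """Report whether two inputs collide under each digest."""
    return {
        "toy_collision": digit_sum_digest(a) == digit_sum_digest(b),
        "sha256_collision": sha256_hex(a) == sha256_hex(b),
        "sha256_lengths": (len(sha256_hex(a)), len(sha256_hex(b))),
    }


ORIGINAL = "7778889990"    # the article's input
REARRANGED = "0999888777"  # constructed: same digits, reversed
SHORTER = "99999999"       # constructed: different length, same digit sum

if __name__ == "__main__":
    print("toy digest of original:", digit_sum_digest(ORIGINAL))
    print("ten-digit inputs sharing it:", count_inputs_with_digest(10, 72))
    print("original vs rearranged:", compare(ORIGINAL, REARRANGED))
    print("original vs shorter:", compare(ORIGINAL, SHORTER))
```

The toy digest cannot tell the three inputs apart, so it hides the original but protects nothing; SHA-256 returns 64 hexadecimal characters for each input and the three digests differ.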

You can learn about hashing in this short and succinct article: What is digital fingerprint and hashing? And how is it generated?


Symmetric Cryptography or Secret Key Cryptography

Symmetric Cryptography is where a single key is used to both encrypt and decrypt a message. This is made possible by first converting any text to numbers, and then applying complex mathematical functions.

For e.g. if I were asked to securely broadcast the message:
‘Bomb Xanadu at 0930’.

I would first change it to ASCII:
‘66 111 109 98 32 88 97 110 97 100 117 32 97 116 32 48 57 51 48’

and multiply all the numbers with 777743 (key) to get the ciphertext:
‘51331038 86329473 84773987 76218814 24887776 68441384 75441071 85551730 75441071 77774300 90995931 24887776 75441071 90218188 24887776 37331664 44331351 39664893 37331664’

The key therefore would be the prime number 777743. If you know the key, you can divide the values of the encrypted message by it and get the original message back. The longer the key, the better the protection.

There are many different SC algorithms you can choose from. The popular symmetric algorithms include Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, RC4, TDES, and IDEA, all of which have probably been compromised by the NSA.6

Gain an insight into Encryption and Symmetric Cryptography in under ten minutes from this article: Encryption and Symmetric Cryptography – How is data secured electronically?


Asymmetric Cryptography

This is a two-key crypto system in which two parties could engage in a secure communication over a non-secure communications channel without having to physically share any key.

In this method two different keys are used, one for encrypting the message and another for decrypting the message. The key used to write and encrypt a message is called a public key and it is kept publicly available, while the one used to decrypt and read a message is called a private key and it is kept secret.

Every recipient has to generate this set of two keys. Both the keys are mathematically linked in such a way that messages encrypted with a public key can be decrypted only by the private key.

Rivest-Shamir-Adleman from Left to Right

The invention of the RSA algorithm in 1978 made it possible for people to hold fully online communication without a physical key exchange.7 You can read more on Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm.

There was rapid growth in the usage of the RSA algorithm, and many other asymmetric cryptography algorithms appeared. Research in Motion the company behind Blackberry held another patent on elliptic curves. By August 2013, Blackberry held 130 patents in cryptographic algorithms.8

However, this proved to be more difficult to crack than any other encryption method. The strength of the keys in the RSA algorithm depends on the difficulty of prime factorisation of very large numbers. It is therefore estimated that standard desktop computing power would take 4,294,967,296 x 1.5 million years to break a 2048-bit encryption. Or, in other words, a little over 6.4 quadrillion years.9

Still it would be naive to think that our communications are secure. The first factorization of a 512-bit RSA modulus was reported a decade and a half ago.10 On December 12, 2009 a group of researchers successfully factored a 768 bit, 232 digit semi-prime number.11 And Lenstra warned, “Thus, it would be prudent to phase out usage of 1024-bit RSA within the next three to four years (2013-2014)”.

But even now in 2017, banks use 256 bit RSA algorithm proudly claiming: “OnlineSBI allows you to transact over a completely secure medium, Protected by the most stringent security systems. All your transactions travel via an SSL encrypted medium (minimum of 128-bit to maximum of 256-bit SSL tunnel), the highest level of security (emphasis added) on the internet.”12

This huge lapse in security is due to governments’ desire to harvest information while at the same time struggling to keep up with the global weapons race for data security.


Encryption Laws of India

Why does the government want to control and regulate encryption?

As much as encryption is desirable and instrumental in free communication, it also brings in a plethora of abuse cases.

On December 11, 1994 the Philippines Airlines Flight 434 got severely damaged midair by a bomb. It was going from Cebu to Tokyo on a Boeing 747-283B. The pilot of the flight, with his experience somehow managed to land it.

Later, on January 6, 1995, police responded to an apartment fire in Manila, Philippines. They found a Toshiba laptop along with some chemicals and materials used in bomb making. An open file on the laptop referred to the bombing of Philippines Airlines Flight 434.

Other files on the laptop were encrypted, which created a sense of mind-numbing fear. The Philippines Police, with assistance from the NSA, decrypted some of the files successfully, revealing several bomb making recipes. And all the evidence pointed towards a suspect from the 1993 World Trade Center bombing, Ramzi Yousef.

Yousef’s plan to bomb Flight 434 was properly documented through the evidence collected. He was soon tracked down and put into US custody within six weeks. This event stirred the media globally and immediately legal cryptanalysis gained public confidence.

High levels of encryption make it difficult for law enforcement agencies to collect and analyse electronic evidence, while low levels of encryption are harmful for online activities such as e-commerce. A middle ground is therefore desirable, which leads us to legal regulations on encryption.


Information Technology Act

In India, the Information Technology (Amendment) Act, 2008 provides for encryption under Section 84A, which is as follows:

84A. The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption.

This section permits the Central Government to prescribe encryption standards and methods to secure electronic communications, and promote e-governance & e-commerce. There is no dedicated law on encryption methods or standards. The sectoral regulations in the banking, finance and telecom industries define minimum standards to be used in transactions.

The Government has also been granted the power to gain access to means of decryption or simply, decrypted information under Section 69(1) of the IT Act. It says

69(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.

and the entire literature of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 provides for the legal mechanism in which the government may deem itself responsible to legally cryptanalyse the contents of any message.


Draft National Encryption Policy

On 21 September 2015 a draft National Policy on Encryption under S. 84A was published and the general public was invited for comments. The Central Government sought to specify and notify the encryption protocols and technologies that can be used by industries and general populace.

However, it was withdrawn two days later as there were reactions across the industry indicating that Indians do not want government regulations dictating encryption standards.

A large amount of criticism from businesses, the IT sector, users and civil society advocacy groups was levelled against the policy:

  • The policy called for storage of plain text copies of encrypted communications for 90 days by users and businesses.
  • Registration for foreign service providers like WhatsApp, Facebook or Google before they establish services to the Indian population.
  • Heightened security concerns associated with storage of plain text copies for 90 days.
  • The key length, methods and algorithms to be used in encryption were to be prescribed and restriction on the maximum standard of encryption were also to be maintained. The policy did not leave any room for discretion of a user to use higher or different security standards.
  • Foreign service providers like WhatsApp, Facebook or Google were directed to store plain text copies of communications and release when sought by a law enforcement agency.

Other sectoral laws

Department of Telecommunication (DoT) License with Internet Service Providers (ISPs)13

Clause 2.2 (vii) of the ISP License:

The Licensee shall ensure that Bulk Encryption is not deployed by ISPs. Further, Individuals/ Groups/ Organizations are permitted to use encryption up to 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms without obtaining permission from the Licensor. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall obtain prior written permission of the Licensor and deposit the decryption key, split into two parts, with the Licensor.

This permits the use of up to 40 bit encryption key in the symmetric algorithms or its equivalent in others. This restriction is applicable not only on ISPs but also all individuals, groups and organisations that use encryption. Prior permission from the DoT is to be taken and the decryption key must be deposited with the DoT if encryption above 40 bit is to be used.

Clauses 22 and 23 of the same ISP License state:

22.1 The Licensee shall provide on demand the details of the technology proposed to be deployed for operation of the service.

23.1 The LICENSEE shall furnish to the Licensor or its authorized representative(s), in such manner and at such times as may be required, complete technical details with all calculations for engineering, planning and dimensioning of the system/network, concerned relevant literature, drawings, installation materials regarding the applicable system.

While decryption or any such method is not expressly mentioned, the clauses have been cleverly worded in a way that a decryption order cannot be ruled out.

RBI guidelines on Internet Banking14

RBI released internet banking guidelines on April 29, 2011. It mandated the use of a minimum of 128 bit encryption on all banking sites and warned against the constantly increasing cryptanalysis capability of computers.

The Certifying Authority Rules15

The most advanced of all encryption laws are the CA Rules. The rules allow and prescribe usage of 2048 bit RSA encryption for digital signatures. I guess decryption of digital signatures is not very useful; the government would not care so much to impersonate private citizens.


The WhatsApp debacle

Earlier WhatsApp was quite hackable as security protocols were absent. Anyone using the same wifi connection could intercept the connection and send and receive messages. Only last April (2016) WhatsApp enabled end to end encryption using a fairly new algorithm called the Signal Protocol. This algorithm only encrypts the content of the message; the identity and time of the message are stored as plaintext on WhatsApp servers.

The end to end encryption uses a 256 bit (60 digit) key. Although fairly crackable by all governments, it is safe to say that this level of security is optimum for public usage. The limit of 40 bit encryption is not applicable on WhatsApp as it does not fall under ISPs and is instead classified as over the top (OTT) service, which is not regulated as of now.

On 29th June, 2016 a Gurugram based activist Sudhir Yadav filed a PIL at the Supreme Court alleging national security lapses. A bench of Chief Justice T S Thakur and Justice A M Khanwilkar rejected the PIL, and directed him to approach the government or the TRAI.16



Overall, the expectation of privacy from public channels is very low. If one has to communicate super sensitive messages, it is best to do it through custom-made software or apps. Hopefully, with more and more sensitisation on these topics, the situation will improve.


Encryption and Symmetric Cryptography – How is data secured electronically?

Computers got popular mostly as a mode of storage and communication. And as the relevance of computers grew in everyday life there arose the need to secure stored data.

Encryption is not the creation or function of the internet or of computers. Encryption has existed since humans invented communication. A text written in Mandarin is analogous to an encrypted English text with the same information. People speaking foreign languages may appear cryptic to us as we are unable to make sense of what they say.

While encryption is the method of securing data, Cryptography is the science of encryption methods.

We will deal with electronic encryption as the scope of this article. We will draw analogies from the real world and keep this article simple enough to understand the fundamentals of cryptography in under ten minutes.


Origins of encryption

Encryption has been in use ever since the Greeks and Romans invented secret messages by substituting letters with numbers, decipherable only with a secret key.


The Greeks used a device called a scytale. It uses a long piece of paper wound like a ribbon around a cylindrical object. The message could be written on it and on unwinding the paper would not make sense.

Scytale unwound

Julius Caesar used an encryption technique known as Caesar’s cipher. In this method encryption is done by shifting each letter of the alphabet to the right or left by a number of positions. For instance, you’d write “GEEK” as “JHHN”.

During the world wars it became very necessary to have much more difficult encryption standards. The Germans created the Enigma machine to pass encrypted transmissions which the Polish eventually cracked. Consider the fact that the cracking of the Enigma was a key advantage for victory of the allied forces.



Information in the digital world exists as binary numbers.

For e.g. ‘INDIA’ is ‘01001001 01001110 01000100 01001001 01000001’.

For more clarity on how information can exist as ‘only’ numbers please read this short and simple article: What is digital information and how does the computer work? For a lawyer.

Security is thus accorded to online communication by rearranging the binary numbers through highly complex mathematical functions. This process of rearrangement of data is called encryption. The resultant encrypted text is called “ciphertext” or “cipher”.

Cryptography can be done through three different types of algorithms: hashing, symmetric cryptography and asymmetric cryptography.

In this article we would explore Symmetric Cryptography or Secret Key Cryptography in depth.


Symmetric/Secret Key Cryptography (“SKC”)

Imagine a locker containing lots of confidential files. All the files inside are protected through the application of a lock and key mechanism required to open and close the locker. Thus security to the locker is accorded by the security of the key.

If Bimal wants to send a message safely to Narendra, he would put the message in a bank locker, lock it, go away, deliver the key to Narendra, and ask him to access the locker.

Symmetric cryptography is akin to such bank lockers. In SKC the same key is used to encrypt and decrypt a message. The sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key to decrypt the cipher and recover the plain text. Because a single key is used for both functions, secret key cryptography is also called symmetric encryption.


Simple Mathematics behind encryption

In SKC a key is selected randomly, multiplied with the numbers of the secret message, and the product is publicly broadcasted.

For e.g. if I were asked to securely broadcast the message:
‘Bomb Xanadu at 0930’.

I would first change it to ASCII:
‘66 111 109 98 32 88 97 110 97 100 117 32 97 116 32 48 57 51 48’

and multiply all the numbers with 777743 (key) to get the ciphertext:
‘51331038 86329473 84773987 76218814 24887776 68441384 75441071 85551730 75441071 77774300 90995931 24887776 75441071 90218188 24887776 37331664 44331351 39664893 37331664’

Therefore, the key would be the prime number 777743. While your knowledge of the key lets you divide the values and get the original message out of the encrypted message, lengthier keys accord better protection.

This oversimplified encryption algorithm may be named the Ashok Division Algorithm (“ADA”), published in a journal, and globally used. However, much has already been done on the intricacies of encryption algorithms. There are a lot of much better SC algorithms you can choose from—the popular ones include Twofish, Serpent, AES (Rijndael) (for more information read this article on AES), Blowfish, CAST5, RC4, TDES, and IDEA.
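The multiply-by-key scheme worked through above, and in the earlier history article on this page, is useful for seeing why it is only a teaching device and why vetted ciphers such as AES are used instead. The sketch below is an added example, not code from the original article: it reproduces the article's ciphertext, then shows that equal characters always encrypt to equal values and that the greatest common divisor of the ciphertext values gives the key away. The function names are hypothetical, and the last step assumes the character codes of the message share no common divisor, which holds for the article's message.

```python
from collections import Counter
from functools import reduce
from math import gcd

KEY = 777743                     # key used in the article
MESSAGE = "Bomb Xanadu at 0930"  # the article's sample plaintext
PAGE_CIPHERTEXT = [              # ciphertext exactly as printed in the article
    51331038, 86329473, 84773987, 76218814, 24887776, 68441384, 75441071,
    85551730, 75441071, 77774300, 90995931, 24887776, 75441071, 90218188,
    24887776, 37331664, 44331351, 39664893, 37331664,
]


def encrypt(message: str, key: int) -> list[int]:
    """Multiply each character code by the key, as the article does."""
    return [ord(ch) * key for ch in message]


def decrypt(ciphertext: list[int], key: int) -> str:
    """Divide each value by the key; reject values the key does not divide."""
    chars = []
    for value in ciphertext:
        code, remainder = divmod(value, key)
        if remainder:
            raise ValueError(f"{value} is not a multiple of {key}")
        chars.append(chr(code))
    return "".join(chars)


def repeated_values(ciphertext: list[int]) -> dict[int, int]:
    """Weakness 1: equal characters give equal ciphertext values."""
    return {v: n for v, n in Counter(ciphertext).items() if n > 1}


def shared_factor(ciphertext: list[int]) -> int:
    """Weakness 2: every value is a multiple of the key, so the GCD of all
    values is the key times the GCD of the character codes."""
    return reduce(gcd, ciphertext)


def read_without_key(ciphertext: list[int]) -> str:
    """Read the message using only the ciphertext that was broadcast."""
    text = decrypt(ciphertext, shared_factor(ciphertext))
    if not all(32 <= ord(ch) < 127 for ch in text):
        raise ValueError("shared factor did not yield printable ASCII")
    return text


if __name__ == "__main__":
    assert encrypt(MESSAGE, KEY) == PAGE_CIPHERTEXT
    print("repeated ciphertext values:", repeated_values(PAGE_CIPHERTEXT))
    print("GCD of the ciphertext:", shared_factor(PAGE_CIPHERTEXT))
    print("recovered without the key:", read_without_key(PAGE_CIPHERTEXT))
```

Because multiplication hides neither repetition nor the common factor, a longer key would not help this scheme; modern ciphers mix the key into the data so that the ciphertext reveals no such structure.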

Cellular technologies like GSM 1 and GPRS 2 are also global encryption conventions of mobile telephony.


Transfer of encryption key

The transfer of the encryption key (777743 in the example above) takes place in the physical world, which is why agents and spies are often tasked with exchanging envelopes in a style akin to spy movies.

During WWII, cryptographic keys had to be transmitted in physical form such as this list of keys for the German Enigma cipher machine.


Indian Law

Section 84A of the Information Technology (Amendment) Act, 2008 permits the Central Government to prescribe encryption standards and methods to secure electronic communications, and promote e-governance & e-commerce. There is no dedicated law on encryption methods or standards. The sectoral regulations in the banking, finance and telecom industries define minimum standards to be used in transactions.


In the next post we head towards Understanding Asymmetric Cryptography, Public Key, Private Key and the RSA Algorithm where I show you how secure communication can take place without any key exchange.