This article is written by Magizhini M of The Tamilnadu Dr. Ambedkar Law University, School of Excellence in Law, Chennai, an intern under Legal Vidhiya.
ABSTRACT
Cryptography may appear to be a new field, but it has existed for decades; what is newer is its evolution and widespread use. The researcher aims to categorize the keys used in cryptographic encryption processes and the key differences between them. The analysis finds that under the public key infrastructure a public key is used to encrypt the information or communication and a private key is used to decrypt it, whereas in private-key cryptography the same private key is used to both encrypt and decrypt the information. In both cases, authorization over these keys rests only with specific intended receivers.
The domestic use of cryptography has been restricted in many countries. However, with the advancement of technology, the internet, and personal computers, asymmetric cryptographic systems have become widespread and are now built into software. Legislation gives the government and the police a right over encrypted information; in India, this is granted by Section 69 of the Information Technology Act, 2000. Although thought to be against the civil rights of the people, these restrictive actions are also taken with the aim of protecting people from those who intend to threaten national security. Cryptographic applications thus remain a confusing, double-edged sword, with civil rights on one side and restrictions on those rights on the other. This article deals with public keys, private keys, and public key infrastructures, the legal issues arising from them, and the legislation supporting and restricting them.
KEYWORDS
Cryptography, algorithms, keys, encryption, protection, decryption
INTRODUCTION
The word cryptography is derived from the Greek word ‘Kryptos’, meaning hidden[1]. Crypt means ‘hidden’ and graphy means ‘to write’[2]. The word is used alongside the word cryptology, and a person proficient in the field is known as a cryptologist. In the modern era, cryptography is the technique used to protect information and communication from third parties by putting it in the form of codes that can be opened and read only by the intended readers or receivers. It is a security mechanism for the protection of information, which aims to protect the privacy, integrity, and security of data from adversarial entities who seek to defeat the aim of cryptologists.
In the vocabulary of cryptologists, an adversarial entity is any person who might be considered an enemy or opponent of their activities. Such people engage in activities such as corrupting data, viewing data without authorization, and spoofing the identity of the sender or the receiver so as to pose as the other party and gain an illegitimate advantage over, and entry into, the data. In the computer security literature, such people are known as attackers.
Cryptography is the construction of mechanisms that prevent third parties from reading or gaining access to private information. This is what the users of modern apps demand, and providers ought to supply it for the protection and wider use of their systems and applications. It involves the management of protocols for the very purpose of protecting data. Many applications state in their terms that they maintain and provide end-to-end encryption of communications to protect them from outsiders, so that only the sender and the receiver are authorized to read the messages. The scope of cryptography includes computer science, electrical engineering, information security, e-commerce, system passwords, and the confidential passage of information such as defense and governmental information transmission[3].
Cryptography existed in earlier times as an encryption and decryption process, like a lock and key, where the information sent is converted into nonsense text that can be made readable only through a decryption procedure shared by the sender with the receiver alone[4]. Secret codes are used in place of the original text to keep it from adversaries. Many such techniques were also employed during the World War for the transmission of secret information, along with their decryption by the opposing powers.
Cryptography, once practised in the form of codes, has now been transformed into complex algorithms supported by mathematical theory and advances in computer science. These theories are the pillars on which the algorithms are built. The algorithms are rigorous instructions, understandable only by professionals or by those who are meant to read the information, as they are given the proper instructions and the proper key for the complex algorithms. These algorithms are the barricades against adversaries; when they are constructed computationally, they are hard to break.
A combination of keys makes cryptography work; the keys may be public keys or private keys. Cryptographic technology has also led to many legal issues in recent times, with increasing prohibitions on its usage and application.
OBJECTIVES
- To understand how cryptography works in the era of modern technological innovation and growth.
- To present how the cryptographic infrastructure has led to the current scenario, in which it poses issues at times.
- To understand the public key and the private key infrastructure.
- To understand the legal issues and restrictions imposed on the cryptographic technologies.
CRYPTOGRAPHY
Cryptography originally meant encryption: a method of converting a piece of information into an unreadable form, which is then decrypted to make it readable again. This conversion is controlled by the cipher, which refers to the pair of algorithms. Keys are the strings of characters required for the process of decryption. Keys are the processing units of cryptographic technologies.
Cryptosystems are of two types, symmetric and asymmetric (public-key cryptography). Asymmetric systems use public keys to encrypt and related private keys to decrypt the data[5]. The term cryptography is restricted in use, whereas the term cryptology includes the study of both cryptography and cryptanalysis. The main aim of cryptography is to protect the confidentiality of messages and information from eavesdroppers and adversaries. It has since been extended to many other applications, such as identity authentication, security and integrity checking, and the verification of digital signatures. Traditionally, this was done by rearranging words. Steganography was also invented and is still learned by many in the modern age for various purposes; examples of steganography include the use of microdots, watermarks, etc., to keep information secret.
The application of cryptography was earlier limited, but it now covers many applications and is studied as a branch of engineering. Computers have led to greater development in cryptographic innovations, such as operating on binary bit sequences, which are capable of breaking down complex characters. Cryptography is applied in internet-oriented systems to protect the data of users. Private keys are used in the transmission process to ensure the secrecy of the data communicated. Cryptography has been employed in programs such as WhatsApp and Telegram to provide end-to-end encryption for their users. This type of protection means that the information can be accessed only by the authorized sender and receiver. No third party is able to break through the strong encryption.
This system is also used in programs that protect their users’ data from unauthorized access by means of usernames and passwords. The system opens only when the user inputs the correct password, which is passed through the cryptographic function and matched against the stored value. These are widely used by web browsers to secure the user’s data and restrict unauthorized users from accessing it. Hashes, as part of cryptographic techniques, are used in storing passwords, and these can be accessed only by legitimate users[6]. These techniques were also used to introduce the new financial venture of crypto-economics, a combination of economics and digital technology that is secured by data encryption. Cryptocurrencies also owe their reliability to the application of these techniques.
The objectives of cryptography include:
- Confidentiality, where the data is understood only by the intended authorized users,
- Integrity, where the data cannot be changed or altered in storage,
- Non-repudiation, where the communication of the information cannot later be denied, and
- Authentication, where the identity of the sender and the receiver can be checked and verified[7].
PUBLIC-KEY CRYPTOGRAPHY
Public-key cryptography is also known as asymmetric cryptography, in which a combination of public and private keys is used. These are also referred to as key pairs, as the two keys are used in combination; they are generated by algorithms based on mathematical problems. Key pairs rely on one-way functions, where the input, once processed and protected, is difficult to recover from the output. This mechanism serves the very purpose of cryptographic technology.
Under public-key cryptography, any person can encrypt messages with the use of a public key[8]. However, decryption can be done only by the person who has authorization over the private key. The protection and secrecy of the information depend most of all on the security of the private key. The construction of public-key cryptography depends upon the various models and theories associated with it. This method conceals the message in ciphertext, which can be decrypted only by the person who has the private key. For example, when a digital signature made with the private key accompanies the transmitted messages, the receiver can validate the authenticity of the messages from the signature, while any other person, such as an eavesdropper, would not have adequate knowledge of the protection applied to the messages by way of the signature.
These key pairs ensure the fundamental security of applications and provide reassurance as to the data’s authenticity, reliability, confidentiality, and reputability. Diffie-Hellman key exchange is a famous key distribution system. Authorization over digital signatures is managed by the Digital Signature Algorithm. Asymmetric systems are far slower than symmetric systems.
The applications of public-key cryptography include the maintenance of confidentiality, digital signatures for authentication, digital encashment, password-authenticated keys, time-stamping services, and non-repudiation protocols[9]. The hindrances to the application of public-key cryptography include insufficient protection of the secrecy of the private key, which exposes the data to unauthorized people. The algorithms may also be exposed to attacks, thus spoiling the authenticity of the data.
Examples of public-key cryptography include:
- the RSA algorithm, used on the internet,
- the Elliptic Curve Digital Signature Algorithm, used by Bitcoin,
- DSA, used by the National Institute of Standards and Technology for digital signatures, and
- Diffie-Hellman key exchange, used by key distribution providers.
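The two uses of a key pair described in this section, shown with textbook RSA as an added Python example that is not part of the original article: anyone holding the public key can encrypt or verify, and only the private key can decrypt or sign. The primes, exponent, function names and messages are constructed for illustration, and the scheme omits the padding and key sizes that real RSA requires.

```python
import hashlib

# Constructed demonstration values: two well-known Mersenne primes. A modulus
# built from them is trivially factorable, so this key protects nothing.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent, e * d == 1 (mod phi); Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, plaintext: bytes) -> int:
    """Anyone with the public key can produce a ciphertext."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the private-key holder can recover the plaintext."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest_mod_n(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Only the private-key holder can produce a valid signature."""
    n, d = private_key
    return pow(digest_mod_n(message, n), d, n)


def verify_signature(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check who signed and that nothing changed."""
    n, e = public_key
    return pow(signature, e, n) == digest_mod_n(message, n)


if __name__ == "__main__":
    public, private = generate_keypair()
    ct = encrypt(public, b"meet at 9")            # constructed message
    print("decrypted:", decrypt(private, ct))
    sig = sign(private, b"pay 100 to Bob")        # constructed message
    print("genuine: ", verify_signature(public, b"pay 100 to Bob", sig))
    print("tampered:", verify_signature(public, b"pay 900 to Bob", sig))
```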
PRIVATE-KEY CRYPTOGRAPHY
A private key is used as the link in the process of encryption and decryption. Only the authenticated end user is entitled to authorization over the private key, which gives explicit protection over the usage of data. This authorization is given only to those who are authorized to decrypt the data. The private key is pseudo-random, which makes it unguessable and unpredictable. The secrecy of the keys ensures the operational efficiency and security of the information and communication. These private keys are for the most part stored in software, in the operating system, or in hardware known as a hardware security module, because these systems provide high levels of security and trust.
Private keys are used in both private-key and public-key encryption systems. Private-key encryption is also known as the symmetric system. In this system, the private key is used in both the encryption and the decryption process. The use of private keys ensures a faster transmission process. Private-key cryptography is only utilized when the data is stored and transmitted between two users and is to be encrypted and decrypted. As the same key is used for encryption and decryption, if any unauthorized party gets access to the data, the data is easily exploited. The difference between the systems lies in the way the keys are distributed. A system could use only a public key, only a private key, or a combination of both. Examples of private-key cryptography[10] include:
- Block ciphers, where the data is stored in encrypted form as fixed-size blocks.
- Stream ciphers, which encrypt the data in a continuous form and are used for real-time communication such as video conferencing.
- Hash functions, which generate a fixed-size output that ensures the integrity of the data.
The general functions of private-key cryptography include security of storage, key rotation, authorized control, and key destruction. The advantages of the private key are that it is easier to implement than the public key, that it allows easier authentication of the recipient, and that it protects against tampering during transmission. The private key is symmetrical as only one key exists, and the public key is asymmetrical as there are two. For the private key, performance testing checks the reliability, scalability, and speed of the system[11].
PUBLIC-KEY INFRASTRUCTURES
A public key infrastructure refers to the system of hardware, software, policies, and procedures that are required to create, manage, distribute, use, store, and revoke digital certificates[12]. This infrastructure is important for managing the secrecy of public-key encryption. This well-structured infrastructure is used where the information being communicated is confidential and of the utmost importance, such as internet banking credentials and e-commerce activities. It is applied to activities where regular simple passwords are inadequate.
This infrastructure connects key pairs with their users, which may be people or organizations. It binds the public keys to them, and the binding is established by way of registration, in which they are recognized by certificates. To ensure assurance of the structure, the process, although entirely automated, is carried out under supervision. Public key infrastructures are bound to be certified by the Certification Authority (CA). They act with the aim of providing trust services, which include the goals of confidentiality (ensuring secrecy), integrity (making the data tamper-free), and authenticity (making it legitimate and reliable). The aim serves to protect the public network. The components of the public key infrastructure may include the certification authority, the registration authority, the central directory, the certificate management system, and the certificate policy[13].
The criticism directed at public key infrastructures includes that purchasing these certificates for websites is a costly venture, which would not be viable for every small venture. There has been continuous progress on this issue with the introduction of free certification authorities. Many authorities are now pre-installed in software, and if any key is compromised, the certificates are liable to be revoked.
LEGAL ISSUES
Cryptography became a concern for law enforcement agencies when secret communications were used to initiate criminal activities. Civil rights supporters have a huge interest in cryptographic activities, as these result in the secrecy and privacy of individuals. The introduction of personal computers and similar systems has led to the rise of legal concerns on a larger scale.
The domestic use of cryptography is highly restricted in many countries such as Kazakhstan, Pakistan, Mongolia, Vietnam, Singapore, etc. However, in some countries such as the United States, the domestic use of cryptography is legal. Even so, concerns about national security have forced these countries to impose restrictions on the use of cryptography.
The export of cryptographic materials was restricted as being largely against national security. These restrictions on the export of cryptography were later relaxed due to the innovation of the technology in support of protection against the use of cryptography. In the case of Bernstein v. United States[14], the decision upheld was that printed cryptographic codes and algorithms were protected by the freedom of speech of their constitution. In the case of United States v. Fricosu[15], the question of the production of unencrypted evidence arose before the courts of law, as this would violate the protection against self-incrimination; the court held that, according to the All Writs Act, only unencrypted evidence should be presented before the court of law.
As protection against these issues, many countries have implemented legislation against these cryptographic offenses. In 1996, the Wassenaar Arrangement was signed between countries to prevent the transmission of arms in the context of dual-use technologies such as cryptography. In the United States, there exists the legislation of International Traffic in Arms Regulation, which restricts the export of cryptography. France has legislation named the Law for trust in the digital economy, which has both regulated and liberalized the use of cryptography since 2004.
As far as India is concerned, according to Section 69 of the Information Technology Act, 2000, government officials and policemen are authorized to listen to calls, read messages, and monitor websites without any authorization, and the government can be authorized to compel anyone to decrypt the information[16]. ISP license holders are allowed to hold and use encryption keys. However, they are required to deposit the keys and obtain written permission from the Department of Telecommunications. The Securities Exchange Board of India is allowed to use encryption keys to maintain the reliability and confidentiality of websites. Banks have also been issued guidelines to use encryption keys to protect their websites from tamperers. Certain cryptographic electronics are regulated by the Foreign Trade (Development & Regulation) Act, 1992.
CONCLUSION
Cryptography was created and operated to maintain the secrecy, authenticity, reliability, and confidentiality of the data stored in a database. But it has now come to be used for criminal purposes, posing a threat to national security. Protection of the privacy of the people has turned into protection of the transmission of illicit offender information. Cryptography laws seem to be as insufficient as any other due to the implementation procedures associated with them. There is a lack of awareness among many as to how they are looted. The information in many cases seems to be untouched, even though it has previously been decrypted. The protection given to cryptographic algorithms and codes is a double-edged sword: it is valid and vulnerable at the same time. Only a balance between the two would facilitate the use of cryptography for the right purposes for which it was meant. What the proper balance between the two should be is still a question of law. As the analysis concludes, better interpretation and understanding of cryptographic algorithms would provide a better validated and balanced use of them.
REFERENCES
- Kathleen Richards, TechTarget, https://www.techtarget.com/searchsecurity/definition/cryptography (Mar. 5, 2024).
- Cryptography, Wikipedia, https://en.m.wikipedia.org/wiki/Cryptography (Mar. 5, 2024).
- Adversary, Wikipedia, https://en.m.wikipedia.org/wiki/Adversary_(cryptography) (Mar. 5, 2024).
- Geeksforgeeks, https://www.geeksforgeeks.org/difference-between-private-key-and-public-key/ (Mar. 5, 2024).
- Austin Chamberlain, Applications of Cryptography, https://blogs.ucl.ac.uk/infosec/2017/03/12/applications-of-cryptography/ (Mar. 5, 2024).
- Public Key Infrastructure, Wikipedia, https://en.m.wikipedia.org/wiki/Public_key_infrastructure (Mar. 5, 2024).
[1] Kathleen Richards, TechTarget, https://www.techtarget.com/searchsecurity/definition/cryptography (Mar. 5, 2024).
[2] Id.
[3] Cryptography, Wikipedia, https://en.m.wikipedia.org/wiki/Cryptography (Mar. 5, 2024).
[4] Adversary, Wikipedia, https://en.m.wikipedia.org/wiki/Adversary_(cryptography) (Mar. 5, 2024).
[5] Id. at 3.
[6] Id. at 1.
[7] Id. at 1.
[8] Geeksforgeeks, https://www.geeksforgeeks.org/difference-between-private-key-and-public-key/ (Mar. 5, 2024).
[9] Austin Chamberlain, Applications of Cryptography, https://blogs.ucl.ac.uk/infosec/2017/03/12/applications-of-cryptography/ (Mar. 5, 2024).
[10] Id.
[11] Id. at 1.
[12] Public Key Infrastructure, Wikipedia, https://en.m.wikipedia.org/wiki/Public_key_infrastructure (Mar. 5, 2024).
[13] Id.
[14] 945 F. Supp. 1279.
[15] 841 F. Supp. 2d 1232 (D. Colo. 2012).
[16] Id. at 3.