Analyzing and providing feedback on GOIs draft policies

The Technology & Economic Forum is a venue to discuss issues pertaining to Technological and Economic developments in India. We request members to kindly stay within the mandate of this forum and keep their exchanges of views, on a civilised level, however vehemently any disagreement may be felt. All feedback regarding forum usage may be sent to the moderators using the Feedback Form or by clicking the Report Post Icon in any objectionable post for proper action. Please note that the views expressed by the Members and Moderators on these discussion boards are that of the individuals only and do not reflect the official policy or view of the Bharat-Rakshak.com Website. Copyright Violation is strictly prohibited and may result in revocation of your posting rights - please read the FAQ for full details. Users must also abide by the Forum Guidelines at all times.
disha
BR Mainsite Crew
Posts: 8263
Joined: 03 Dec 2006 04:17
Location: gaganaviharin

Analyzing and providing feedback on GOIs draft policies

Post by disha »

The current GOI has been very open about its proposals and policies. For example, the GOI solicits ideas and feedback via MyGov.in. It has also been noticed that actionable feedback via MyGov.in has been acted upon.

In a similar effort, the Department of Electronics and Information Technology (DEITY) has put together several proposals on its website at http://deity.gov.in/blog with the intent of soliciting open public opinion.

First of all, this attempt to open up its proposals and solicit public feedback is laudable. Second, it is important and imperative for the public to provide its critical but objective feedback on those proposals.

This thread is to track each proposal of the GoI and critically, but more importantly objectively, analyze the proposal and hopefully draft objective feedback to GOI.

There is no return for the hard work and the toil that the forum members put in to objectively evaluate GOI's proposals, and there is no guarantee that the feedback may even be incorporated, however great it might be. My minimum expectation is that the posts will be less of rancor and more of evaluation of a proposal that befits the professional lives of the forum members.

Further, any criticism of the policies from the media will also be evaluated. That is, the criticisms of the media itself will be under the scanner and the media will also be criticized - particularly if they deviate from an objective analysis. Note that the media journos are journalists first and subject matter experts last. And they tend to move in groups, creating their own echo chambers. So if this thread can bring some sanity to such echo chambers, that will be a good outcome.

The initial proposal that kicked off this thread is the following policy:

DRAFT NATIONAL ENCRYPTION POLICY

My belief is that the media journos should be the last people to criticize the above since they are not subject matter experts, unless the article appearing in the media itself is from a known subject matter expert.

As noted, the above 6-page PDF is a draft policy and its feedback is due by October 16, 2015.

In the next sections I will try to take the policy and deconstruct it.

A background on myself: I am NOT a "known" subject matter expert in Computer Security and Cryptography. However, my background is Computer Security. My master's thesis was on two separate areas - evaluating Generic Security Services API for object oriented languages and researching transcendental numbers for one-way hash functions*. Of course, writing the DES algorithm or creating pseudo-Kerberos systems or implementing elliptic-curve algorithms are par for the course.

The reason I am putting up my background is simple: I believe that, given the background, I am more qualified than an average journalist without any grounding in Comp Sec/IT Sec, or experience dealing with Comp Sec/IT Sec, to comment on the draft security policy linked above.

*Side note: If the second part of the research had gone through to its conclusion, I would have been a "known" subject matter expert.

A request to mods: I understand that this thread increases your case load. However, please let this thread continue. The goal is to provide objective feedback to GOI on its policy.

As the stress is on objective feedback, I hope there is less rancor (or none) and more of "agree to disagree" in case of conflicts. And I do humbly accept that my analysis may be completely off the mark and I may stand corrected by other more esteemed members.
disha
BR Mainsite Crew
Posts: 8263
Joined: 03 Dec 2006 04:17
Location: gaganaviharin

Re: Analyzing and providing feedback on GOIs draft policies

Post by disha »

Analyzing the preamble of the DRAFT NATIONAL ENCRYPTION POLICY

From the PDF linked above:
This policy is not applicable to sensitive departments / agencies of the government designated for performing sensitive and strategic roles. This policy is applicable to all Central and State Government Departments (including sensitive Departments / Agencies while performing non-strategic & non-operational role), all statutory organizations, executive bodies, business and commercial establishments, including public sector undertakings and academic institutions and all citizens (including Personnel of Government / Business performing non-official / personal functions).
The above statement is important since it clearly states where this policy is applicable. In general and in a broad sense, this policy is applicable to "every Indian citizen or entity" not in a sensitive or strategic role. So is this policy effective on, say, ISRO and RAW? No. Is this policy effective on you as a person if you are using WhatsApp? The answer is most likely.

However the above statement is a preamble which establishes a general scope and further sections establish a more specific scope. Hence the purpose of the preamble is to "narrow down the scope". And the scope for this policy is all non-strategic roles and entities.

In Section IV - Strategies, the policy lays down the scope better:
Category of Users: Based on the nature of transactions that require encryption the users in the Policy are classified as:

G Govt. – All Central and State Government Departments (including sensitive departments / agencies while performing non-strategic and non-operational role).

B All statutory organizations, executive bodies, business and commercial establishments, including all Public Sector Undertakings, Academic institutions.

C All citizens (including personnel of Government / Business (G/B) performing non-official / personal functions).

G2G Government to Government users
G2B,G2C,B2G & C2G Government to Business & Government to Citizen users
B2B Business to Business users
B2C & C2B Business to Citizen users
The above clearly stratifies Indian entities into three broad classes. All the entities (like you and me) come under the "C" Class (and not the B Class or the G Class).

Directly jumping to point 5:
B / C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. On demand, the user shall reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B / C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plaintext along with the corresponding Encrypted information shall rest on entity (B or C) located in India
It basically means that you as a business or consumer (under B or C class) may use the security policy. So your personal WhatsApp communication to, say, a business entity like your share trading services can (or may) use the security policies.

[Note: need to stop here; the above para will require some more parsing]
chaanakya
BRF Oldie
Posts: 9513
Joined: 09 Jan 2010 13:30

Re: Analyzing and providing feedback on GOIs draft policies

Post by chaanakya »

Do other countries have similar National Encryption Policies?

Any correlation with FIPS and FISMA of USA?

I believe the US has a very specific information processing code for Govt-related information, and they also insist on compliance certification for any applications with FISMA.

Are they also applicable to private individuals' information?
nandakumar
BRFite
Posts: 1641
Joined: 10 May 2010 13:37

Re: Analyzing and providing feedback on GOIs draft policies

Post by nandakumar »

The draft encryption policy document is no longer available on the Government website. Is there a copy available somewhere? If I understand correctly, the draft policy said that if I, as an individual user of WhatsApp software, post a message in an encrypted form to a closed user group consisting of, say, members of the family and they in turn post messages in the same encryption code so that only those with access to the key will be able to read it, then there is a legal obligation on my part to preserve somewhere both the message in plain text and the encryption for a period of 90 days. The idea being that the Government can look at the message if considerations of law enforcement demanded it and also be able to satisfy itself that the encryption key really generates the text that is identical to the preserved copy in text format. Can someone clarify?
disha
BR Mainsite Crew
Posts: 8263
Joined: 03 Dec 2006 04:17
Location: gaganaviharin

Re: Analyzing and providing feedback on GOIs draft policies

Post by disha »

chaanakya wrote: Do other countries have similar National Encryption Policies?

Any correlation with FIPS and FISMA of USA?

I believe the US has a very specific information processing code for Govt-related information, and they also insist on compliance certification for any applications with FISMA.

Are they also applicable to private individuals' information?
All developed countries have similar policies. FIPS is a standard given a policy. That is, some policy was drafted which was legislated into FISMA, and FIPS is a standard that enables such legislation.

To your second part: even though FISMA is NOT applicable to a private individual's information, a private individual is still affected by FISMA. For example, a hospital that contains patient records.

However, since FISMA is widely studied and known, a business entity or even private individuals can implement certain protocols of FISMA, for example the interchange of data.
disha
BR Mainsite Crew
Posts: 8263
Joined: 03 Dec 2006 04:17
Location: gaganaviharin

Re: Analyzing and providing feedback on GOIs draft policies

Post by disha »

GOI under pressure has withdrawn the draft policy, and it is no longer available on the DeitY website. I saved the raw text and am reproducing it verbatim here:
DRAFT NATIONAL ENCRYPTION POLICY

Under Section 84A of Information Technology Act, 2000 Rules are to be framed to prescribe modes or methods for encryption. In this regard, a draft National Encryption Policy as given under has been formulated by an Expert Group setup by DeitY based on which the Rules would be framed. Comments from the public are invited on the draft Policy. You can send your comments by 16/10/2015 to Shri A. S. A. Krishnan, Scientist ‘G’, Department of Electronics and Information Technology, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi: 110003, Email: akrishnan@deity.gov.in.

Preamble

Cryptography has emerged as a powerful tool that can help to assure the confidentiality, non-repudiability and integrity of information in transit and storage as well as to authenticate the asserted identity of individuals and computer systems. Encryption technology was traditionally deployed most widely to protect the confidentiality of military and diplomatic communication. With the advent of computer and Internet revolution and online applications as well as the recent innovations in the science of encryption, a new market for cryptographic products in E-commerce & E-Governance civilian applications has rapidly developed. Communication and E-commerce applications such as electronic mail and electronic fund transfer, which require secure means of communication, make extensive use of encryption for securing the information and authentication. The recognition of the need to protect privacy and increase the security of the Internet and associated information systems have resulted in the development of policies that favour the spread of encryption worldwide. The Information Technology Act 2000 provides for prescribing modes or methods for encryption (Section 84A) and for decryption (Section 69). Taking into account the need to protect information assets, international trends and concerns of national security, the cryptographic policy for domestic use supports the broad use of cryptography in ways that facilitates individual / businesses privacy, international economic competitiveness in all sectors including Government.

This policy is not applicable to sensitive departments / agencies of the government designated for performing sensitive and strategic roles. This policy is applicable to all Central and State Government Departments (including sensitive Departments / Agencies while performing non-strategic & non-operational role), all statutory organizations, executive bodies, business and commercial establishments, including public sector undertakings and academic institutions and all citizens (including Personnel of Government / Business performing non-official / personal functions).

I. Vision

To enable information security environment and secure transactions in Cyber Space for individuals, businesses, Government including nationally critical information systems and networks.

II. Mission

To provide confidentiality of information in cyber space for individuals, protection of sensitive or proprietary information for individuals & businesses, ensuring continuing reliability and integrity of nationally critical information systems and networks.

III. Objectives

i) To synchronize with the emerging global digital economy / network society and use of Encryption for ensuring the Security / confidentiality of data and to protect privacy in information and communication infrastructure without unduly affecting public safety and National Security.

ii) To encourage wider usage of Digital Signature by all entities including Government for trusted communication, transactions and authentication.

iii) To encourage the adoption of information security best practices by all entities and Stakeholders in the Government, public & private sector and citizens that are consistent with industry practice.

IV. Strategies

1. Category of Users: Based on the nature of transactions that require encryption the users in the Policy are classified as:

G Govt. – All Central and State Government Departments (including sensitive departments / agencies while performing non-strategic and non-operational role).

B All statutory organizations, executive bodies, business and commercial establishments, including all Public Sector Undertakings, Academic institutions.

C All citizens (including personnel of Government / Business (G/B) performing non-official / personal functions).

G2G Government to Government users
G2B,G2C,B2G & C2G Government to Business & Government to Citizen users
B2B Business to Business users
B2C & C2B Business to Citizen users

2. Use of Encryption technology for storage and communication within G group of users with protocols & algorithms for Encryption, key exchange, Digital Signature and hashing will be as specified through notification by the Government from time to time.

3. Use of Encryption technology for communications between G group and B / C groups (i.e. G2B and G2C sectors) with protocols and algorithms for encryption, key exchange, Digital Signature and hashing will be as specified through notification by the Government from time to time.

4. Users / Organizations within B group (i.e. B2B Sector) may use Encryption for storage and communication. Encryption algorithms and key sizes shall be prescribed by the Government through Notifications from time to time. On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organisation/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.

5. B / C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. On demand, the user shall reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B / C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plaintext along with the corresponding Encrypted information shall rest on entity (B or C) located in India.

6. Service Providers located within and outside India, using Encryption technology for providing any type of services in India must enter into an agreement with the Government for providing such services in India. Government will designate an appropriate agency for entering into such an agreement with the Service provider located within and outside India. The users of any group G, B or C taking such services from Service Providers are also responsible to provide plain text when demanded.

7. Users within C group (i.e. C2C Sector) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All citizens (C), including personnel of Government / Business (G/B) performing non-official / personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.

8. Algorithms and key sizes for Encryption as notified under the provisions in this Policy only will be used by all categories of users.

V. Regulatory Framework

1. Registration: All vendors of encryption products shall register their products with the designated agency of the Government. While seeking registration, the vendors shall submit working copies of the encryption software / hardware to the Government along with professional quality documentation, test suites and execution platform environments. The vendors shall work with the designated Government Agencies in security evaluation of their encryption products. Complete confidentiality will be maintained in respect of information shared by the vendors with designated agency. The vendors shall renew their registration as and when their products are upgraded. Mass use products like SSL / TLS are exempted from registration.

2. The Government will notify the list of registered encryption products from time to time, without taking responsibility for security claims made by the vendors.

3. The vendors of encryption products or service providers offering encryption services shall necessarily register their products / services with Government for conducting business in the country.

4. Government may review this policy from time to time and also during times of special situations and concerns.

5. Encryption products may be exported but with prior intimation to the designated agency of Government of India. Users in India are allowed to use only the products registered in India.

6. Government reserves the right to take appropriate action as per Law of the country for any violation of this Policy.

VI. Promotion of Research and Development in Cryptography

1. Research and Development programs will be initiated for the development of indigenous algorithms and manufacture of indigenous products for Encryption, hashing and other cryptographic functions. These will be carried out by Public and Private Sector / Government Agencies and Academia. Continuous intensified R&D activities in the niche areas of technical analysis and evaluation of Encryption products will be strengthened.

2. Testing and evaluation infrastructure for Encryption products will be set up by the Government.

3. Technical Advisory Committee: The technology is advancing at a fast pace. New forms of applications / products are emerging which employ encryption as integral part of the product. Many newer forms of communications with an intent to hide / protect information including social network based communication, peer-to-peer communication etc are already becoming very popular. The encryption deployed in such communication applications / devices uses both fixed and dynamic key algorithms for key exchanges and Encryption. Government agencies constantly identify these new forms of communication. A Technical Advisory Committee will monitor the technology development in the area of Cryptography to make appropriate recommendations on all aspects of Encryption policies and technologies. It will carry out a continual follow-up of the National and International activities in basic and applied research in the science and technology of Encryption.

DRAFT Annexure

Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000

1. Definitions – In these Rules/Policy, unless the context otherwise requires, -

(a) The following definitions Cryptography, Encryption, Hash, Key, Public Key Cryptography/Asymmetric Cryptography, the meaning of aforesaid definitions has already been provided under Information Technology Act 2000, Rules and Regulations made there under.

(b) Symmetric Encryption is a method of encryption where the same key is used for both Encryption and Decryption. The key must be kept secret, and is shared by the message sender and recipient.

2. Symmetric Cryptographic/Encryption products with AES, Triple DES and RC4 encryption algorithms and key sizes up to 256 bits are prescribed by the Government for use for protecting information by stakeholders.

3. Asymmetric Cryptographic/Encryption products as prescribed under Information Technology Act 2000, Rules and Regulations made there under shall be used for Digital Signature purposes by stakeholders.
Comer
BRF Oldie
Posts: 3574
Joined: 11 Aug 2016 06:14

Re: Analyzing and providing feedback on GOIs draft policies

Post by Comer »

I think this was the contentious part:
5. B / C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. On demand, the user shall reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B / C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plaintext along with the corresponding Encrypted information shall rest on entity (B or C) located in India.
Which was clarified in the addendum.
disha
BR Mainsite Crew
Posts: 8263
Joined: 03 Dec 2006 04:17
Location: gaganaviharin

Re: Analyzing and providing feedback on GOIs draft policies

Post by disha »

:-(( Unable to spend time here... will work over the weekend ...
Comer
BRF Oldie
Posts: 3574
Joined: 11 Aug 2016 06:14

Re: Analyzing and providing feedback on GOIs draft policies

Post by Comer »

http://timesofindia.indiatimes.com/tech ... n=toi_tech
A new set of advisory will be issued to all concerned in the departments of electronics and IT (DeitY) and telecom to step out of their silos and ensure sufficient channels of communication between levels, they said. Measures would include ensuring more diligence on matters relating to sensitive issues like national security and privacy, which attract immediate public reactions, especially given the deepening influence of social media. Also, all sensitive matters would need to be vetted at higher levels before being released in public domain, sources said.