Draft National Encryption Policy
The Department of Electronics and Information Technology (DeitY) released a draft Encryption Policy in PDF. They also released an addendum to the draft to clarify what was exempt from its purview.
Everyone has time till the 16th of October to reply to the draft and share their opinions with DeitY. You can email your comments/feedback/objections etc. to akrishnan@deity.gov.in.
What is encryption and decryption?
Encryption is simply a way to store information, using algorithms, such that only authorised users (those who have the key) can read it.
Plain text, which can be read by anyone just by looking at it, is converted to cipher text using an encryption algorithm. This generated cipher text can become plain text if the key used to encrypt is used to decrypt.
Why should you care?
The draft encryption policy dictates different things for different kinds of users. In this article we will focus on Consumers (C) and Businesses (B). The exchange of data between them can be listed as follows:
Type of Users | Example Application | Encryption Requirement |
---|---|---|
B2B | Sharing a contract | Contract may be digitally signed |
B2C | Online Shopping | Password information, confidential comms |
C2B | Provide Payment information | Credit card number, CVV |
C2C | Sending messages to each other individually or in groups |
Data at Rest and Data in Motion
Data or information needs to be protected when it is stored (rest) and not doing anything, and it also needs to be protected when it is travelling (motion).
How does one protect data?
Data is of use when it is accurate, easily available and doesn't become bad over time. Data that we think is sensitive needs to be hidden from others as well. Depending on the type of sensitivity, we might want to share some things with our friends, colleagues, family, doctor or maybe the government (fingerprints maybe).
So if the data is in your computer/smart phone/server and it is in plain text, there is no way for you to be sure that someone else hasn't had a peek at it. If they did, you would have no way of knowing, as your data is still accurate, available to you and worth something.
The only way we can be absolutely sure that our data is not visible to anyone we don't want to share it with is by encrypting it and storing the key safely. This is similar to storing your cash and valuables in a safe and making sure only you know the combination to open that safe.
Key management is an important, albeit complex, problem to solve. If the cipher text will be decrypted by the same key, then that key needs to be shared in advance in a safe manner with all those who should be able to see the data. If the cipher text can be encrypted with one key of a pair and decrypted with another, then the decryption key can be shared easily.
What does the draft policy say about this?
The draft policy wants to forego commonly known wisdom and knowledge about secure ways of doing this and wants
What does the draft policy say about this
Why is this a problem
What doesn't work
TBD
Things which are unclear
TBD
References and Other links
Authors and Contributors
Akash Mahajan (@makash) founder and community manager of null - The Open Security Community
Support or Contact
You can chat with me on Twitter