Cyber Laws: Need for Certifying Authority

‘Hacking’ and ‘cyber theft’ are popular buzzwords on the Internet. Remember, most Internet security measures have to go beyond anti-virus, firewall, anti-spyware and anti-malware programs and encompass many concepts that ordinary Internet users may not even think of. Welcome to the world of digital signatures, public and private keys and, of course, the cyber laws that govern them. Remember, most hackers are professional, smart geeks. They know how to impersonate a legitimate online business entity. Then they hack the visitors’ information. Let’s understand why this is done.

Cyber Laws: How Unlawful Withdrawal or Misuse of Sums of Money Happens Online

Numerous cyber law cases pertain to the unlawful withdrawal of sums of money from online accounts without lawful consent and verification. This continues to happen on the Internet. Here is a simple example to explain the concept.

Suppose Raju wants to transfer money online to his brother’s account from his ABC bank account. He would encrypt his private key with the bank’s public key. Now, the bank can decrypt the transaction with the secret key that it holds. However, Tom, a hacker, may act as an imposter and replace the bank’s public key with his own. So, when Raju encrypts his key with the false key, Tom can extract Raju’s account information and re-encrypt Raju’s key with the bank’s key. Such things happen so quietly that neither Raju nor the bank is likely to detect that the transaction has been intercepted, even if both are online.

For the same reason, it is not practical for companies to send their public key to their clients via courier, telephone or diskettes. This dilemma can be attributed to the tremendous increase in the number of clients that companies have to cater to on a daily basis.

Further, due to the incessant growth of the Internet, online communications are taking place multilaterally as well as bilaterally. As all the parties to the communication do not know each other, it becomes more difficult for companies and online consumers to communicate or conduct transactions. This is where a certifying authority comes into the picture.

Cyber Laws: What is a Certifying Authority and what does it do?

In cyber laws, a Certifying Authority is an entity that is relied upon by both online businesses and their clients for securing communication. The Certifying Authority acts as a third party and issues digital signatures to businesses that are operating online. The authority vouches for the identity of these businesses and assures their clients on the issue of security. So, these clients, in turn, can share their personal information without worries. The information usually includes details such as the name, phone number, address, bank records, and credit/debit card number or medical records.
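The following is an added example, not part of the original article, showing how a Certifying Authority's signature lets Raju's software reject the key that Tom substitutes in the scenario above. It uses toy textbook RSA with small constructed keys in place of real X.509 certificates; the function names `issue` and `verify` are hypothetical.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_key(p, q):
    """Toy RSA key pair from two primes: returns ((n, e), d)."""
    n = p * q
    return (n, E), pow(E, -1, (p - 1) * (q - 1))

def digest(subject, pub, n):
    """SHA-256 of the name-to-key binding, reduced into the signer's modulus."""
    data = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, pub, signer_pub, signer_priv):
    """The signer vouches that 'subject' owns 'pub' by signing the binding."""
    sig = pow(digest(subject, pub, signer_pub[0]), signer_priv, signer_pub[0])
    return {"subject": subject, "pub": pub, "sig": sig}

def verify(cert, expected_subject, ca_pub):
    """Client-side check made before cert['pub'] is used to encrypt anything."""
    if cert["subject"] != expected_subject:
        return False
    n, e = ca_pub
    return pow(cert["sig"], e, n) == digest(cert["subject"], cert["pub"], n)

# Constructed toy keys built from Mersenne primes; far too small for real use.
CA_PUB, CA_PRIV = make_key(2**61 - 1, 2**89 - 1)     # trusted Certifying Authority
BANK_PUB, _ = make_key(2**107 - 1, 2**127 - 1)       # ABC Bank
TOM_PUB, TOM_PRIV = make_key(2**31 - 1, 2**521 - 1)  # the imposter

def run_scenarios():
    genuine = issue("ABC Bank", BANK_PUB, CA_PUB, CA_PRIV)
    # Tom swaps his key into the bank's certificate but cannot re-sign as the CA.
    swapped = dict(genuine, pub=TOM_PUB)
    # Tom vouches for himself with his own key instead of the CA's.
    self_signed = issue("ABC Bank", TOM_PUB, TOM_PUB, TOM_PRIV)
    return {
        "genuine": verify(genuine, "ABC Bank", CA_PUB),
        "swapped_key": verify(swapped, "ABC Bank", CA_PUB),
        "self_signed": verify(self_signed, "ABC Bank", CA_PUB),
    }

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'REJECTED'}")
```

Only the certificate signed with the Certifying Authority's private key passes; the check depends on Raju already holding the authority's genuine public key.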

It is important to note that this information is traded between the parties in an encrypted form. Therefore, any disputes or legal issues pertaining to digital signatures are governed by the Information Technology Act, 2000, which was enacted by the Indian Parliament. In India, the IDRBT CA is an entity that issues certificates to financial institutions and banks for RBI's PKI-enabled applications, including NEFT, PDO-NDS, RTGS and SFMS. This aspect fortifies an online buyer’s confidence to go ahead with online transactions using the secured keys.

Final Legal Take Away Tip: Next time you buy something on the Internet, be wary as someone may be watching your every move. It is important to ensure that the online company you are buying products or services from has proper certification through an authorized certifying authority.