My TechnoBlogs

For those who can create wonders with Technology……

Archive for the ‘Cyber Crime’ Category

FAQs of Controller of Certificate Authority

Posted by Ravi shankar on March 3, 2009


How do I get a Digital Signature Certificate?
The Office of the Controller of Certifying Authorities (CCA) issues certificates only to Certifying Authorities. CAs issue Digital Signature Certificates to end-users. You can approach any one of the seven CAs for getting a Digital Signature Certificate. The website addresses are given below.

Who are the CAs licensed by the CCA?
a. Safescrypt
b. NIC
d. TCS
e. MtnlTrustline
f. iCertCA
g. e-MudhraCA

What is the function of the Root certificate?
The RCAI Root certificate is the highest level of certification in India. It is used to sign the public keys of the Licensed CAs in India. The RCAI root certificate is a self-signed certificate.

Where do I get the CCA's Root Certificate?
The CCA's Root certificate can be downloaded from the CCA's web site.

Is the Root Certificate free?
Yes, it can be downloaded from the CCA website.

What are the different classes of Digital Signature Certificates?
In addition to the four classes of certificates given below, the Certifying Authority may issue more classes of Public Key Certificates, but these must be explicitly defined, including the purpose for which each class is used and the verification methods underlying the issuance of the certificate. The suggested four classes are the following:
Class 0 Certificate: This certificate shall be issued only for demonstration/ test purposes.
Class 1 Certificate: Class 1 certificates shall be issued to individuals/private subscribers. These certificates will confirm that the user's name (or alias) and E-mail address form an unambiguous subject within the Certifying Authority's database.
Class 2 Certificate: These certificates will be issued for use by both business personnel and private individuals. These certificates will confirm that the information in the application provided by the subscriber does not conflict with the information in well-recognized consumer databases.
Class 3 Certificate: This certificate will be issued to individuals as well as organizations. As these are high assurance certificates, primarily intended for e-commerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authorities.

Does a person require multiple Digital Signature Certificates for different places or organizations?
It is not mandatory. However, certificates could be issued for different purposes to the same individual, e.g. by the bank where the individual has an account, by the government to the individual as a citizen, etc.

How does cross-border inter-operability work in relation to digital signatures?
Clearly, all certificates, not to mention technology applications, cannot and would not be issued by a single CA. Multiple CAs do and must exist. Interoperability between CAs, national and cross-border, has been addressed as Cross Certification. As per the Information Technology (Certifying Authority) Rules, 2000:
The licensed CA shall have arrangement for cross certification with other licensed CAs within India, which shall be submitted to the Controller before the commencement of their operations as per rule 20. Disputes arising as a result of such arrangements shall be submitted to CCA, India for arbitration or resolution.
The arrangement for cross certification by the licensed CA with a foreign CA along with the application shall be submitted to CCA, India. The licensed CA shall not commence cross certification operations unless it has obtained the written or digital signature approval from CCA, India.

How often is auditing done (auditing cycle period)? Is it a continuous process?
Yes, auditing is a continuous process. According to the Rules under the IT Act 2000:
a. The CA shall get its operations audited annually by an auditor, and such audit shall include security policy and planning, physical security, technology evaluation, CA's services administration, compliance to CPS, contracts/agreements, regulations prescribed by CCA, and policy requirements of the CA Rules, 2000.
b. The CA shall conduct a half-yearly internal audit of security policy, physical security and planning of its operation.

What types of measures are executed by the CCA for licensing a CA?
Detailed information (financial, technical and procedural) is obtained from the CA as part of the application for a license. These are examined and audited. Additionally, the following are done:
– Supervision of activities of CAs.
– Auditing of CPS.
– Auditing of hardware/software.
– Certifying the public key of the CA.
– Laying down standards to be maintained by CAs to ensure continued compliance with the requirements of the IT Act 2000.

What is CPS?
CPS (Certification Practice Statement): A statement of the practices which a certification authority employs in issuing and managing certificates. A CPS may take the form of a declaration by the CA of the details of its trustworthy system and the practices it employs in its operations and in support of issuance of a certificate. The general CPS framework is given in the guidelines.

Does the CPS differ from one CA to another?

What is the legal sanctity of a certificate issued by an outside CA (CA of a foreign country)?
The sanctity of such a certificate will be as per the agreement between the outside CA and a licensed CA in India. Such an agreement has to be approved by the CCA.

Can a CA have a sub-CA? Or can there be a concept of root CA, CA and sub-CA?
No. As per the IT Act, 2000 there is no provision for a sub-CA. All CAs must be granted a license by CCA, India. In case of any dispute, the CA licensed by the CCA will be answerable.

If a person is transferred from one post to another (say in a govt. department), will the digital signature also change (yes/no)? Please explain.
Yes. On moving from one department to another, if the procedures in place so demand, the existing certificate will be revoked and a new one issued. In any case, the digital signature generated is different each time, even if the same key has been used.

In what format should the public key be given to the CA for certification?
In PKCS #10 format.
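The hierarchy these answers describe (a self-signed root certifying the public keys of licensed CAs, which in turn certify subscribers, with the key handed over as a PKCS #10 request), as an added example that is not part of the original page or of any CA's software. It uses only Go's standard library; all names are constructed, and the `must` helper is an assumption for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error: in this constructed demo every failure is a setup bug, not a verdict.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// tmpl is a minimal certificate template; keyCertSign in usage marks it as a CA certificate.
func tmpl(cn string, serial int64, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage}
}
// issue signs template t over pub with the parent's key; parent == t yields a self-signed cert.
func issue(t, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, key))))
}
// BuildAndVerifyChain mirrors the FAQ's hierarchy: the self-signed root certifies the licensed CA's
// public key (sent as a PKCS#10 request), the CA certifies a subscriber, and a relying party verifies it.
func BuildAndVerifyChain() error {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootT := tmpl("Constructed Root CA", 1, x509.KeyUsageCertSign)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "Constructed Licensed CA"}}, caKey))))
	if err := csr.CheckSignature(); err != nil {
		return err // PKCS#10 self-signature = proof of possession; never certify a key without it
	}
	ca := issue(tmpl(csr.Subject.CommonName, 2, x509.KeyUsageCertSign), root, csr.PublicKey, rootKey)
	user := issue(tmpl("Constructed Subscriber", 3, x509.KeyUsageDigitalSignature), ca, &userKey.PublicKey, caKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	_, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err // nil means subscriber -> licensed CA -> root verified
}
```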

In the paper world, the date and the place where the paper has been signed are recorded, and court proceedings are followed on that basis. What mechanism is followed for dispute settlement in the case of digital signatures?
Under the IT Act, 2000, digital signatures are at par with handwritten signatures. Therefore, similar court proceedings will be followed.

What is the extent of liability of a CA in case of anti-national activities performed by a subscriber using a digital signature and secure encrypted communication?
The CA has no liability, since the CA is only facilitating end-to-end secure communication using digital signatures.

Can a person have two digital signatures, say one for official use and the other for personal use?

One can sign a paper without the knowledge of the signer. Is it possible with digital signatures also?
It depends upon how the subscriber has kept his private key. If the private key is not stored securely, then it can be misused without the knowledge of the owner of the private key.

Is there a "Specimen Digital Signature" like a paper signature?
No. The digital signature changes with the content of the message.
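Added example, not from the original page: the point that there is no fixed specimen, together with the earlier answer that the signature generated differs each time even with the same key, shown with Go's standard-library ECDSA (a randomized scheme). The key and the document text are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// SignatureReport is what a relying party observes when one key signs the same constructed
// document twice and the document is then altered by a single byte.
type SignatureReport struct {
	FirstVerifies, SecondVerifies bool // both signatures over the original document verify
	SignaturesIdentical           bool // false: nothing here can serve as a fixed "specimen"
	AlteredVerifies               bool // false: the first signature no longer matches the altered text
}

// DemoNoSpecimen generates a throwaway ECDSA P-256 key (nothing from a real CA), signs a
// constructed document twice, then checks each signature against the original and altered text.
func DemoNoSpecimen() (SignatureReport, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return SignatureReport{}, err
	}
	doc := []byte("Transfer Rs. 1000 to account 12345") // constructed sample content
	digest := sha256.Sum256(doc)
	sig1, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return SignatureReport{}, err
	}
	sig2, err := ecdsa.SignASN1(rand.Reader, key, digest[:]) // same key, same digest, fresh nonce
	if err != nil {
		return SignatureReport{}, err
	}
	altered := append([]byte(nil), doc...)
	altered[len(altered)-1] = '6' // account 12345 becomes 12346
	alteredDigest := sha256.Sum256(altered)
	pub := &key.PublicKey
	return SignatureReport{
		FirstVerifies:       ecdsa.VerifyASN1(pub, digest[:], sig1),
		SecondVerifies:      ecdsa.VerifyASN1(pub, digest[:], sig2),
		SignaturesIdentical: bytes.Equal(sig1, sig2),
		AlteredVerifies:     ecdsa.VerifyASN1(pub, alteredDigest[:], sig1),
	}, nil
}
```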

Can digital signatures be employed in wireless networks?

Does one require multiple certificates for different banks?
Ideally, not within the same class.

What is the difference between an RA (Registration Authority) and a CA (Certifying Authority)?
The RA interacts with the subscribers for providing CA services. The RA is subsumed in the CA, which takes total responsibility for all actions of the RA.

If somebody uses another's computer instead of his own, is there any possibility of a threat to the security of the owner's/user's digital signature?
No, there is no threat to the security of the owner's/user's digital signature if the private key lies on the smartcard/crypto token and does not leave the smartcard/crypto token.

Does the CCA enforce a Disaster Recovery Centre for CAs?
Yes, it is a mandatory requirement under the IT Act 2000.

If a CA goes out of business and the subscriber is told to move to another CA, then the subscriber has to get a new digital certificate. What happens to his/her earlier transactions? Does this not create a legal and financial problem?
Prior to cessation of operations, the CA has to follow the procedures laid down under the IT Act. Such problems should therefore not exist.

When you cancel an earlier communication, you can get it back. How does this work in the e-environment?
A new message saying that the current message supersedes the earlier one can be sent to the recipient(s). This assumes that all messages are time stamped.

Posted in Cyber Crime, Cyber Law, Digital Certificate

Evolution of Cyber Crime

Posted by Ravi shankar on March 2, 2009

Cyber crime can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and mischief, as well as new-age crimes such as hacking, web defacement, cyber stalking, web jacking, etc.

Cyber crime is an unlawful act wherein the computer is either a tool or a target or both.

The computer includes laptops, desktops, PDAs, cell phones, watches, cars and a host of gadgets.

The prominent types of cyber crime are:

Financial Crimes, Cyber Pornography, Sale of Illegal Articles, Online Gambling, Intellectual Property Crimes, Email Spoofing, Forgery, Cyber Defamation, Cyber Stalking, Web Defacement, Email Bombing, Data Diddling, DoS Attacks, Virus/Worm Attacks, Internet Time Theft, Web Jacking, Email Frauds, Cyber Terrorism.

Financial Crimes: These include cyber cheating, credit card frauds, money laundering, hacking into bank servers, computer manipulation, accounting scams, etc.

Cyber Pornography: This covers pornographic websites, pornographic magazines produced using the computer, and the use of the internet to download and transmit pornographic pictures, photos, writings, etc.

Sale of Illegal Articles: Cases where the sale of illegal articles such as narcotic drugs, weapons, wildlife, etc. is facilitated by the internet. Information about the availability of the product for sale is posted on auction websites, bulletin boards, etc.

Online Gambling: Websites offering online gambling. It is legal in some countries, but when a person residing in a country like India (where such websites are illegal) gambles on them, it becomes a legal issue.

Intellectual Property Crimes: These include software piracy, copyright infringement, trademark violations, theft of computer source code, etc.

Email Spoofing: A spoofed email is one that appears to originate from one source but has actually been sent from another.

Forgery: Counterfeit currency notes, postage and revenue stamps, mark sheets, academic certificates, etc. are made by criminals using sophisticated computers, printers and scanners.

Cyber Defamation: This takes place with the help of computers and/or the internet, e.g. information published on a website or sent by email with the intent to defame an individual or an organisation.

Cyber Stalking: This refers to the use of the internet, email or other electronic communication devices to stalk another person. Stalking involves harassing or threatening behaviour that an individual engages in repeatedly. Stalking laws require that the perpetrator make a credible threat of violence against the victim; others also cover threats against the victim's immediate family.

Email Bombing: This refers to sending a large number of emails to the victim, causing the victim's email account or mail server to crash. It is a type of DoS attack in which a flood of requests is sent to a server, bringing the system to its knees and making the server difficult to access.

Data Diddling: This is illegal or unauthorised data alteration. These changes can occur before or during data input, or before output. It has affected banks, payrolls, inventory records, credit records, school transcripts and virtually every other form of data processing known.

Salami Attack: These attacks are used for committing financial crimes. The key here is to make the alteration so insignificant that in a single case it would go completely unnoticed. The attack is called a salami attack as it is analogous to slicing the data thinly, like a salami. For instance, a bank employee inserts a program into the bank server that deducts a small amount (Rs.2 a month) from the account of every customer. No account holder will probably notice this unauthorised debit, but the bank employee makes a sizeable amount of money.
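A defender's-side check for the pattern just described, added here as an example (not from the article): group small debits by amount and memo and flag any group that hits many distinct accounts, since one tiny debit is unremarkable but the same tiny debit against every customer is the salami signature. The ledger, memo strings and thresholds are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Debit is one ledger line: account, amount in paise (integers avoid float rounding), and memo.
type Debit struct {
	Account string
	Paise   int64
	Memo    string
}

// SalamiSuspects groups debits by (amount, memo) and returns the groups whose amount is at most
// maxPaise yet which touch at least minAccounts distinct accounts, as "paise|memo" keys.
func SalamiSuspects(ledger []Debit, maxPaise int64, minAccounts int) []string {
	seen := map[string]map[string]bool{} // "paise|memo" -> set of accounts it was taken from
	for _, d := range ledger {
		if d.Paise <= 0 || d.Paise > maxPaise {
			continue // only small debits are candidates for a slice
		}
		k := fmt.Sprintf("%d|%s", d.Paise, d.Memo)
		if seen[k] == nil {
			seen[k] = map[string]bool{}
		}
		seen[k][d.Account] = true
	}
	var hits []string
	for k, accounts := range seen {
		if len(accounts) >= minAccounts {
			hits = append(hits, k)
		}
	}
	sort.Strings(hits) // map iteration order is random; sort for stable output
	return hits
}

// SampleLedger is constructed data: a Rs.2 (200 paise) "svc adj" debit hits every customer,
// mixed with ordinary traffic that a per-amount threshold alone would not distinguish.
var SampleLedger = []Debit{
	{"A1001", 200, "svc adj"}, {"A1002", 200, "svc adj"},
	{"A1003", 200, "svc adj"}, {"A1004", 200, "svc adj"},
	{"A1001", 150000, "ATM withdrawal"}, {"A1002", 200, "ATM fee"},
	{"A1003", 4999, "online purchase"},
}
```

With a Rs.5 ceiling and a three-account minimum, only the "svc adj" group is reported; the lone Rs.2 ATM fee is not.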

Denial of Service Attack: A DoS attack involves flooding a computer with more requests than it can handle. This causes the computer to crash and results in authorized users being unable to access the service offered by the computer. In a Distributed Denial of Service (DDoS) attack, the perpetrators are many and are geographically widespread.

Virus/Worm Attack: Computer viruses are small software programs that are designed to spread from one computer to another and to interfere with computer operation. A virus might corrupt or delete data on the victim's computer, use the victim's email program to spread itself to other computers, or even erase everything on the victim's hard disk. Viruses are easily spread through email attachments or instant messages. Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files.
Worms, unlike viruses, do not need a host to attach themselves to. They merely make functional copies of themselves and do this repeatedly until they bring the system or an application to a halt.

Trojans and Keyloggers: A Trojan is an unauthorized program which functions from inside what seems to be an authorised program, thereby concealing what it is actually doing. It performs undisclosed malicious functions that allow unauthorized access to the host machine, giving the attacker the ability to save files on the user's computer or even watch the user's screen and control the computer.
Keyloggers: These are used to log all the strokes a victim makes on the keyboard. They are most commonly found on public computers such as those in cyber cafes, hotels, etc.

Internet Time Theft: This connotes the usage by an unauthorized person of the internet hours paid for by another person.

Web Jacking: Web jacking means forcefully taking over control of a website (by cracking the password and later changing it). The actual owner of the website no longer has any control over what appears on it.
There are many ways in which a hacker may get to know a password, the most common being password cracking, wherein cracking software is used to guess the password. Password cracking attacks are most commonly of two types: the dictionary attack, where the software attempts all the words contained in a predefined dictionary, and the brute force attack, in which the software tries all possible combinations of numbers, symbols and letters until the correct password is found.

Email Frauds: Also called phishing or brand spoofing, these use fraudulent email messages and websites that look like they are from a legitimate company such as a bank, credit card company, online retailer or government agency. The email you receive may look real, with the company's logos and branding, but it may actually be spam or a mass email from a criminal.

Cyber Terrorism: (Definition by Asian School of Cyber Law) Cyber terrorism is the premeditated use of disruptive activities, or the threat thereof, in cyber space, with the intention to further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such activities.

The information is with reference to the website:

Posted in Cyber Crime, Cyber Law