Aug 21, 2010
It has been reported in the media that the Indian Government has given an ultimatum to Research In Motion (RIM), the maker of the ubiquitous Blackberry phones, that, unless RIM complies by the rules, it risks being banned in India.
And the ban is imminent.
At the outset, the concerns of the Indian Government seem reasonable enough. India does not want a technology that could give an advantage to the militants.
Media also reports that RIM does not want to give a special treatment to India.
Before agreeing with one or the other party, one needs to understand the basic principles of cyber security.
The principles of cyber security are not complex to understand.
There are essentially three of them.
• The environment must be able to prevent disruption to the availability of services
• The integrity of the information must be guaranteed
• The confidentiality of the information must be assured
The issue between the Indian Government and RIM is on Confidentiality. Confidentiality here would mean the level of encryption applied, and that the security apparatus in India needs to have access to that information – with the hope that it could be decrypted whenever needed.
Encryption is done using various methods. Essentially it comes down to the algorithms used, the key length employed, and the safeguarding of the key – that will determine if someone other than the intended recipient can access the original information.
The Indian Government’s rules require that no Internet Service Provider (ISP) supports encryption using a key-length of greater than 40 bits without seeking the prior approval of the Government.
India’s Home Ministry, tasked with providing internal security, expects that RIM make the encrypted data available to the relevant security agencies.
Regardless of what the rules state and the expectations of the Government might be, it is not possible for RIM to comply with such expectations!
One might wonder why?
The essence of encryption being what it is, in today’s world, the level and complexity of encryption is controlled significantly by the users. And not by the ISPs or the manufacturers of gadgets.
The users of Internet and systems today have the means of acquiring solutions that provide extremely secure communications.
The security of such communication is so strong that only one person in the entire world - the recipient of the information alone – is able to decrypt that information. This is achieved through the usage of the Private Key in the Public Key Infrastructure that is ubiquitous in today’s world.
Possession of copy of that Private Key by another party, including a Government, would defeat the whole notion of cyber security.
But why can’t a Government get hold of the Private Key in the event that they have indeed caught a suspected militant, and want to read all the encrypted information that was exchanged between the suspected militant and his accomplices?
A natural question indeed.
The answer is simple: if the Private Key is still retained by the suspected militant and he is happy to hand it over to the security agencies.
The ISPs and the manufacturers of gadgets unfortunately cannot help. They were not in possession of the Private Key in the first place!
Mere storage of mountains of encrypted data will be of no benefit to the security agencies. Other than, of course, creating an opportunity for some to hire thousands of new workers to manage those mountains.
A far more sensible approach for the Indian Government would be to invest time and effort to understand how it could take advantage of features available in Internet Protocol (IP) version 6 (IPv6) to help with its future cyber security.
But that requires some real hard work. Why would the official babu machinery look for hard work – when there are far simpler, albeit meaningless, solutions around?
It may be fair to assume that, so long as the Indian Government is concerned, IPv6 is at least 20 years away.