Information Technology Act,

2000
Cyber Laws
Meaning
Law that provides legal recognition of
transactions carried out by means of
electronic data interchange and other
means of electronic communication.
Commonly referred to as electronic
commerce or E-Commerce, involves
an alternative to paper-based methods
of communication and storage of
information.

Access: Gaining entry into, instructing or
communicating with the logical, arithmetical,
or memory function of a computer, system or
network;
Computer Network: It is interconnection of
one or more computers through the use of
satellite, microwave, or terrestrial line;
and terminals consisting of 2 or more
interconnected computers whether or not the
interconnection is continuously maintained.



Asymmetric crypto system: Also
known as Asymmetric Encryption. It is a
system of a secure key pair consisting
of a private key for creating a digital
signature and a public key to verify the
digital signature.
Asymmetric Encryption is a form of
Encryption where keys come in pairs.
What one key encrypts, only the other
can decrypt.


Asymmetric Encryption is also known as Public
Key Cryptography, since users typically create a
matching key pair, and make one public while
keeping the other secret.
Users can "sign" messages by encrypting them
with their private keys. This is effective since any
message recipient can verify that the user's
public key can decrypt the message, proving
that the user's secret key was used to encrypt it.
If the user's secret key is, in fact, secret, then it
follows that the user, and not some impostor,
really sent the message.


Users can send secret messages by
encrypting a message with the recipient's
public key. In this case, only the intended
recipient can decrypt the message, since
only that user should have access to the
required secret key.
The key to successful use of Asymmetric
Encryption is a Key Management system,
which implements a Public Key
Infrastructure. Without this, it is difficult to
establish the reliability of public keys, or
even to conveniently find suitable ones.

Public Key Infrastructure is a set of
servers, software, protocols and
application programs used to
manage the Private Key's and
Public Key's of a group of users.
Users are generally able to create
and update their own key pairs, and
a Certificate Authority is used to
sign new Public Key's.

Computer System: A device or collection
of devices, including input and output
support devices and excluding calculators
which are not programmable and capable
of being used in conjunction with external
files, which contain computer programmes,
electronic instructions, input data and
output data, that performs logic, arithmetic,
data storage and retrieval, communication
control and other functions;
Cyber Appellate Tribunal: The Cyber
Regulations Appellate Tribunal established
under sub-section (1) of section 48;

Digital signature: An electronic signature that
can be used to authenticate the identity of the
sender of a message or the signer of a
document, and possibly to ensure that the
original content of the message or document
that has been sent is unchanged.
Digital Signature Certificate: A Digital
Signature Certificate issued under sub-section
(4) of section 35.
Electronic form with reference to information
means any information generated, sent,
received or stored in media, magnetic, optical,
computer memory, micro film, computer
generated micro fiche or similar device.

Key Pair, in an asymmetric crypto system,
means a private key and its mathematically
related public key, which are so related that
the public key can verify a digital signature
created by the private key;
Private Key means the key of a key pair
used to create a digital signature. It is a
secret key, used in Asymmetric Encryption.
It is mathematically equivalent to a Public
Key, but is kept secret.
Public Key means the key of a key pair
used to verify a digital signature and listed in
the Digital Signature Certificate.


A Public Key is a publicly distributed key,
used in Asymmetric Encryption. It is
mathematically equivalent to a Private Key,
but is widely distributed. Public Key's are
frequently certified by a Certificate
Authority, so that users of this key can
verify its authenticity.
Originator means a person who sends,
generates, stores or transmits any
electronic message or causes any
electronic message to be sent, generated,
stored or transmitted to any other person
but does not include an intermediary.

Secure system: Computer hardware,
software, and procedure that-
(a) are reasonably secure from unauthorized access and
misuse;
(b) provide a reasonable level of reliability and correct
operation;
(c) are reasonably suited to performing the intended
functions; and
(d) adhere to generally accepted security procedures;
Security procedure: The security
procedure prescribed under section 16 by
the Central Government.
Subscriber: A person in whose name the
Digital Signature Certificate is issued.

Secure electronic record: Where any security
procedure has been applied to an electronic record
at a specific point of time, then such record shall
be deemed to be a secure electronic record from
such point of time to the time of verification.
Secure digital signature: If, by application of a
security procedure agreed by parties concerned, it
can be verified that a digital signature, at the time it
was affixed, was-
(a) unique to the subscriber affixing it;
(b) capable of identifying such subscriber;
(c) created in a manner or using a means under
the exclusive control of the subscriber and is linked
to the electronic record to which if the electronic
record was altered, the digital signature would be
invalidated, then such digital signature shall be
deemed to be a secure digital signature.

Verify (Verification of Digital Signature) in
relation to a digital signature, electronic record
or public key, with its grammatical variations
and cognate expressions means to determine
whether-
(a) the initial electronic record was affixed with the digital signature by the
use of private key corresponding to the public key of the subscriber;
(b) the initial electronic record is retained intact or has been altered since
such electronic record was so affixed with the digital signature.
Electronic record means data, record or data
generated, image or sound stored, received or
sent in an electronic form or micro film or
computer generated micro fiche.


Electronic Governance
Legal recognition of electronic records.
Legal recognition of digital signatures.
Use of electronic records and digital
signatures in Government and its
agencies.
Retention of electronic records.
Publication of rule, regulation, etc., in
Electronic Gazette.
Power to make rules by Central
Government in respect of digital signature.


Certifying Authorities
A Certificate (or Certifying) Authority is a
trusted third party, which certifies Public Key's
to truly belong to their claimed owners. It is a
key part of any Public Key Infrastructure,
since it allows users to Trust that a given
Public Key is the one they wish to use, either
to send a private message to its owner or to
verify the signature on a message sent by
that owner.

Regulation of Certifying Authorities
Appointment of Controller and other officers.
(1) The Central Government may, by notification in
the Official Gazette, appoint a Controller of
Certifying Authorities for the purposes of this Act
and may also by the same or subsequent
notification appoint such number of Deputy
Controllers & Assistant Controllers as it deems fit.
(2) The Controller shall discharge his functions
under this Act subject to the general control and
directions of the Central Government.

Functions of Controller
The Controller may perform all or any of the following
functions, namely:

(a) exercising supervision over the activities of the
Certifying Authorities;

(b) certifying public keys of the Certifying Authorities;

(c) laying down the standards to be maintained by the
Certifying Authorities;

(d) specifying the qualifications and experience which
employees of the Certifying Authorities should possess;

(e) specifying the conditions subject to which the Certifying
Authorities shall conduct their business;

(f) specifying the contents of written, printed or visual
materials and advertisements that may be distributed or
used in respect of a Digital Signature Certificate and the
public key;

(g) specifying the form and content of a Digital Signature
Certificate and the key,

(h) specifying the form and manner in which accounts
shall be maintained by the Certifying Authorities;

(i) specifying the terms and conditions subject to which
auditors may be appointed and the remuneration to be
paid to them;

(j) facilitating the establishment of any electronic system
by a Certifying Authority either solely or jointly with other
Certifying Authorities and regulation of such systems.

Controller to act as repository.
(1) The Controller shall be the repository of all
Digital Signature Certificates issued under this Act.
(2) The Controller shall-
(a) make use of hardware, software and
procedures that are secure from intrusion and
misuse;
(b) observe such other standards as may be
prescribed by the Central Government, to ensure
that the secrecy and security of the digital
signatures are assured.
(3) The Controller shall maintain a computerized
data base of all public keys in such a manner that
such data base and the public keys are available to
any member of the public.

Digital Signature: How it Works
A digital signature can be used with any
kind of message, whether it is encrypted
or not, simply so that the receiver can be
sure of the sender's identity and that the
message arrived intact.
A digital certificate contains the digital
signature of the certificate-issuing
authority so that anyone can verify that
the certificate is real.

How It Works
Assume you were going to send the draft of a
contract to your lawyer in another town. You give
your lawyer the assurance that it was
unchanged from what you sent and that it is
really from you.
You copy-and-paste the contract (it's a short
one!) into an e-mail note.
Using special software, you obtain a message
hash (mathematical summary) of the contract.
You then use a private key that you have
previously obtained from a public-private key
authority to encrypt the hash.


The encrypted hash becomes your digital
signature of the message. (Note that it will
be different each time you send a
message.)
At the other end, your lawyer receives the
message.
To make sure it's intact and from you,
your lawyer makes a hash of the received
message.
Your lawyer then uses your public key to
decrypt the message hash or summary.
If the hashes match, the received
message is valid.

Digital Signature Certificate
A digital (signature) certificate is an electronic
"credit card" that establishes your credentials
when doing business or other transactions on
the Web. It is issued by a certification authority
(CA).
It contains your name, a serial number,
expiration dates, a copy of the certificate
holder's public key (used for encrypting
messages and digital signatures), and the
digital signature of the certificate-issuing
authority so that a recipient can verify that the
certificate is real. Some digital certificates
conform to a standard.


Issue of Digital Signature
Certificate
The Certifying Authority is a person who has
been granted a license to issue a DSC.
Any person may apply to the CA for the issue
of DSC in a Form as prescribed by the
Central Government.
Every such application shall be accompanied
by such fee not exceeding Rs.25,000 as
prescribed by Central Government to be paid
to the CA.
Representations upon Issuance
of DSC: CA shall certify
That it has complied with the rules &
regulations of the Act.
That it has published the DSC.
That the subscriber holds the private key
corresponding to public key listed in DSC.
That the above constitute a functioning key
pair.
That the information contained in DSC is
accurate.

Suspension of Digital Signature
Certificate
The CA may suspend the DSC on receipt of a
request from the subscriber listed in DSC.
The CA may also suspend the DSC if it is of
the opinion that the DSC should be
suspended in public interest.
A DSC shall not be suspended for a period
exceeding 15 days unless the subscriber has
been given an opportunity of being heard in
the matter.
Revocation of Digital Signature
Certificate
Where subscriber or any one authorized
by him makes a request to that effect;
Upon death of subscriber;
Upon dissolution of the firm/company
where subscriber is a firm/company;
Where a material fact represented in
DSC is false or has been concealed;
Where a requirement for issuance of
DSC was not satisfied.
Where the CAs private key or security
system was compromised in a manner
materially affecting the DSCs reliability;
Where the subscriber has been declared
insolvent, dead, dissolved as a firm,
wound-up or otherwise cease to exist;
Where there is misuse of DSC;
Where there is misrepresentation or
errors in the DSC; or
Where the DSC is no longer required as
per Rule 30 (1).

Duties of Subscribers
Generating key pair by applying the
security procedure (Secure Digital
Signature).
Acceptance of Digital Signature
Certificate.
Control of private key corresponding to
the public key listed in their Digital
Signature Certificate.
To extend facilities to decrypt information.

Cyber Regulations Appellate Tribunal
Establishment of Cyber Appellate Tribunal.
The Central Government shall, by notification,
establish one or more appellate tribunals to be
known as the Cyber Regulations Appellate
Tribunal.
Composition of Cyber Appellate Tribunal.
A CAT shall consist of one person only (hereinafter
referred to as the Presiding Officer.
Term of office.
Presiding Officer shall hold office for a term of 5
years from the date he enters office or until he
attains the age of 65 years, whichever is earlier.

Staff of the Cyber Appellate Tribunal.
Central Government shall provide such officers
and employees as may thought fit. Officers and
employees shall discharge their functions under
superintendence of the Presiding Officer.
Appeal to Cyber Appellate Tribunal.
Any person aggrieved by an order made by
Controller or an adjudicating officer under this Act
may prefer an appeal to a CAT having jurisdiction
in the matter.
Every appeal shall be filed with prescribed fees
within a period of 25 days from the date on which
a copy of the order made by the Controller or the
adjudicating officer is received by the person
aggrieved.

Procedure & powers of the CAT.
Shall be guided by the principles of natural justice
and, subject to the other provisions of this Act. It
shall have powers to regulate its own procedure
including the place at which it shall have its sittings.
Has same powers as vested in a civil court under
the Code of Civil Procedure, 1908, while trying a
suit, in respect of the following matters, namely:-
(a) summoning and enforcing the attendance of any
person and examining him on oath;
(b) requiring the discovery and production of
documents or other electronic records;
(c) issuing commissions for examining witnesses or
documents;
(e) dismissing an application for default;
(g) any other matter which may be prescribed.

Civil Court: No Jurisdiction
No Court shall have jurisdiction to entertain any
suit or proceeding in respect of any matter which
an adjudicating officer appointed under this Act
or the Cyber Appellate Tribunal is empowered to
determine.
No injunction shall be granted by any Court or
other authority in respect of any action taken or
to be taken in pursuance of any power conferred
by or under the Act.