Nonsensical DoT crypto restrictions

By Abhijit Menon-Sen <ams@toroid.org>

2010-06-15

What are the regulations governing the use of cryptography and the development of cryptographic software in India? The answer is either "there aren't any" or "nobody really knows".

One of the few official documents to discuss the subject is this one ("Guidelines and general information for setting up of international gateways for internet") published by the Department of Telecommunications (DoT) in 2001. It is not clear why an informative document inviting proposals from ISPs to set up international gateways should have anything to say about the use of cryptography in general, or whether this amounts to a rule, but here's the relevant section:

II. LEVEL OF ENCRYPTION

Individuals/Groups/Organisations are permitted to use encryption upto 40 bit key length in the RSA algorithms or its equivalent in other algorithms without having to obtain permission. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organisations shall do so with the permission of the Telecom Authority and deposit the decryption key, split into two parts, with the Telecom Authority.

There has been plenty of criticism of this section as being "too weak", but the real problem is that it's stupid and wrong (as I have explained in email one too many times; hence this post).

First, a "40 bit key length" is ridiculous when applied to RSA. The number is clearly a reference to the US export restrictions on crypto (now long gone). But that key length was prescribed for DES, not RSA. DES is a symmetric encryption algorithm, while RSA is asymmetric; the latter typically needs much longer keys for the same level of security. A 40-bit DES key is roughly equivalent to a 384-bit RSA key, but 40-bit RSA keys are laughably insecure, and have never been used anywhere to protect anything. Even 40-bit and 56-bit DES are considered trivial to crack today. Most symmetric ciphers use a key length of at least 128 bits, and the recommended RSA key length today is 2048 bits.

Second, "deposit the decryption key, split into two parts" is clearly a reference to key escrow… but that is now how it's supposed to work. The idea is to deposit one part of your key, to make it easier for the authorities to recover the other part by brute force, given a court order (in theory). If you have to deposit both parts, why split it in the first place?

Even if we look at the intent of the rule rather than its wording, there are many practical problems. The RBI and SEBI guidelines mandate 128-bit (symmetric) encryption for online banking, and that is the minimum level supported by browsers now. Most users don't know that their browser uses strong encryption, and even if they did, browsers negotiate new keys for each SSL/TLS session and there is no way to recover the keys for escrow. In any case, the keys will never be reused, so there is little point to depositing them… and we have no infrastructure for key escrow anyway. (Also, key escrow has never been successfully implemented anywhere.)

It is clear to anyone familiar with cryptography that the section quoted above was written without sufficient research by someone who had only a superficial knowledge of (then-)current best practices.

Of course, even if they were specified correctly, 40-bit DES and key escrow would be stupid and utterly impractical restrictions.