What are the regulations governing the use of cryptography and the
development of cryptographic software in India? The answer is either
"there aren't any" or "nobody really knows".
One of the few official documents to discuss the subject is
("Guidelines and general information for setting up of international
gateways for internet") published by the Department of
Telecommunications (DoT) in 2001. It is not clear why an informative
document inviting proposals from ISPs to set up international gateways
should have anything to say about the use of cryptography in general, or
whether this amounts to a rule, but here's the relevant section:
II. LEVEL OF ENCRYPTION
Individuals/Groups/Organisations are permitted to use encryption
upto 40 bit key length in the RSA algorithms or its equivalent in
other algorithms without having to obtain permission. However, if
encryption equipments higher than this limit are to be deployed,
individuals/groups/organisations shall do so with the permission
of the Telecom Authority and deposit the decryption key, split
into two parts, with the Telecom Authority.
There has been plenty of criticism of this section as being "too weak",
but the real problem is that it's stupid and wrong (as I have
explained in email one too many times; hence this post).
First, a "40 bit key length" is ridiculous when applied to RSA. The
number is clearly a reference to the US export restrictions on crypto
(now long gone). But that key length was prescribed for DES, not RSA.
DES is a symmetric encryption algorithm, while RSA is asymmetric; the
latter typically needs much longer keys for the same level of security.
A 40-bit DES key is roughly equivalent to a 384-bit RSA key, but 40-bit
RSA keys are laughably insecure, and have never been used anywhere to
protect anything. Even 40-bit and 56-bit DES are considered trivial to
crack today. Most symmetric ciphers use a key length of at least 128
bits, and the recommended RSA key length today is 2048 bits.
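To make the point about 40-bit RSA concrete, here is an added example (not part of the original post) that builds a 40-bit RSA key and then recovers the private exponent and the plaintext from the public key alone, using nothing but trial division. The primes, exponent and message are constructed sample values, and the function names are hypothetical.

```python
from math import isqrt

def is_prime(n):
    """Deterministic trial-division primality test (fine for 20-bit inputs)."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, isqrt(n) + 1, 2))

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def make_key(p_start, q_start, e=65537):
    """Build a toy RSA key pair from the first primes at or above the given starts."""
    p, q = next_prime(p_start), next_prime(q_start)
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent
    return (p * q, e), d

def factor(n):
    """Trial division: at most ~2**19 odd candidates for a 40-bit modulus."""
    if n % 2 == 0:
        return 2, n // 2
    for cand in range(3, isqrt(n) + 1, 2):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("modulus is prime, not an RSA modulus")

def recover_plaintext(public_key, ciphertext):
    """Recover the message using only what an eavesdropper sees."""
    n, e = public_key
    p, q = factor(n)
    d = pow(e, -1, (p - 1) * (q - 1))  # same private exponent the owner holds
    return pow(ciphertext, d, n), d

# Constructed sample values: two 20-bit primes give a 40-bit modulus.
PUBLIC_KEY, PRIVATE_D = make_key(900_000, 1_000_000)
MESSAGE = 123_456_789
CIPHERTEXT = pow(MESSAGE, PUBLIC_KEY[1], PUBLIC_KEY[0])

if __name__ == "__main__":
    recovered, d = recover_plaintext(PUBLIC_KEY, CIPHERTEXT)
    print(f"modulus bits: {PUBLIC_KEY[0].bit_length()}")
    print(f"recovered message: {recovered}, private exponent matches: {d == PRIVATE_D}")
```

The whole search is under half a million divisions, which finishes in well under a second on any current machine.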
Second, "deposit the decryption key, split into two parts" is clearly a
reference to key escrow… but that is not how it's supposed to work. The
idea is to deposit one part of your key, to make it easier for
the authorities to recover the other part by brute force, given a court
order (in theory). If you have to deposit both parts, why split it in
the first place?
Even if we look at the intent of the rule rather than its wording, there
are many practical problems. The RBI and SEBI guidelines mandate 128-bit
(symmetric) encryption for online banking, and that is the minimum level
supported by browsers now. Most users don't know that their browser uses
strong encryption, and even if they did, browsers negotiate new keys for
each SSL/TLS session and there is no way to recover the keys for escrow.
In any case, the keys will never be reused, so there is little point to
depositing them… and we have no infrastructure for key escrow anyway.
(Also, key escrow has never been successfully implemented anywhere.)
It is clear to anyone familiar with cryptography that the section quoted
above was written without sufficient research by someone who had only a
superficial knowledge of (then-)current best practices.
Of course, even if they were specified correctly, 40-bit DES and key
escrow would be stupid and utterly impractical restrictions.