Issue dated - 30th September 2002


Security Special: Encryption Software
Indian firms decode the encryption software market

With the US having strict rules regarding encryption technology exports, many Indian firms are trying to fill the gap with indigenously developed products. Srikanth R P tries to identify Indian firms involved in the field of encryption software and the opportunities and challenges faced by them.

In the future, encryption will be as ubiquitous as information itself, because the information’s value would compel it to be secured in an encrypted form to prevent its disclosure or modification, says Felix Mohan

The year was 1999. The Indian Defence and Research Organisation (DRDO) had issued a red alert against all network security software developed in the US because it believed US companies were selling software which could be easily hacked. The organisation was angry—US companies were selling communication software to critical national agencies without highlighting the fact that US laws did not permit export of encryption software stronger than 64-bit encryption. This effectively meant that Indian financial institutions or even government agencies had to rely on software which could easily be broken into by the US National Security Agency. In other words, only insecure software could be exported.

The DRDO then followed up with a warning saying that it was considering making it mandatory for all Indian banks and financial institutions to buy software developed only in India. While this did not exactly set off all the Indian software companies running helter-skelter for alternative encryption software, it triggered some Indian firms into thinking about developing encryption software themselves. The main inspiration came from the fact that Indian companies could indigenously develop encryption software that could have higher standards than those set by the US, and need not go in for encryption software which was insecure from the US point of view. A case in point is Mumbai-based SecureSoft, which developed a 448-bit encryption software christened ‘Cypherix’.

Says Abhay Mehta, CTO and co-founder, SecureSoft, “The main impetus to develop an encryption engine emerged from the fact that the US bans the export of strong encryption products, since these are regarded on par with strategic arms. The only companies that have been developing encryption software of any serious nature were located in the US or Western Europe. However, I, as an Indian citizen, cannot buy this encryption software since all these countries are signatories of the Wassenaar Agreement, which regards strong encryption on par with munitions or missiles and bans its export. What a buyer in India could get was a 64-bit encryption software which was easy to hack into.” Mehta claims that it would take all the computing power in the world working together for 1032 years to hack into a file encrypted by ‘Cypherix.’

The importance of encryption software
Before we get down to efforts by Indians in the field of encryption software, it is also important to understand the importance of such software. The primary aim of encryption software is to transform data in such a way that even if a third party gets hold of it, he or she will not be able to decipher it. In other words, only a person having a specific key will be able to read the information and decode the data back into an intelligible form. Take World War II for instance, when countries tried to hack into rival countries’ systems. Britain employed mathematicians and computer scientists to get into the task of breaking the German encrypted codes. Similarly, the US managed to discover the intentions of the Japanese by working on the Japanese encrypted codes. This was one of the first instances when the success of a war was crucially dependent on intelligence from decoded messages.

While strategically encryption software is treated at par with the military and is of great significance to the country’s defence, even non-military applications of encryption are crucial. For example, if the enemy manages to hack into financial systems of profound importance such as the RBI, the impact would be catastrophic and have the capability of bringing India’s economy to its knees. This is why indigenously-developed software is of vital importance.

While indigenously-developed encryption software will prove to be of strategic importance in areas such as defence and the government, there will be a host of other sectors like banking and finance that need to protect information. Says Felix Mohan, CEO, Secure Synergy and a well known expert on the security scene in India, “In the future, encryption will be as ubiquitous as information itself, because the information’s value would compel it to be secured in an encrypted form to prevent its disclosure or modification. Encryption software-driven processes and applications will be the pillars of domestic and international e-commerce. In India, encryption software will have immense benefits in the financial and securities industries. For example, NSDL is putting strong encryption into all depository transactions. The government sector, especially defence, will also be a big adopter of indigenously-made encryption software.”

Another big industry that has a lot of potential is the banking industry. Even Internet banking players could benefit from the use of encryption software. Agrees Rajeev Wadhwa, COO, Global E-secure, “Throughout the country, Internet banking is in a nascent stage. Only 8 percent of Indian banks offer facilities such as online funds transfer, transactions and cash management services. Primarily, the view is that online transactions are not secure. With strong encryption software, more and more banks can offer this facility.”

Indian efforts in encryption software
In India, there have been notable examples of organisations developing encryption software. The Institute for Development and Research in Banking Technology (IDRBT) established INFINET in the year 1999 to provide a reliable communication backbone for the banking and financial industry. In a joint effort with TCS, the organisation developed a messaging solution based on smart card-based PKI. Christened ‘Structured Financial Messaging Solution’, the solution promised a secure way for banks to send financial information via the INFINET. Also notable are the efforts of the Centre for Development of Advanced Computing (C-DAC). The organisation has been working on the development of core network security technologies, which include products like C-Crypto and C-VPN. DRDO on its part has been playing a huge role in integrating security mechanisms in the Indian Army’s radio engineering network and Army Static Switch Communication network. The Indian Institute of Technology (IIT), Kanpur in collaboration with the Indian Navy, has developed a 128-bit algorithm christened Trinetra, which can be used in naval communications. Encryption software using this algorithm has already been developed.

Though there have been efforts from the government in the field of encryption software, there are a couple of Indian companies that have made their mark in this space. Mumbai-based Secure Soft is one such company, which has developed products like Cryptainer that can encrypt data in a jiffy. For the network, the company has developed Cryptunnel which secures peer-to-peer connectivity between any two IP addresses. Another successful company is Cynapse India, which has developed encryption products like Infocryptor and MailCryptor. Both players have proved to be successful in their domains. For instance, Secure Soft today exports its products to more than 20 countries and has dealers in more than nine. The company has also bagged a few big domestic orders in the government sector. Similarly, Cynapse India has also sold more than 650 copies of its product in a short span of two months in countries like the US, Germany and Malaysia.

Also notable are the efforts of Apostle Embedded Systems which has invented a new 128-bit block cipher, believed to be the first such Indian cipher comparable to international standards like RSA Lab and IBM. An encryption algorithm is nothing but a mathematical formula by which a given text is encrypted. Simply put, encryption software has two basic parts—the algorithm, which is a pre-defined set of rules for the encryption, and the application itself, which uses the algorithm to provide the encryption functionality.

Dr Vijay Jha says the primary goal at Apostle was to produce algorithms like MARS and RC6 at lower cost without decreasing the strength so that a suitable algorithm could be made available for low-end smart cards

While developing encryption software based on a particular algorithm is tough enough, it is even tougher to develop one’s own algorithm. Once algorithms are standardised, they can be used in numerous applications. Some of the commonly used algorithms are RSA, DSA and Rijndael. The importance of an Indian company developing its own algorithm stems from the fact that RSA, a well known player in the global space, derives a major chunk of its revenues from royalty on its RSA algorithm.

Says Dr Vijay Jha, director, Apostle Embedded Systems, “Compared to developing encryption software, developing encryption algorithms is tougher. Presently, we have developed a 128-bit block cipher that can compete with the best names internationally. Our cipher has been compared point-to-point to one of the best 128-bit block ciphers, RC6 of the RSA Lab, and we found it stronger for the same speed. We also compared it to IBM’s MARS and the present Advanced Encryption Standard (AES) - Rijndael, and found it better on some platforms. Our primary goal was to remove the costly operations of algorithms such as MARS and RC6 without decreasing the strength, so that a suitable algorithm could be made available for low-end smart cards.” Jha is so confident about the performance of this algorithm that he has put the entire technical document on his website, offering a prize of Rs 2 lakh to anyone who cracks it.

Realising the importance of such software, the government is also making efforts to promote indigenous capability in this field. Says Mohan, “Initiatives like getting indigenous encryption software accredited for use in government departments, and setting up bodies like the Society for Electronic Transaction and Security is a positive move in this direction.” Jha puts forward a very valid point when he says, “Encryption software can be used to realise the policies of e-governance. For example, often government officers get away by stating that they had no role to play in a particular fraud as there is no documentary evidence. If by the use of encryption software, officers are made accountable for every paper signed by them, leakage of information would be difficult thereby bringing down the chances for corruption. In addition, our forces and intelligence can have stronger ciphers for secret communications, and the problem of lack of co-ordination of sensitive information—as noted by the Subramanium Committee during the Kargil War—could be effectively solved.”

Technology
While public key infrastructure, or asymmetric technology, is more popular and is used in digital certificates, there is a debate over the use of the two technologies, symmetric and asymmetric. In a symmetric algorithm, both parties share the same key for encryption and decryption. To provide privacy, this key needs to be kept secret.

Meanwhile, asymmetric algorithms use pairs of keys. One is used for encryption and the other for decryption. The decryption key is typically kept secret and is therefore called the private key, while the encryption key is available in the public domain and is called the public key. Anyone having the public key is able to send encrypted messages to the owner of the private key. While asymmetric technologies seem ideally suited for real world applications, as the private key does not have to be shared, they are also known to be much slower than the symmetric ones. Symmetric algorithms have the advantage of not consuming too much computing power. Well known examples of symmetric algorithms are DES, Blowfish and CAST5. In fact, the two Indian firms, Cypherix and Cynapse have developed products based on the Blowfish algorithm. As both technologies offer significant advantages, the best way is to use a combination of both the algorithms. For instance, the transfer of the ‘key’ between two parties is a problem in the case of symmetric algorithms. In this case, asymmetric technology can be used for exchanging the key used in encryption by symmetric methods. This way the advantages of both algorithms can be used.
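The combination described above, as an added example that is not part of the original article: a fresh AES-256-GCM session key encrypts the message, and RSA-OAEP encrypts only that key. The choice of AES and RSA, the 2048-bit key size, and the names `seal`, `open_envelope` and `opens?` are assumptions made for illustration.

```ruby
require "openssl"

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Sender: encrypt the message with a fresh symmetric session key (fast), then
# encrypt only that 32-byte key with the recipient's public key (slow).
def seal(recipient_public_key, message)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  session_key = cipher.random_key # a new key for every message
  nonce = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(message) + cipher.final
  { wrapped_key: recipient_public_key.public_encrypt(session_key, OAEP),
    nonce: nonce, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Recipient: unwrap the session key with the private key, then decrypt.
# Raises OpenSSL::OpenSSLError if the key is wrong or the data was modified.
def open_envelope(recipient_private_key, envelope)
  session_key = recipient_private_key.private_decrypt(envelope[:wrapped_key], OAEP)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = session_key
  cipher.iv = envelope[:nonce]
  cipher.auth_tag = envelope[:tag]
  cipher.auth_data = ""
  cipher.update(envelope[:ciphertext]) + cipher.final
end

# True when the envelope opens cleanly, false when OpenSSL rejects it.
def opens?(private_key, envelope)
  open_envelope(private_key, envelope)
  true
rescue OpenSSL::OpenSSLError
  false
end

if __FILE__ == $0
  recipient = OpenSSL::PKey::RSA.new(2048) # constructed key pair
  envelope = seal(recipient.public_key, "constructed sample: transfer 500 to account 42")
  puts open_envelope(recipient, envelope)
  tampered = envelope.merge(ciphertext: envelope[:ciphertext].reverse)
  puts "tampered envelope accepted? #{opens?(recipient, tampered)}"
end
```

Nothing in the envelope is secret, so it can travel over an untrusted channel; only the holder of the private key can recover the session key.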

It is also a common myth that the key strength of the encryption algorithm is always directly proportional to the security level offered by the algorithm. Apurva Roy Choudhury, CEO, Cynapse India explains this misconception: “Although a lot of companies develop applications using algorithms which are freely available in the public domain, each and every application developed using the same algorithm seldom match each other. While the key strength is one of the main factors in determining the security level, it is not always the only determining criterion. For example, a 1,600-bit encryption cipher could well be weaker than a 448-bit cipher depending on the cryptography logic behind it.”
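Choudhury's point, as an added example that is not part of the original article: a hypothetical repeating-XOR design with a 1,600-bit key is compared with AES-128 in CTR mode when an evaluator knows the opening bytes of a file. The toy cipher, the sample header and all function names are constructed for illustration.

```ruby
require "openssl"
require "securerandom"

KEY_BYTES = 1600 / 8 # the oversized 1,600-bit key from the quote

# Hypothetical weak design: XOR the data with the key, repeating the key as needed.
def repeating_xor(data, key)
  data.bytes.each_with_index.map { |b, i| b ^ key.getbyte(i % key.bytesize) }.pack("C*")
end

# Sound design with a far shorter key: AES-128 in CTR mode.
def aes128_ctr(data, key, iv)
  c = OpenSSL::Cipher.new("aes-128-ctr").encrypt
  c.key = key
  c.iv = iv
  c.update(data) + c.final
end

# What a reviewer checks: does known plaintext at the start of a file expose
# the rest? XOR the known bytes with the ciphertext and reuse the result on
# the remainder (the known prefix here is exactly one key length long).
def exposed_by_known_prefix(ciphertext, known_prefix)
  stream = repeating_xor(ciphertext.byteslice(0, known_prefix.bytesize), known_prefix)
  rest = ciphertext.byteslice(known_prefix.bytesize, ciphertext.bytesize)
  repeating_xor(rest, stream)
end

def compare_designs
  header = "CONSTRUCTED-HEADER:".ljust(KEY_BYTES, ".") # predictable boilerplate
  secret = "balance=1234567"
  weak = repeating_xor(header + secret, SecureRandom.random_bytes(KEY_BYTES))
  strong = aes128_ctr(header + secret, SecureRandom.random_bytes(16), SecureRandom.random_bytes(16))
  { xor_1600: exposed_by_known_prefix(weak, header) == secret,
    aes_128: exposed_by_known_prefix(strong, header) == secret }
end

p compare_designs if __FILE__ == $0
```

The 1,600-bit design gives up the rest of the file once one key length of plaintext is known, while the 128-bit design does not, which is why an evaluation looks at the construction and not only the key size.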

Abhay Mehta says that the US ban on export of strong encryption products was the main impetus for Indian firms to develop an encryption engine

Current Scenario
Until recently, US export laws did not allow export of high-end cryptography products. But after protests from encryption companies like RSA, the US government relaxed its policy in January 2000. While the current US policy allows US companies to ship their software up to 128-bit encryption, there is a small caveat here; the products being exported have to obtain a one-time clearance. And Indian financial institutions say that obtaining clearances sometimes takes months.

In addition to the domestic opportunity, Indian market players are eyeing the global encryption market. Both the product companies—Secure Soft and Cynapse—are targeting the global market aggressively. The only problem that both the companies face, is that while both have the required technical expertise, marketing efforts are subdued due to lack of funds. But one thing is crystal clear—no company wants to emulate the majority of the Indian software industry for which IT means low-end services. Undoubtedly, the potential is huge as encryption has assumed more significance, especially in the current scenario.

This view point is best summed up by Mohan when he says, “Cryptography or encryption software has emerged as the foundation of modern-day digital security—be it IPSec, SSL, Kerberos—all use encryption technologies in their core. Thus encryption software that encompasses the functionality of crypto-based security has a critical role to play in the ongoing IT revolution. In this context, the field of encryption software has a growing and sustainable market for Indian businesses.”

And while India’s home-grown encryption firms will face a number of hurdles—there is definitely a lot of potential if the companies play their cards right.



© Copyright 2000: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.