
UNIT-2

COMPUTERIZATION IN TOURISM INDUSTRY

The hospitality and tourism industry is growing, and its growth has brought many challenges and complexities in terms of operation. Despite these, many of its arms are today interconnected by technology. Computer systems now allow people to reserve airline tickets, rental cars, hotel rooms and tours, all in one transaction. These computer systems are called computer reservation systems (CRSs) or global distribution systems (GDSs). Decision support systems, management information systems (MIS), property management systems (PMS), etc. give hotel managers mechanisms for effective management of hotels. Computers are used in the various operational and functional units of hotels and other tourism organisations, including the front office, marketing and sales, purchasing, F&B service, security surveillance and HRM. It is evident that the advent of computers and the continuous development of computing significantly affect the operations of the hospitality and tourism industry. The most valuable commodity for effective and efficient operation in the hospitality business is reliable, up-to-date information, and computers provide benefits in information storage, manipulation and communication.

Many applications and technologies have been developed by integrating generic applications to suit the needs of an establishment and help it achieve its objectives. In the hospitality and tourism industry such technologies include property management systems (PMS), computer reservation systems (CRS), global distribution systems (GDS), management information systems (MIS), point of sale systems (POS), etc.

Some of the software that has aided the development of, and is of benefit to, the hospitality industry:
a) Electronic point of sale (EPOS): an electronic point of sale system records the details of each transaction at the point where it takes place.
b) Computer reservation system (CRS): a CRS is used to reserve rooms, restaurant seats, airline seats, etc., either by the client online or by a reservationist at the hospitality facility.
c) Event management system: packages targeted at hotels and conference centres, designed to deal with every element of taking bookings and managing events such as conferences, meetings, expositions, conventions, weddings, banquets, seminars and workshops.
d) Food and beverage management system: this takes the concept of stock control one stage further by adding a control framework which, when correctly implemented, gives a greatly improved level of management control.
e) Menu engineering: this technique uses computer modelling of data about the sales volume, cost and profit of each dish on the menu, with the aim of creating a menu that offers the optimum balance between popularity and profit.
f) Dietary analysis: information and communication technology used to systematically analyse the nutritional content of the menu. Many people are conscious of what they eat, and customers increasingly require dietary information giving the composition of individual foods or complete dishes at the touch of a button.
g) Global distribution system (GDS): a reservation channel used by travel agents to book hotel rooms, restaurant seats, meals, airline seats, trains, cruises, etc. for clients.

Property Management Systems (PMS)


In the hospitality industry, a property management system is a computerised system used to manage guest bookings, online reservations, point of sale, telephone and other amenities. Hotel property management systems may interface with central reservation systems and revenue or yield management systems, and with front office, back office and point of sale systems. There are many different property management systems available (e.g. Oracle Hospitality OPERA), and a business will want to work with the different vendors to determine which property management system best fits its needs.
PMS Functions
As an umbrella system in the hospitality and tourism industry, PMS may be interfaced and integrated with
other systems to perform the following functions:

a) Reservation: the reservationist can make a reservation via the PMS-CRS interface or via the reservation module at the front office. The reservation module offers room or product availability/forecasting, access to reservation records and reservation confirmations.
b) Rooms management: the housekeeping and front office departments can manage rooms through the PMS. With the rooms management module, the status of every room in the establishment can be viewed easily, and guest registration and room assignment are fast and efficient.
c) Guest accounting: the PMS makes guest accounting faster, more effective and more efficient through the guest accounting module, which provides folio management, credit monitoring and transaction tracking.

Common PMS Interfaces


Other functions that PMS can achieve are associated with the following PMS interfaces:
 Central reservation system (CRS)
 Internet
 Sales and catering
 Point-of-sale
 Electronic payment processing
 Revenue management
 Back office accounting
 Call accounting
 Electronic locking systems
 Energy management
 Auxiliary guest service devices
 Self-service devices

Impacts of PMS in Hospitality Industry

a) Ease of workload: a PMS maximises the efficiency of staff and guest services and increases management's control over all aspects of front office operations. A centralised view of guest behaviour and reservation performance gives the insight needed to adapt future business strategy quickly.
b) Yield management dynamic rate tiers: this yield management tool adjusts room rates automatically according to current availability. When availability is high the system offers the lower rate; when availability is low it offers the higher rate.
c) Streamlined reservations: reservations are entered quickly and easily from repeat guest history, existing guests and reservations, condominium accounts, prospects and wait lists, minimising redundant data entry.
d) Comprehensive reservations screen: from a single database you can access inventory and availability for all properties within your brand and make instant reservations for sister properties. Such cross-selling brings additional revenue by keeping the guest within your group, and all data is stored and accessed in one central location.

e) Automatic rate selection: room rates are pre-defined against management-created codes for groups, corporate rates, market segments, package plans and standard room rates, preventing reservationists from selecting an incorrect rate during the reservation process.
f) Web reservations subsystem interface: this allows customers to access real-time availability at a given property and to book a reservation from the hotel's existing website directly into its front office system.

g) Cashier reconciliation: Provision of an audit trail of transactions at the end of each cashier's shift for
cashier balancing.

h) Special requests: the software tracks and reports guest special requests and alerts staff about late sleepers, extra towel requirements, in-room pets and whatever user-defined requests the hotel wishes to track.

i) Inquiry searches and printing: When a guest asks for specific information, the concierge or bell stand
may search the System for the attraction, retrieve details, and print the information to hand to the guest.

j) Housekeeping features: housekeepers can change a room's housekeeping status from the room's phone extension. Once the room is clean, the housekeeper picks up the room phone and keys in a code that immediately changes the room's housekeeping status in the front office system; depending on policy, the codes may indicate that the room is now clean, dirty or in need of inspection.

k) Shared guest control: The system handles unlimited shared guests per reservation, splitting rates
throughout the stay even if shared guests arrive and depart on different dates. Shared reservations may
split the folio equally or route transactions to separate folios as desired.
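Two of the accounting features above, (g) cashier reconciliation and (k) shared guest control, are easier to see in code. The following is an added example written for this page, not code from any PMS product: it divides a room's nightly rate among whichever shared guests are in-house each night and posts each share to that guest's folio, and it keeps the postings in a hash-chained journal so that end-of-shift reconciliation both balances the cashier and detects a posting altered after the fact. The guest names, dates, rates and cashier ID are invented, and the hash chain is an assumption about one way an audit trail can be made tamper-evident, not a description of any particular product.

```python
"""Added example (not from the course text or any PMS vendor): shared-folio
rate splitting plus a hash-chained posting journal; all data is invented."""
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal, ROUND_HALF_UP
import hashlib
import json

CENT = Decimal("0.01")
GENESIS = "0" * 64  # prev_hash recorded by the first posting in a journal

@dataclass(frozen=True)
class Guest:
    name: str
    arrival: date
    departure: date  # check-out date; the last night charged is departure - 1

    def in_house(self, night: date) -> bool:
        return self.arrival <= night < self.departure

def split_shared_stay(guests, nightly_rate):
    """Divide each night's rate among the guests present that night (item k).
    Shares are rounded to cents; a rounding remainder goes to the first guest
    present, so a night's shares always add up to the rate."""
    totals = {g.name: Decimal("0.00") for g in guests}
    charges = []  # (night, guest name, amount)
    night = min(g.arrival for g in guests)
    last = max(g.departure for g in guests)
    while night < last:
        present = [g for g in guests if g.in_house(night)]
        if present:
            share = (nightly_rate / len(present)).quantize(CENT, ROUND_HALF_UP)
            remainder = nightly_rate - share * len(present)
            for i, g in enumerate(present):
                amount = share + (remainder if i == 0 else Decimal("0.00"))
                totals[g.name] += amount
                charges.append((night, g.name, amount))
        night += timedelta(days=1)
    return totals, charges

@dataclass
class Posting:
    cashier: str
    folio: str
    night: str
    amount: Decimal
    prev_hash: str
    digest: str

class Journal:
    """Append-only posting journal (item g): each digest covers the posting's
    fields and the previous digest, so any later edit breaks the chain."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(cashier, folio, night, amount, prev_hash):
        payload = json.dumps([cashier, folio, night, str(amount), prev_hash])
        return hashlib.sha256(payload.encode()).hexdigest()

    def post(self, cashier, folio, night, amount):
        prev = self.entries[-1].digest if self.entries else GENESIS
        digest = self._digest(cashier, folio, night, amount, prev)
        self.entries.append(Posting(cashier, folio, night, amount, prev, digest))

    def verify(self):
        prev = GENESIS
        for p in self.entries:
            expected = self._digest(p.cashier, p.folio, p.night, p.amount, prev)
            if p.prev_hash != prev or p.digest != expected:
                return False
            prev = p.digest
        return True

    def shift_balance(self, cashier):  # cashier total for end-of-shift balancing
        return sum((p.amount for p in self.entries if p.cashier == cashier),
                   Decimal("0.00"))

def demo():
    """Guest A stays four nights; guest B shares the room for the last two."""
    guests = [Guest("A", date(2024, 3, 1), date(2024, 3, 5)),
              Guest("B", date(2024, 3, 3), date(2024, 3, 5))]
    totals, charges = split_shared_stay(guests, Decimal("120.00"))
    journal = Journal()
    for night, name, amount in charges:
        journal.post("cashier-1", f"folio-{name}", night.isoformat(), amount)
    balance = journal.shift_balance("cashier-1")
    intact = journal.verify()
    journal.entries[0].amount = Decimal("1.00")  # an edit made after posting
    return totals, balance, intact, journal.verify()

def rounding_demo():
    """Three guests share one night at 100.00: 33.34 + 33.33 + 33.33."""
    guests = [Guest(n, date(2024, 3, 1), date(2024, 3, 2)) for n in "XYZ"]
    return split_shared_stay(guests, Decimal("100.00"))[0]
```

Calling demo() gives folio totals of 360.00 for A and 120.00 for B, a shift balance of 480.00 (four nights at 120.00), a clean verification before the edit and a failed one after it. In a real PMS the journal would be written to storage the cashier cannot modify and the chain checked at the night audit; the point of the example is that the reconciliation total and the integrity check come from the same posting record.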

Computer Reservation System (CRS)


Computerised networks and electronic distribution systems (EDS) in tourism emerged in the early 1970s,
through internal CRSs in the airline industry. They became central to the distribution mix and strategy of
airlines. CRSs are widely regarded as the critical initiators of the electronic age, as they formulated a new
travel marketing and distribution system.

Types of Reservation Systems


There are four principal types of reservation system used in the hospitality and tourism industry, and together they have given the industry a face-lift.
a) Single property based system: records accommodation sales for a single property.
b) Central reservation system: serves hotels affiliated to one group, providing a single point of contact for prospective guests and ensuring that sales are maximised.
c) Global distribution system (GDS): airline-based systems which in turn are linked to hotel central reservation systems and to travel agents, allowing direct selling and reservation to take place.
d) World Wide Web: a number of agencies now offer the hospitality industry the opportunity to market hotels on the World Wide Web and to take direct reservations of hotel accommodation there. The benefit of this approach is that it is available to anyone with access to the Internet, and the whole reservation process is simplified.

Importance of CRSs
a) A CRS is essentially a database which manages the inventory of a tourism enterprise and distributes it electronically to remote sales offices and external partners. Intermediaries and consumers can access the inventory and can make and confirm reservations.
b) CRSs enable principals to control, promote and sell their products globally, while facilitating their yield management. In addition, they integrate the entire range of business functions, and thus can contribute to principals' profitability and long-term prosperity.
c) CRSs often charge competitive commission rates in comparison with other distribution options, whilst enabling flexible pricing and capacity alterations in order to adjust supply to demand fluctuations.
d) CRSs also reduce communication costs, while providing intelligence on demand patterns and on the position of partners and competitors.
Hence, CRSs contribute enormously to both the operational and strategic management of the industry.

Global Distribution Systems (GDSs)


A global distribution system (GDS) is a worldwide computerised reservation network used as a single point of access for reserving airline seats, hotel rooms, rental cars and other travel-related items by travel agents, online reservation sites and large corporations. The terms automated reservation system (ARS) and computerised reservation system (CRS) are sometimes used loosely for the same thing. A GDS is a means of booking airline seats, car hire, hotel rooms and cruises electronically, used only by travel professionals (mostly agents). An Internet distribution system (IDS), on the other hand, is a means of booking the same services by channelling potential end-user bookers (self-bookers) via the existing GDS or directly over the Internet. Together GDS and IDS form part of the electronic distribution system (EDS); other EDS channels include e-commerce sites and call centres (with call centre reservation and support services) for hotels without a PMS.

Historical Development of GDS


Initially, airlines operated their own CRSs because passengers were relatively few. As demand for air travel increased and schedules grew more complex, this became impractical. The technology behind today's GDSs has been in use since the 1940s and has been enhanced and refined over the decades: the ancestor of the GDS, the experimental electromechanical Reservisor, was introduced by American Airlines in 1946. Development continued, but it was not until the mid-1980s that GDSs usable by almost every airline, with wide geographical coverage, emerged. A range of other tourism products, such as accommodation, car rental, train and ferry ticketing and entertainment, was then incorporated. GDS technology today is commonly used by airlines, travel agencies and travel-booking websites, and also by several passenger train companies and hotel chains, so that clients can make multiple bookings for various tickets and locations.

GDS Performance
A global distribution system holds all pertinent data relating to a booking. It stores the client's name, ticket details, fare tariffs and the schedule of flights. This information is entered into a supplier's own system and is then automatically sent to the GDS. GDSs also allow airlines and hotels to market themselves: by entering available flights or rooms into the system, unsold inventory is immediately brought to the attention of thousands of customers, which lets business owners reach new clients with relatively little footwork. GDS technology is simple to use. When an individual or business enters travel details such as dates and cities, the system pulls up a list of available tickets and ticket classes for purchase. If a flight is not direct and requires a change of planes, the system finds corresponding connecting flights from a selection of carriers, and the user can then select and purchase the flights. In addition to storing passenger data, the system records special service requests, such as meal preferences or seating requirements, and additional data such as a customer's membership in a loyalty programme. In this way a GDS helps small businesses compete on an equal footing with large hotel chains.
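The search described above (direct flights first, otherwise connecting flights with an adequate change time) is the core of what a GDS does with its schedule data. The following is an added example written for this page, not code from Amadeus, Sabre or any other GDS: it runs a depth-first search over a small constructed schedule, accepting a connection only when the second leg departs at least 60 minutes and at most 6 hours after the first leg arrives, and never revisits an airport. The carriers, flight numbers, airports and times are invented, and the connection limits are assumptions; real systems apply carrier- and airport-specific minimum connection times.

```python
"""Added example (not from the course text or any real GDS): direct and
connecting itinerary search over a constructed flight schedule."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Flight:
    carrier: str
    number: str
    origin: str
    dest: str
    dep: datetime
    arr: datetime

def find_itineraries(schedule, origin, dest, travel_date, max_legs=2,
                     min_connect=timedelta(minutes=60),
                     max_layover=timedelta(hours=6)):
    """Return itineraries (lists of Flight) from origin to dest whose first
    leg departs on travel_date. A connection is accepted only if the next leg
    departs at least min_connect and at most max_layover after the previous
    leg arrives; airports are never revisited. Direct flights sort first,
    then earlier arrivals."""
    results = []

    def extend(path, visited):
        last = path[-1]
        if last.dest == dest:
            results.append(path)
            return
        if len(path) >= max_legs:
            return
        for f in schedule:
            if f.origin != last.dest or f.dest in visited:
                continue
            if min_connect <= f.dep - last.arr <= max_layover:
                extend(path + [f], visited | {f.dest})

    for f in schedule:
        if f.origin == origin and f.dep.date() == travel_date:
            extend([f], {origin, f.dest})
    results.sort(key=lambda it: (len(it), it[-1].arr))
    return results

def describe(itinerary):
    return " -> ".join(f"{f.carrier}{f.number} {f.origin}-{f.dest}" for f in itinerary)

# Constructed schedule for one travel date (invented carriers and times).
TRAVEL_DATE = datetime(2024, 6, 1).date()

def _t(hour, minute):
    return datetime(2024, 6, 1, hour, minute)

SCHEDULE = [
    Flight("AI", "101", "DEL", "BOM", _t(6, 0), _t(8, 10)),     # direct
    Flight("XY", "201", "DEL", "HYD", _t(7, 0), _t(9, 0)),
    Flight("XY", "202", "HYD", "BOM", _t(10, 30), _t(12, 0)),   # 90 min change: accepted
    Flight("ZZ", "303", "HYD", "BOM", _t(9, 30), _t(11, 0)),    # 30 min change: too short
    Flight("XY", "205", "DEL", "BLR", _t(8, 0), _t(10, 45)),
    Flight("XY", "206", "BLR", "BOM", _t(20, 0), _t(21, 40)),   # 9 h 15 layover: too long
    Flight("XY", "207", "BOM", "DEL", _t(13, 0), _t(15, 10)),   # return leg, not usable here
]

def demo():
    return [describe(it) for it in find_itineraries(SCHEDULE, "DEL", "BOM", TRAVEL_DATE)]
```

demo() returns the direct AI101 and the XY201/XY202 connection; ZZ303 is rejected for too short a change time and XY206 for too long a layover. Raising max_legs or widening the connection window changes the result set, which is exactly the kind of rule a GDS lets an agent tune when a direct flight is unavailable.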

Premier GDS
The four major GDSs are Amadeus, Galileo, Sabre and Worldspan, owned and operated as joint ventures by major airlines, car rental firms and hotel groups. Other GDSs include Abacus, PARS, Travelsky, Patheo, KIU and Shares.

a) Amadeus: Amadeus was founded in 1987 by Air France, Iberia, Lufthansa and SAS. It is the youngest of the four GDS companies and has a large European representation. Its data network and database, among the largest of their kind in Europe, serve more than 57,000 travel agency locations and more than 10,500 airline sales offices in some 200 markets worldwide, and provide access to approximately 58,000 hotels and 50 car rental companies serving some 24,000 locations. Having acquired e-Travel, Inc. from Oracle Corporation in July 2001, Amadeus now has a business unit dedicated to delivering solutions to e-commerce players worldwide.

b) Galileo: Galileo International was founded in 1993 by 11 major North American and European airlines. In October 2001 Cendant Corporation acquired Galileo International for approximately $1.8 billion in common stock and cash. It serves travel agencies at approximately 45,000 locations and connects them to 500 airlines, 227 hotel companies, 33 car rental companies and 368 tour operators in North America, Europe, the Middle East, Africa and the Asia/Pacific region.

c) Sabre: Sabre was developed by American Airlines together with IBM and came into operation in the early 1960s. It is represented in 45 countries as a leading provider of technology for the travel industry. In July 1996, Sabre became a separate legal entity within AMR (the parent company of American Airlines). Sabre connects more than 60,000 travel agency locations around the world with 400 airlines, 55,000 hotel properties, 52 car rental companies, 9 cruise lines, 33 railroads and 229 tour operators.

d) Worldspan: Worldspan was founded on 7 February 1990 and was originally owned by affiliates of Delta Air Lines, Inc., Northwest Airlines and TWA. It has developed the strategies, solutions and services to secure its long-term position in web-based travel distribution. Worldspan currently serves 20,021 travel agencies in nearly 90 countries and territories, and connects approximately 421 airlines, 210 hotel companies, 40 car rental companies, 39 tour and vacation operators and 44 special travel service suppliers.

IT for achieving competitive edge in tourism industry


INTRODUCTION
The technological revolution of the 1990s brought many new opportunities and challenges for the tourism and hospitality industries. Since tourism is a global industry, information is its life-blood, and technology has become fundamental to the industry's ability to operate effectively and competitively. Poon (1993) suggests that the whole system of information technologies is being rapidly diffused throughout the tourism and hospitality industry and that no player will escape its impacts.

Importance of IT in tourism Sector


Information is the blood in the supply chain of tourism. In the so-called 'new economy', information is digitised and delivered over large networks. IT has revolutionised supply-chain management, for example by giving consumers information about tourist destinations and their main attractions.

IT is a tool for change, providing the opportunity for unprecedented flexibility, collaboration and speed. It is an ideal platform for the travel and tourism industry to bring information about tourism products and services to customers all over the world in a direct, cost-minimising and time-effective way. Market wisdom today suggests that hospitality companies must embrace technology to compete against traditional competitors as well as new entrants that build their businesses on the latest technology. In this changing environment, new models of distribution must be designed to lead the charge. A strategic information management function should support the business mission of its enterprise through managed information, managed processes and managed information technology (IT).

Broadly, current applications of computer technology in the tourism and hospitality industries can be grouped into three main areas: operational, guest services and management information. The overall functionality of these applications is similar across a range of hospitality organisations, though the technology used to support them varies. Large city-centre hotels, for instance, have tended to run their property management system (PMS) on minicomputers, with microcomputers employed elsewhere.

The diffusion of the system of information technologies in tourism and hospitality will increase the efficiency, quality and flexibility with which travel services are supplied. It has already led to new services, such as online brochures and interactive videotext. Technology has its greatest impact on the marketing and distribution of travel, but leaves relatively untouched the human-intensive areas of guest-host relations and supplier-consumer relationships. Information technologies applied to the tourism system will increase the efficiency and quality of the services provided and lead to new combinations of tourism services. All this can be achieved without changing the manifest human 'high-touch' content of travel. It is the systematic use of the system of information technologies by all tourism suppliers, together with its profound impact on the travel industry, which creates the foundation for a new tourism best practice and a total system of wealth creation.

Information and communication technology can be used not only for operational purposes, but also for
tactical and strategic management. This empowers tourism and hospitality enterprises to communicate
directly and more efficiently with prospective customers and suppliers as well as to achieve competitive
advantage.

IT has transformed distribution of the tourism product to form an electronic market-place where access to
information is instantly achievable. Principals and consumers continue to experience unprecedented
interactivity. The dramatic ongoing development of the Internet has resulted in the re-engineering of the
entire production and distribution process for tourism products. As a consequence of this technological
explosion, the packaging of tourism is becoming much more individualistic, leading inevitably to a certain
degree of channel disintermediation, a process that will offer new opportunities and threats to all tourism
partners.

Skill Upgradation and redeployment of staff as result of computerisation

A proactive approach to training needs assessment in any organisation has to look clearly at training requirements from a future perspective and not merely deal with the day-to-day performance problems of employees. The long-term vision of an organisation may envisage plans for expansion, modernisation, technology upgrading, improvement in systems and procedures, etc. Such developments would over the years require considerable inputs and services from various functions or departments. The following aspects are generally considered important by many organisations in today's competitive environment:

 Reviewing and updating individual and departmental objectives.
 Re-training and re-deployment for effective utilisation of manpower.
 Training for computerisation.
 Multi-skilling for flexibility of re-deployment.
 Appraising and helping employees to improve their performance.
 Career development prospects and opportunities for the employees.
 Training and continuous learning experience.
 Developing team skills and empowerment for improved performance.
 Encouraging employee participation for maintaining harmonious industrial relations.
IT Outsourcing

IT outsourcing, or buying IT-related functions as a service from a third-party instead of performing the
functions in-house, is one way organizations can reduce the time and money spent on infrastructure and
operations and dedicate more resources to strategic business initiatives.

The point of IT outsourcing is to get the best possible technology and service at the lowest possible cost.

What IT can be outsourced?


Computer or Internet-related work such as:

 Software development
 Help desk – on-site or remote via phone or web
 Email
 Virus, spam and other online threat protection
 Website hosting
 Managed server hosting or managed application hosting
 Infrastructure — i.e., hardware, software and network installation and support
 Disaster recovery
 Data center functions like data processing and storage
 Data back-up, recovery and transfers
 Strategic planning and asset management

Types of IT outsourcing
These five types of IT outsourcing offer businesses a number of options when contemplating outsourcing
some or all of their IT functions:

1. Offshore outsourcing – sending IT-related work to a company in a foreign country that offers political
stability, lower labor costs and tax savings; India, China and the Philippines are popular offshore
outsourcing countries.
2. Nearshore outsourcing – sending IT-related work to a company in a country that shares a border with your
own; presumably, it is easier to travel between the two and for the company and the provider to
communicate with one another.
3. Onshore or domestic outsourcing – contracting with a third party located in the same country to provide IT-
related work, off-site or in-house.
4. Cloud Computing – contracting with a third party to provide IT-related functions over the Internet or a
proprietary network. Examples include Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-
a-Service.
5. Managed Services – contracting with a third party to provide network management functions including IP
telephony, messaging and call centres, virtual private networks (VPNs), firewalls, and the monitoring of and
reporting on network activity. In this type of arrangement the provider also takes over part of the organisation's
security function, so the scope of security monitoring, the provider's security certifications and its reporting
obligations need to be spelled out in the contract rather than assumed.

Reasons for IT Outsourcing

According to the Outsourcing Institute's Outsourcing Index 2000, there are many reasons why companies
outsource. Here are some of the top reasons:

1. Reduce and control operating costs. When you outsource, you eliminate the costs associated with
hiring an employee, such as management oversight, training, health insurance, employment taxes,
retirement plans etc.
2. Improve company focus. It is neither practical, nor possible to be a jack of all trades. Outsourcing
lets you focus on your core competencies while another company focuses on theirs.
3. Gain access to exceptional capabilities. Your return on investment is so much greater when you
outsource information technology to a firm that specializes in the areas you need. Instead of just the
knowledge of one person, you benefit from the collective experience of a team of IT professionals.
Outsourced IT companies usually require their IT staff to have proper industry training and
certifications as well.
4. Free internal resources for other purposes. You may have someone in your office who is pretty good
with computers or accounting, but most likely that is not the job he or she was hired to do. If they spend
their time taking care of these things, who is doing what they were hired to do? Outsourcing allows you to
retain employees for their highest and best use, rather than have them spend time on tasks that take them
longer than someone trained in those specific areas.
5. Resources are not available internally. On the flip side, maybe you don't have anyone in your
company who can manage your IT needs, and hiring a new employee is not in the budget.
Outsourcing can be a feasible alternative, both for the interim and for the long-term.
6. Maximize restructuring benefits. When you are restructuring your company to improve costs,
quality, service, or speed, your non-core business functions may get pushed aside. They still need to
be handled, however, and outsourcing is an optimal way to do this. Don't sabotage your
restructuring efforts by failing to keep up with non-core needs.
7. Function difficult to manage or out of control. This is definitely a scenario when outsourcing to
experts can make a big difference. But don't make the mistake of thinking you can forget about the
problem now that it's being "handled." You still need to be involved even after control is regained.
8. Make capital funds available. By outsourcing non-core business functions, you can spend your
capital funds on items that are directly related to your product or your customers.
9. Reduce Risk. Keeping up with technology required to run your business is expensive and time
consuming. Because professional outsourced IT providers work with multiple clients and need to
keep up on industry best practices, they typically know what is right and what is not. This kind of
knowledge and experience dramatically reduces your risk of implementing a costly wrong decision.

Advantages of IT outsourcing
The benefits of IT outsourcing listed below help companies free up internal resources and redirect them
toward growth opportunities.

 Reduced costs, resulting from fewer capital investments and staffing requirements, less overhead, volume
price breaks, bulk purchasing and leasing options for hardware, software and licences, and potentially easier
compliance with government regulations.
 On-demand access to the latest technology. Software and hardware become obsolete rapidly in this industry,
and one staff person cannot keep up with everything; outsourcing gives you the benefit of more than one IT
professional, and since IT is the provider's core competency it can give sound advice on putting your IT
budget to work.
 Higher level of service, as defined in the contract.
 Predictable expenses from flat fees and subscription-based pricing models.
 Faster product launches, due to increased focus and easier access to the technology needed to bring
products to market.
 High quality of staff. Since IT is their core competency, outsourced IT vendors hire staff with specific
qualifications and certifications, whereas an organisation hiring a full-time IT employee may not know what to
look for and may hire the wrong person.
 Flexibility. Vendors have multiple resources available to them, while internal staff may have limited
resources and capabilities.
 Job security and burnout reduction for regular employees. Using an outsourced IT company removes the
burden from staff who have taken on more than they were hired for because "someone needs to do it", and
lets employees do what they do best and what they were hired to do.

Disadvantages of IT outsourcing
While the cost savings and other potential benefits of outsourcing can be a great temptation, it’s wise to be
cautious. Rushing into an agreement may mean trouble down the line. Here are some pitfalls to be aware
of:

 High turnover on project teams
 Possibility of rushing in unprepared when lured by the prospect of saving money
 Loss of institutional knowledge
 Loss of direct control over project management
 Exposure of sensitive data: the provider's staff and systems now handle it (in hospitality, the guest
identity and payment card data held in the PMS, CRS and POS), so access rights, data handling and audit
obligations must be fixed in the contract
 Increased liability for, and difficulty establishing, regulatory compliance
 Possible delays caused by the physical distance between client and service provider, and
 Verbal and written communication barriers if outsourcing to a foreign company.

Understanding the pros and cons of IT outsourcing and the ramifications of sending a job outside the
organization are both vitally important. Before making the final decision, consider whether outsourcing
critical IT functions will actually resolve any issues the company may be having, and investigate the risks
associated with outsourcing these functions.

IT outsourcing trends
While IT outsourcing is a business strategy that has been around for years, increasingly businesses are
multi-sourcing, or contracting with more than one company to provide IT-related functions. A multi-
vendor approach helps them get the most value for their money and the highest level of service possible.

Additionally, the popularity of cloud computing has grown rapidly in recent years. It is yet another type of
outsourcing made possible by advancements in technology – namely virtualization. It is particularly
advantageous for software companies – who can access development tools without shelling out a lot of
cash – and for companies with massive data storage requirements and large mobile workforces that need to
access that data while off-site.

CYBER CRIME AND CYBER LAW
What is a cyber crime?
Cyber crime is a generic term that refers to all criminal activities carried out using computers, the Internet,
cyberspace and the World Wide Web. There is no fixed definition of cyber crime. Indian law does not define the
term 'cyber crime'; in fact the Indian Penal Code does not use the term at any point, even after its amendment by
the Information Technology (Amendment) Act 2008, the Indian cyber law. "Cyber security", however, is defined in
Section 2(1)(nb) of the Information Technology Act as protecting information, equipment, devices, computer,
computer resource, communication device and information stored therein from unauthorised access, use,
disclosure, disruption, modification or destruction.

A generalised definition of cyber crime may be “unlawful acts wherein the computer is either a tool or a
target or both”.
A cyber criminal is a person who commits an illegal act with guilty intent in the context of cyber crime.
Cyber criminals may be financially motivated criminals, organised hacker groups, discontented employees
or cyber terrorists. Cyber crime can include everything from non-delivery of goods or services and
computer intrusions (hacking) to intellectual property rights abuses, economic espionage (theft of trade
secrets), online extortion, international money laundering, identity theft, and a growing list of other
Internet-facilitated offences.

Cybercrime can be committed against an individual or a group, and also against government and private
organisations. It may be intended to damage someone's reputation or to cause physical or even mental
harm, and the harm to the victim may be direct or indirect. The largest threat posed by cybercrime,
however, is to the financial security of individuals and of governments: cybercrime causes losses of
billions of US dollars every year.

CYBER LAW

What is Cyber Law?


Cyber law is a term used to describe the legal issues related to the use of communications technology,
particularly “cyberspace”, i.e. the Internet. It is less a distinct field of law, in the way that property
or contract law are, than an intersection of many legal fields, including intellectual property, privacy,
freedom of expression, and jurisdiction. In essence, cyber law is an attempt to apply laws designed for the
physical world to human activity on the Internet. In India, the IT Act, 2000 as amended by the IT
(Amendment) Act, 2008 is known as the cyber law. The Information Technology Act, 2000 is the parent
legislation that deals with issues related to the use of computers, computer systems, computer networks
and the Internet. It has a separate Chapter XI entitled “Offences” in which various cyber crimes have been
declared penal offences punishable with imprisonment and fine.
Cyberlaw is the area of law that deals with the Internet's relationship to technological and electronic
elements, including computers, software, hardware and information systems (IS).

Cyberlaw is also known as Cyber Law or Internet Law.

Cyberlaws prevent or reduce large scale damage from cybercriminal activities by protecting information
access, privacy, communications, intellectual property (IP) and freedom of speech related to the use of the
Internet, websites, email, computers, cell phones, software and hardware, such as data storage devices.

The increase in Internet traffic has led to a higher proportion of legal issues worldwide. Because cyberlaws
vary by jurisdiction and country, enforcement is challenging, and restitution ranges from fines to
imprisonment.

Cyber law can be considered as a part of the overall legal system that deals with the Internet, E-commerce,
digital contracts, electronic evidence, cyberspace, and their respective legal issues. Cyber law covers a
fairly broad area, encompassing several subtopics including freedom of expression, data protection, data
security, digital transactions, electronic communication, access to and usage of the Internet, and online
privacy.

The Indian Information Technology Act was passed in 2000 (the “IT Act”). Even so, many companies are
still uninformed of the strict provisions of the law. The rising use of information and communication
technology has given rise to serious compliance concerns which, if ignored, may attract civil and
criminal sanctions.

All companies engaged in cyber business are required to comply with the requirements of the law. There
are quite a few cyber law firms in India that have contributed much to the growth and development of
Indian cyber law.

Importance of Cyberlaw

Cyberlaw is vital because it touches almost all aspects of transactions and behaviour on and concerning
the Internet, the World Wide Web and cyberspace. At first it may seem that cyberlaw is a very technical
field with no bearing on most activities in cyberspace, but nothing could be further from the truth.
Whether we realise it or not, every action and every reaction in cyberspace has some legal and cyber-legal
perspective.

India introduced the law relatively recently, and every law needs time to mature and grow. It was
understood that over a period of time it would develop and that further amendments would be brought in
to align it with international standards. It is significant to realise that we need “qualitative law” and
not “quantitative laws”.

Such crimes may threaten a nation's security and financial health. Issues surrounding this type of crime
have become high-profile, particularly those surrounding cracking and copyright infringement. There are
also problems of privacy when private information is lost or intercepted, lawfully or otherwise.

Cyber crimes can involve criminal activities that are traditional in nature, such as fraud, forgery, theft,
mischief and defamation all of which are subject to the Indian Penal Code. The abuse of computers has
also given birth to a range of new age crimes that are addressed by the Information Technology Act, 2000.

THE INFORMATION TECHNOLOGY ACT, 2000 - INDIA'S FIRST CYBERLAW

THE ACT PROVIDES FOR:

Ø Legal recognition of electronic documents.

Ø Legal recognition of electronic commerce transactions.

Ø Admissibility of electronic data/evidence in a court of law (also see articles on Admissibility &
Enforcement of Electronic Evidence).

Ø Legal acceptance of digital signatures.

Ø Punishment for cyber obscenity and other cyber crimes.

Ø Establishment of the Cyber Regulations Advisory Committee and the Cyber Regulations Appellate Tribunal.

Ø Facilitation of electronic filing and maintenance of electronic records.

Objectives of IT Act, 2000

 To give legal recognition to any transaction done electronically or over the Internet.
 To give legal recognition to digital signatures for accepting any agreement via computer.
 To provide the facility of filing documents online, for example relating to school admission or
registration in an employment exchange.
 To allow any company to store its data in electronic form.
 To stop computer crime and protect the privacy of Internet users.
 To give legal recognition to the keeping of books of accounts by bankers and other companies in
electronic form.
 To amend the Indian Penal Code, the Indian Evidence Act and the Reserve Bank of India Act so that
electronic crimes can be dealt with.
According to the Indian IT Act, 2000, the various cyber offences are:

 Tampering with computer source documents.
 Hacking with a computer system.
 Publishing information which is obscene in electronic form.
 Failure to comply with the directions of the Controller.
 Failure of a subscriber to assist in decrypting information when directed by the Controller.
 Unauthorised access to a protected system.
 Penalty for misrepresentation.
 Breach of confidentiality and privacy.
 Publishing a digital signature certificate that is false in certain particulars, etc.
 Offences or contraventions committed outside India (the Act applies to these as well).
 Confiscation.

THE IT ACT 2000 - POSITIVE ASPECTS

Legality of email
 Email is now a valid and legal form of communication in India.
 It can be duly produced and proved in a court of law.

India's strategy for prevention of computer crimes
 Stipulating the offences which constitute computer crimes.
 Identification of domestic criminal law for possible amendment to meet the requirements of
prevention of computer-related crimes.
 Improving international collaboration.
 Effective prosecution under the existing criminal law.
 Adoption and classification of the OECD (Organisation for Economic Co-operation and Development)
guidelines.
 Development of security guidelines and manuals for their implementation.

Crime prevention under the IT Act
 Chapter IX provides for penalties and adjudication.
 Chapter XI provides for offences.

Three Major Categories of Cyber crimes

Cyber crimes against persons

Crimes that happen in the Cyber space against persons include various crimes such as transmission of
child-pornography, cyber harassment, cyber stalking, cyber bullying, cyber defamation, revenge porn,
email spoofing, cracking, carding, sms spoofing, pornography, credit card frauds, online libel / slander,
cyber smearing, trafficking, financial frauds, identity theft, etc.

Cyber crimes against property

Cyber crimes against property include computer vandalism, IPR violations, cyber squatting, typo
squatting, cyber trespass, DDoS attacks, worm attacks, hacking, transmitting viruses, intellectual
property theft, infringement, etc.

Cyber crimes against government

Cyber crimes against government are serious in nature, as they may be treated as acts of war against the
sovereignty of the state. Cyber terrorism, cyber warfare, distribution of pirated software, possession of
unauthorised information and hacking into confidential military data are some of the real dangers that
governments face these days.

The various offences relating to the Internet which have been made punishable under the IT Act and the
IPC are enumerated below:

1. Cyber crimes under the IT Act, 2000:

 Tampering with computer source documents – Sec. 65
 Hacking with computer systems, data alteration – Sec. 66
 Publishing obscene information – Sec. 67
 Unauthorised access to a protected system – Sec. 70
 Breach of confidentiality and privacy – Sec. 72
 Publishing false digital signature certificates – Sec. 73

2. Cyber Crimes under IPC and Special Laws:

 Indian Penal Code (IPC) Sec. 503 – Sending threatening messages by email
 Indian Penal Code (IPC) Sec. 499 – Sending defamatory messages by email
 Indian Penal Code (IPC) Sec. 463 – Forgery of electronic records
 Indian Penal Code (IPC) Sec. 420 – Bogus websites, cyber frauds
 Indian Penal Code (IPC) Sec. 463 – Email spoofing
 Indian Penal Code (IPC) Sec. 383 – Web-Jacking
 Indian Penal Code (IPC) Sec. 500 – E-Mail Abuse

3. Cyber Crimes under the Special Acts:

 Online sale of Arms under Arms Act, 1959


 Online sale of Drugs under Narcotic Drugs and Psychotropic Substances Act, 1985

Types of Cyber Crimes & Cyber Law in India

Types of Cybercrime
Let us now discuss the major types of cybercrime −

Hacking

It is the illegal practice by which a hacker gains unauthorised access to someone's computer system, for
example for personal gain.

Unwarranted mass-surveillance

Mass surveillance means surveillance of a substantial fraction of a group of people by the authority
especially for the security purpose, but if someone does it for personal interest, it is considered as
cybercrime.

Child pornography

It is one of the most heinous crimes that is brazenly practiced across the world. Children are sexually
abused and videos are being made and uploaded on the Internet.

Child grooming

It is the practice of establishing an emotional connection with a child especially for the purpose of child-
trafficking and child prostitution.

Copyright infringement

Copying someone's copyright-protected work without permission and publishing it, for example under
one's own name, is known as copyright infringement.
Money laundering

Money laundering is the practice of disguising the origin of illegally obtained money so that it appears to
come from a legitimate source. It typically involves transfers of money through foreign banks and/or
legitimate businesses; in other words, it moves illegitimately earned money into the legitimate financial
system.

Cyber-extortion

When a hacker hacks someone’s email server, or computer system and demands money to reinstate the
system, it is known as cyber-extortion.

Cyber-terrorism

When someone hacks a government's security system, or intimidates a government or a similarly large
organisation by invading its computer networks in order to advance political or social objectives, it is
known as cyber-terrorism.

Cyber Security
Cyber security is the practice by which information and communication systems are protected from, and
defended against, unauthorised use, modification, exploitation or theft.

Likewise, cyber security is a well-designed technique to protect computers, networks, different programs,
personal data, etc., from unauthorized access.

All sorts of data, whether government, corporate or personal, need strong security; however, some data,
such as that belonging to a government's defence systems, banks or defence research and development
organisations, is highly confidential, and even a small amount of negligence with such data may cause
great damage to the whole nation. Such data therefore needs security at a very high level.

How to Secure Data?


Let us now discuss how to secure data. In order to make your security system strong, you need to pay
attention to the following −

 Security Architecture
 Network Diagram
 Security Assessment Procedure
 Security Policies
 Risk Management Policy
 Backup and Restore Procedures
 Disaster Recovery Plan
 Risk Assessment Procedures

Once you have a complete blueprint of the points mentioned above, you can put better security system to
your data and can also retrieve your data if something goes wrong.

Electronic and digital signatures under the IT Act, 2000

Digital signature means authentication of any electronic record by a subscriber by means of an electronic
method. Electronic signature has also been dealt with under Section 3A of the IT Act, 2000. A subscriber
can authenticate any electronic record by such electronic signature or electronic authentication technique
which is considered reliable.

Intellectual property

According to Wikipedia, “Intellectual property (IP) rights are the legally recognized exclusive rights to
creations of the mind. Under intellectual property law, owners are granted certain exclusive rights to a
variety of intangible assets, such as musical, literary, and artistic works; discoveries and inventions; and
words, phrases, symbols, and designs. Common types of intellectual property rights include copyright,
trademarks, patents, industrial design rights, trade dress, and in some jurisdictions trade secrets”.

Data protection and privacy

The Section 43-A, dealing with compensation for failure to protect data was introduced in the ITAA -2008.
As per this Section, where a body corporate is negligent in implementing reasonable security practices and
thereby causes wrongful loss or gain to any person, such body corporate shall be liable to pay damages by
way of compensation to the person so affected.

Sensitive personal data or information consists of information relating to:

 password;
 financial information such as bank account, credit card, debit card or other payment instrument details;
 physical, physiological and mental health condition;
 sexual orientation;
 medical records and history;
 biometric information;
 any detail relating to the above clauses as provided to a body corporate for providing a service; and
 any of the information received under the above clauses by a body corporate for processing, stored or
processed under a lawful contract.

COMPUTER VIRUS

“A computer virus is malicious software (‘malware’) that can infect a computer by modifying or deleting
data files or the boot sector of a hard disk drive, or by causing a software program to work in an
unexpected manner.”

A computer virus resides on a host computer and can replicate itself when executed. A virus can steal
user data, delete or modify files and documents, and record a user's keystrokes and web sessions. It can
also consume hard disk space and slow down CPU processing.

Definition of Computer Virus

“A computer virus is a program that may disturb the normal working of a computer system.” A virus
attaches itself to files stored on floppy disks, USB drives, email attachments and hard disks. A file
containing a virus is called an infected file. If this file is copied to a computer, the virus is copied
along with it.
Activation of Virus

When a computer virus starts working, this is called the activation of the virus. Many viruses stay
resident and run all the time the computer is on. Different viruses are activated in different ways; many
are activated on a certain date. For example, the well-known “Friday the 13th” virus is activated only
when the date is the 13th and the day is a Friday.

According to Wikipedia, “Computer viruses cause billions of dollars’ worth of economic damage each
year, due to causing systems failure, wasting computer resources, corrupting data, increasing
maintenance costs, etc.”

Damages caused by virus

A computer virus cannot normally damage computer hardware, but it can do many kinds of damage to a
computer system. A virus can:

1. damage data or software on the computer;
2. delete some or all files on the computer system;
3. destroy all the data by formatting the hard drive;
4. display a political or false message from time to time.

Causes of Computer Virus

The following are the main causes of a Computer Virus.

Infected Flash Drives or Disks

Flash drives and disks are among the main means by which viruses spread. They are used to transfer data
from one computer to another, and a virus is copied along with the data when the user copies infected
files using them.

Email Attachments

Many viruses spread through email. An email attachment is a file sent along with an email, and it may be
infected. The virus can spread if the user downloads and opens the attachment; once activated it may
harm the computer, destroying files on the hard disk or automatically sending itself to all email
addresses saved in the address book.

Infected / Pornography websites

Insecure websites can infect a computer with viruses. Many websites offering pornographic material are
set up to spread viruses or other malicious content; the virus is transferred to the user's computer when
this material is downloaded, and some such sites attempt to compromise the computer automatically when
the user visits them.

Networks
Virus can spread if an infected computer is connected to a network. The internet is an example of such
network. When a user downloads a file infected with virus from the internet, the virus is copied to the
computer. It may infect the files stored on the computer.

Pirated Software

An illegal copy of software is called pirated software. Viruses can spread if a user installs pirated
software that contains one. A variety of pirated software is available on CDs and from the Internet. Some
copies have a virus deliberately added which is activated when the software is used without a purchased
licence.

Types of Computer Virus

The following are some well-known viruses.

CodeRed

It is a worm that infects computers running the Microsoft IIS web server. It launched a DoS (denial of
service) attack on the White House's website and allows the attacker to access the infected computer
remotely.

Nimda

It is a worm that spreads itself using several different methods and damages the computer in different
ways: it modifies files, alters security settings and degrades performance.

SirCam

It is distributed as an email attachment. It may delete files, degrade performance and send the files to
anyone.

Melissa

It is a virus that is distributed as an email attachment. It disables several safeguards in MS Word and,
if Microsoft Outlook is installed, mails itself to 50 people from the address book.

Ripper

It corrupts data from the hard disk.

MDMA

It is transferred from one MS Word file to other if both files are in memory.

Concept

It is also transferred as an email attachment. It saves the file in template directory instead of its original
location.

One_Half

It encrypts hard disk so only the virus may read the data. It displays One_Half on the screen when the
encryption is half completed.

Protection from Computer Virus


A computer is much more likely to be infected if an up-to-date antivirus program is not installed, so
antivirus software should be installed and kept current. A computer system can be protected from viruses
by following these precautions.

1. The latest version of an antivirus program and a firewall should be installed on the computer.
2. The antivirus software and its signature database must be updated regularly.
3. USB drives should be scanned for viruses and should not be used on infected computers.
4. Junk or unknown emails should not be opened and should be deleted straight away.
5. Unauthorised or pirated software should not be installed on the computer.
6. An important protection against viruses is a backup of your data. The backup is used if a virus
deletes or modifies data, so back up your data on a regular basis. There are programs that can back
up your data automatically.
7. Freeware and shareware downloaded from the Internet may contain viruses. It is important to scan
such software before using it.
8. Your best protection is your common sense. Never click on suspicious links, never download songs,
videos or files from suspicious websites, and never share your personal data with people you do not
know over the Internet.

CRYPTOGRAPHY

Human being from ages had two inherent needs − (a) to communicate and share information and (b) to
communicate selectively. These two needs gave rise to the art of coding the messages in such a way that
only the intended people could have access to the information. Unauthorized people could not extract any
information, even if the scrambled messages fell in their hand.
The art and science of concealing the messages to introduce secrecy in information security is recognized
as cryptography.
The word ‘cryptography’ combines two Greek words, ‘kryptós’ meaning hidden and ‘gráphein’ meaning
writing.
History of Cryptography
The art of cryptography is considered to be born along with the art of writing. As civilizations evolved,
human beings got organized in tribes, groups, and kingdoms. This led to the emergence of ideas such as
power, battles, supremacy, and politics. These ideas further fuelled the natural need of people to
communicate secretly with selective recipient which in turn ensured the continuous evolution of
cryptography as well.
The roots of cryptography are found in Roman and Egyptian civilizations.
Hieroglyph − The Oldest Cryptographic Technique
The first known evidence of cryptography can be traced to the use of hieroglyphs. Some 4000 years ago,
the Egyptians communicated by messages written in hieroglyphs. This code was a secret known only to
the scribes who transmitted messages on behalf of the kings.

Later, scholars moved on to simple mono-alphabetic substitution ciphers, around 500 to 600 BC. These
replaced each letter of the message with another letter according to some secret rule; that rule became
the key for recovering the message from the garbled text.
An early Roman method of cryptography, popularly known as the Caesar shift cipher, relies on shifting
the letters of a message by an agreed number of positions (three was a common choice); the recipient of
the message shifts the letters back by the same number to obtain the original message.

Steganography
Steganography is related to cryptography but adds another dimension. Here people not only want to
protect the secrecy of a piece of information by concealing its meaning, but also want to make sure that
an unauthorised person finds no evidence that the information even exists, for example by invisible
watermarking.
In steganography, an unintended recipient or intruder is unaware that the observed data contains hidden
information. In cryptography, an intruder is normally aware that data is being communicated, because
they can see the coded/scrambled message.

Evolution of Cryptography
During and after the European Renaissance, various Italian and Papal states led the rapid proliferation
of cryptographic techniques. Various analysis and attack techniques were researched in this era to break
the secret codes.
 Improved techniques such as the Vigenère cipher came into existence in the 16th century. Instead of
moving every letter of the message the same number of places, the shift varies from letter to letter
according to a keyword.
 Only after the 19th century did cryptography evolve from ad hoc approaches to encryption to the
more sophisticated art and science of information security.
 In the early 20th century, the invention of mechanical and electromechanical machines, such as the
Enigma rotor machine, provided more advanced and efficient means of coding information.
 During the period of World War II, both cryptography and cryptanalysis became heavily
mathematical.
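As an added example, not from the original notes, the following Python implements the Caesar shift described earlier and the Vigenère cipher from the list above, and then recovers a Caesar key knowing nothing but the method: it tries all 26 shifts and scores each candidate plaintext against English letter frequencies. The sample message and the frequency table are constructed for the demo. What it shows beyond the text is that a cipher whose only secret is a choice among 26 keys offers no protection once the method is known.

```python
"""Classical ciphers and a frequency-analysis attack (added example, not from the original notes)."""
from string import ascii_uppercase as ALPHABET

# Approximate relative frequency (percent) of each letter A..Z in English text.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
                6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]


def shift_char(ch: str, k: int) -> str:
    """Shift one upper-case letter k places around the alphabet; leave other characters as they are."""
    if ch in ALPHABET:
        return ALPHABET[(ALPHABET.index(ch) + k) % 26]
    return ch


def caesar_encrypt(plaintext: str, k: int) -> str:
    """Caesar shift: every letter moves the same k places (k = 3 was a common choice)."""
    return "".join(shift_char(c, k) for c in plaintext.upper())


def caesar_decrypt(ciphertext: str, k: int) -> str:
    return caesar_encrypt(ciphertext, -k)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Vigenere: the i-th letter is shifted by the i-th key letter, so the shift varies along the text."""
    shifts = [ALPHABET.index(c) for c in key.upper()]
    out, i = [], 0
    for c in plaintext.upper():
        if c in ALPHABET:
            out.append(shift_char(c, shifts[i % len(shifts)]))
            i += 1
        else:
            out.append(c)
    return "".join(out)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Decrypt by encrypting with the complementary key (each shift negated mod 26)."""
    inverse_key = "".join(ALPHABET[(-ALPHABET.index(c)) % 26] for c in key.upper())
    return vigenere_encrypt(ciphertext, inverse_key)


def chi_squared(text: str) -> float:
    """Distance between the letter distribution of `text` and English; lower means more English-like."""
    letters = [c for c in text if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for idx, letter in enumerate(ALPHABET):
        expected = ENGLISH_FREQ[idx] / 100 * n
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def break_caesar(ciphertext: str) -> int:
    """Recover a Caesar key by trying all 26 shifts and keeping the most English-looking candidate.
    The key space is so small that keeping the method secret was the only real protection."""
    return min(range(26), key=lambda k: chi_squared(caesar_decrypt(ciphertext, k)))


# Constructed sample plaintext for the demo.
MESSAGE = ("CRYPTOGRAPHY IS THE ART AND SCIENCE OF CONCEALING MESSAGES "
           "SO THAT ONLY THE INTENDED RECIPIENT CAN READ THEM")

if __name__ == "__main__":
    ct = caesar_encrypt(MESSAGE, 3)
    print("Caesar ciphertext :", ct)
    print("Recovered shift   :", break_caesar(ct))
    print("Vigenere (LEMON)  :", vigenere_encrypt("ATTACK AT DAWN", "LEMON"))
```

The Vigenère cipher defeats this single-shift attack because the shift changes with every letter, which is why it resisted analysis for so long; it falls once the keyword length is guessed and the same frequency test is run on every n-th letter separately.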
With the advances taking place in this field, government organizations, military units, and some corporate
houses started adopting the applications of cryptography. They used cryptography to guard their secrets
from others. Now, the arrival of computers and the Internet has brought effective cryptography within the
reach of common people.
MODERN CRYPTOGRAPHY
Modern cryptography is the cornerstone of computer and communications security. Its foundation is based
on various concepts of mathematics such as number theory, computational-complexity theory, and
probability theory.
Characteristics of Modern Cryptography
There are three major characteristics that separate modern cryptography from the classical approach.
1. Data handled. Classic cryptography manipulates traditional characters, i.e., letters and digits,
directly. Modern cryptography operates on binary bit sequences.
2. Source of secrecy. Classic cryptography is mainly based on ‘security through obscurity’: the
techniques employed for coding were kept secret and only the parties involved in the communication
knew about them. Modern cryptography relies on publicly known mathematical algorithms for coding the
information; secrecy is obtained through a secret key which is used as the seed for the algorithms. The
computational difficulty of the algorithms and the absence of the secret key make it infeasible for an
attacker to obtain the original information even if he knows the algorithm used for coding.
3. What must be kept secret. Classic cryptography requires the entire cryptosystem to be kept secret for
confidential communication. Modern cryptography requires the parties interested in secure
communication to possess only the secret key.
Context of Cryptography
Cryptology, the study of cryptosystems, can be subdivided into two branches −
 Cryptography
 Cryptanalysis

What is Cryptography?
Cryptography is the art and science of making a cryptosystem that is capable of providing information
security.
Cryptography deals with the actual securing of digital data. It refers to the design of mechanisms based on
mathematical algorithms that provide fundamental information security services. You can think of
cryptography as the establishment of a large toolkit containing different techniques in security applications.
What is Cryptanalysis?
The art and science of breaking the cipher text is known as cryptanalysis.
Cryptanalysis is the sister branch of cryptography and they both co-exist. The cryptographic process results
in the cipher text for transmission or storage. It involves the study of cryptographic mechanism with the
intention to break them. Cryptanalysis is also used during the design of the new cryptographic techniques
to test their security strengths.
Note − Cryptography concerns with the design of cryptosystems, while cryptanalysis studies the breaking
of cryptosystems.
Security Services of Cryptography
The primary objective of using cryptography is to provide the following four fundamental information
security services. Let us now see the possible goals intended to be fulfilled by cryptography.
Confidentiality
Confidentiality is the fundamental security service provided by cryptography. It is a security service that
keeps the information from an unauthorized person. It is sometimes referred to as privacy or secrecy.
Confidentiality can be achieved through numerous means starting from physical securing to the use of
mathematical algorithms for data encryption.
Data Integrity
It is a security service that deals with identifying any alteration to the data. The data may be modified
by an unauthorised entity intentionally or accidentally. The integrity service confirms whether the data
is intact since it was last created, transmitted or stored by an authorised user.
Data integrity cannot prevent the alteration of data, but it provides a means of detecting whether data
has been manipulated in an unauthorised manner.
Authentication
Authentication provides identification of the originator. It confirms to the receiver that the data
received has been sent only by an identified and verified sender.
Authentication service has two variants −
 Message authentication identifies the originator of the message without regard to the router or
system that has sent the message.
 Entity authentication is assurance that data has been received from a specific entity, say a
particular website.
Apart from the originator, authentication may also provide assurance about other parameters related to data
such as the date and time of creation/transmission.
Non-repudiation
It is a security service that ensures that an entity cannot refuse the ownership of a previous commitment or
an action. It is an assurance that the original creator of the data cannot deny the creation or transmission of
the said data to a recipient or third party.
Non-repudiation is a property that is most desirable in situations where there are chances of a dispute over
the exchange of data. For example, once an order is placed electronically, a purchaser cannot deny the
purchase order, if non-repudiation service was enabled in this transaction.
Cryptography Primitives
Cryptography primitives are nothing but the tools and techniques in Cryptography that can be selectively
used to provide a set of desired security services −
 Encryption
 Hash functions
 Message Authentication codes (MAC)
 Digital Signatures
Used on its own, each primitive provides the services marked below:

Primitive                      Confidentiality   Integrity   Authentication   Non-repudiation
Encryption                     Yes               No          No               No
Hash function                  No                Yes         No               No
Message Authentication Code    No                Yes         Yes              No
Digital Signature              No                Yes         Yes              Yes

Note − Cryptographic primitives are intricately related and they are often combined to achieve a set of
desired security services from a cryptosystem.

Nowadays, the networks have gone global and information has taken the digital form of bits and bytes.
Critical information now gets stored, processed and transmitted in digital form on computer systems and
open communication channels.
Since information plays such a vital role, adversaries are targeting the computer systems and open
communication channels to either steal the sensitive information or to disrupt the critical information
system.
Modern cryptography provides a robust set of techniques to ensure that the malevolent intentions of the
adversary are thwarted while ensuring the legitimate users get access to information. Here in this chapter,
we will discuss the benefits that we draw from cryptography, its limitations, as well as the future of
cryptography.
Cryptography – Benefits
Cryptography is an essential information security tool. It provides the four most basic services of
information security −
 Confidentiality − Encryption techniques can guard information and communication from
unauthorized revelation and access.
 Authentication − Cryptographic techniques such as MACs and digital signatures can protect
information against spoofing and forgery.
 Data Integrity − Cryptographic hash functions play a vital role in assuring users of data
integrity.
 Non-repudiation − A digital signature provides the non-repudiation service, guarding against a
dispute that may arise when a sender denies having sent a message.
All these fundamental services offered by cryptography have enabled the conduct of business over
networks using computer systems in an extremely efficient and effective manner.
Cryptography – Drawbacks
Apart from the four fundamental elements of information security, there are other issues that affect the
effective use of information −
 Strongly encrypted, authenticated, and digitally signed information can be difficult to access even for
a legitimate user at a crucial time of decision-making. The network or the computer system can be
attacked and rendered non-functional by an intruder.
 High availability, one of the fundamental aspects of information security, cannot be ensured
through the use of cryptography. Other methods are needed to guard against threats such as
denial of service or complete breakdown of the information system.
 Another fundamental need of information security, selective access control, also cannot be
realized through the use of cryptography. Administrative controls and procedures are required to be
exercised for the same.
 Cryptography does not guard against the vulnerabilities and threats that emerge from the poor
design of systems, protocols, and procedures. These need to be fixed through proper design and
setting up of a defensive infrastructure.
 Cryptography comes at a cost. The cost is in terms of time and money −
o Adding cryptographic techniques to information processing introduces delay.
o The use of public key cryptography requires setting up and maintaining a public key
infrastructure, which requires a substantial financial budget.
 The security of a cryptographic technique is based on the computational difficulty of mathematical
problems. Any breakthrough in solving such mathematical problems or increasing the computing
power can render a cryptographic technique vulnerable.
Future of Cryptography
Elliptic Curve Cryptography (ECC) has already been invented, but its advantages and disadvantages are
not yet fully understood. ECC allows encryption and decryption to be performed in drastically less time, thus
allowing a higher amount of data to be passed with equal security. However, like other methods of
encryption, ECC must also be tested and proven secure before it is accepted for governmental, commercial,
and private use.
Quantum computation is the new phenomenon. While modern computers store data using a binary format
called a "bit" in which a "1" or a "0" can be stored, a quantum computer stores data using a quantum
superposition of multiple states. These multiple-valued states are stored in "quantum bits" or "qubits". This
allows the computation of numbers to be several orders of magnitude faster than on traditional transistor
processors.
To comprehend the power of a quantum computer, consider RSA-640, a number with 193 digits, which can
be factored by eighty 2.2 GHz computers over the span of 5 months; one quantum computer would factor it in
less than 17 seconds. Numbers that would typically take billions of years to compute could take only a
matter of hours or even minutes with a fully developed quantum computer.
In view of these facts, modern cryptography will have to look for computationally harder problems or
devise completely new techniques of achieving the goals presently served by modern cryptography.

Cryptosystems

A cryptosystem is an implementation of cryptographic techniques and their accompanying infrastructure to
provide information security services. A cryptosystem is also referred to as a cipher system.

Let us discuss a simple model of a cryptosystem that provides confidentiality to the information being
transmitted. This basic model is depicted in the illustration below −
The illustration shows a sender who wants to transfer some sensitive data to a receiver in such a way that
any party intercepting or eavesdropping on the communication channel cannot extract the data.

The objective of this simple cryptosystem is that at the end of the process, only the sender and the receiver
will know the plaintext.

Components of a Cryptosystem
The various components of a basic cryptosystem are as follows −

 Plaintext. It is the data to be protected during transmission.
 Encryption Algorithm. It is a mathematical process that produces a ciphertext for any given
plaintext and encryption key. It is a cryptographic algorithm that takes plaintext and an encryption
key as input and produces a ciphertext.
 Ciphertext. It is the scrambled version of the plaintext produced by the encryption algorithm using
a specific encryption key. The ciphertext is not guarded. It flows on a public channel. It can be
intercepted or compromised by anyone who has access to the communication channel.
 Decryption Algorithm. It is a mathematical process that produces a unique plaintext for any given
ciphertext and decryption key. It is a cryptographic algorithm that takes a ciphertext and a
decryption key as input, and outputs a plaintext. The decryption algorithm essentially reverses the
encryption algorithm and is thus closely related to it.
 Encryption Key. It is a value that is known to the sender. The sender inputs the encryption key into
the encryption algorithm along with the plaintext in order to compute the ciphertext.
 Decryption Key. It is a value that is known to the receiver. The decryption key is related to the
encryption key, but is not always identical to it. The receiver inputs the decryption key into the
decryption algorithm along with the ciphertext in order to compute the plaintext.

For a given cryptosystem, a collection of all possible decryption keys is called a key space.

An interceptor (an attacker) is an unauthorized entity who attempts to determine the plaintext. He can see
the ciphertext and may know the decryption algorithm. He, however, must never know the decryption key.

Types of Cryptosystems
Fundamentally, there are two types of cryptosystems based on the manner in which encryption-decryption
is carried out in the system −

 Symmetric Key Encryption
 Asymmetric Key Encryption

The main difference between these cryptosystems is the relationship between the encryption and the
decryption key. Logically, in any cryptosystem, both the keys are closely associated. It is practically
impossible to decrypt the ciphertext with the key that is unrelated to the encryption key.

Symmetric Key Encryption

The encryption process where same keys are used for encrypting and decrypting the information is
known as Symmetric Key Encryption.

The study of symmetric cryptosystems is referred to as symmetric cryptography. Symmetric
cryptosystems are also sometimes referred to as secret key cryptosystems.

A few well-known examples of symmetric key encryption methods are − Digital Encryption Standard
(DES), Triple-DES (3DES), IDEA, and BLOWFISH.
Prior to 1970, all cryptosystems employed symmetric key encryption. Even today, its relevance is very
high and it is being used extensively in many cryptosystems. It is very unlikely that this encryption will
fade away, as it has certain advantages over asymmetric key encryption.

The salient features of a cryptosystem based on symmetric key encryption are −

 Persons using symmetric key encryption must share a common key prior to the exchange of
information.
 Keys are recommended to be changed regularly to prevent any attack on the system.
 A robust mechanism needs to exist to exchange the key between the communicating parties. As
keys are required to be changed regularly, this mechanism becomes expensive and cumbersome.
 In a group of n people, to enable two-party communication between any two persons, the number of
keys required for the group is n × (n – 1)/2.
 The key length (number of bits) in this encryption is smaller and hence, the process of encryption-
decryption is faster than with asymmetric key encryption.
 The processing power of the computer system required to run a symmetric algorithm is less.

Challenge of Symmetric Key Cryptosystem

There are two restrictive challenges of employing symmetric key cryptography.

 Key establishment − Before any communication, both the sender and the receiver need to agree on
a secret symmetric key. It requires a secure key establishment mechanism in place.
 Trust Issue − Since the sender and the receiver use the same symmetric key, there is an implicit
requirement that the sender and the receiver ‘trust’ each other. For example, it may happen that the
receiver has lost the key to an attacker and the sender is not informed.

These two challenges are highly restraining for modern day communication. Today, people need to
exchange information with non-familiar and non-trusted parties. For example, a communication between
online seller and customer. These limitations of symmetric key encryption gave rise to asymmetric key
encryption schemes.

Asymmetric Key Encryption

The encryption process where different keys are used for encrypting and decrypting the information is
known as Asymmetric Key Encryption. Though the keys are different, they are mathematically related and
hence, retrieving the plaintext by decrypting ciphertext is feasible. The process is depicted in the following
illustration −
Asymmetric Key Encryption was invented in the 20th century to overcome the necessity of a pre-shared
secret key between communicating persons. The salient features of this encryption scheme are as follows −

 Every user in this system needs to have a pair of dissimilar keys, a private key and a public key.
These keys are mathematically related − when one key is used for encryption, the other can decrypt
the ciphertext back to the original plaintext.
 It requires the public key to be put in a public repository and the private key to be kept as a
well-guarded secret. Hence, this scheme of encryption is also called Public Key Encryption.
 Though the public and private keys of the user are related, it is computationally not feasible to find one
from the other. This is a strength of this scheme.
 When Host1 needs to send data to Host2, he obtains the public key of Host2 from the repository,
encrypts the data, and transmits it.
 Host2 uses his private key to extract the plaintext.
 The key length (number of bits) in this encryption is large and hence, the process of encryption-
decryption is slower than symmetric key encryption.
 The processing power of the computer system required to run an asymmetric algorithm is higher.

Symmetric cryptosystems are a natural concept. In contrast, public-key cryptosystems are quite difficult to
comprehend.

You may wonder how the encryption key and the decryption key can be ‘related’, and yet it is impossible to
determine the decryption key from the encryption key. The answer lies in the mathematical concepts. It is
possible to design a cryptosystem whose keys have this property. The concept of public-key cryptography
is relatively new. There are fewer public-key algorithms known than symmetric algorithms.

Challenge of Public Key Cryptosystem

Public-key cryptosystems have one significant challenge − the user needs to trust that the public key that he
is using in communications with a person really is the public key of that person and has not been spoofed
by a malicious third party.

This is usually accomplished through a Public Key Infrastructure (PKI) consisting of a trusted third party. The
third party securely manages and attests to the authenticity of public keys. When the third party is
requested to provide the public key for any communicating person X, they are trusted to provide the correct
public key.

The third party satisfies itself about user identity by the process of attestation, notarization, or some other
process − that X is the one and only, or globally unique, X. The most common method of making the
verified public keys available is to embed them in a certificate which is digitally signed by the trusted third
party.

Relation between Encryption Schemes

A summary of basic key properties of the two types of cryptosystems is given below −

                        Symmetric Cryptosystems    Public Key Cryptosystems
Relation between Keys   Same                       Different, but mathematically related
Encryption Key          Symmetric                  Public
Decryption Key          Symmetric                  Private

Due to the advantages and disadvantage of both the systems, symmetric key and public-key cryptosystems
are often used together in the practical information security systems.

Kerckhoff’s Principle for Cryptosystem

In the 19th century, a Dutch cryptographer A. Kerckhoff furnished the requirements of a good
cryptosystem. Kerckhoff stated that a cryptographic system should be secure even if everything about the
system, except the key, is public knowledge. The six design principles defined by Kerckhoff for a
cryptosystem are −

 The cryptosystem should be unbreakable practically, if not mathematically.
 Falling of the cryptosystem into the hands of an intruder should not lead to any compromise of the
system, so that the user suffers no inconvenience.
 The key should be easily communicable, memorable, and changeable.
 The ciphertext should be transmissible by telegraph, an unsecure channel.
 The encryption apparatus and documents should be portable and operable by a single person.
 Finally, it is necessary that the system be easy to use, requiring neither mental strain nor the
knowledge of a long series of rules to observe.

The second rule is currently known as Kerckhoff principle. It is applied in virtually all the contemporary
encryption algorithms such as DES, AES, etc. These public algorithms are considered to be thoroughly
secure. The security of the encrypted message depends solely on the security of the secret encryption key.

Keeping the algorithms secret may act as a significant barrier to cryptanalysis. However, keeping the
algorithms secret is possible only when they are used in a strictly limited circle.

In the modern era, cryptography needs to cater to users who are connected to the Internet. In such cases, using
a secret algorithm is not feasible; hence Kerckhoff's principles became essential guidelines for designing
algorithms in modern cryptography.

Cryptographic Attacks
The basic intention of an attacker is to break a cryptosystem and to find the plaintext from the ciphertext.
To obtain the plaintext, the attacker only needs to find out the secret decryption key, as the algorithm is
already in public domain.

Hence, he applies maximum effort towards finding out the secret key used in the cryptosystem. Once the
attacker is able to determine the key, the attacked system is considered as broken or compromised.

Based on the methodology used, attacks on cryptosystems are categorized as follows −

 Ciphertext Only Attacks (COA) − In this method, the attacker has access to a set of ciphertext(s).
He does not have access to the corresponding plaintext. COA is said to be successful when the
corresponding plaintext can be determined from a given set of ciphertext. Occasionally, the
encryption key can be determined from this attack. Modern cryptosystems are guarded against
ciphertext-only attacks.
 Known Plaintext Attack (KPA) − In this method, the attacker knows the plaintext for some parts
of the ciphertext. The task is to decrypt the rest of the ciphertext using this information. This may
be done by determining the key or via some other method. The best example of this attack is linear
cryptanalysis against block ciphers.
 Chosen Plaintext Attack (CPA) − In this method, the attacker has the text of his choice encrypted.
So he has the ciphertext-plaintext pair of his choice. This simplifies his task of determining the
encryption key. An example of this attack is differential cryptanalysis applied against block ciphers
as well as hash functions. A popular public key cryptosystem, RSA, is also vulnerable to chosen-
plaintext attacks.
 Dictionary Attack − This attack has many variants, all of which involve compiling a ‘dictionary’.
In the simplest method of this attack, the attacker builds a dictionary of ciphertexts and corresponding
plaintexts that he has learnt over a period of time. In future, when the attacker gets a ciphertext, he
refers to the dictionary to find the corresponding plaintext.
 Brute Force Attack (BFA) − In this method, the attacker tries to determine the key by attempting
all possible keys. If the key is 8 bits long, then the number of possible keys is 2^8 = 256. The attacker
knows the ciphertext and the algorithm; now he attempts all 256 keys one by one for decryption.
The time to complete the attack would be very high if the key is long.
 Birthday Attack − This attack is a variant of the brute-force technique. It is used against
cryptographic hash functions. When students in a class are asked about their birthdays, the answer is
one of the possible 365 dates. Let us assume the first student's birthdate is 3rd Aug. Then to find the
next student whose birthdate is 3rd Aug, we need to enquire 1.25*√365 ≈ 25 students.

Similarly, if the hash function produces 64-bit hash values, the possible hash values are 1.8 x 10^19.
By repeatedly evaluating the function for different inputs, the same output is expected to be
obtained after about 5.1 x 10^9 random inputs.

If the attacker is able to find two different inputs that give the same hash value, it is a collision and
that hash function is said to be broken.

 Man in Middle Attack (MIM) − The targets of this attack are mostly public key cryptosystems
where key exchange is involved before communication takes place.
o Host A wants to communicate to host B, hence requests public key of B.
o An attacker intercepts this request and sends his public key instead.
o Thus, whatever host A sends to host B, the attacker is able to read.
o In order to maintain communication, the attacker re-encrypts the data after reading with his
public key and sends to B.
o The attacker sends his public key as A’s public key so that B takes it as if it is taking it from
A.
 Side Channel Attack (SCA) − This type of attack is not against any particular type of
cryptosystem or algorithm. Instead, it is launched to exploit the weakness in physical
implementation of the cryptosystem.
 Timing Attacks − They exploit the fact that different computations take different times to compute
on a processor. By measuring such timings, it may be possible to learn about a particular computation
the processor is carrying out. For example, if the encryption takes a longer time, it indicates that the
secret key is long.
 Power Analysis Attacks − These attacks are similar to timing attacks except that the amount of
power consumption is used to obtain information about the nature of the underlying computations.
 Fault analysis Attacks − In these attacks, errors are induced in the cryptosystem and the attacker
studies the resulting output for useful information.

CRYPTOGRAPHY DIGITAL SIGNATURES

Digital signatures are the public-key primitives of message authentication. In the physical world, it
is common to use handwritten signatures on handwritten or typed messages. They are used to bind
signatory to the message.
Similarly, a digital signature is a technique that binds a person/entity to the digital data. This binding can be
independently verified by receiver as well as any third party.
Digital signature is a cryptographic value that is calculated from the data and a secret key known only by
the signer.
In real world, the receiver of message needs assurance that the message belongs to the sender and he
should not be able to repudiate the origination of that message. This requirement is very crucial in business
applications, since likelihood of a dispute over exchanged data is very high.
Model of Digital Signature
As mentioned earlier, the digital signature scheme is based on public key cryptography. The model of
digital signature scheme is depicted in the following illustration −

The following points explain the entire process in detail −

 Each person adopting this scheme has a public-private key pair.
 Generally, the key pairs used for encryption/decryption and signing/verifying are different. The
private key used for signing is referred to as the signature key and the public key as the verification
key.
 Signer feeds data to the hash function and generates hash of data.
 Hash value and signature key are then fed to the signature algorithm which produces the digital
signature on given hash. Signature is appended to the data and then both are sent to the verifier.
 Verifier feeds the digital signature and the verification key into the verification algorithm. The
verification algorithm gives some value as output.
 Verifier also runs same hash function on received data to generate hash value.
 For verification, this hash value and output of verification algorithm are compared. Based on the
comparison result, verifier decides whether the digital signature is valid.
 Since digital signature is created by ‘private’ key of signer and no one else can have this key; the
signer cannot repudiate signing the data in future.
It should be noted that, instead of signing the data directly with the signing algorithm, usually a hash of the
data is created. Since the hash of the data is a unique representation of the data, it is sufficient to sign the hash
in place of the data. The most important reason for using the hash instead of the data directly for signing is the
efficiency of the scheme.
Let us assume RSA is used as the signing algorithm. As discussed in the public key encryption chapter, the
encryption/signing process using RSA involves modular exponentiation.
Signing large data through modular exponentiation is computationally expensive and time consuming. The
hash of the data is a relatively small digest of the data, hence signing a hash is more efficient than
signing the entire data.
Importance of Digital Signature
Out of all cryptographic primitives, the digital signature using public key cryptography is considered a
very important and useful tool to achieve information security.
Apart from the ability to provide non-repudiation of a message, the digital signature also provides message
authentication and data integrity. Let us briefly see how this is achieved by the digital signature −
 Message authentication − When the verifier validates the digital signature using the public key of a
sender, he is assured that the signature has been created only by the sender who possesses the corresponding
secret private key and no one else.
 Data Integrity − In case an attacker has access to the data and modifies it, the digital signature
verification at the receiver's end fails. The hash of the modified data and the output provided by the
verification algorithm will not match. Hence, the receiver can safely reject the message, assuming that
data integrity has been breached.
 Non-repudiation − Since it is assumed that only the signer has knowledge of the signature key,
only he can create a unique signature on given data. Thus the receiver can present the data and the
digital signature to a third party as evidence if any dispute arises in the future.
By adding public-key encryption to digital signature scheme, we can create a cryptosystem that can provide
the four essential elements of security namely − Privacy, Authentication, Integrity, and Non-repudiation.
Encryption with Digital Signature
In many digital communications, it is desirable to exchange encrypted messages rather than plaintext to
achieve confidentiality. In a public key encryption scheme, the public (encryption) key of the sender is available in
the open domain, and hence anyone can spoof his identity and send any encrypted message to the receiver.
This makes it essential for users employing PKC for encryption to seek digital signatures along with the
encrypted data to be assured of message authentication and non-repudiation.
This can be achieved by combining digital signatures with the encryption scheme. Let us briefly discuss how to
achieve this requirement. There are two possibilities, sign-then-encrypt and encrypt-then-sign.
However, a cryptosystem based on sign-then-encrypt can be exploited by the receiver to spoof the identity of
the sender and send that data to a third party. Hence, this method is not preferred. The process of encrypt-then-
sign is more reliable and widely adopted. This is depicted in the following illustration −

The receiver, after receiving the encrypted data and the signature on it, first verifies the signature using the sender’s
public key. After ensuring the validity of the signature, he then retrieves the data through decryption using
his private key.

Internet
 Internet is a world-wide global system of interconnected computer networks.
 Internet uses the standard Internet Protocol (TCP/IP).
 Every computer in internet is identified by a unique IP address.
 IP Address is a unique set of numbers (such as 110.22.33.114) which identifies a computer location.
 A special computer DNS (Domain Name Server) is used to give name to the IP Address so that user
can locate a computer by a name.
 For example, a DNS server will resolve a name http://www.tutorialspoint.com to a particular IP
address to uniquely identify the computer on which this website is hosted.
 Internet is accessible to every user all over the world.
Internet Evolution
The concept of the Internet originated in 1969 and has undergone several technological and infrastructural
changes, as discussed below:
 The origin of the Internet derives from the concept of the Advanced Research Project Agency Network
(ARPANET).
 ARPANET was developed by the United States Department of Defense.
 The basic purpose of ARPANET was to provide communication among the various bodies of
government.
 Initially, there were only four nodes, formally called Hosts.
 In 1972, ARPANET spread over the globe with 23 nodes located in different countries and thus
became known as the Internet.
 Over time, with the invention of new technologies such as TCP/IP protocols, DNS, WWW, browsers,
scripting languages etc., the Internet provided a medium to publish and access information over the
web.
Internet Advantages
The Internet covers almost every aspect of life one can think of. Here, we will discuss some of the advantages
of the Internet:

Internet Disadvantages

Extranet
Extranet refers to a network within an organization, using the internet to connect to outsiders in a controlled
manner. It helps to connect businesses with their customers and suppliers and therefore allows working in a
collaborative manner.

Extranet Benefits
Extranet proves to be a successful model for all kinds of businesses, whether small or big. Here are some of
the advantages of extranet for employees, suppliers, business partners, and customers:
Extranet Issues
Apart from the advantages, there are also some issues associated with extranet. These issues are discussed below:
Hosting
Where the extranet pages will be held, i.e. who will host the extranet pages. In this context there are two
choices:
 Host it on your own server.
 Host it with an Internet Service Provider (ISP) in the same way as web pages.
But hosting extranet pages on your own server requires a high-bandwidth internet connection, which is very
costly.
Security
Additional firewall security is required if you host extranet pages on your own server, which results in a
complex security mechanism and increases the work load.
Accessing Issues
Information cannot be accessed without an internet connection. However, information can be accessed in an
Intranet without an internet connection.
Decreased Interaction
It decreases face-to-face interaction in the business, which results in a lack of communication among
customers, business partners and suppliers.
Extranet vs. Intranet
The following table shows differences between Extranet and Intranet:

Extranet                                                  Intranet
Internal network that can be accessed externally.         Internal network that can not be accessed externally.
Extranet is extension of company's Intranet.              Only limited users of a company.
For limited external communication between customers,     Only for communication within a company.
suppliers and business partners.
