
A Glance at Cryptographic Techniques used in Indian Banks

Mukta Sharma
Research Scholar, TMU
m.mukta19@gmail.com

Neha Sabharwal
Assistant Professor, DIRD
nehasabharwal15@gmail.com

Abstract:

We live in an age of terror and growing fear. Spam, viruses, denial-of-service attacks, intellectual property theft and
transactional fraud are already at all-time highs. The internet has become a medium for spreading fear and
laundering money, and many terrorist attacks around the world use it as a medium to connect, communicate and
execute their plans. In this paper, we discuss the classification of network security requirements known as PAIN:
Privacy, Authenticity, Integrity and Non-repudiation of data. The paper introduces cryptography, “the science of
protecting data”, and network security, “keeping information private and secure from unauthorized users”.
Security has become a necessity, and multiple techniques are available to achieve it. Privacy can be achieved
using cryptography: it provides secure transactions by encrypting (encoding) data so that only the parties involved
in a transaction can read it. The paper highlights the use of cryptography by various Indian banks.

Cryptography is the science of providing security for information. It has been used historically as a means of
providing secure communication between individuals, government agencies, and military forces. Today,
cryptography is a cornerstone of the modern security technologies used to protect information and resources on both
open and closed networks.

Keywords:-

Plaintext, Ciphertext, Cipher, Encipher, Decipher, Cryptanalysis, Cryptology, Secret Key Cryptography

Introduction:

During the last few decades there has been tremendous development in information and communication technology,
and the security of communication over the internet has therefore become a concern. Network security problems can be
roughly categorized into four areas: secrecy, authentication, non-repudiation and integrity control [1]. Public Key
Infrastructure (PKI) creates the ability to authenticate users, maintain privacy, ensure data integrity and process
transactions without the risk of repudiation. It satisfies the following four e-security needs:-

Privacy/confidentiality: Ensuring that no one can read the message except the intended receiver. In short, it shields
communication from unauthorized viewing or access.

Authentication: Verifies that the sender of a message is, in fact, who they claim to be.

Integrity: Assuring the receiver that the received message has not been altered in any way from the original.

Non-repudiation: Prevents the sender and the vendor in a transaction or communication from later falsely denying
that the transaction occurred. In other words, it is a mechanism to prove that the sender really sent this
message.

IMS, Ghaziabad International Conference 22nd & 23rd March, 2013


In Greek, cryptography means “secret writing”; it is the science of communication over untrusted
communication channels [2]. Encryption is the way to transform a message so that only the sender and recipient can
read, see or understand it. The mechanism is based on the use of mathematical procedures to scramble data so that it
is extremely difficult for anyone else to recover the original message.

Basic Terminology

• Plain text - the original message
• Cipher text - the coded message
• Cipher - algorithm for transforming plaintext to cipher text
• Key - info used in the cipher, known only to sender/receiver
• Encipher (encrypt) - converting plaintext to cipher text
• Decipher (decrypt) - recovering plaintext from cipher text
• Cryptography - study of encryption principles/methods
• Cryptanalysis (code breaking) - the study of principles/methods of deciphering cipher text without
knowing the key
• Cryptology - the field of both cryptography and cryptanalysis

Cryptography is the art of combining some input data, called the plaintext, with a user-specified password (the key) to
generate an encrypted output, called cipher text, in such a way that, given the cipher text, it is extremely difficult to
recover the original plaintext without the encryption key in a reasonable amount of time. The algorithms that
combine the keys and plaintext are called ciphers. There are two classes of key-based algorithms: secret key or
symmetric key, and public key or asymmetric key.

Secret key or Symmetric key- Here the sender and receiver possess the same single key, which leads to two
problems. First, the key must be delivered securely to the two parties. Second, if a business has 10
business vendors, it needs 10 different keys to interact with the individual vendors. Symmetric algorithms can be
divided into stream ciphers and block ciphers. A stream cipher encrypts a single bit of plain text at a time, whereas
a block cipher encrypts a number of bits as a single unit.

Figure 1.1

Public key or Asymmetric key- Involves two related keys called a key-pair: one public key known to anyone and
one private key that only the owner knows.



Figure 1.2

CRYPTOGRAPHIC ALGORITHMS



Symmetric En-/Decryption      Asymmetric En-/Decryption      Cryptographic Hash Functions
AES                           RSA                            SHA-1
DES                           ECC                            MD5

Figure 1.3

CATEGORIES OF CRYPTOGRAPHIC ALGORITHMS:

• Symmetric cryptography using 1 key for en-/decryption or signing/checking
• Asymmetric cryptography using 2 different keys for en-/decryption or signing/checking
• Cryptographic hash functions using 0 keys (the “key” is not a separate input but “appended” to or “mixed”
with the data).

Symmetric Encryption

Symmetric encryption may also be referred to as shared key or shared secret encryption. In symmetric encryption, a
single key is used both to encrypt and decrypt traffic. Common symmetric encryption algorithms
include DES, 3DES, AES, and RC4. 3DES and AES are commonly used in IPsec and other types of VPNs. RC4 has
seen wide deployment on wireless networks as the base encryption used by WEP and WPA version 1. Symmetric
encryption algorithms can be extremely fast, and their relatively low complexity allows for easy implementation in
hardware. However, they require that all hosts participating in the encryption have already been configured with the
secret key through some external means.

Substitution Technique- One in which the letters of the plaintext are replaced by other letters or numbers.

Transposition Technique - A very different kind of mapping is achieved by performing some sort of permutation
on the plaintext. This technique is referred to as transposition. The simplest transposition cipher is the rail fence
technique.

• Caesar Cipher- The earliest known use of a substitution cipher is attributed to Julius Caesar. Each letter of the
plaintext is replaced by the letter standing x places further down the alphabet.

Plain text:- Welcome to IMS

Suppose the key is 3.

A is replaced with D, B with E, and so on:



A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Figure 1.4

Cipher Text- Zhofrph wr lpv (encrypted data)

C = E(P) = (P + K) mod 26
P = D(C) = (C - K) mod 26

C = Cipher text, P = Plain text, E = Encryption, D = Decryption,
K = Key (1 to 25), 26 = number of letters (a-z)
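The two formulas above, implemented letter by letter, as an added example (this code is not part of the paper). The sample plaintext is the paper's "Welcome to IMS" with key 3; the code keeps the case of each letter and passes spaces through unchanged, so the result reads Zhofrph wr LPV.

```python
import string

# Added example (not from the paper): the Caesar cipher from the formulas above,
# C = (P + K) mod 26 and P = (C - K) mod 26, applied letter by letter.
# Letters are numbered a=0 ... z=25; case and non-letters are preserved.

ALPHABET = string.ascii_uppercase  # 26 letters; the index is the numeric value of a letter


def _shift_letter(ch, k):
    """Shift one character by k positions; non-letters pass through unchanged."""
    if not ch.isalpha():
        return ch
    base = ALPHABET if ch.isupper() else ALPHABET.lower()
    p = base.index(ch)               # numeric value P of the letter
    return base[(p + k) % 26]        # (P + K) mod 26 wraps Z back round to A


def caesar_encrypt(plaintext, key):
    """E(P) = (P + K) mod 26 for every letter of the message."""
    if not 1 <= key <= 25:
        raise ValueError("key must be between 1 and 25")
    return "".join(_shift_letter(ch, key) for ch in plaintext)


def caesar_decrypt(ciphertext, key):
    """D(C) = (C - K) mod 26; shifting by -K undoes the encryption."""
    if not 1 <= key <= 25:
        raise ValueError("key must be between 1 and 25")
    return "".join(_shift_letter(ch, -key) for ch in ciphertext)


if __name__ == "__main__":
    message = "Welcome to IMS"          # the paper's sample plaintext
    c = caesar_encrypt(message, 3)
    print(c)                             # Zhofrph wr LPV
    print(caesar_decrypt(c, 3))          # Welcome to IMS
```

Because K can only take the values 1 to 25, the whole key space is 25 keys; that is why the cipher is a teaching example rather than a usable one.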

• Playfair Cipher- The best known multiple-letter encryption cipher is based on a 5*5 matrix of letters constructed
using a keyword. Example: the keyword is MONARCHY.

M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

Figure 1.5

Rules

1. Plaintext letters that fall in the same row are replaced by the letters to their right, with the first element
circularly following the last. For instance, AR is encrypted as RM.
2. Plaintext letters that fall in the same column are replaced by the letters beneath them, with the top element of
the column circularly following the last. MU is encrypted as CM.
3. Otherwise, each plaintext letter is replaced by the letter that lies in its own row and in the column occupied by
the other plaintext letter. For instance, HS becomes BP and EA is encrypted as IM/JM.
4. Repeating plaintext letters that fall as a pair are separated with a filler letter such as x, so ballroom would
be treated as ba, lx, lr, ox, om.
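The square of Figure 1.5 and the four rules above in working form, as an added example (not code from the paper). It builds the 5x5 square from the keyword MONARCHY, splits the plaintext into digraphs with X as the filler of rule 4, and applies rules 1 to 3; decryption simply shifts the other way.

```python
import string

# Added example (not from the paper): the Playfair cipher with the 5x5 square
# built from the keyword MONARCHY (Figure 1.5) and the four rules listed above.
# J is merged with I so that 25 letters fill the square.


def build_square(keyword):
    """Keyword letters first (duplicates dropped), then the remaining alphabet."""
    order = []
    for ch in keyword.upper() + string.ascii_uppercase:
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in order:
            order.append(ch)
    return [order[row * 5:(row + 1) * 5] for row in range(5)]


def locate(square, letter):
    """(row, column) of a letter in the square."""
    for r, row in enumerate(square):
        if letter in row:
            return r, row.index(letter)
    raise ValueError("letter not in square: " + letter)


def make_digraphs(plaintext):
    """Rule 4: split into pairs, inserting X between repeated letters and at the end."""
    letters = ["I" if c == "J" else c for c in plaintext.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        first = letters[i]
        second = letters[i + 1] if i + 1 < len(letters) else None
        if second is None or second == first:
            pairs.append(first + "X")
            i += 1
        else:
            pairs.append(first + second)
            i += 2
    return pairs


def _transform_pair(square, pair, shift):
    """Apply rules 1-3 to one pair; shift=+1 encrypts, shift=-1 decrypts."""
    (r1, c1), (r2, c2) = locate(square, pair[0]), locate(square, pair[1])
    if r1 == r2:                                   # rule 1: same row, move right (wraps round)
        return square[r1][(c1 + shift) % 5] + square[r2][(c2 + shift) % 5]
    if c1 == c2:                                   # rule 2: same column, move down (wraps round)
        return square[(r1 + shift) % 5][c1] + square[(r2 + shift) % 5][c2]
    return square[r1][c2] + square[r2][c1]         # rule 3: own row, other letter's column


def playfair_encrypt(plaintext, keyword="MONARCHY"):
    square = build_square(keyword)
    return "".join(_transform_pair(square, p, 1) for p in make_digraphs(plaintext))


def playfair_decrypt(ciphertext, keyword="MONARCHY"):
    """Reverses the shifts; the filler X letters stay in the output."""
    square = build_square(keyword)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(_transform_pair(square, p, -1) for p in pairs)


if __name__ == "__main__":
    for row in build_square("MONARCHY"):
        print(" ".join(row))
    print(make_digraphs("ballroom"))                        # ['BA', 'LX', 'LR', 'OX', 'OM']
    print(playfair_encrypt("ballroom"))
    print(playfair_decrypt(playfair_encrypt("ballroom")))   # BALXLROXOM
```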

• DES- Data Encryption Standard. The goal of DES is to completely scramble the data and key so that every
bit of cipher text depends on every bit of data and every bit of key. It is a block cipher algorithm that encodes
plaintext in 64-bit chunks; one parity bit in each of the 8 key bytes reduces the effective key to 56 bits. It is the most
used algorithm. DES was developed by IBM in the early 1970s, and the standard was approved by the US National
Bureau of Standards for commercial and non-classified US government use in 1993. DES is an iterated block cipher,
where iterated means multiple repetitions of a simple encryption algorithm; DES has 16 rounds. A block
cipher encrypts in fixed-size blocks, and DES uses 64-bit (8-byte) blocks. At its simplest level, DES is a
combination of the two basic techniques of cryptography: confusion and diffusion. DES follows the strict
avalanche criterion: every bit of the key and every bit of the plaintext affects every bit of the cipher text. It
has different keys for encryption and decryption. An eavesdropper sees the cipher text and one of the keys. All
of the security is in one key; there is none in the algorithm or in the second key.
• AES- The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data
established by the U.S. National Institute of Standards and Technology (NIST) in 2001. Originally
called Rijndael, the cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent
Rijmen, who submitted a proposal that was evaluated by NIST during the AES selection process.
AES has been adopted by the U.S. government and is now used worldwide. AES is a privacy transform for
IPsec and Internet Key Exchange (IKE) and was developed to replace the Data Encryption Standard
(DES). While AES is intended to protect sensitive information in federal computing systems, it is
adopted widely by the private sector and the financial services industry. AES is designed to be more secure
than DES. AES offers a larger key size, while ensuring that the only known approach to decrypt a message
is for an intruder to try every possible key. AES has a variable key length: the algorithm can specify a
128-bit key (the default), a 192-bit key, or a 256-bit key. AES is able to process about six times faster than
triple DES for the same processing capacity.

The National Institute of Standards and Technology selected Rijndael as the AES algorithm because of its
combination of security, performance, efficiency, ease of implementation and flexibility (Stallings and Brown,
2008). The Rijndael algorithm deals with five units of data in the encryption scheme:

(1) Bit: a binary digit with a value of 0 or 1.

(2) Byte: a group of 8 bits.

(3) Word: a group of 32 bits.

(4) Block: a block in AES is defined to be 128, 192 or 256 bits.

(5) State: the data block is known as the STATE, and it is made up of a 4 x 4 matrix of 16 bytes (128 bits).

Asymmetric Encryption

Asymmetric encryption is also known as public-key cryptography. Asymmetric encryption differs from symmetric
encryption primarily in that two keys are used, one for encryption and one for decryption. The most common
asymmetric encryption algorithm is RSA. Compared to symmetric encryption, asymmetric encryption imposes a
high computational burden and tends to be much slower. Thus, it is not typically employed to protect payload data.
Instead, its major strength is its ability to establish a secure channel over a non-secure medium (for example, the
Internet). This is accomplished by the exchange of public keys, which can only be used to encrypt data. The
complementary private key, which is never shared, is used to decrypt. Robust encryption solutions such as IPsec
combine the strengths of both symmetric and asymmetric encryption. First, two endpoints exchange public keys,
which allows the setup of a slow but secure channel. Then the two hosts decide on and exchange shared
symmetric encryption keys to construct much faster symmetric encryption channels for data.

• RSA- A public key encryption algorithm developed by Rivest, Shamir & Adleman. In this method one
party uses a public key Kp and the other party uses a secret key Ks.

Figure 1.6: Plaintext -> Ciphertext -> Plaintext. The customer encrypts with C = P^Kp mod N; the bank decrypts
with P = C^Ks mod N.

1. First choose two prime numbers P and Q
2. Calculate N = P*Q
3. Calculate K = (P-1)(Q-1)
4. Select Kp such that it is not a factor of (P-1)(Q-1)
5. Choose Ks such that Kp*Ks mod K = 1

• ECC- Elliptic Curve Cryptography (ECC) is a form of public key cryptography. In public key cryptography each
user or device taking part in the communication generally has a pair of keys, a public key and a private
key, and a set of operations associated with the keys to perform the cryptographic operations. Only the particular
user knows the private key, whereas the public key is distributed to all users taking part in the
communication. Some public key algorithms may require a set of predefined constants to be known by all
the devices taking part in the communication; the ‘domain parameters’ of ECC are an example of such
constants. Public key cryptography, unlike private key cryptography, does not require any shared secret
between the communicating parties, but it is much slower than private key cryptography.

The mathematical operations of ECC are defined over the elliptic curve y^2 = x^3 + ax + b, where 4a^3 +
27b^2 ≠ 0. Each value of ‘a’ and ‘b’ gives a different elliptic curve. All points (x, y) which satisfy the
above equation, plus a point at infinity, lie on the elliptic curve. The public key is a point on the curve and
the private key is a random number. The public key is obtained by multiplying the private key with the
generator point G on the curve. The generator point G and the curve parameters ‘a’ and ‘b’, together with a few
more constants, constitute the domain parameters of ECC. One main advantage of ECC is its small key size:
a 160-bit key in ECC is considered to be as secure as a 1024-bit key in RSA.
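To make the paragraph concrete, here is an added example (not part of the paper) of the curve arithmetic it describes: the non-singularity check 4a^3 + 27b^2 ≠ 0, point addition and doubling on y^2 = x^3 + ax + b over a prime field, and derivation of a public key as private key times the generator G. The curve y^2 = x^3 + 2x + 2 (mod 17) with G = (5, 1) is a constructed toy of the kind used in textbooks; real ECC works over primes of 256 bits or more.

```python
# Added example (not from the paper): point arithmetic on a small elliptic curve
# y^2 = x^3 + ax + b over the integers modulo a prime p, and derivation of a
# public key as private_key * G. The curve y^2 = x^3 + 2x + 2 (mod 17) with
# generator G = (5, 1) is a constructed toy; None denotes the point at infinity O.

A, B, P = 2, 2, 17      # constructed domain parameters a, b and field prime p
G = (5, 1)              # generator point; its multiples cycle back to O after 19 steps


def is_valid_curve(a, b, p):
    """Non-singularity condition from the text: 4a^3 + 27b^2 != 0 (mod p)."""
    return (4 * a ** 3 + 27 * b ** 2) % p != 0


def on_curve(pt, a=A, b=B, p=P):
    """True for O and for every (x, y) satisfying y^2 = x^3 + ax + b (mod p)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def point_add(p1, p2, a=A, p=P):
    """Group law: chord through two distinct points, tangent when doubling."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                        # P + (-P) = O
    if p1 == p2:
        s = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p     # tangent slope
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, p) % p            # chord slope
    x3 = (s * s - x1 - x2) % p
    y3 = (s * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(k, pt, a=A, p=P):
    """Double-and-add: computes k*pt with O(log k) group operations."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend, a, p)
        addend = point_add(addend, addend, a, p)
        k >>= 1
    return result


def make_keypair(private_key, generator=G):
    """Private key: an integer kept secret; public key: the point private_key * G."""
    return private_key, scalar_mult(private_key, generator)


if __name__ == "__main__":
    print("curve valid:", is_valid_curve(A, B, P))
    d, Q = make_keypair(7)
    print("private key", d, "-> public key", Q, "on curve:", on_curve(Q))
```

Recovering d from Q and G is the elliptic-curve discrete logarithm problem; on this 19-point toy curve it is trivial, which is exactly why real parameters are chosen with group orders around 2^256.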

Hashing

Finally, hashing is a form of cryptographic security which differs from encryption. Whereas encryption is a two step
process used to first encrypt and then decrypt a message, hashing condenses a message into an irreversible fixed-
length value, or hash. Two of the most common hashing algorithms seen in networking are MD5 and SHA-1.

Figure 1.7

Hashing is used only to verify data; the original message cannot be retrieved from a hash. When used to authenticate
secure communications, a hash is typically computed over the original message plus a secret key. Hashing algorithms
are also commonly used without a secret key simply for error checking. You can use
the md5sum and sha1sum utilities on a Linux or Unix machine to experiment with hashing. Hashing is also used for
digital signatures.
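The three properties this section relies on, shown in an added example that is not part of the paper: a fixed digest length whatever the input size, a small change to the input changing roughly half the digest bits (so nothing about the message can be read off the hash), and the "message plus a secret key" form, implemented here with HMAC from Python's standard library. The message and key are constructed sample values.

```python
import hashlib
import hmac

# Added example (not from the paper): what a hash gives you and what it does not.
#  - digest_bits: fixed-length output regardless of input length (SHA-1 = 160 bits).
#  - hamming_distance: one changed character flips about half of the digest bits.
#  - keyed_digest / verify_keyed_digest: hash combined with a secret key (HMAC),
#    the "original message plus a secret key" form used to authenticate traffic.


def digest_bits(algorithm, data):
    """Length in bits of the digest produced by a hashlib algorithm name."""
    return hashlib.new(algorithm, data).digest_size * 8


def hamming_distance(data_a, data_b, algorithm="sha256"):
    """Number of bits that differ between the digests of two inputs."""
    ha = int.from_bytes(hashlib.new(algorithm, data_a).digest(), "big")
    hb = int.from_bytes(hashlib.new(algorithm, data_b).digest(), "big")
    return bin(ha ^ hb).count("1")


def keyed_digest(key, message):
    """HMAC-SHA256 over the message: only holders of the key can produce it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_keyed_digest(key, message, tag):
    """Recompute the tag and compare in constant time so timing leaks nothing."""
    expected = keyed_digest(key, message)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"                  # constructed sample message
    tampered = b"transfer 900 to account 42"             # constructed: one digit changed
    key = b"shared-secret-between-bank-and-client"      # constructed sample key
    print("sha1 bits:", digest_bits("sha1", msg), "sha256 bits:", digest_bits("sha256", msg))
    print("bits changed by a one-digit edit:", hamming_distance(msg, tampered))
    tag = keyed_digest(key, msg)
    print("genuine message verifies:", verify_keyed_digest(key, msg, tag))
    print("tampered message verifies:", verify_keyed_digest(key, tampered, tag))
```

A plain digest without a key only detects accidental corruption: anyone who can alter the message can recompute the hash. The keyed form is what turns a hash into an authentication check, and the signature scheme described in the next section achieves the same goal with a public/private key pair instead of a shared secret.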

We have seen four security aspects:-

Privacy, Authenticity, Integrity & Non-repudiation. Privacy can be achieved by cryptography. The other three can be
achieved using digital signatures. The idea of a digital signature is similar to signing a document and can be done in
two ways:-



1. We can sign the entire document
2. We can sign a digest (condensed version) of the document.

Signing the Whole document- In a digital signature the private key is used for encryption & the public key is used for
decryption.

Figure 1.8: A encrypts the plaintext with A’s private key; the ciphertext is sent over the network and decrypted with
A’s public key to recover the plaintext.

Signing the Digest- Public key encryption is efficient if the message is short; it is inefficient for a long
message. The solution to this problem is that the sender signs a digest instead of signing the whole document. The sender
creates a miniature of the document & signs it, and the receiver checks the signature. To create a digest we use a hash
function. The two most common hash functions are:-

• MD-5 – Message Digest-5 produces a 120 bits digest
• SHA-1 – Secure Hash Algorithm-1 produces a 160 bit digest.

A hash function must have two properties:

• Hashing is one way (a digest can be created from the message, but not vice-versa)
• Hashing is a one-to-one function; therefore the digest of a given message should always be the same.



Figure 1.9: Sender: calculate the hash of the message and sign it with the sender’s private key; send message +
signature through the Internet. Receiver: hash the received message, decrypt the signature with the sender’s public
key and compare the two; if they match, the signature is verified.
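The following added example (not code from the paper) ties the RSA section and Figure 1.9 together. It follows the five RSA key-setup steps with the paper's symbols (P, Q, N, K, Kp, Ks), shows the customer/bank exchange of Figure 1.6, and then the digest-signing flow of Figure 1.9: the sender hashes the message with SHA-256 and "encrypts" the digest with the private key, the receiver recovers it with the public key and compares it against a fresh hash. Step 4 is applied in its usual form, that Kp must share no factor with K. The primes are small constructed values (the classic 61 and 53 for encryption, and 104729 and 1299709 for signing); real RSA uses 2048-bit moduli and padding schemes such as OAEP and PSS, which this bare textbook form omits.

```python
import hashlib
from math import gcd

# Added example (not from the paper): textbook RSA with the symbols of the RSA
# section (N = P*Q, K = (P-1)(Q-1), public key Kp, secret key Ks) used two ways:
#  - Figure 1.6: customer encrypts C = P^Kp mod N, bank decrypts P = C^Ks mod N;
#  - Figure 1.9: sender signs a SHA-256 digest with Ks, receiver checks it with Kp.
# All primes below are constructed toy values, far too small for real use.


def rsa_keypair(p, q, kp):
    """Steps 1-5 of the RSA section: returns (N, Kp, Ks) with Kp*Ks mod K == 1."""
    n = p * q                          # step 2
    k = (p - 1) * (q - 1)              # step 3
    if gcd(kp, k) != 1:                # step 4: Kp must share no factor with (P-1)(Q-1)
        raise ValueError("Kp shares a factor with (P-1)(Q-1)")
    ks = pow(kp, -1, k)                # step 5: modular inverse (Python 3.8+)
    return n, kp, ks


def rsa_encrypt(plaintext_int, kp, n):
    """Customer side of Figure 1.6: C = P^Kp mod N."""
    if not 0 <= plaintext_int < n:
        raise ValueError("plaintext must be an integer smaller than N")
    return pow(plaintext_int, kp, n)


def rsa_decrypt(ciphertext_int, ks, n):
    """Bank side of Figure 1.6: P = C^Ks mod N."""
    return pow(ciphertext_int, ks, n)


def _digest_as_int(message, n):
    """SHA-256 digest of the message as an integer, reduced to fit below the toy N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_digest(message, ks, n):
    """Sender (Figure 1.9): hash the message, then sign the digest with the private key."""
    return pow(_digest_as_int(message, n), ks, n)


def verify_signature(message, signature, kp, n):
    """Receiver (Figure 1.9): recover the digest with the public key, compare with a fresh hash."""
    return pow(signature, kp, n) == _digest_as_int(message, n)


if __name__ == "__main__":
    # Encryption between customer and bank with the classic small primes 61 and 53
    n, kp, ks = rsa_keypair(61, 53, 17)              # N = 3233, Ks = 2753
    c = rsa_encrypt(65, kp, n)                        # 2790
    print("ciphertext", c, "-> plaintext", rsa_decrypt(c, ks, n))

    # Signing a digest with larger (still toy) primes and the common exponent 65537
    n, kp, ks = rsa_keypair(104729, 1299709, 65537)
    msg = b"pay 500 to account 12345"                 # constructed sample message
    sig = sign_digest(msg, ks, n)
    print("genuine verifies:", verify_signature(msg, sig, kp, n))
    print("altered verifies:", verify_signature(b"pay 900 to account 12345", sig, kp, n))
```

Only the holder of Ks can produce a signature that Kp verifies, which gives authenticity and non-repudiation; because the signature covers the digest, any change to the message breaks the comparison, which gives integrity. Privacy still comes from encryption, as the text says.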

ENCRYPTION POLICY IN INDIA

Encryption technology is widely used for many legitimate personal and business purposes. In fact many crucial
public services cannot be safely and effectively performed if encryption is not deployed and used. An encryption policy
for India is long overdue, but India has been slow in formulating this much needed policy. At the same time
encryption is also a controversial issue in India that requires a balancing of the conflicting interests of law enforcement
requirements and personal privacy and security. Provisions pertaining to encryption usage in India are scattered across
various laws, rules and regulations of India. We do not have a centralized or dedicated legal framework for
encryption-related matters, and this is hindering proper usage and innovation in the field of encryption in India. The
cyber law of India, as applicable through the Information Technology Act 2000 (IT Act 2000), has a single provision in
this regard. Section 84A of the IT Act 2000 says that the Central Government may prescribe the modes or methods of
encryption. Till now the Central Government has not prescribed any “modes or methods” of encryption usage in
India. For instance, we cannot safely and securely conduct online banking transactions without effective use of
encryption methodology.
We have no National Encryption Policy of India, and in the absence of any such policy, encryption-related issues
cannot be effectively managed in India. Further, we also need dedicated Cyber Security Laws of India. The use of
encryption in India has never been smooth. Intelligence agencies in general, and the Central Home Ministry of India in
particular, are very much concerned about the use of encryption beyond 40 bits. However, what the Home Ministry is not
realizing is that anything below 128 bits of encryption is definitely “Unsafe” and anything below 256 is “Potentially
Unsafe”. The stakeholders that need “Higher Encryption Level Protection” include Banks, Stock Exchanges, E-
Mail Service Providers, Corporate Communications, Sensitive Government Communications, etc. It is “Not
Feasible” to ask for an encryption level below 256 bits. However, RBI has only prescribed “the use of at least
128-bit SSL for securing browser to web server communications and, in addition, encryption of sensitive data like
passwords in transit within the enterprise itself”. (Para 6.4.5 of the Internet Banking Guidelines of RBI)



Encryption used in Indian banks

CANARA BANK

In the application-based service, all messages originating from the mobile phone are Encrypted and travel to the
Mobile Banking Server in secured mode. The encryption methodology used is 128-bit AES technology. In the WAP
based service, the site is VeriSign Certified.

UCO BANK

The Bank maintains the highest standards as far as security technology is concerned, some of which are: 128 bit SSL
encryption - This is the highest level of security available for communication and transactions on the Internet. SSL
encryption allows the Bank to encrypt information, so that when it travels through the internet, it is encrypted and
cannot be accessed by anyone. SSL also ensures that information is sent to the correct place and that it is not
tampered with.

ICICI

ICICI Bank uses 128-bit encryption, for the transmission of the information, which is currently the permitted level
of encryption in India. When the information provided by the Customers is not transmitted through this encryption,
the Customers' system (if configured accordingly) will display an appropriate message ensuring the best level of
confidentiality for the Customer's information.

DENA BANK

Your data and message travel in a 128-bit SSL mode encryption technique required for secure e-commerce and
confidential communications. This is the highest level of security available for communication and transactions on
the Internet. SSL also ensures information is sent to the correct place and that it is not tampered with. Dena Bank
Internet banking site is VeriSign certified. VeriSign, Inc. is the leading provider of trusted infrastructure services to
websites, enterprises, electronic commerce service providers and individuals.

HDFC

It uses AES-256 bit, or access for the customers is provided through a secure webpage that encrypts the session
between the customer's computer and the webpage using 128-bit encryption, so that the communication between the
customer's computer and the webpage cannot be intercepted by anyone over the internet. HDFC Bank systems time
out the customer's login session to his Net Banking account upon prolonged inactivity, for protection against
misuse.

SYNDICATE BANK

For accessing Internet Banking, use of only Internet Explorer 7 or above is suggested, which supports the security
feature of 256-bit encryption. Accessing Internet Banking through an older version of Internet Explorer (for example IE6
or IE5.5) may cause errors relating to the SSL certificate.

STATE BANK OF INDIA

The Bank will make reasonable use of available technology to ensure security and to prevent unauthorised access to any
of these services. The Online SBI service is VeriSign certified, which guarantees that it is a secure site. It means
that

1. You are dealing with SBI at that moment.
2. The two-way communication is secured with 256-bit SSL encryption technology, which ensures
the confidentiality of the data during transmission.

These together with access control methods designed on the site would afford a high level of security to the
transactions you conduct. SBI will soon be implementing PKI/Digital Signature.

PUNJAB NATIONAL BANK

It supports strong encryption, including AES-256 or 3DES-168 (the headend device must have a strong-crypto
license enabled). A minimum of 128 bits should be installed on the network. It provides secure access to corporate
resources while traveling or working remotely, and full IPsec VPN connectivity for strong authentication and data
integrity. Endpoint compliance scanning protects from malware and intrusions. It offers seamless roaming between
networks and automatic session configuration, and re-establishes lost connections by automatically switching connection
modes. It is a centrally-managed endpoint solution. It should eliminate the need for users to re-authenticate.

CONCLUSION

Cryptography is about communication in the presence of an adversary. The most ancient and basic problem of
cryptography is secure communication over an insecure channel. Cryptography protects users by providing
functionality for the encryption of data and the authentication of other users. This technology lets the receiver of an
electronic message verify the sender, ensures that a message can be read only by the intended person, and assures
the recipient that a message has not been altered in transit. This paper describes the cryptographic concepts of
symmetric-key encryption, public-key encryption, types of encryption algorithms, hash algorithms, digital
signatures, and key exchange. This paper also highlights the various encryption techniques used by the banks for online
transactions. It also covers how, using these methods, the banking industry can secure its data in transmission between
ATMs and bank servers.

It was seen that all the banks use the latest technology for their online security features, but they still have small loopholes.
Now the time has come when customers/users also have to increase their awareness level, because it is not only
the responsibility of the banks to secure their customers. Among these encryption methods, AES is safer for data
security, and most banks are using AES to protect their data from Crackers (Hackers). One of the attention-
grabbing things is that in future these technologies will spread rapidly. This means users will have to use these
facilities; therefore we need to make our systems more robust regarding the safety mechanism.

References

1. A. S. Tanenbaum. (2006). Computer Networks, Pearson Education, Fourth Edition.

2. Elias M. Awad. (2007). Electronic Commerce, Pearson Education, Third Edition.

3. Er. Kumar Saurabh, Sukhpreet Singh. (2012). Providing Security in Data Aggregation using RSA
Algorithm. International Journal of Computers & Technology, Volume 3, No. 1, ISSN: 2277-3061.

4. Gandharba Swain, Saroj Kumar Lanka. (2012). A Quick Review of Network Security and Steganography.
International Journal of Electronics and Computer Science Engineering, ISSN: 2277-1956.

5. How safe is DenaiConnect – Internet banking? Retrieved from
http://www.denabank.com/viewsection.jsp?lang=0&id=0,9,347,433

6. ICICI Bank – Privacy Commitment. Retrieved from http://www.icicibank.com/privacy.html

7. Maria Akhtar Mufti, Aihab Khan, Malik Sikandar Hayat Khiyal and Asim Munir. (2012). Transmitting
Cryptographic Data through Steganography. IJCSI International Journal of Computer Science Issues, Vol.
9, Issue 2, No 3, ISSN (Online): 1694-0814.

8. Mohiuddin Ahmed, T. M. Shahriar Sazzad, Md. Elias Mollah. (2012). Cryptography and State-of-the-art
Techniques. IJCSI International Journal of Computer Science Issues, Vol. 9, Issue 2, No 3, ISSN (Online):
1694-0814.

9. Neha Gupta, Dr. Manish Shrivastava, Dr. Aditya Goel. (2012). Survey Paper on Different Approaches of
Threshold Cryptography. International Journal of Advanced Computer Research, Volume 2, Number 3,
Issue 5 (ISSN (print): 2249-7277, ISSN (online): 2277-7970).

10. Prof. M. L. Sharma, Er. Sheetal Atri. (2011). A Review on Cryptography Mechanisms. Int. J. Comp. Tech.
Appl., Vol 2 (4), 1048-1050, ISSN: 2229-6093.

11. Rajeev Sobti, G. Geetha. (2012). Cryptographic Hash Functions: A Review. IJCSI International Journal of
Computer Science Issues, Vol. 9, Issue 2, No 2, ISSN (Online): 1694-0814.

12. Shilpa Mehta, U. Eranna, K. Soundararajan. (2013). Data Security in Communications: A Study of
Cryptography and Steganography Techniques. International Journal of Electronics and Computer Science
Engineering, ISSN: 2277-1956.

13. State Bank of India – Terms of Use. Retrieved from
https://www.onlinesbi.com/corporate/corp_termsofuse.html

14. UCO E-Banking. Retrieved from https://www.ucoebanking.com/RetailFaqtop.htm#4
