KOBIL eBanking authentication experiences with a Turkish Bank

Markus Tak, Product Manager

Overview

  • KOBIL Systems – the Company: who we are and what we do
  • Banking authentication in KocBank / Isbank: flexible banking authentication solution
  • Smartcard Middleware: features and design background

KOBIL Systems – the Company

  • Founded in 1986
  • Headquarters in Worms / Germany, 45 minutes from Frankfurt
  • 65 employees
  • 35% of staff working in R&D
  • Cooperation with cryptographic research institutes
  • All products „Made in Germany“
  • Production sites in Europe and Asia
  • Certified company according to DIN EN ISO 9001:2000

Product Philosophy

  • KOBIL SecOVID: strong authentication based on One Time Passwords (OTP)
  • KOBIL Smart Key: certificate- and smartcard-based authentication and data security
  • Smart Card Terminals, classes 1 - 4
  • KOBIL mIDentity: Mobile Identity, Mobile Data Safe, Mobile Office

Banking authentication in KocBank / Isbank

Requirements:

  • Strong authentication for Internet banking: strong user authentication using certificates on smartcard and/or One-Time Passwords (OTP)
  • In-house PKI and OTP management: Microsoft Certification Authority, SecOVID Server
  • Centralized management: smart card rollout and management
  • Seamless integration into banking backend systems and the Microsoft platform

Internet Banking Customers

Commercial / institutional customers:

  • Smart card based authentication: SSL client authentication with IE
  • Other PKI enabled applications: file encryption, email security, ...

Individual / private customers:

  • One Time Password authentication: also enables mobile telephone banking; OTP token or mobile smart card reader
  • No installation needed: reduced help desk costs
  • No token expiration: replaceable batteries protect the investment

Banking authentication – the Big Picture

[Architecture diagram: the İŞBANK Root CA with two Sub CAs, a Customer DB and an LDAP Server; the KOBIL Certificate Registration Authority; an application FILTER in front of IIS; the SecOVID Server with Backup DB and Log DB; a Secure Channel over the INTERNET to the PROVUS Card Issuing Software and PROVUS Client. Card data handled on both ends: PIN / PUK, PKCS12, OTP, ...]
Advantages of this Solution

  • Combination of PKI and OTP technologies: enables flexible authentication scenarios for desktop and mobile end users
  • Seamless integration into backend systems: based on international standards like RADIUS / TACACS, MS-CHAP, X.509, PC/SC etc.
  • Strong cryptography: authentication based on 3DES (168 bit key strength) and RSA 1024 bit
  • No token expiration: replaceable standard batteries reduce operating costs
  • Performance: OTP authentication > 1000 requests/second; certificate based authentication uses an HSM accelerator
  • Extensibility: other applications can easily be added later

Smart Card Middleware

Enabling smart cards to be used for PKI-based applications:

  • Electronic signatures for e-mails and files: integrity protection against unauthorized data modification; proof of authorship („who is the originator of this email?“)
  • Encryption for e-mails, files and hard disk (container): confidential data are kept secret, access only with the appropriate smart card (private key) and PIN code
  • Windows smart card logon: strong two-factor authentication (possession and knowledge); also for Terminal Servers and Remote Desktop applications
  • SAP R/3 security: authentication, session encryption and message integrity for SAPGui / SAP Server, often running on Terminal Servers
  • VPN authentication in intranet & extranet: sensitive data are protected even if transferred over public networks

Integration into Microsoft Platform

Microsoft CryptoAPI links applications and smart cards.

[Diagram: standard software (Outlook, Internet Explorer, MS Office) calls the Microsoft CryptoAPI, which provides certificate validation and the Windows Certificate Manager and dispatches to the installed CSPs: the KOBIL SigG CSP, the KOBIL CSP (KOBIL Smart Key), the Microsoft CSP (private key stored in the registry) and other vendors' CSPs, e.g. Gemplus, Schlumberger etc.]
Terminal Server Integration

[Diagram: PC/SC-based applications, smartcard logon via RDP and terminal applications run on the Terminal Server (W2003, Citrix), which authenticates against the Windows Domain Controller / ADS. CryptoAPI and PC/SC calls are forwarded via the RDP/ICA protocol to the Terminal Client (Windows 2000/XP), where only the PC/SC driver installation is required!]
CSP Middleware Design Background

The Cryptographic Service Provider (CSP) is called from:

  • Winlogon / LSASS: Windows logon screen. Very restricted access policy, no dialog boxes are allowed. Runs with SYSTEM privileges.
  • Microsoft VPN Client: no dialog boxes are allowed. Direct access to the smart card.
  • Applications (Outlook, Internet Explorer etc.): GUI integration („please insert card“, „please enter PIN“). Certificate registration in Windows Explorer required.
  • Windows & Citrix Terminal Services: the CSP running on the Terminal Server accesses local PC/SC readers on the client („PC/SC Forwarding“). Support for thin clients.
  • Windows 2000/2003 CA: certificate enrollment, auto-enrollment, key backup

CSP Middleware Design Background

CSP implementation requirements:

  • Multiple application access: more than one application may want to access the CSP at the same time (e.g. Winlogon, Outlook, Card Management Tool etc.), so a synchronization mechanism needs to be implemented.
  • PIN caching: Microsoft did not know about secure PIN pad readers when CryptoAPI was designed. A strict PIN caching strategy is required from CSP implementors.
  • Smart card personalization: a CSP must be able to initialize an empty smart card from scratch, create the file structure and PIN files on the card, generate the private and public key and write them to the card, handle multiple certificates on the card, and support the Windows 2003 CA key backup feature.
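
As an added illustration of the strict PIN-caching requirement above (constructed for this page, not KOBIL's code), a minimal cache that binds the PIN to one card, expires it by time and by use count, and zeroizes it on any violation; the policy constants, the card identifier and the caller-supplied clock are assumptions, and the cross-process lock the previous bullet calls for is not shown.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Assumed policy (constructed for this example, not KOBIL's): a cached PIN is
 * bound to one card, lives at most PIN_TTL_SECONDS, may be used at most
 * PIN_MAX_USES times and is zeroized on any violation. The caller supplies
 * the clock so the behaviour is deterministic and testable. */
#define PIN_MAX 16
#define PIN_TTL_SECONDS 60
#define PIN_MAX_USES 5
typedef struct {
    char pin[PIN_MAX + 1];
    char card_id[32];      /* identifies the card the PIN was entered for */
    uint64_t expires_at;   /* absolute time in seconds */
    int uses_left;
    bool valid;
} pin_cache_t;

/* Byte-wise wipe through a volatile pointer so the stores are not optimised away. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}
/* Forget the PIN; also the right reaction to a card-removal event. */
void pin_cache_clear(pin_cache_t *c) { secure_zero(c, sizeof *c); }

/* Cache a freshly entered PIN for card_id; rejects oversize input. */
bool pin_cache_store(pin_cache_t *c, const char *card_id, const char *pin, uint64_t now) {
    pin_cache_clear(c);
    if (strlen(pin) > PIN_MAX || strlen(card_id) >= sizeof c->card_id) return false;
    strcpy(c->pin, pin);
    strcpy(c->card_id, card_id);
    c->expires_at = now + PIN_TTL_SECONDS;
    c->uses_left = PIN_MAX_USES;
    c->valid = true;
    return true;
}

/* Copy the cached PIN into out and consume one use. Expiry or a different
 * card wipes the cache; the last permitted use wipes it after the copy. */
bool pin_cache_get(pin_cache_t *c, const char *card_id, uint64_t now, char *out, size_t outlen) {
    if (!c->valid || outlen <= PIN_MAX) return false;
    if (now >= c->expires_at || strcmp(c->card_id, card_id) != 0) {
        pin_cache_clear(c);
        return false;
    }
    strcpy(out, c->pin);
    if (--c->uses_left == 0) pin_cache_clear(c);
    return true;
}
```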

Internal Structure

[Diagram of the middleware stack: applications (Card Management Tool (CMT)*, File Security, Explorer Shell Extension) sit on top of the CSP, KSKUI and PKCS#11 modules with shared Dialogs*; card-specific commands, card personalization and configuration are handled by card.lib; below it the PCSC Bridge with reader mapping maps onto the Windows PCSC layer or the KOBIL CT-API and the KOBIL PC/SC driver. Platforms: Win 9x/NT, Win 2000 / XP / 2003, Linux, SunOS.]
Qualified Signatures using CryptoAPI

Development of a certified CSP for qualified signatures

  • Cooperation with KOBIL, Datev and Microsoft: allowing standard applications to use qualified signatures based on Microsoft CryptoAPI. Easy and fast integration for individual applications.
  • Separate CSP module: only for signatures, being evaluated according to CC EAL 3+ as required for qualified accredited signatures by the German Federal Office for Information Security (BSI).
  • Available for a big variety of e-ID signature cards: Deutsche Telekom PKS, ZKA Seccos, Datev, Signtrust, ... Further cards can easily be added.
  • Certificate online validation using the OCSP standard through CryptoAPI
CSP quality assurance

  • Microsoft / Veritest „Verified for Windows XP“ logo
  • Worldwide the only CSP certified with the „Verified for Windows XP“ logo
  • Setup: verification of proper installation / deinstallation process
  • Stability: stable performance
  • Windows XP features tested: Remote Desktop, Fast User Switching
  • Conformance with Microsoft software guidelines: versioning, UI appearance, design
References

Thank you