1 / 20

KOBIL eBanking authentication experiences with a Turkish Bank

KOBIL eBanking authentication experiences with a Turkish Bank. Markus Tak, Product Manager. Overview. KOBIL Systems – the Company Who we are and what we do Banking authentication in KocBank / Isbank Flexible Banking authentication solution Smartcard Middleware Features and Design Background.

melba
Download Presentation

KOBIL eBanking authentication experiences with a Turkish Bank

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. KOBIL eBanking authenticationexperiences with a Turkish Bank Markus Tak, Product Manager

  2. Overview • KOBIL Systems – the CompanyWho we are and what we do • Banking authentication in KocBank / IsbankFlexible Banking authentication solution • Smartcard Middleware Features and Design Background

  3. KOBIL Systems – the Company • Founded in 1986 • Headquaters in Worms / Germany45 minutes from Frankfurt • 65 Employees • 35% of staff working in R&D • Cooperation with cryptographic researchinstitutes • All Products „Made in Germany“ • Production Sites in Europe und Asia • Certified Company according to DIN EN ISO 9001: 2000

  4. Product Philosophy KOBIL SecOVID Strong Authentication based on One Time Passwords (OTP)

  5. Product Philosophy KOBIL Smart Key Certificate- and Smartcard- based Authentication and Data Security

  6. Product Philosophy Smart Card Terminals Classes 1 - 4

  7. Product Philosophy KOBIL mIDentity Mobile Identity Mobile Data Safe Mobile Office

  8. Bankingauthentication in KocBank / Isbank • Requirements: • Strong Authentication Internet Banking Strong user authentication using certificates onsmartcard and/or One-Time-Passwords (OTP) • Inhouse PKI and OTP managementMicrosoft Certification Authority, SecOVID Server • Centralized ManagementSmart Card Rollout and Management • Seemless Integrationinto Banking Backend-Systemsand Microsoft Plattform

  9. Internet Banking Customers • Commercial / Institutional Customers: • Smart Card based authenticationSSL client authentication with IE • Other PKI enabled applicationsFile Encryption, Email Security, ... • Individual / Private Customers: • One Time Password authenticationEnables also mobile telephone bankingOTP-Token or mobile Smart Card Reader • No installation neededReduced Help Desk Costs • No Token expirationReplaceable Batteries protect investment

  10. Bankingauthentication – the Big Picture İŞBANK Root CA Customer DB LDAP Server Application FILTER KOBIL Certificate Registration Authority Sub CA Sub CA . PIN / PUK . PKCS12 . OTP .... IIS SecOVID Server Backup DB Log DB Secure Channel INTERNET . PIN / PUK . PKCS12 . OTP .... PROVUS Card Issuing Software PROVUS Client

  11. Advantages of this Solution • Combination of PKI and OTP technologiesenables flexible authentication scenarios for desktop and mobile end users • Seemless Integration into Backend-Systemsbased on international Standards like RADIUS / TACAS, MS-CHAP, X.509, PC/SC etc. • Strong CryptographyAuthentication based on 3DES (168 Bit key strength) andRSA 1024 Bit • No Token expirationreplaceable Standard Batteries reduce operating costs • PerformanceOTP authentication > 1000 requests/secondCertificate based authentication uses HSM accelerator • ExtensibilityOther applications can easily added later

  12. Smart Card Middleware • Enabling Smart Cards to be used for PKI-based applications: • Electronic Signatures for e-mails and filesIntegrity protection against unauthorized data modificationProof of authorship („who is the originator of this email?“) • Encryption for e-mails, files and hard disk (Container)Confidential data are kept secret, access only with appropriate smart card (Private Key) and PIN code • Windows Smart Card LogonStrong two-factor Authentication (Possesion and Knowledge)Also for Terminal Servers and Remote Desktop applications • SAP R/3 SecurityAuthentication, Session Encryption and Message Integrity for SAPGui / SAPServer, often running on Terminal Servers • VPN-Authentification in Intranet & ExtranetSensitive data are protected even if transferred over public networks

  13. Integration into Microsoft Platform Microsoft CryptoAPI links Applications and Smart Cards Standard-Software KOBIL Smart Key Outlook Internet Explorer MS Office Microsoft CryptoAPI Certificate Validation WindowsCertificateManager KOBILSigG CSP Microsoft-CSP KOBILCSP otherCSP‘s Private Key stored in Registry e.g. Gemplus, Schlumberger etc.

  14. Terminal Server Integration PC/SC-based App‘s Smartcard Logon RDP Terminal Applications Terminal Server (W2003, Citrix) Windows Domain Controller ADS CryptoAPI PC/SC Forwarding via RDP/ICA Protokoll Terminal Client Windows 2000/XP Only PC/SC driver Installation required!

  15. CSP Middleware Design Background • The Cryptographic Service Provider (CSP) is called from: • Winlogon / LSASSWindows Logon screen. Very restricted access policy, no dialog boxes are allowed. Runs with SYSTEM privileges • Microsoft VPN ClientNo dialog boxes are allowed. Direct Access to the Smart Card. • Applications (Outlook, Internet Explorer etc.)GUI integration („please insert card“, „please enter PIN“). Certificate registration in Windows Explorer required. • Windows & Citrix Terminal ServicesCSP running on the Terminal Server accesses local PC/SC readers on the client („PC/SC Forwarding“). Support for Thin Clients • Windows 2000/2003 CA Certificate Enrollment, AutoEnrollment, Key Backup

  16. CSP Middleware Design Background • CSP implementation requirements • Multiple Application AccessAs more than one application may want to access the CSP at the same time (e.g. Winlogon, Outlook, CardManagement Tool etc).A synchronization mechanism needs to be implemented. • PIN-cachingMicrosoft did not know about secure PINPad readers when CryptoAPI was designed. A strict PIN caching strategy is required from CSP implementors. • Smart Card PersonalizationA CSP must be able to initialize an empty smart card from scratch, create file structure and PIN files on card, generate Private and Public Key and write it to the card. Handle multiple certificates on the card. Support Windows 2003 CA key backup feature.

  17. Internal Structure Applications Card Management Tool (CMT)* CSP File Security KSKUI PKCS#11 Dialog‘s* Explorer Shell Extension card-specific commands card personalization configuration card.lib Win 9x/NT Linux, SunOS Win 2000 XP, 2003 PCSC Bridge reader mapping Windows PCSC Layer KOBIL CT-API KOBIL PC/SC Driver

  18. Qualified Signatures using CryptoAPI Development of a certified CSP for qualified Signatures Cooperation with KOBIL, Datev and MicrosoftAllowing Standard Applications to use qualifiedSignatures based on Microsoft CryptoAPI.Easy and fast integration for individual applications Seperate CSP Module Only for signatures, being evaluated according to CC EAL 3+ as required for qualified accredited signatures by German FederalOffice for Information Security (BSI) Available for a big variety of e-ID signature cardsDeutsche Telekom PKS, ZKA Seccos, Datev, Signtrust, ...Further cards can easily be added Certificate online validation Using OCSP standard through CryptoAPI

  19. CSP quality assurance • Microsoft / Veritest „Verified for Windows XP“ Logo • Worldwide the only CSP certifiedwith „Verified for Windows XP“ logo • SetupVerification of proper installation / deinstallation process • StabilityStable performance • Windows XP features testedRemote Desktop, Fast User Switching • Conformance with Microsoft Software GuidelinesVersioning, UI appearance, design

  20. References Thank you

More Related