the-south-asian.com July / August 2006
5 of 6
Security and Trust in Internet Banking
First published November
for Retail & Corporate Banking [B2B] Security Solutions:
PKI [Public Key Infrastructure, built on asymmetric cryptography] is required especially if multi-million-dollar corporate transactions are to start taking place and to provide the speed, efficiency and increase in global trade.
What is PKI?
It is a combination of software, encryption technologies and services comprising:
-- Digital certificates & Certificate Authorities (CAs) [trusted third parties; see below].
-- Certificate distribution via LDAP & DAP [X.500] management: Lightweight Directory Access Protocol interface services for computer system directories [containing customer & staff names and addresses].
-- Public key management, renewing & revoking certificates, within a total enterprise-wide network security architecture.
-- Authentication via CAs works much as a Department of Motor Vehicles driving licence is used to identify the person cashing a check.
-- CAs are also similar to a passport that identifies travellers entering countries.
PKI Companies and their Customers:
Baltimore Technologies: WiseKey, Identrus [SWIFT & about 50 major banks].
Entrust: Telia, Royal Mail, Chase Manhattan Bank, Canadian Government, US Patent & Trademark.
Arcot: Visa, First Union Bank, Swedish Postal Service, Union Pacific Railroad.
Verisign: Barclays, Canadian Imperial Bank, GE eXchange Services [100,000 enterprise customers], Texas Instruments, SEC, Univ. of Pittsburgh, N.J. State.
Valicert: U.S. Postal Service, U.S. Navy, Treasury, Intelligence.
Problems & Weaknesses of PKI - Public Key Infrastructure [PKI issues].
Security as a chain: PKI is only as strong as its weakest link. PKI is based on cryptography and people, so it needs processes and procedures, and trust is involved. Some argue that PKI needs e-commerce more than e-commerce needs PKI: at $5 per certificate, an Internet of 100 million users is a good market for PKI certificates, and some companies naturally want to sell certificates and make a lot of money.
RISK # 1 – Who makes a CA trusted and grants authorization? This is the heart of PKI.
Is the CA a trusted authority / third party?
The CA's role is the same as that of the IRS, DMV or Post Office. Do these bodies sell your information to marketeers in the USA?
The credit bureau model is flawed as it sells information to others, etc. How does the CA identify the certificate holder? In the South Asian countries this is a major barrier to B2B commerce and PKI implementation.
In the case of South Asian countries, who will be the trusted third party?
Driving licenses are easily forged or obtainable. Passports too can be obtained easily.
The judiciaries are not efficient and trustworthy, and there are very few tax authorities in South Asian countries who can be above nepotism.
In the Internet age [2001], some secure transaction system [the PKI model] is necessary if the Internet's advantages are to be exploited. The South Asian countries also have a weak legal infrastructure to implement PKI.
Trusted Third Parties - Certificate Authorities [CA]:
In the Internet age, especially with the danger of anthrax via paper mail, PKI use in paperless transactions seems ideal.
The Department of Motor Vehicles (DMV) driving license is used as a CA / trusted third party in Western countries when cashing a check.
One could consider the Internal Revenue Service as a trusted third party: it has the tax details of an individual.
The major Western [SWIFT] & Japanese banks have formed such a trusted bank party called "Identrus". Identrus certifies various corporate companies with CAs and allows companies to carry out B2B banking in this way.
Similarly "WiseKey", a partnership between the ITU [International Telecom Union] and private entrepreneurs, has set up a Root Authority in Switzerland and issues CAs to business companies.
Risk # 2 – Who is using the key – REPUDIATION.
Is my private key in a PC sitting in a room without CCTV? It does not matter who is at the keyboard - you are legally responsible. Currently, credit card rules in the US fall under the Mail Order / Telephone Order laws.
If you object to a line item on a credit card bill, you have the right to repudiate it.
Risk # 3 – Security of the Verifying Computer
"Root" public keys can be added by an attacker, with his own public key attached.
Root certificate verification in the case of WiseKey is on an off-site computer [e.g. in a bunker in the Swiss Alps].
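A defender-side check for this risk, added here as an example that is not part of the article: snapshot the SHA-256 fingerprints of every certificate in the verifying computer's trust-store PEM bundle while it is known-good, then report any root that later appears without being in that baseline (or disappears from it). The byte strings standing in for DER certificates are constructed sample data, not real roots.

```python
import base64
import hashlib
import re

# Constructed sample data: these byte strings stand in for DER-encoded root
# certificates. A fingerprint is just a hash of the DER bytes, so no ASN.1
# parsing is needed and placeholder bytes exercise the same logic as real roots.
APPROVED_ROOTS = [b"constructed-bank-root-ca-01", b"constructed-bank-root-ca-02"]
ROGUE_ROOT = b"constructed-attacker-inserted-root"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def to_pem_bundle(der_list):
    """Wrap DER byte strings into a PEM bundle, 64 base64 characters per line."""
    out = []
    for der in der_list:
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                   + "\n-----END CERTIFICATE-----\n")
    return "".join(out)


def sha256_hex(der):
    """Fingerprint as shown by most certificate viewers: SHA-256 over the DER."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate block in a PEM bundle."""
    fps = []
    for b64 in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))  # strip line wrapping
        fps.append(sha256_hex(der))
    return fps


def unexpected_roots(pem_text, baseline):
    """Roots now in the trust store that were not in the known-good baseline."""
    return sorted(set(pem_fingerprints(pem_text)) - set(baseline))


def missing_roots(pem_text, baseline):
    """Baseline roots that have vanished; a removed root breaks legitimate chains."""
    return sorted(set(baseline) - set(pem_fingerprints(pem_text)))


if __name__ == "__main__":
    baseline = pem_fingerprints(to_pem_bundle(APPROVED_ROOTS))
    live_store = to_pem_bundle(APPROVED_ROOTS + [ROGUE_ROOT])  # rogue root added
    for fp in unexpected_roots(live_store, baseline):
        print("ALERT: root not in baseline:", fp)
```

On a real host the baseline would be stored off the machine (as the article's off-site verification suggests) and the live bundle read from the system or browser trust store.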
Risk # 4 - Public keys associated with names run into the multiple-names problem.
Risk # 5 - Is the CA a trusted authority / third party?
Is it the IRS, DMV or Post Office?
The credit bureau model is flawed as it sells information to others, etc. How does the CA identify the certificate holder? In the South Asian countries this is even a major barrier to B2B commerce and PKI implementation.
Risk # 6 - What is the key lifetime?
How does one revoke keys? Is revocation retroactive?
With browsers, what is the user's action when establishing an SSL connection?
Does he read the certificate?
Risk # 7 - PKI - INTEROPERABILITY issues:
How do certificate authorities in different companies / security domains recognize each other?
- at application level, between any two peers, e.g. email clients;
- at enterprise level, sharing repository data;
- how will harmonizing of policies and their enforcement be done by CAs?
Other issues:
Browser version issues - different browser versions do not work within PKI.
Administration of centralized directories, and compatibility with potential customers and business partners [the solution is to use LDAP directory servers scattered throughout the network].
Non-secure operating systems:
Microsoft NT is known to be not secure. Banks & telecom companies prefer Sun Solaris or UNIX operating systems.
PKI is expensive & complex to implement. Some recent PKI solutions are starting to come in an out-of-the-box version.
Copyright © 2000 - 2006 [the-south-asian.com]. Intellectual Property. All rights reserved.