Security & trust in internet banking 5

PKI [ Asymmetric or Public Key Infrastructure ] is required especially if Multi Million Dollar value Corporate Transactions are to start taking place and provide the speed , efficiency and increase in Global Trade .

What is PKI ?

It is a combination of Software, Encryption Technologies , Services comprising

-- Digital Certificates & Certificate Authorities – CA [ trusted third parties-- see below ].

-- Using Certificate Distribution via LDAP & DAP [ X.500] Management --Lightweight Directory Access Protocols interface services for Computer System Directories [ containing customer & staff name and addresses] ,

-- Public Key Management, Renewing & Revoking Certificates into a total Enterprise–wide Network Security architecture

-- Authentication is used via CAs similar to the Dept. Motor Vehicles Driving Licenses are used to identify a check being cashed .

-- Also CAs are similar to a Passport that identifies travellers entering countries .

PKI Companies: Customers

Baltimore Technologies Wisekey, Identrus [ SWIFT & about 50 major banks ]

Entrust Telia. Royal Mail , Chase Manhattan Bank. Canadian Government. US Patent & Trademark.

Arcot Visa, First Union Bank, Swedish Postal Service, Union PacificRailroad.

Verisign Barclays , Canadian Imperial Bank, GE eXchange Services – 100,000 enterprise customers , Texas Instruments, SEC., Univ.of Pittsburg , N.J. State.

Valicert U.S. Postal Service , U.S. Navy , Treasury , Intelligence.

Problems & Weaknesses of PKI - Public Key Infrastructure [ PKI issues ].

Security as a Chain ; PKI is only as strong as its weakest Link. PKI is based on Cryptography and People. Therefore PKI needs processes & procedures , Trust is involved .Some argue that PKI needs E-Commerce more than E- Commerce needs PKI . Its $ 5 per certificate is a good market for PKI Certificates for the Internet of 100 million users . Some companies naturally want to sell certificates and make a lot of money.

RISK # 1 – Who makes a CA trusted & grant authorization? This is the heart of PKI .

Is the CA a Trusted authority/ third party ?

The CAs role is the same as the IRS , DMV, Post Office .Do these bodies sell your information to marketeers in the USA ?

The Credit Bureau Model is flawed as it sells information to others, etc . How does the CA identify the certificate holder.In the South Asian countries this is a Major barrier to B2B Commerce and PKI implementation.

In the case of South Asian countries who will be the Trusted Third Party ?

Driving Licenses are easily forged or obtainable . Passports too can be obtained easily .

The Judiciaries are not efficient and trustworthy and there are very few Tax authorities in South Asian countries who can be above nepotism

In the Internet age 2001 , some secure transaction system [ the PKI model ] is necessary for the Internet advantages to be exploited . The South Asian Countries also have a weak legal Infrastructure to implement PKI.

Trusted Third Parties - Certificates of Authority [ CA]:

In the Internet age , especially with the danger of anthrax via paper mail PKI use in paperless transactions seems ideal.

The Department of Motor Vehicles- DMV’s Driving License is used as a CA /Trusted Third Party in the Western countries , when cashing a check.

One could consider the Internal Revenue Service as a trusted third party – it has the tax details of an Individual.

The major Western [ SWIFT] & Japanese Banks have formed such a trusted Bank party called " Identrius " . Identrus certifies various corporate companies with CAs and allows companies to carry out B2B banking in this way.

Similarly " WiseKey" a partnership with ITU [ International Telecom Union ] and

Private entrepreneurs have set up a Root Authority in Switzerland and issues CAs to business companies.

Risk # 2 – Who is using the key – REPUDIATION.

Is my private key in a PC sitting in a room without CCTV.It does not matter who is at the keyboard - you are legally responsible. Currently Credit Cards laws are that under the Mail Order / Telephone order laws in the US .

If you object to a line item on a credit card bill, you have the right to repudiate it.

Risk # 3 – Security of Verifying Computer

The "Root" Public keys can be added by a attacker and his own public key attached.

Root Certificate verification in the case of WiseKey is on a Off-Site Computer [ e.g. in a Bunker in the Swiss Alps .]

Risk # 4 - Public keys associated with names run into multiple names problem.

Risk # 5 - Is the CA a Trusted authority/ third party ?

Is it the IRS , DMV, Post Office .

The Credit Bureau Model is flawed as it sells information to others, etc . How does the CA identify the certificate holder. In the South Asian countries this even a Major barrier to B2B Commerce and PKI implementation.

Risk # 6 - What is key lifetime ?

How does one revoke keys ? Is revocation retroactive.

With browsers – what is the user action when establishing an SSL connection.

Does he read the Certificate ?

Risk # 7 - PKI - INTEROPERABILITY issues :

How do Certificate authorities in Different Companies / security domain recognize each other.

- at Application level between any two peers e.g. Email clients .

- at Enterprise level – sharing repository data

- how will harmonizing policies and enforcement be done by CAs.

Other issues :

Browser versions issues- different browsers versions do not work within PKI .

Administration of Centralized Directories – and compatibility with Potential Customers and Business Partners. [ solution is to use LDAP Directory Servers scattered throughout the network.]

Non- Secure Operating Systems

Microsoft NT system is known to be not secure . Banks & Telecom companies prefer Sun Solaris or UNIX operating systems..

PKI is Expensive & Complex to implement. Some recent PKI solutions are starting in a out of the box version.

next

Disclaimer

Home