Security in MultiCash - UniCredit Bank Srbija ad Beograd
Security in MultiCash - UniCredit Bank Srbija ad Beograd
Security in MultiCash - UniCredit Bank Srbija ad Beograd
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
International <strong>Bank</strong><strong>in</strong>g<br />
Omikron Systemhaus<br />
GmbH & Co. KG<br />
Von-Hünefeld-Str. 55<br />
D-50829 Köln<br />
Tel.: +49 (0)221 -59 56 99 -0<br />
Fax: +49 (0)221 -59 56 99 -7<br />
omikron@omikron.de<br />
www.omikron.de<br />
<strong>Security</strong> <strong>in</strong> <strong>MultiCash</strong><br />
Overview of relevant features<br />
Version 1.02 / Dez. 2006
<strong>Security</strong> <strong>in</strong> <strong>MultiCash</strong><br />
CONTENT :<br />
1 BACKGROUND......................................................................................... 3<br />
1.1 <strong>Security</strong> aspects of <strong>MultiCash</strong>................................................................ 3<br />
1.2 Overall <strong>Security</strong> and External Audits ..................................................... 3<br />
2 LOCAL SECURITY.................................................................................... 5<br />
2.1 Access Control and Access Rights........................................................ 5<br />
2.1.1 Passwords........................................................................................................... 5<br />
2.1.2 Users / User Groups............................................................................................ 7<br />
2.1.2.1 Functional Profiles ............................................................................................... 7<br />
2.1.2.2 Data Profiles........................................................................................................ 7<br />
2.1.3 Dual Control......................................................................................................... 7<br />
2.2 Approvals ................................................................................................. 7<br />
2.3 Logs and Audit Trail ................................................................................ 7<br />
2.3.1 System Log ......................................................................................................... 7<br />
2.3.2 Additional Logs .................................................................................................... 8<br />
2.3.3 Payment History .................................................................................................. 8<br />
2.4 Confidential Payments ............................................................................ 8<br />
3 EXTERNAL SECURITY............................................................................. 9<br />
3.1 NTFS <strong>Security</strong> .......................................................................................... 9<br />
4 SECURE COMMUNICATION WITH MCFT............................................. 10<br />
4.1 Background............................................................................................ 10<br />
4.2 MCFT – How it works............................................................................. 10<br />
4.3 Compression.......................................................................................... 11<br />
4.4 Confidentiality........................................................................................ 11<br />
4.5 Electronic Signature.............................................................................. 12<br />
4.6 Initialization ............................................................................................ 12<br />
4.7 Note on the use of TCP/IP communication.......................................... 12<br />
5 ADDITIONAL SECURITY ASPECTS FOR MULTICASH@WEB............ 13<br />
© 12/2006 Omikron Systemhaus GmbH & Co. KG 2
<strong>Security</strong> <strong>in</strong> <strong>MultiCash</strong><br />
1 Background<br />
1.1 <strong>Security</strong> aspects of <strong>MultiCash</strong><br />
This document provides an overview of the security mechanisms <strong>in</strong> <strong>MultiCash</strong>. The<br />
follow<strong>in</strong>g areas have been identified by users as most security sensitive and are subject of<br />
the document :<br />
• Local <strong>Security</strong> : <strong>Security</strong> functions with<strong>in</strong> the <strong>MultiCash</strong> application<br />
• External <strong>Security</strong> : Interaction with the operat<strong>in</strong>g system<br />
• Secure Communication : <strong>Security</strong> features of the standard<br />
communication protocol MCFT<br />
Omikron recommends users of an Electronic <strong>Bank</strong><strong>in</strong>g application to take these aspects <strong>in</strong>to<br />
consideration and to implement what is necessary to meet the requirements of the<br />
particular <strong>in</strong>stallation <strong>in</strong> l<strong>in</strong>e with audit considerations.<br />
The document aims to cover all security-sensitive areas of <strong>MultiCash</strong>. The ma<strong>in</strong><br />
enhancements realized <strong>in</strong> version 3.20 are specially highlighted (see sh<strong>ad</strong>owed boxes).<br />
1.2 Overall <strong>Security</strong> and External Audits<br />
In the case of most banks who provide <strong>MultiCash</strong> to their clients there has been an <strong>in</strong>ternal<br />
certification – of both the products and the related processes – m<strong>ad</strong>e by their <strong>in</strong>ternal audit<br />
department.<br />
As software supplier, we can make the follow<strong>in</strong>g general statements on this question :<br />
The approach to certification <strong>in</strong> the complex area of Electronic <strong>Bank</strong><strong>in</strong>g software can be<br />
divided <strong>in</strong>to several areas, which must be considered <strong>in</strong> quite different ways :<br />
A. Communication procedures<br />
This is certa<strong>in</strong>ly the most important area, s<strong>in</strong>ce here security-relevant data are transferred<br />
over public networks. For communication between the bank and its clients, a number of<br />
different procedures are be<strong>in</strong>g used, which are as a rule def<strong>in</strong>ed by the banks <strong>in</strong> the<br />
context of the markets <strong>in</strong> which they are active. Typically, the "Owner" of the procedure <strong>in</strong><br />
each case has organized a certification of this procedure. The results of these audits and<br />
certifications are not available to us, as software supplier.<br />
As background <strong>in</strong>formation, here is a list of the most common communication procedures<br />
used :<br />
1. MCFT : This procedure is based on the standard protocol "EPFT" (ZVDFUE), built to the<br />
specifications of the German bank<strong>in</strong>g community. This procedure is widespre<strong>ad</strong> with<strong>in</strong><br />
Electronic <strong>Bank</strong><strong>in</strong>g implementation across Europe, s<strong>in</strong>ce it is <strong>in</strong>cluded as standard process<br />
with<strong>in</strong> the <strong>MultiCash</strong> application. Omikron has cont<strong>in</strong>ued to develop this procedure over the<br />
years, and <strong>in</strong> the course of this process taken over the "Ownership". Therefore we as<br />
Omikron commissioned an external security audit from the company "debis IT <strong>Security</strong><br />
Services". A description of the MCFT protocol is <strong>in</strong>cluded under Chapter 4 below ; a<br />
summary of the f<strong>in</strong>d<strong>in</strong>gs of the debis audit can be provided on request.<br />
© 12/2006 Omikron Systemhaus GmbH & Co. KG 3
<strong>Security</strong> <strong>in</strong> <strong>MultiCash</strong><br />
2. BCS-FTAM : Currently, this is the valid standard communication procedure of the<br />
German banks for corporate bus<strong>in</strong>ess. Accord<strong>in</strong>g to our <strong>in</strong>formation, an audit was<br />
commissioned by the German Central Credit Committee, when the procedure was first<br />
implemented. If this is relevant for you, please request your bank to provide <strong>in</strong>formation on<br />
this audit.<br />
3. BCS-FTP : This procedure is the further development of the BCS standard on the basis<br />
of the FTP transport protocol. It was def<strong>in</strong>ed by the German private banks, who can<br />
provide further details on request.<br />
4. HBCI : This is the currently valid standard communication procedure of German bank for<br />
private clients and small bus<strong>in</strong>esses. Accord<strong>in</strong>g to our <strong>in</strong>formation, an audit was<br />
commissioned by the German Central Credit Committee, when the procedure was first<br />
implemented. If this is relevant for you, please request your bank to provide <strong>in</strong>formation on<br />
this audit.<br />
B. Application<br />
Follow<strong>in</strong>g the development of the software and our <strong>in</strong>ternal quality control, each new<br />
program version is delivered to the <strong>in</strong>dividual banks and the organizations def<strong>in</strong>ed for the<br />
task of acceptance by the <strong>Bank</strong> Associations. These parties then subject the software to an<br />
extensive acceptance process. Only when all checks have been m<strong>ad</strong>e <strong>in</strong> the areas of<br />
• User-friendl<strong>in</strong>ess<br />
• Software quality<br />
• System security<br />
• Correct process<strong>in</strong>g<br />
is a release approved for delivery to bank clients.<br />
In Germany, the follow<strong>in</strong>g organizations are responsible <strong>in</strong> this area :<br />
1. For private banks : <strong>Bank</strong>-Verlag GmbH, Köln<br />
2. For cooperative banks : BIK Betriebswirtschaftliches Institut der<br />
Kreditgenossenschaften, Frankfurt<br />
C. Enbedd<strong>in</strong>g with the end-user<br />
It is not possible to certify an application generally <strong>in</strong> this area, s<strong>in</strong>ce the security<br />
requirements depend primarily on how the application is embedded <strong>in</strong> the environment of<br />
that user, and what specific requirements that user has.<br />
© 12/2006 Omikron Systemhaus GmbH & Co. KG 4
<strong>Security</strong> <strong>in</strong> <strong>MultiCash</strong><br />
2 Local <strong>Security</strong><br />
2.1 Access Control and Access Rights<br />
2.1.1 Passwords<br />
Logon to the system is by means of user-ID and password. After first log-on, the user is<br />
prompted to change his password. After three false attempts this user is blocked and has<br />
no further access to the application until released by an authorized <strong>ad</strong>m<strong>in</strong>istrator. The<br />
passwords are always stored <strong>in</strong> encrypted form, as follows :<br />
• The User Log<strong>in</strong> password is stored <strong>in</strong> the user database, encrypted with DES<br />
• The Adm<strong>in</strong>istration password is encrypted with DES <strong>in</strong> several parameter files<br />
In <strong>ad</strong>dition, it is possible to set :<br />
• M<strong>in</strong>imum length of password<br />
• Validity period, after which password must be changed<br />
In <strong>ad</strong>dition, a password history can also be ma<strong>in</strong>ta<strong>in</strong>ed, and a period set, dur<strong>in</strong>g which<br />
passwords may not be re-used.<br />
For each <strong>in</strong>dividual user, it is possible to def<strong>in</strong>e time w<strong>in</strong>dows with<strong>in</strong> which access to the<br />
application is permitted / denied. In the same way, usage can be restricted to def<strong>in</strong>ed days.<br />
Version 3.2 : Alternative Logon-Procedures<br />
a) Use of W<strong>in</strong>dows passwords<br />
As an alternative to the logon us<strong>in</strong>g User-ID and password, the W<strong>in</strong>dows User-ID can be<br />
stored <strong>in</strong> the <strong>MultiCash</strong> user <strong>ad</strong>m<strong>in</strong>istration. At logon, this User-ID will be reconciled with<br />
that one of the current W<strong>in</strong>dows user and, if applicable, an automatic logon will be<br />
executed with the correspond<strong>in</strong>g <strong>MultiCash</strong> User-ID. The entry of ID and password is then<br />
not necessary, nor is the regular prompt to change the password with<strong>in</strong> <strong>MultiCash</strong>.<br />
b) Logon with RSA Signature<br />
If an <strong>in</strong>creased security is required <strong>in</strong>ste<strong>ad</strong> of the simplified logon described above, the<br />
“Logon with ES“ can be activated. In this case, the logon is m<strong>ad</strong>e by an Electronic<br />
Signature, for which the ES medium must be <strong>in</strong>serted. This same signature is used for<br />
authorization of transactions to the bank(s).<br />
Version 3.2 : Additional password rules (optional)<br />
A. Additional password options <strong>in</strong> the system parameters (the options can be comb<strong>in</strong>ed):<br />
1. Inactive users block after x days<br />
Intended to reduce the risk that user accounts which have not been used for a longer<br />
period of time are used for attacks.<br />
2. M<strong>in</strong>imum number of letters<br />
3. M<strong>in</strong>imum number of figures<br />
4. M<strong>in</strong>imum number of special characters<br />
5. Max. number of characters <strong>in</strong> ascend<strong>in</strong>g sequence<br />
© 12/2006 Omikron Systemhaus GmbH & Co. KG 5
<strong>Security</strong> <strong>in</strong> <strong>MultiCash</strong><br />
6. Password change only once per day<br />
If this option is activated, a password change can be executed only once per day. This<br />
should prevented a user immediately return<strong>in</strong>g to his old password after the enforced<br />
password change.<br />
7. Enforce password change<br />
So far, it has been possible to cancel of the prompt for password change after a<br />
password has expired, <strong>in</strong> order that the change cycles can be easier synchronized with<br />
other applications. If this new option is activated, the user will be forced to change his<br />
password when his exist<strong>in</strong>g one has expired.<br />
8. Not more than 2 same characters <strong>in</strong> sequence<br />
9. Check negative list (stored <strong>in</strong> INI file)<br />
If this parameter is activated, new passwords are checked aga<strong>in</strong>st the negative list<br />
stored <strong>in</strong> a def<strong>in</strong>ed control file and are rejected if they match.<br />
10. Display last access for logon<br />
As a control aga<strong>in</strong>st program abuse, the display of the time of the last access can be<br />
activated us<strong>in</strong>g this option.<br />
11. For ES logon with hardware ES, no password prompts any longer<br />
If this parameter is activated, no signature password will be prompted when sign<strong>in</strong>g as<br />
long as the logon to the chipcard is still valid (i. e. the card has not been removed from<br />
the re<strong>ad</strong>er s<strong>in</strong>ce logon).<br />
B. In <strong>ad</strong>dition, the follow<strong>in</strong>g fields are <strong>ad</strong>ded to the user record:<br />
1. Last access time<br />
2. Use W<strong>in</strong>dows users<br />
This allows the time of the last access to be controlled by the system <strong>ad</strong>m<strong>in</strong>istrator for each<br />
user.<br />
C. The follow<strong>in</strong>g <strong>ad</strong>ditional functionalities have been implemented:<br />
1. For password change: Check password rules accord<strong>in</strong>g to A.<br />
2. For logon: Display date and time of the last access (if A.10 is activated)<br />
3. For logon: if applicable, prompt W<strong>in</strong>dows users and when they agree, logon without<br />
password prompt (if the correspond<strong>in</strong>g option is set <strong>in</strong> the user record)<br />
4. For logon: if applicable ES logon (if the correspond<strong>in</strong>g option is set <strong>in</strong> the user record)<br />
5. In the first automat run of the day, check the last logon time of all users and block users<br />
if period is exceeded accord<strong>in</strong>g to A.1.<br />
6. In the Users dialog: After manual change of the fields “Password“ or “Blocked“, prompt<br />
for password change at the next logon of the relevant user.<br />
© 12/2006 Omikron Systemhaus GmbH & Co. KG 6
<strong>Security</strong> <strong>in</strong> <strong>MultiCash</strong><br />
2.1.2 Users / User Groups<br />
Users may be assigned to User Groups which are def<strong>in</strong>ed <strong>in</strong> <strong>ad</strong>vance by authorized<br />
<strong>ad</strong>m<strong>in</strong>strators. For users and/or user groups, access rights can be def<strong>in</strong>ed as follows :<br />
2.1.2.1 Functional Profiles<br />
Access can be permitted / denied for users and/or user groups down to the level of<br />
<strong>in</strong>dividual functions. This allows a strict segregation of organisational functions between<br />
users, <strong>in</strong> l<strong>in</strong>e with <strong>in</strong>ternal audit requirements.<br />
2.1.2.2 Data Profiles<br />
The use of data profiles ensures that any user has access only to data for which he is<br />
authorized. In <strong>ad</strong>dition, it is possible to def<strong>in</strong>e whether access to certa<strong>in</strong> data is available to<br />
a def<strong>in</strong>ed user as re<strong>ad</strong>-only.<br />
2.1.3 Dual Control<br />
Access to sensitive <strong>ad</strong>m<strong>in</strong>istration functions, <strong>in</strong> particular <strong>ad</strong>ditions and changes to users<br />
and access rights, is subject to the password authorization by an <strong>ad</strong>m<strong>in</strong>istrator, or<br />
optionally two <strong>ad</strong>m<strong>in</strong>istrators (dual control).<br />
2.2 Approvals<br />
In most implementations, one or more payment modules are <strong>in</strong>cluded with<strong>in</strong> an <strong>in</strong>stallation<br />
of <strong>MultiCash</strong>. All payment modules with<strong>in</strong> the product range offer a match<strong>in</strong>g approvals<br />
mechanism, which allows payment orders to be protected aga<strong>in</strong>st unauthorized changes,<br />
and to ensure that only complete and pre-authorized payments are sent to the banks. The<br />
approvals mechanism <strong>in</strong>cludes :<br />
• S<strong>in</strong>gle approval, applicable to a s<strong>in</strong>gle payment order<br />
• Multiple approval, allow<strong>in</strong>g several orders for a pre-def<strong>in</strong>ed account to be viewed<br />
and selected / excluded for approval<br />
In <strong>ad</strong>dition, it is possible to def<strong>in</strong>e different approvals levels by order type, and to set an<br />
amount (<strong>in</strong> base currency) from which a second approval is mandatory.<br />
2.3 Logs and Audit Trail<br />
2.3.1 System Log<br />
A system log can be activated : this log records all menu options which are called dur<strong>in</strong>g<br />
sessions with the application, <strong>in</strong>clud<strong>in</strong>g time and name of the user<br />
© 12/2006 Omikron Systemhaus GmbH & Co. KG 7
<strong>Security</strong> <strong>in</strong> <strong>MultiCash</strong><br />
2.3.2 Additional Logs<br />
Further <strong>in</strong>formation which may be required <strong>in</strong> specific cases is <strong>in</strong>cluded <strong>in</strong> <strong>ad</strong>ditional logs,<br />
<strong>in</strong>clud<strong>in</strong>g a log for capture of all communications sessions with results.<br />
Changes <strong>in</strong> version 3.20<br />
Log entries have been stored so far separately accord<strong>in</strong>g to the type <strong>in</strong> different text files.<br />
The relevant entries for<br />
> Error log<br />
> Communications<br />
> System log<br />
> MT940 process<strong>in</strong>g log<br />
> Plan data reconciliation log<br />
are now comb<strong>in</strong>ed to be stored <strong>in</strong> a central file. The display is m<strong>ad</strong>e <strong>in</strong> a central overview,<br />
<strong>in</strong> which the data can be easily selected, pr<strong>in</strong>ted or output to PDF.<br />
2.3.3 Payment History<br />
A full history of all orders and payment files is kept, <strong>in</strong>clud<strong>in</strong>g full details of payment files<br />
<strong>in</strong>clud<strong>in</strong>g<br />
• Status<br />
• Time of all activities m<strong>ad</strong>e (e.g. creation of file, signatures), with names of users<br />
<strong>in</strong>volved<br />
• Answer code from communication and timestamp from the bank<br />
This allows track<strong>in</strong>g of <strong>in</strong>dividual files/orders at a later date.<br />
2.4 Confidential Payments<br />
New feature <strong>in</strong> version 3.20<br />
<strong>MultiCash</strong> is <strong>in</strong>creas<strong>in</strong>gly used as central solution with<strong>in</strong> the corporate network and is used<br />
by all divisions of the company. This means that payment orders orig<strong>in</strong>ated <strong>in</strong> different<br />
parts of the company, with vary<strong>in</strong>g responsibilities are stored <strong>in</strong> one place. Often, these<br />
orders also differ <strong>in</strong> terms of confidentiality (e. g. credit transfers to suppliers, wages and<br />
salaries, customer direct debits). Given this situation, a concept was developed which<br />
allows access to confidential payments – throughout the entire system - only to persons<br />
explicitly authorized for this. In the realization, the follow<strong>in</strong>g detailed requirements were<br />
taken <strong>in</strong>to consideration:<br />
1. The access protection is effective with<strong>in</strong> all payment modules (on the basis of <strong>in</strong>dividual)<br />
transactions and <strong>in</strong> the File Manager<br />
2. All payment formats used <strong>in</strong> <strong>MultiCash</strong> are supported, even if no unique ID for<br />
confidential payments is <strong>in</strong>cluded <strong>in</strong> the files or def<strong>in</strong>ed <strong>in</strong> the format itself<br />
3. The rules are def<strong>in</strong>ed centrally <strong>in</strong> the user <strong>ad</strong>m<strong>in</strong>istration.<br />
© 12/2006 Omikron Systemhaus GmbH & Co. KG 8
<strong>Security</strong> <strong>in</strong> <strong>MultiCash</strong><br />
3 External <strong>Security</strong><br />
3.1 NTFS <strong>Security</strong><br />
<strong>MultiCash</strong> can be operated together with NTFS-<strong>Security</strong>. In this mode, the access to<br />
resources (directories etc.) is not permitted to the user who is logged on, but to a system<br />
user for the application <strong>MultiCash</strong>, who receives his own account at operat<strong>in</strong>g system level<br />
for this purpose.<br />
Note : this is implemented from version MCC 3.01 for W<strong>in</strong>NT / W<strong>in</strong>dows 2000<br />
© 12/2006 Omikron Systemhaus GmbH & Co. KG 9
<strong>Security</strong> <strong>in</strong> <strong>MultiCash</strong><br />
4 Secure Communication with MCFT<br />
4.1 Background<br />
The <strong>MultiCash</strong> application supports a number of different communication options, based on<br />
standards of different countries and banks. In the follow<strong>in</strong>g we refer only to the secure<br />
communication protocol “MCFT“, which is provided by default <strong>in</strong> the application and is the<br />
most widely used option <strong>in</strong>ternationally.<br />
MCFT is a dialog-oriented protocol for the transfer of data. This <strong>in</strong>cludes the transfer of<br />
files from a corporate to the banks (e.g. payment files) as well as the collection of data from<br />
the banks (e.g. balance and transaction data). With MCFT, communication is possible via<br />
the communication protocols TCP/IP, X.25, ISDN and Modem-Modem. This<br />
communication protocol is supported by banks <strong>in</strong> over 20 European countries and has<br />
been audited and approved by various <strong>in</strong>ternational auditors, with a particular focus on the<br />
use of MCFT over the <strong>in</strong>ternet.<br />
4.2 MCFT – How it works<br />
All data transferred between <strong>Bank</strong> and Customer are fully encrypted. A key component of<br />
the encryption is the exchange of Public Keys, us<strong>in</strong>g the algorithm of Diffie / Hellmann,<br />
after each successful transmission, so that each tranmsmission is secured with a new key.<br />
This guarantees that this <strong>in</strong>formation is not to be used for decrypt<strong>in</strong>g a future message,<br />
even <strong>in</strong> the theoretical case that a used session-key becomes known. S<strong>in</strong>ce an <strong>ad</strong>ditional<br />
„Timestamp“ is generated for the send<strong>in</strong>g and receipt of the message, it is also impossible<br />
to use a cumbersome decryption procedure to manipulate the message.<br />
On the <strong>Bank</strong> side, an automated process controls Customer access. Each customer is set<br />
up with a set of permissions for bank services, as identified by validated session types.<br />
Before the orig<strong>in</strong>al file (e.g. a payments file) is transferred, a start block is sent, which<br />
<strong>in</strong>cludes .a series of significant details, i.e. a customer ID, user ID, accounts to be debited,<br />
electronic signatures and check sums over the entire file.<br />
Dur<strong>in</strong>g communication (onl<strong>in</strong>e, dur<strong>in</strong>g the transmission of start blocks), the follow<strong>in</strong>g<br />
checks are then m<strong>ad</strong>e :<br />
• Authorization of the user (validation aga<strong>in</strong>st immediately previous communication<br />
session)<br />
• Authorization for a specified bank service (e.g. <strong>in</strong>ternational payments,<br />
documentary credits etc.), def<strong>in</strong>ed by session type<br />
• Authorization for access to the specified account<br />
• Provision of sufficient signatures<br />
• Limit checks (limits set up for this Electronic Delivery channel)<br />
If one of these checks fails dur<strong>in</strong>g transmission of the start blocks, the transmission is<br />
immediately aborted by the bank server. The customer receives a clear message <strong>in</strong> the<br />
form of an answer code, which is held <strong>in</strong> a log file on both customer and bank side. This<br />
check is m<strong>ad</strong>e on the Communication Level. This ensures that customers of the bank can<br />
<strong>in</strong> no case access directly the ma<strong>in</strong>tenance functions, database server or file server, even<br />
where this is <strong>in</strong>stalled with<strong>in</strong> a Local Area Network (LAN).<br />
© 12/2006 Omikron Systemhaus GmbH & Co. KG 10
<strong>Security</strong> <strong>in</strong> <strong>MultiCash</strong><br />
The communications server can therefore be viewed as a “Block<strong>in</strong>g Firewall“ with<strong>in</strong> the<br />
Back Office environment. As a result, any abuse or error can be detected early, <strong>in</strong> which<br />
case the communication process is aborted immediately. The file is then rejected.<br />
• A trailer, or end block is always transmitted at the end of the dialog, whether it is<br />
successful or has been aborted. Response codes <strong>in</strong> the trailer allow the result of<br />
the communications session to be accurately identified.<br />
• If the Electronic Signature is not correct, the communication session will be<br />
aborted before transmission of the orig<strong>in</strong>al file. If the electronic signature is<br />
accepted, the file will be transmitted. The bank system then needs only to<br />
calculate the „f<strong>in</strong>gerpr<strong>in</strong>t“ and match this aga<strong>in</strong>st the one received <strong>in</strong> the start<br />
block, which has alre<strong>ad</strong>y been verified. If the electronic signature is correct, the<br />
result of the various checks are transmitted at the end of the communication; these<br />
are then displayed on the customer system, and logged accord<strong>in</strong>gly <strong>in</strong> an audit<br />
trail.<br />
The general flow of customer – bank communication with MCFT is outl<strong>in</strong>ed <strong>in</strong> graphic form<br />
below :<br />
Private<br />
Key A<br />
Private<br />
Key B<br />
Customer <strong>Bank</strong><br />
Orig<strong>in</strong>al file<br />
RSA<br />
CHK2<br />
CHK6<br />
EUZ<br />
ES file<br />
4.3 Compression<br />
RSA<br />
DAD<br />
MCDFUE dialog<br />
Start block<br />
Answer block<br />
Data<br />
F<strong>in</strong>al mess.<br />
Acknowl.<br />
© 12/2006 Omikron Systemhaus GmbH & Co. KG 11<br />
Checks:<br />
����<br />
����<br />
����<br />
����<br />
Session type<br />
User<br />
Account<br />
ES<br />
Check<br />
CHK2<br />
CHK6<br />
EUZ = ES Intermediate File<br />
CHK2 = Checksum 2<br />
CHK6 = Checksum 6<br />
RSA = Rivest, Shamir, Adleman encryption method<br />
Data compression is achieved on the basis of the <strong>in</strong>ternationally accepted and highly<br />
efficient algorithm which is <strong>in</strong>tegrated <strong>in</strong> PKZIP software for data compression.<br />
4.4 Confidentiality<br />
The data are protected aga<strong>in</strong>st unauthorized view<strong>in</strong>g dur<strong>in</strong>g transmission by the use of<br />
Triple-DES encryption. A key exchange accord<strong>in</strong>g to Diffie-Hellman is m<strong>ad</strong>e : the new keys<br />
are calculated on the customer and the bank side after each successful communication,<br />
but are never sent across the l<strong>in</strong>e themselves.<br />
EU file<br />
Orig<strong>in</strong>al<br />
file
<strong>Security</strong> <strong>in</strong> <strong>MultiCash</strong><br />
4.5 Electronic Signature<br />
The MCFT protocol supports optionally the use of Electronic Signature (also known as<br />
digital signature). The signatures are sent automatically <strong>in</strong> a s<strong>in</strong>gle session with the<br />
<strong>in</strong>struction file. A check is m<strong>ad</strong>e on the access rights of the party send<strong>in</strong>g, the validity of the<br />
Electronic Signature are m<strong>ad</strong>e <strong>in</strong> one step dur<strong>in</strong>g the communication dialog, so that both<br />
security and user-friendl<strong>in</strong>ess are guaranteed. Key features of the Electronic Signature as<br />
used with<strong>in</strong> MCFT are :<br />
• Use of RIPEMD-160 for build<strong>in</strong>g the hash<br />
• Use of RSA 1024bit for generat<strong>in</strong>g the Electronic Signature<br />
• The keys can be stored on disk or ChipCard. In case of diskette, the Private-Key is<br />
stored <strong>in</strong> encrypted form (Triple-DES – more details, see below). In case of<br />
ChipCard, special secure storage facility of processor chipcards is used.<br />
4.6 Initialization<br />
• The private details for Electronic Signature S are currently encrypted us<strong>in</strong>g Triple-<br />
DES 192 Bit CBC. Us<strong>in</strong>g PKCS#5, a 24 Byte key and an 8 Byte <strong>in</strong>itialization vector<br />
are generated from the user's password. In the PKCS#5 key generation, two<br />
random values are <strong>in</strong>cluded which are stored <strong>in</strong> the public part of the file. The first of<br />
these is an IterationCount, which outl<strong>in</strong>es how often the generation function is<br />
executed <strong>in</strong>ternally, and the second of these is a so-called Salt, which represents a<br />
start<strong>in</strong>g value for generat<strong>in</strong>g the keys. From these three components (password, salt<br />
and IterationCount) the PKCS#5 algorithm generates the required keys.<br />
The customer sends the Public Key to the server at his bank(s). In parallel he pr<strong>in</strong>ts an<br />
“Initialization letter“ (or INI letter), which is sent by mail (or fax) to the bank. The bank<br />
checks the personal signature on the INI letter aga<strong>in</strong>st their documents and checks that the<br />
signature <strong>in</strong> the letter matches that sent electronically. The user’s Public Key is then<br />
released by the bank.<br />
4.7 Note on the use of TCP/IP communication<br />
Independent of the application <strong>MultiCash</strong>, it is important to ensure sufficient protection<br />
aga<strong>in</strong>st the dangers with<strong>in</strong> the use of the TCP/IP protocol over the <strong>in</strong>ternet by the<br />
appropriate measures <strong>in</strong> the <strong>in</strong>frastructure (firewalls etc.) This always applies when PCs<br />
with<strong>in</strong> a company are connected to the <strong>in</strong>ternet.<br />
At the same time, we stress that with<strong>in</strong> the protocol MCFT, the security mechanisms are<br />
implemented up to the application layer. For this reason the transport of data between<br />
corporate and bank is secured.<br />
© 12/2006 Omikron Systemhaus GmbH & Co. KG 12
<strong>Security</strong> <strong>in</strong> <strong>MultiCash</strong><br />
5 Additional <strong>Security</strong> aspects for <strong>MultiCash</strong>@Web<br />
<strong>MultiCash</strong>@Web is the optional <strong>ad</strong>d-on for the <strong>MultiCash</strong> customer application, provid<strong>in</strong>g a<br />
browser <strong>in</strong>terface for (some or all) <strong>in</strong>dividual users of the application.<br />
When <strong>MultiCash</strong>@Web is used beyond the company Intranet, SSL-encryption can and<br />
should be used for the communication between the browser clients and the <strong>MultiCash</strong><br />
<strong>in</strong>stallation.<br />
With <strong>MultiCash</strong>@Web, the client has no access rights to the resources (directories etc.) of<br />
the <strong>MultiCash</strong> Server.<br />
In any case, the access to resources can be controlled us<strong>in</strong>g NTFS security on the<br />
<strong>MultiCash</strong> server.<br />
When us<strong>in</strong>g <strong>MultiCash</strong>@Web, there is no need for active components (e.g. Java applets.)<br />
to be <strong>in</strong>stalled. It is only necessary to <strong>in</strong>stall a plug-<strong>in</strong> for Electronic signature, if this<br />
function is be<strong>in</strong>g used. This means that the browser sett<strong>in</strong>gs for the user can rema<strong>in</strong> at a<br />
very high level of security.<br />
© 12/2006 Omikron Systemhaus GmbH & Co. KG 13