Folie 1 - PowerPoint PPT Presentation
Slides: 21
Provided by: markusw
Transcript and Presenter's Notes

1

KOBIL eBanking authentication: experiences with a
Turkish Bank
Markus Tak, Product Manager
2
Overview
  • KOBIL Systems the Company: who we are and what
    we do
  • Banking authentication in KocBank / Isbank:
    flexible banking authentication solution
  • Smartcard Middleware: features and design
    background

3
KOBIL Systems the Company
  • Founded in 1986
  • Headquarters in Worms / Germany, 45 minutes from
    Frankfurt
  • 65 Employees
  • 35 of staff working in R&D
  • Cooperation with cryptographic research institutes
  • All Products Made in Germany
  • Production Sites in Europe and Asia
  • Certified Company according to DIN EN ISO
    9001:2000

4
Product Philosophy
KOBIL SecOVID
Strong Authentication based on One Time
Passwords (OTP)
5
Product Philosophy
KOBIL Smart Key
Certificate- and Smartcard- based Authentication
and Data Security
6
Product Philosophy
Smart Card Terminals Classes 1 - 4
7
Product Philosophy
KOBIL mIDentity: Mobile Identity, Mobile Data
Safe, Mobile Office
8
Banking authentication in KocBank / Isbank
  • Requirements
  • Strong Authentication for Internet Banking: strong
    user authentication using certificates on
    smartcard and/or One-Time-Passwords (OTP)
  • Inhouse PKI and OTP management: Microsoft
    Certification Authority, SecOVID Server
  • Centralized Management: Smart Card Rollout and
    Management
  • Seamless Integration into Banking
    Backend-Systems and Microsoft Platform

9
Internet Banking Customers
  • Commercial / Institutional Customers
  • Smart Card based authentication: SSL client
    authentication with IE
  • Other PKI enabled applications: File Encryption,
    Email Security, ...
  • Individual / Private Customers
  • One Time Password authentication: enables also
    mobile telephone banking; OTP-Token or mobile
    Smart Card Reader
  • No installation needed: reduced Help Desk Costs
  • No Token expiration: replaceable Batteries protect
    investment

10
Banking authentication: the Big Picture
Diagram (ISBANK infrastructure; labels recovered from the slide): Root CA with two Sub CAs; Customer DB / LDAP Server; Application with FILTER; KOBIL Certificate Registration Authority; IIS; SecOVID Server with Backup DB and Log DB; PROVUS Card Issuing Software and PROVUS Client; Secure Channel over the INTERNET; card data flows labelled "PIN / PUK, PKCS12, OTP, ...".
11
Advantages of this Solution
  • Combination of PKI and OTP technologies: enables
    flexible authentication scenarios for desktop
    and mobile end users
  • Seamless Integration into Backend-Systems: based
    on international Standards like RADIUS / TACACS,
    MS-CHAP, X.509, PC/SC etc.
  • Strong Cryptography: Authentication based on 3DES
    (168 Bit key strength) and RSA 1024 Bit
  • No Token expiration: replaceable Standard
    Batteries reduce operating costs
  • Performance: OTP authentication > 1000
    requests/second; Certificate based authentication
    uses HSM accelerator
  • Extensibility: Other applications can easily be
    added later

12
Smart Card Middleware
  • Enabling Smart Cards to be used for PKI-based
    applications
  • Electronic Signatures for e-mails and files:
    Integrity protection against unauthorized
    data modification; Proof of authorship (who is
    the originator of this email?)
  • Encryption for e-mails, files and hard disk
    (Container): Confidential data are kept secret,
    access only with appropriate smart card (Private
    Key) and PIN code
  • Windows Smart Card Logon: Strong two-factor
    Authentication (Possession and Knowledge); also for
    Terminal Servers and Remote Desktop applications
  • SAP R/3 Security: Authentication, Session
    Encryption and Message Integrity for SAPGui /
    SAPServer, often running on Terminal Servers
  • VPN-Authentication in Intranet / Extranet:
    Sensitive data are protected even if
    transferred over public networks

13
Integration into Microsoft Platform
Microsoft CryptoAPI links Applications and Smart
Cards
Diagram (labels recovered from the slide): Standard-Software (Outlook, Internet Explorer, MS Office) and KOBIL Smart Key sit on top of Microsoft CryptoAPI, which provides Certificate Validation via the Windows Certificate Manager; below CryptoAPI the CSPs: KOBIL SigG CSP, KOBIL CSP, Microsoft CSP (Private Key stored in Registry) and other CSPs (e.g. Gemplus, Schlumberger etc.).
14
Terminal Server Integration
Diagram (labels recovered from the slide): PC/SC-based Apps, Smartcard Logon and RDP Terminal Applications on the Terminal Server (W2003, Citrix), which uses CryptoAPI and talks to the Windows Domain Controller (ADS); PC/SC Forwarding via RDP/ICA Protocol to the Terminal Client (Windows 2000/XP). Only PC/SC driver installation required!
15
CSP Middleware Design Background
  • The Cryptographic Service Provider (CSP) is
    called from:
  • Winlogon / LSASS: Windows Logon screen. Very
    restricted access policy, no dialog boxes are
    allowed. Runs with SYSTEM privileges.
  • Microsoft VPN Client: No dialog boxes are allowed.
    Direct Access to the Smart Card.
  • Applications (Outlook, Internet Explorer
    etc.): GUI integration (please insert card,
    please enter PIN). Certificate registration in
    Windows Explorer required.
  • Windows / Citrix Terminal Services: CSP running on
    the Terminal Server accesses local PC/SC readers
    on the client (PC/SC Forwarding). Support for
    Thin Clients.
  • Windows 2000/2003 CA: Certificate Enrollment,
    AutoEnrollment, Key Backup

16
CSP Middleware Design Background
  • CSP implementation requirements
  • Multiple Application Access: as more than one
    application may want to access the CSP at the
    same time (e.g. Winlogon, Outlook, Card Management
    Tool etc.), a synchronization mechanism needs to
    be implemented.
  • PIN-caching: Microsoft did not know about secure
    PINPad readers when CryptoAPI was designed. A
    strict PIN caching strategy is required from CSP
    implementors.
  • Smart Card Personalization: a CSP must be able to
    initialize an empty smart card from scratch,
    create file structure and PIN files on card,
    generate Private and Public Key and write it to
    the card. Handle multiple certificates on the
    card. Support Windows 2003 CA key backup feature.
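
The two CSP requirements above, serialized card access (slide 15's callers such as Winlogon and Outlook hitting the CSP at once) and a strict PIN cache, sketched as added example code, not KOBIL's CSP. It assumes a constructed card serial as cache key, a constructed 60-second lifetime, and a process-local spin lock standing in for the cross-process mechanism a real CSP would use; a secure PINPad reader never hands the PIN to the host, so the cache refuses to store it.

```c
/* Added illustration of a strict CSP PIN-caching policy and the lock that
 * serializes card access. Not KOBIL's code: serials, TTL and the spin lock are
 * constructed for the example (a real CSP would use a cross-process mutex). */
#include <stdatomic.h>
#include <stdint.h>
#include <string.h>
#define PIN_MAX       16
#define SERIAL_MAX    32
#define CACHE_TTL_SEC 60                 /* constructed policy value */
static atomic_flag csp_busy = ATOMIC_FLAG_INIT;  /* one caller on the card at a time */
static char    cached_pin[PIN_MAX + 1], cached_serial[SERIAL_MAX];
static int64_t cached_at = -1;           /* -1: cache empty */
static void lock(void)   { while (atomic_flag_test_and_set(&csp_busy)) { } }
static void unlock(void) { atomic_flag_clear(&csp_busy); }
/* Overwrite through a volatile pointer so the compiler keeps the wiping stores. */
static void wipe(void *p, size_t n) { volatile unsigned char *v = p; while (n--) *v++ = 0; }

/* Called on card removal, logoff, or any policy miss: the PIN never survives. */
void pin_cache_clear(void) {
    lock();
    wipe(cached_pin, sizeof cached_pin);
    wipe(cached_serial, sizeof cached_serial);
    cached_at = -1;
    unlock();
}

/* Store after a successful VERIFY; a secure PINPad reader keeps the PIN off the host, so nothing is cached. */
int pin_cache_store(const char *serial, const char *pin, int pinpad_reader, int64_t now) {
    if (pinpad_reader || strlen(pin) > PIN_MAX || strlen(serial) >= SERIAL_MAX) return 0;
    pin_cache_clear();                   /* never leave bytes of an older PIN behind */
    lock();
    memcpy(cached_serial, serial, strlen(serial));
    memcpy(cached_pin, pin, strlen(pin));
    cached_at = now;
    unlock();
    return 1;
}

/* Hit only for the same card within the TTL; any other case empties the cache. */
int pin_cache_lookup(const char *serial, int64_t now, char *out, size_t outlen) {
    int hit = 0;
    lock();
    if (cached_at >= 0 && strcmp(serial, cached_serial) == 0 && now - cached_at < CACHE_TTL_SEC) {
        strncpy(out, cached_pin, outlen - 1); out[outlen - 1] = '\0';
        hit = 1;
    }
    unlock();
    if (!hit) pin_cache_clear();         /* caller must prompt for the PIN again */
    return hit;
}
```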

17
Internal Structure
Diagram (layered; labels recovered from the slide): Applications: Card Management Tool (CMT), CSP, KSKUI, File Security, PKCS11, Dialogs, Explorer Shell Extension. card.lib: card-specific commands, card personalization, configuration. Platforms: Win 9x/NT, Linux, SunOS; Win 2000, XP, 2003. PCSC Bridge: reader mapping. Windows PCSC Layer, KOBIL CT-API, KOBIL PC/SC Driver.
18
Qualified Signatures using CryptoAPI
  • Development of a certified CSP for qualified
    Signatures: Cooperation with KOBIL, Datev and
    Microsoft. Allowing Standard Applications to use
    qualified Signatures based on Microsoft
    CryptoAPI. Easy and fast integration for
    individual applications.
  • Separate CSP Module: Only for signatures, being
    evaluated according to CC EAL 3 as required for
    qualified accredited signatures by German Federal
    Office for Information Security (BSI)
  • Available for a big variety of e-ID signature
    cards: Deutsche Telekom PKS, ZKA Seccos, Datev,
    Signtrust, ... Further cards can easily be added
  • Certificate online validation: Using OCSP
    standard through CryptoAPI
19
CSP quality assurance
  • Microsoft / Veritest "Verified for Windows XP"
    Logo
  • Worldwide the only CSP certified with Verified
    for Windows XP logo
  • Setup: Verification of proper installation /
    deinstallation process
  • Stability: Stable performance
  • Windows XP features tested: Remote Desktop, Fast
    User Switching
  • Conformance with Microsoft Software
    Guidelines: Versioning, UI appearance, design

20
References
Thank you