1 KOBIL eBanking authentication: experiences with a Turkish Bank
Markus Tak, Product Manager
2 Overview
- KOBIL Systems, the Company: Who we are and what we do
- Banking authentication in KocBank / Isbank: Flexible Banking authentication solution
- Smartcard Middleware: Features and Design Background
3 KOBIL Systems, the Company
- Founded in 1986
- Headquarters in Worms / Germany, 45 minutes from Frankfurt
- 65 Employees
- 35 of the staff working in R&D
- Cooperation with cryptographic research institutes
- All Products Made in Germany
- Production Sites in Europe and Asia
- Certified Company according to DIN EN ISO 9001:2000
4 Product Philosophy
KOBIL SecOVID: Strong Authentication based on One Time Passwords (OTP)
5 Product Philosophy
KOBIL Smart Key: Certificate- and Smartcard-based Authentication and Data Security
6 Product Philosophy
Smart Card Terminals, Classes 1 - 4
7 Product Philosophy
KOBIL mIDentity: Mobile Identity, Mobile Data Safe, Mobile Office
8 Banking authentication in KocBank / Isbank
- Requirements
  - Strong Authentication for Internet Banking: Strong user authentication using certificates on smartcard and/or One-Time Passwords (OTP)
  - In-house PKI and OTP management: Microsoft Certification Authority, SecOVID Server
  - Centralized Management: Smart Card Rollout and Management
  - Seamless Integration into Banking Backend Systems and Microsoft Platform
9 Internet Banking Customers
- Commercial / Institutional Customers
  - Smart Card based authentication: SSL client authentication with IE
  - Other PKI-enabled applications: File Encryption, Email Security, ...
- Individual / Private Customers
  - One Time Password authentication: also enables mobile telephone banking; OTP-Token or mobile Smart Card Reader
  - No installation needed: Reduced Help Desk Costs
  - No Token expiration: Replaceable Batteries protect investment
10 Banking authentication: the Big Picture
(Architecture diagram; components shown: ISBANK Root CA with two Sub CAs; Customer DB / LDAP Server; Application FILTER; KOBIL Certificate Registration Authority; IIS; SecOVID Server; Backup DB; Log DB; Secure Channel across the INTERNET; PROVUS Card Issuing Software and PROVUS Client. Data carried on the card-issuing and registration paths: PIN / PUK, PKCS12, OTP, ...)
11 Advantages of this Solution
- Combination of PKI and OTP technologies: enables flexible authentication scenarios for desktop and mobile end users
- Seamless Integration into Backend Systems: based on international standards like RADIUS / TACACS, MS-CHAP, X.509, PC/SC etc.
- Strong Cryptography: Authentication based on 3DES (168 bit key strength) and RSA 1024 bit
- No Token expiration: replaceable standard batteries reduce operating costs
- Performance: OTP authentication > 1000 requests/second; certificate-based authentication uses an HSM accelerator
- Extensibility: other applications can easily be added later
12 Smart Card Middleware
- Enabling Smart Cards to be used for PKI-based applications
- Electronic Signatures for e-mails and files: Integrity protection against unauthorized data modification; proof of authorship (who is the originator of this email?)
- Encryption for e-mails, files and hard disk (Container): Confidential data are kept secret, access only with the appropriate smart card (Private Key) and PIN code
- Windows Smart Card Logon: Strong two-factor Authentication (Possession and Knowledge); also for Terminal Servers and Remote Desktop applications
- SAP R/3 Security: Authentication, Session Encryption and Message Integrity for SAPGui / SAPServer, often running on Terminal Servers
- VPN Authentication in Intranet / Extranet: Sensitive data are protected even if transferred over public networks
13 Integration into Microsoft Platform
Microsoft CryptoAPI links Applications and Smart Cards
(Layer diagram: Standard Software (Outlook, Internet Explorer, MS Office) and KOBIL Smart Key on top; Microsoft CryptoAPI with Certificate Validation and the Windows Certificate Manager in the middle; the Cryptographic Service Providers below: KOBIL SigG CSP, Microsoft CSP (Private Key stored in Registry), KOBIL CSP, and other CSPs, e.g. Gemplus, Schlumberger etc.)
14 Terminal Server Integration
(Diagram: PC/SC-based Apps, Smartcard Logon and RDP Terminal Applications run on the Terminal Server (W2003, Citrix) through CryptoAPI, backed by a Windows Domain Controller (ADS); PC/SC Forwarding via the RDP/ICA protocol reaches the Terminal Client on Windows 2000/XP.)
Only PC/SC driver installation required!
15 CSP Middleware Design Background
- The Cryptographic Service Provider (CSP) is called from:
  - Winlogon / LSASS: Windows Logon screen. Very restricted access policy, no dialog boxes are allowed. Runs with SYSTEM privileges.
  - Microsoft VPN Client: No dialog boxes are allowed. Direct access to the Smart Card.
  - Applications (Outlook, Internet Explorer etc.): GUI integration (please insert card, please enter PIN). Certificate registration in Windows Explorer required.
  - Windows / Citrix Terminal Services: CSP running on the Terminal Server accesses local PC/SC readers on the client (PC/SC Forwarding). Support for Thin Clients.
  - Windows 2000/2003 CA: Certificate Enrollment, AutoEnrollment, Key Backup
16 CSP Middleware Design Background
- CSP implementation requirements
  - Multiple Application Access: As more than one application may want to access the CSP at the same time (e.g. Winlogon, Outlook, Card Management Tool etc.), a synchronization mechanism needs to be implemented.
  - PIN caching: Microsoft did not know about secure PINPad readers when CryptoAPI was designed. A strict PIN caching strategy is required from CSP implementors.
  - Smart Card Personalization: A CSP must be able to initialize an empty smart card from scratch, create the file structure and PIN files on the card, generate the Private and Public Key and write them to the card. Handle multiple certificates on the card. Support the Windows 2003 CA key backup feature.
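The "strict PIN caching strategy" requirement above, as an added illustration that is not KOBIL's CSP code: a cache that binds the verified PIN to one card serial, expires it after a fixed lifetime, and wipes it on any miss. The serial string, the 60-second TTL and the function names are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Strict PIN cache for a CSP: one PIN, bound to one card, short lifetime.
 * TTL and buffer sizes are assumed policy values, not the product's. */
#define PIN_MAX 16
#define PIN_CACHE_TTL_SEC 60

typedef struct {
    char     pin[PIN_MAX + 1];
    char     card_serial[32];  /* card the PIN was verified against */
    uint64_t verified_at;      /* seconds; the caller supplies the clock */
    bool     valid;
} pin_cache_t;

/* Overwrite secrets; the volatile pointer keeps the compiler from eliding the wipe. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

void pin_cache_clear(pin_cache_t *c) {
    secure_wipe(c, sizeof *c);   /* also resets valid to false */
}

/* Store a PIN only after it was verified against the card identified by `serial`. */
bool pin_cache_store(pin_cache_t *c, const char *pin, const char *serial, uint64_t now) {
    pin_cache_clear(c);
    if (strlen(pin) > PIN_MAX || strlen(serial) >= sizeof c->card_serial) return false;
    strcpy(c->pin, pin);
    strcpy(c->card_serial, serial);
    c->verified_at = now;
    c->valid = true;
    return true;
}

/* Release the PIN only for the same card and within the TTL; any miss wipes the cache,
 * so a swapped card or a stale entry can never reuse a cached PIN. */
bool pin_cache_take(pin_cache_t *c, const char *serial_now, uint64_t now,
                    char *out, size_t outlen) {
    if (!c->valid || strcmp(c->card_serial, serial_now) != 0 ||
        now < c->verified_at || now - c->verified_at > PIN_CACHE_TTL_SEC) {
        pin_cache_clear(c);
        return false;
    }
    if (strlen(c->pin) >= outlen) return false;
    strcpy(out, c->pin);
    return true;
}
```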
17 Internal Structure
(Component diagram; labels: Applications; Card Management Tool (CMT); CSP; KSKUI; File Security; PKCS11; Dialogs; Explorer Shell Extension; card-specific commands; card personalization; card.lib; configuration; Win 9x/NT, Linux, SunOS; Win 2000, XP, 2003; PCSC Bridge; reader mapping; Windows PCSC Layer; KOBIL CT-API; KOBIL PC/SC Driver)
18 Qualified Signatures using CryptoAPI
- Development of a certified CSP for qualified Signatures: Cooperation with KOBIL, Datev and Microsoft. Allowing Standard Applications to use qualified Signatures based on Microsoft CryptoAPI. Easy and fast integration for individual applications.
- Separate CSP Module: Only for signatures, being evaluated according to CC EAL 3 as required for qualified accredited signatures by the German Federal Office for Information Security (BSI)
- Available for a big variety of e-ID signature cards: Deutsche Telekom PKS, ZKA Seccos, Datev, Signtrust, ... Further cards can easily be added
- Certificate online validation: Using the OCSP standard through CryptoAPI
19 CSP quality assurance
- Microsoft / Veritest "Verified for Windows XP" Logo
- Worldwide the only CSP certified with the "Verified for Windows XP" logo
- Setup: Verification of proper installation / deinstallation process
- Stability: Stable performance
- Windows XP features tested: Remote Desktop, Fast User Switching
- Conformance with Microsoft Software Guidelines: Versioning, UI appearance, design
20 References
Thank you