1
KOBIL eBanking authentication experiences with a Turkish Bank
Markus Tak, Product Manager
2
Overview
- KOBIL Systems – the Company: who we are and what we do
- Banking authentication in KocBank / Isbank: flexible banking authentication solution
- Smartcard Middleware: features and design background
3
KOBIL Systems – the Company
- Founded in 1986
- Headquarters in Worms / Germany, 45 minutes from Frankfurt
- 65 employees, 35% of staff working in R&D
- Cooperation with cryptographic research institutes
- All products „Made in Germany“; production sites in Europe and Asia
- Company certified according to DIN EN ISO 9001:2000
4
KOBIL SecOVID (Product Philosophy)
- Strong authentication based on One-Time Passwords (OTP)
5
KOBIL Smart Key (Product Philosophy)
- Certificate- and smartcard-based authentication and data security
6
Smart Card Terminals (Product Philosophy)
- Classes 1 - 4
7
KOBIL mIDentity (Product Philosophy)
- Mobile Identity
- Mobile Data Safe
- Mobile Office
8
Banking authentication in KocBank / Isbank
Requirements:
- Strong authentication for Internet Banking: strong user authentication using certificates on smartcard and/or One-Time Passwords (OTP)
- In-house PKI and OTP management: Microsoft Certification Authority, SecOVID Server
- Centralized management: smart card rollout and management
- Seamless integration into banking backend systems and the Microsoft platform
9
Internet Banking Customers
Commercial / institutional customers: smart card based authentication
- SSL client authentication with IE
- Other PKI-enabled applications: file encryption, e-mail security, ...
Individual / private customers: One-Time Password authentication
- Also enables mobile telephone banking
- OTP token or mobile smart card reader
- No installation needed
- Reduced help desk costs
- No token expiration: replaceable batteries protect the investment
10
Banking authentication – the Big Picture (architecture diagram; components shown: on the İŞBANK side a PROVUS client, Internet, IIS, Root CA, Sub CA, Customer DB, LDAP Server and a filter application; the KOBIL Certificate Registration Authority with Customer DB and Backup DB holding PIN / PUK, PKCS12, OTP, ...; PROVUS Card Issuing Software; Log DB; SecOVID Server; connected over a secure channel)
11
Advantages of this Solution
- Combination of PKI and OTP technologies enables flexible authentication scenarios for desktop and mobile end users
- Seamless integration into backend systems based on international standards like RADIUS / TACACS, MS-CHAP, X.509, PC/SC etc.
- Strong cryptography: authentication based on 3DES (168-bit key strength) and RSA 1024 bit
- No token expiration: replaceable standard batteries reduce operating costs
- Performance: OTP authentication > 1000 requests/second; certificate-based authentication uses an HSM accelerator
- Extensibility: other applications can easily be added later
12
Smart Card Middleware
Enabling smart cards to be used for PKI-based applications:
- Electronic signatures for e-mails and files: integrity protection against unauthorized data modification; proof of authorship („who is the originator of this email?“)
- Encryption for e-mails, files and hard disk (container): confidential data are kept secret, access only with the appropriate smart card (private key) and PIN code
- Windows Smart Card Logon: strong two-factor authentication (possession and knowledge); also for Terminal Servers and Remote Desktop applications
- SAP R/3 Security: authentication, session encryption and message integrity for SAPGui / SAPServer, often running on Terminal Servers
- VPN authentication in Intranet & Extranet: sensitive data are protected even if transferred over public networks
13
Integration into Microsoft Platform: Microsoft CryptoAPI links applications and smart cards (architecture diagram; layers shown: standard software – Outlook, Internet Explorer, MS Office, Windows Certificate Manager; Microsoft CryptoAPI with certificate validation; CSPs – KOBIL SigG CSP, KOBIL CSP, Microsoft CSP (private key stored in the registry), other CSPs e.g. Gemplus, Schlumberger etc.; KOBIL Smart Key)
14
Terminal Server Integration (diagram; components shown: Windows Domain Controller with ADS; Terminal Server (W2003, Citrix) running PC/SC-based applications, Smartcard Logon and CryptoAPI; Terminal Client (Windows 2000/XP) with RDP terminal applications; PC/SC forwarding via the RDP/ICA protocol. Only PC/SC driver installation required!)
15
CSP Middleware Design Background
The Cryptographic Service Provider (CSP) is called from:
- Winlogon / LSASS: Windows logon screen. Very restricted access policy, no dialog boxes are allowed. Runs with SYSTEM privileges.
- Microsoft VPN client: no dialog boxes are allowed. Direct access to the smart card.
- Applications (Outlook, Internet Explorer etc.): GUI integration („please insert card“, „please enter PIN“). Certificate registration in Windows Explorer required.
- Windows & Citrix Terminal Services: the CSP running on the Terminal Server accesses local PC/SC readers on the client („PC/SC Forwarding“). Support for thin clients.
- Windows 2000/2003 CA: certificate enrollment, auto-enrollment, key backup
16
CSP Middleware Design Background
CSP implementation requirements:
- Multiple application access: as more than one application may want to access the CSP at the same time (e.g. Winlogon, Outlook, card management tool etc.), a synchronization mechanism needs to be implemented.
- PIN caching: Microsoft did not know about secure PINPad readers when CryptoAPI was designed. A strict PIN caching strategy is required from CSP implementors.
- Smart card personalization: a CSP must be able to initialize an empty smart card from scratch, create the file structure and PIN files on the card, generate the private and public key and write them to the card. Handle multiple certificates on the card. Support the Windows 2003 CA key backup feature.
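The first two requirements above (serialized access for several applications and a strict PIN caching strategy), together with the no-dialog constraint of the Winlogon/LSASS and VPN client contexts on the previous slide, as an added example that is not KOBIL's or the page's own code: a small C model of the CSP state that wipes the cached PIN on card removal, after a time limit and after a fixed number of uses, and that fails instead of prompting when the caller context forbids dialogs. The policy constants, the caller-context enum, the `fake_prompt` callback and the scenario values are assumptions made here for illustration; a real CSP would guard this state with a process-wide mutex and rely on the card's own retry counter.

```c
/* Added example, not KOBIL's code: strict PIN caching and caller-context policy for a
 * CryptoAPI-style CSP. Policy constants, the prompt callback and scenario inputs are
 * assumptions. Single-threaded plain C; a real CSP guards this state with a mutex. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PIN_MAX_LEN     16   /* assumed maximum PIN length */
#define PIN_TTL_SECONDS 120  /* assumed lifetime of a cached PIN */
#define PIN_MAX_USES    3    /* assumed card operations per entered PIN */

/* Caller contexts from slide 16; the first two forbid any dialog box. */
typedef enum { CTX_WINLOGON, CTX_VPN_CLIENT, CTX_APPLICATION } caller_ctx_t;
/* Stands in for the "please enter PIN" dialog; returns false if cancelled. */
typedef bool (*pin_prompt_fn)(char *out, size_t out_len);

typedef struct {
    char     pin[PIN_MAX_LEN + 1];
    bool     valid;
    uint64_t stored_at;    /* seconds; the clock is passed in so tests are deterministic */
    unsigned uses;
    bool     card_present;
    bool     in_use;       /* card handle currently held by one application */
} csp_state_t;

static void secure_zero(void *p, size_t n) {   /* volatile so the wipe is not optimized away */
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

void csp_init(csp_state_t *s) { secure_zero(s, sizeof *s); s->card_present = true; }
void pin_cache_clear(csp_state_t *s) { secure_zero(s->pin, sizeof s->pin); s->valid = false; s->uses = 0; }

bool pin_cache_store(csp_state_t *s, const char *pin, uint64_t now) {
    size_t n = strlen(pin);
    if (n == 0 || n > PIN_MAX_LEN) return false;
    pin_cache_clear(s);
    memcpy(s->pin, pin, n);
    s->valid = true; s->stored_at = now;
    return true;
}

/* Card events: removal wipes the cached PIN; re-insertion never restores it. */
void card_removed(csp_state_t *s)  { s->card_present = false; pin_cache_clear(s); }
void card_inserted(csp_state_t *s) { s->card_present = true; }

/* Serialize card access between concurrent callers (Winlogon, Outlook, CMT). */
bool card_acquire(csp_state_t *s) { if (s->in_use) return false; s->in_use = true; return true; }
void card_release(csp_state_t *s) { s->in_use = false; }

/* Obtain a PIN for one card operation. Cache hit: copy it out, count the use and wipe
 * after the last permitted one. Cache miss: prompt only where dialogs are allowed;
 * Winlogon/LSASS and the VPN client fail instead of showing a dialog. */
bool pin_obtain(csp_state_t *s, caller_ctx_t ctx, uint64_t now,
                pin_prompt_fn prompt, char *out, size_t out_len) {
    if (!s->card_present || out_len < PIN_MAX_LEN + 1) return false;
    if (s->valid && now - s->stored_at > PIN_TTL_SECONDS) pin_cache_clear(s);
    if (s->valid) {
        memcpy(out, s->pin, strlen(s->pin) + 1);
        if (++s->uses >= PIN_MAX_USES) pin_cache_clear(s);
        return true;
    }
    if (ctx != CTX_APPLICATION || prompt == NULL || !prompt(out, out_len)) return false;
    if (pin_cache_store(s, out, now)) s->uses = 1;   /* the prompted entry counts as one use */
    return true;
}

/* Constructed scenarios; fake_prompt returns a made-up PIN. */
static bool fake_prompt(char *out, size_t out_len) { (void)out_len; strcpy(out, "1234"); return true; }

/* Winlogon on an empty cache fails silently; one prompted entry then serves PIN_MAX_USES operations. */
int scenario_use_limit(void) {
    csp_state_t s; char pin[PIN_MAX_LEN + 1]; int ok = 0;
    csp_init(&s);
    if (pin_obtain(&s, CTX_WINLOGON, 1, fake_prompt, pin, sizeof pin)) ok++;     /* no dialog: fails */
    if (pin_obtain(&s, CTX_APPLICATION, 1, fake_prompt, pin, sizeof pin)) ok++;  /* prompts: 1 */
    for (int i = 0; i < 5; i++)
        if (pin_obtain(&s, CTX_VPN_CLIENT, 2, NULL, pin, sizeof pin)) ok++;       /* two hits, then wiped */
    return ok;   /* 3 */
}

/* Pulling the card wipes the PIN; re-inserting it does not bring it back. */
bool scenario_card_removal_wipes(void) {
    csp_state_t s; char pin[PIN_MAX_LEN + 1]; csp_init(&s);
    if (!pin_obtain(&s, CTX_APPLICATION, 0, fake_prompt, pin, sizeof pin)) return false;
    card_removed(&s); card_inserted(&s);
    return !pin_obtain(&s, CTX_VPN_CLIENT, 0, NULL, pin, sizeof pin) && s.pin[0] == '\0';
}

/* The cached PIN is usable up to PIN_TTL_SECONDS after entry and not a second later. */
bool scenario_ttl_expiry(void) {
    csp_state_t s; char pin[PIN_MAX_LEN + 1]; csp_init(&s);
    pin_obtain(&s, CTX_APPLICATION, 100, fake_prompt, pin, sizeof pin);
    bool fresh = pin_obtain(&s, CTX_VPN_CLIENT, 100 + PIN_TTL_SECONDS, NULL, pin, sizeof pin);
    bool stale = pin_obtain(&s, CTX_VPN_CLIENT, 101 + PIN_TTL_SECONDS, NULL, pin, sizeof pin);
    return fresh && !stale;
}

/* A second caller cannot take the card while another application holds it. */
bool scenario_serialized_access(void) {
    csp_state_t s; csp_init(&s);
    bool first = card_acquire(&s);
    bool second = card_acquire(&s);
    card_release(&s);
    return first && !second && card_acquire(&s);
}
```

The scenario functions double as a usage sketch: `scenario_use_limit()` returns 3 (the prompted entry plus two cache hits before the wipe), and the other three return true. The clock is an argument rather than a call to `time()` so that the expiry rule can be checked exactly at the boundary.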
17
Internal Structure (diagram; components shown: Windows PC/SC layer; KOBIL PC/SC driver; KOBIL CT-API PC/SC bridge; card.lib with reader mapping and card-specific commands; platforms Win 2000/XP/2003, Win 9x/NT, Linux, SunOS; Card Management Tool (CMT)* for configuration and card personalization; CSP; KSKUI; File Security Dialogs*; Explorer shell extension; PKCS#11; applications)
18
Qualified Signatures using CryptoAPI
- Development of a certified CSP for qualified signatures: cooperation with KOBIL, Datev and Microsoft
- Allows standard applications to use qualified signatures based on Microsoft CryptoAPI; easy and fast integration for individual applications
- Separate CSP module only for signatures, being evaluated according to CC EAL 3+ as required for qualified accredited signatures by the German Federal Office for Information Security (BSI)
- Available for a big variety of e-ID signature cards: Deutsche Telekom PKS, ZKA Seccos, Datev, Signtrust, ...; further cards can easily be added
- Certificate online validation using the OCSP standard through CryptoAPI
19
CSP quality assurance
- Microsoft / Veritest „Verified for Windows XP“ logo: worldwide the only CSP certified with the „Verified for Windows XP“ logo
- Setup: verification of proper installation / deinstallation process
- Stability: stable performance
- Windows XP features tested: Remote Desktop, Fast User Switching
- Conformance with Microsoft Software Guidelines: versioning, UI appearance, design
20
References
Thank you