Personal Website of R.Kannan
Project on Internet Banking - Report of RBI Working Group

Authentication Techniques

As mentioned earlier, authentication is a process to verify the claimed identity. There are various techniques available for authentication. Password is the most extensively used method. Most financial institutions use passwords along with a PIN (Personal Identification Number) for authentication. Technologies such as tokens, smart cards and biometrics can be used to strengthen the security structure by requiring the user to possess something physical.

Token technology relies on a separate physical device, which is retained by an individual, to verify the user's identity. The token resembles a small hand-held card or calculator and is used to generate passwords. The device is usually synchronized with security software in the host computer by means such as an internal clock or an identical time-based mathematical algorithm. Tokens are well suited for one-time password generation and access control. A separate PIN is typically required to activate the token.

Smart cards resemble credit cards or other traditional magnetic stripe cards, but contain an embedded computer chip. The chip includes a processor, an operating system, and both Read Only Memory (ROM) and Random Access Memory (RAM). They can be used to generate one-time passwords when prompted by a host computer, or to carry cryptographic keys. A smart card reader is required for their use.

Biometrics involves identification and verification of an individual based on some physical characteristic, such as fingerprint analysis, hand geometry, or retina scanning. This technology is advancing rapidly, and offers an alternative means to authenticate a user.

Firewalls

The connection between internal networks and the outside world must be watched and monitored carefully by a gatekeeper of sorts. Firewalls do this job.
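The time-synchronized token described in the Authentication Techniques section above, as an added example that is not part of the report: token and host share a secret and a clock, the token only emits a code once its activation PIN is entered, and the host accepts a code within a small clock-drift window and never twice. It uses the HOTP/TOTP construction (RFC 4226/6238); the secret, PIN, step length and drift window are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real deployment provisions a random secret per token.
SECRET = b"demo-shared-secret-not-for-real-use"
PIN = "4821"
STEP = 30      # seconds per time step, agreed by token and host
DIGITS = 6
DRIFT = 1      # host accepts codes from one step before or after its own clock

def otp_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP-style code (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def token_generate(secret: bytes, token_pin: str, entered_pin: str, now: float):
    """The hand-held token: refuses without the activation PIN, otherwise shows
    the code for the current time step (TOTP, RFC 6238: counter = now // STEP)."""
    if not hmac.compare_digest(token_pin, entered_pin):
        return None
    return otp_for_counter(secret, int(now // STEP))

class HostVerifier:
    """Security software on the host: same secret, its own clock, a drift window,
    and a high-water mark so that an intercepted code cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // STEP)
        for c in range(counter - DRIFT, counter + DRIFT + 1):
            if c <= self.last_counter:
                continue  # already used, or older than a code already accepted
            if hmac.compare_digest(otp_for_counter(self.secret, c), code):
                self.last_counter = c
                return True
        return False
```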
Otherwise, there is a risk of exposing the internal network and systems, often leaving them vulnerable and compromising the integrity and privacy of data. Firewalls are a component or set of components that restrict access between a protected network and the outside world (i.e., the Internet). They control traffic between the outside and the inside of a network, providing a single entry point where access control and auditing can be imposed. All firewalls examine the pieces or packets of data flowing into and out of a network and determine whether a particular person should be given access inside the network. As a result, unauthorized computers outside the firewall are prevented from directly accessing the computers inside the internal network. Broadly, there are three types of firewalls: packet filtering firewalls, proxy servers and stateful inspection firewalls.

Packet Filtering Routers

Packet filtering routers are the simplest form of firewall. They are connected between the host computer of an internal network and the Internet gateway, as shown in Fig. 6.2. The bastion host directs messages accepted by the router to the appropriate application servers in the protected network. The router's function is to route the network's data and to allow only certain types of data into the network, by checking the type of data and its source and destination addresses. If the router determines that the data is sourced from an Internet address which is not on its list of acceptable or trusted sources, the connection is simply refused. The advantage of this type of firewall is that it is simple and cheap to implement, and also fast and transparent to users. The disadvantage is that if the security of the router were compromised, computers on the internal network would be open to attack from the external network. Also, the filtering rules can be difficult to configure, and a poorly configured firewall could result in security loopholes by unintentionally allowing access to the internal network.
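As an added example (not part of the report), the packet-filtering router described above beside the stateful inspection firewall the report covers next, both run over constructed packets: the filter judges each packet alone by its addresses and type, while the inspector keeps a table of connections so that it can tell a reply to an inside-initiated connection apart from an unsolicited probe. The addresses, the trusted-source list and the published service are assumed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str           # source address
    sport: int         # source port
    dst: str           # destination address
    dport: int         # destination port
    proto: str         # "tcp" or "udp"
    syn: bool = False  # True for a TCP connection-opening packet

# Constructed policy using documentation address ranges, not real hosts.
INTERNAL_PREFIX = "10.0.0."            # the protected network
TRUSTED_SOURCES = {"203.0.113.5"}      # the router's trusted-source list
PUBLISHED_SERVICES = {("tcp", 443)}    # the only service reachable from outside

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

def packet_filter(pkt: Packet) -> str:
    """Packet-filtering router: each packet is judged alone, by its addresses
    and type, with no memory of earlier packets."""
    if is_internal(pkt.src):
        return "allow"                     # outbound traffic passes
    if pkt.src in TRUSTED_SOURCES:
        return "allow"                     # trusted outside address
    if (pkt.proto, pkt.dport) in PUBLISHED_SERVICES:
        return "allow"                     # permitted type of data
    return "deny"

class StatefulInspector:
    """Stateful inspection: a table of connections records the 'state' and
    'context' of past transmissions, so replies are told apart from new probes."""

    def __init__(self):
        self.connections = set()  # (outside ip, outside port, inside ip, inside port, proto)

    def inspect(self, pkt: Packet) -> str:
        if is_internal(pkt.src):  # an inside host opens a connection: remember it
            self.connections.add((pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto))
            return "allow"
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if flow in self.connections:
            return "allow"        # reply to a connection the inside opened
        if pkt.syn and (pkt.proto, pkt.dport) in PUBLISHED_SERVICES:
            self.connections.add(flow)
            return "allow"        # new connection to a published service only
        return "deny"             # unsolicited, or a non-SYN packet out of context
```

Note that the stateless filter denies the reply an untrusted web server sends to a connection an inside host opened; opening high ports to let such replies through is how the unintended loopholes the text warns about arise, and it is exactly what the connection table avoids.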
Proxy Servers

Proxy servers control incoming and outgoing traffic for a network by executing a specific proxy program for each requested connection. If any computer outside the internal network wants to access some application running on a computer inside the internal network, it actually communicates with the proxy server; the proxy server in turn passes the request to the internal computer and obtains the response, which is then given to the recipient (the outside user). That is, there is no direct connection between the internal network and the Internet. This approach allows a high level of control and in-depth monitoring using logging and auditing tools. However, since it doubles the amount of processing, this approach may lead to some degradation in performance. Fig. 3 shows a typical firewall organization consisting of a 'demilitarized zone' that separates the protected network from the Internet.

Stateful Inspection Firewalls

This type of firewall thoroughly inspects all packets of information at the network level, as in the case of proxy servers. Specifications of each packet of data, such as the user, the transport method and the application used, are all queried and verified in the inspection process. The information collected is maintained so that all future transmissions are inspected and compared with past transmissions. If both the "state" of the transmission and the "context" in which it is used deviate from normal patterns, the connection is refused. These firewalls are very powerful, but performance also declines because of the intensive inspection and verification performed.

Cryptography

The process of disguising a message in such a way as to hide its substance is called encryption. An encrypted message is called cipher text. The process of turning cipher text back into plain text is called decryption. Cryptography is the art and science of keeping messages secure. It uses a 'key' for encrypting or decrypting a message.
Both the method of encryption and the size of the key are important to ensure the confidentiality of a message. There are two types of encryption: symmetric key and asymmetric key encryption. In the symmetric key cryptography scheme, the same key is used to encrypt and decrypt the message. Common symmetric algorithms include one-time pad encryption, the Data Encryption Standard (DES), Triple DES, LOKI, Twofish, Blowfish and the International Data Encryption Algorithm (IDEA). DES and Triple DES are the commonly used techniques.

The asymmetric key cryptography scheme is also known as a public key cryptosystem. Here two keys are used. One key is kept secret and is therefore referred to as the "private key". The other key is made widely available to anyone who wants it, and is referred to as the "public key". The public key and private key are mathematically related so that information encrypted using the public key can only be decrypted by the corresponding private key, and vice versa. Importantly, it is practically impossible to derive the private key from the public key. Common and more popular public key cryptosystem algorithms are Diffie-Hellman, RSA, Elliptic Curve, etc. In all of these, the confidentiality is directly related to the key size: the larger the key size, the longer it takes to break the encrypted message.

Diffie-Hellman

This is the first public key algorithm invented. It gets its security from the difficulty of calculating discrete logarithms in a finite field. The Diffie-Hellman method can be used for distribution of keys to be used for symmetric encryption.

RSA

Named after its three inventors, Ron Rivest, Adi Shamir and Leonard Adleman, who first introduced the algorithm in 1978, RSA gets its security from the difficulty of factoring large numbers. The public and private keys are a function of a pair of large (100 or 200 digits, or even larger) prime numbers. The pair is used for asymmetric encryption.
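As an added example that is not part of the report, the Diffie-Hellman use the text describes: two parties exchange only public values, each computes the same shared number, and that number is hashed into a key for a symmetric cipher. A brute-force discrete-logarithm search is included to make the key-size point concrete: it recovers the exponent for a textbook-sized group and is hopeless for a large one. The group (a 127-bit prime with generator 3) is a constructed demo choice, not a standardized one, and is far too small for real use.

```python
import hashlib
import secrets

# Constructed demo group: a 127-bit Mersenne prime with generator 3. Far too
# small for real use; deployments use standardized groups of 2048 bits or more.
P = 2 ** 127 - 1
G = 3

def dh_public(private: int) -> int:
    """g^x mod p; this value may travel over the open channel."""
    return pow(G, private, P)

def dh_shared_secret(peer_public: int, private: int) -> int:
    """(peer's public)^x mod p. Degenerate public values (0, 1, p-1) are
    rejected because they would force the shared secret to a known number."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)

def derive_symmetric_key(shared: int) -> bytes:
    """Hash the agreed number into a fixed-size key for a symmetric cipher."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def key_agreement(a_private=None, b_private=None):
    """Run the exchange between two parties and return the key each side derived."""
    a = secrets.randbelow(P - 2) + 1 if a_private is None else a_private
    b = secrets.randbelow(P - 2) + 1 if b_private is None else b_private
    A, B = dh_public(a), dh_public(b)            # the only values exchanged
    key_a = derive_symmetric_key(dh_shared_secret(B, a))
    key_b = derive_symmetric_key(dh_shared_secret(A, b))
    return key_a, key_b

def discrete_log_bruteforce(p: int, g: int, h: int, limit: int):
    """What an eavesdropper holding only g, p and h = g^x must solve. Exhaustive
    search works for a tiny p and is infeasible for a large one: key size decides."""
    acc = 1
    for x in range(limit):
        if acc == h:
            return x
        acc = acc * g % p
    return None
```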