Project on Project on Internet Banking - Report of RBI Working Group
Internet Banking - Security (Contd)

Authentication Techniques(Contd) - Digital Signature and Certification

Digital signatures authenticate the identity of a sender, through the private, cryptographic key. In addition, every digital signature is different because it is derived from the content of the message itself. The combination of identity authentication and singularly unique signatures results in a transmission that can not be repudiated.

Digital signature can be applied to any data transmission, including e-mail. To generate digital signature, the original, unencrypted message is processed through mathematical algorithms that generate a ‘message digest’ (a unique character representation of data). This process is known as "hashing". The message digest is then encrypted with the private key and sent along with the message (could be encrypted also). The recipient receives both the message and encrypted message digest. The recipient decrypts the message digest using the sender’s public key, and then runs the message through the hash function again. If the resulting message digest matches the one sent with the message, the message has not been altered and data integrity is verified. Because the message digest was encrypted using the private key, the sender can be identified and bound to the specific messag

Certificate Authorities and Digital Certificates are emerging to further address the issues of authentication, non-repudiation, data privacy and cryptographic key management. A Certificate Authority (CA) is a trusted third party that verifies the identity of a party to a transaction. To do this, the CA vouches for the identity of a party by attaching the CA’s digital signature to any messages, public keys, etc., which are transmitted. The CA must be trusted by the parties involved, and identities must have been proven to the CA beforehand. Digital certificates are messages that are signed with the CA’s private key. They identify the CA, the represented party, and even include the represented party’s public key.

SSL is designed to make use of TCP to provide a reliable end-to-end secure service. The SSL servers have digital certificates issued by Certifying Authorities so that the clients can authenticate the service provider (a bank in our case). The servers use a password /PIN/digital certificate to authenticate clients. Once the clients and server have authenticated each other, they establish a session key for encryption of messages. The diagram above shows flow of messages in SSL.

Public key cryptography can play an important role in providing needed security services including confidentiality, authentication, digital signatures and integrity. Public key cryptography uses two electronic keys: a public key and a private key. The public key can be known by anyone while the private key is kept secret by its owner. As long as there is strong binding between the owner and the owner’s public key, the identity of the originator of a message can be traced to the owner of the private key. A Public Key Infrastructure (PKI) provides the means to bind public keys to their owners and helps in the distribution of reliable public keys in large heterogeneous networks. Public keys are bound to their owners by public key certificates. These certificates contain information such as the owner’s name and the associated public key and are issued by a reliable Certification Authority (CA).

PKI consists of the following components

• Key Certificate - An electronic record that binds a public key to the identity of the owner of a public-private key pair and is signed by a trusted entity

• Certification Authority (CA) - A trusted entity that issues and revokes public key certificates

• Registration Authority (RA - An entity that is trusted by the CA to register or vouch for the identity of users to the CA.

• Registration Authority (RA - An entity that is trusted by the CA to register or vouch for the identity of users to the CA.

• Certificate Repository - An electronic site that holds certificates and CRLs. CAs post certificates and CRLs to repositories

• Certificate Revocation List (CRL) - A list of certificates that have been revoked. The list is usually signed by the same entity that issued the certificates. Certificates can be revoked for several reasons. For example, a certificate can be revoked if the owner’s private key has been lost or if the owner’s name changes.

• Certificate User - An entity that uses certificates to know, with certainty, the public key of another entity.

The widespread use of PKI technology to support digital signatures can help increase confidence of electronic transactions. For example, the use of a digital signature allows a seller to prove that goods or services were requested by a buyer and therefore demand payment. The use of a PKI allows parties without prior knowledge of each other to engage in verifiable transactions.

Certificate : Although there have been several proposed formats for public key certificates, most certificates available today are based on an international standard (ITU-T X.509 version 3). This standard defines a certificate structure that includes several optional extensions. The use of X.509v3 certificates is important because it provides interoperability between PKI components. Also, the standard’s defined extensions offer flexibility to support specific business needs.

A PKI is often composed of many CAs linked by trust paths. The CAs may be linked in several ways. They may be arranged hierarchically under a "root CA" that issues certificates to subordinate CAs. The CAs can also be arranged independently in a network. Recipients of a signed message with no relationship with the CA that issued the certificate for the sender of the message can still validate the sender’s certificate by finding a path between their CA and the one that issued the sender’s certificate. The National Institute of Standards and Technology (NIST) has developed a hybrid architecture specification based on both a hierarchical and a network architecture model in the document, Public Key Infrastructure (PKI) Technical Specifications (Version 2.3): Part C - Concept of Operations.

Tools are extremely useful in monitoring and controlling networks, systems and users. Some of the system administration and network management tools are Scanners, Sniffers, Logging and Audit tools.

Scanners: Scanners query the TCP/IP port and record the target’s response and can reveal the information like services that are currently running, users owning those services, whether anonymous logins are supported, and whether certain network services require authentication. Scanners are important because they reveal weaknesses in the network. There are many security vulnerabilities on any given platform. Scanners can do an excellent security audit and then system can be suitably upgraded. Scanners are programs that automatically detect security weaknesses in remote or local hosts. System administrators may use them to find out weaknesses in their system and take preventive measures. Scanners can be used to gather preliminary data for an audit. Scanners offer a quick overview of TCP/IP security.

Sniffer: Sniffers are devices that capture network packets. They analyze network traffic and identify potential areas of concern. For example, suppose one segment of the network is performing poorly. Packet delivery seems incredibly slow or machines inexplicably lock up on a network boot. Sniffers can determine the precise cause. Sniffers are always a combination of hardware and software components. Proprietary sniffers are generally expensive (vendors often package them on special computers that are "optimized " for sniffing).

Intrusion Detection Tools An intrusion attempt or a threat is defined to be the potential possibility of a deliberate unauthorized attempt to access or manipulate information or render a system unreliable or unusable. Different approaches are used to detect these intrusion attempts. Some Intrusion Detection Systems (IDS) are based on audit logs provided by the operating system i.e. detecting attacks by watching for suspicious patterns of activity on a single computer system. This type of IDS called Host based IDS is good at discerning attacks that are initiated by local users which involve misuse of the capabilities of one system. The Host based IDS can interpret only high level logging information and they can not detect low level network events such as Denial of Service attacks. The network-based approach can be effectively used to detect these low level Denial of Service attacks. Distributed intrusion detection systems (DIDS) take data from various hosts, network components and network monitors and try to detect intrusions from the collected data

are based on interpretation of raw network traffic. They attempt to detect attacks by watching for patterns of suspicious activity in this traffic. NIDS are good at discerning attacks that involve low-level manipulation of the network, and can easily correlate attacks against multiple machines on a network. An Intrusion Detection System detects the attacks in real-time and informs system administrator about it to take appropriate action. As a result, exposure to the intrusion and the possible damage caused to the data or systems can be countered.

Physical security is a vital part of any security plan and is fundamental to all security efforts--without it, information security, software security, user access security, and network security are considerably more difficult, if not impossible, to initiate. Physical security is achieved predominantly by controlled and restricted physical access to the systems resources. Access control broadly provides the ability to grant selective access to certain people at certain times and deny access to all others at all times. Physical security involves the protection of building sites and equipment (and all information and software contained therein) from theft, vandalism, natural disaster, manmade catastrophes and accidental damage (e.g., from electrical surges, extreme temperatures and spilled coffee). It requires solid building construction, suitable emergency preparedness, reliable power supplies, adequate climate control, and appropriate protection from intruders. Thus, in broad terms, the focus is on restricting access to the computer area, controlling access to all vulnerable and sensitive areas of the department, and monitoring of all staff and visitors.

Physical Access can be secured through the following means: Bolting Door locks and Combination Locks, Electronic Door Locks, Biometric Door Locks, Manual Logging, Electronic Logging, Photo Identification Badges, Video Cameras stationed at strategic points, Controlled Visitor Access. A bank should also have in place environmental controls to manage exposures from fire, natural disasters, power failure, air-conditioning failure, water damage, bomb threat / attack etc. A few means of obtaining control over environmental exposure are:

The server room and any other unattended equipment room should have water detector. Fire extinguishers should be placed at all strategic points, supplementing fire suppression systems with smoke detectors, use of fire resistant materials in office materials including furniture, redundant power supply from two substations, electrical wiring placed in fire resistant panels and conduits and documented and tested evacuation plans.

It is important to educate all ‘stake-holders’ (users, employees, etc) about the importance of physical security. This education should be carried out as part of ‘social engineering’

The information security policy is the systemization of approaches and policies related to the formulation of information security measures to be employed within the organization to assure security of information and information systems owned by it. The security policy should address the following items:

1. Basic approach to information security measures.

2. The information and information systems that must be protected, and the reasons for such protection

3. Priorities of information and information systems that must be protected.

4. Involvement and responsibility of management and establishment of an information security coordination division.

5. Checks by legal department and compliance with laws / regulations

6. The use of outside consultants.

7. Identification of information security risks and their managemen

8. Impact of security policies on quality of service to the customers (for example, disabling an account after three unsuccessful logins may result in denial of service when it is done by somebody else mischievously or when restoration takes unduly long time).

9. Decision making process of carrying out information security measures.

10. Procedures for revising information security measures.

11. Responsibilities of each officer and employee and the rules (disciplinary action etc) to be applied in each case.

12. Auditing of the compliance to the security polic

13. User awareness and training regarding information security

14. Business continuity Plans

15. Procedures for periodic review of the policy and security measures

The top management of the bank must express a commitment to security by manifestly approving and supporting formal security awareness and training. This may require special management level training. Security awareness will teach people not to disclose sensitive information such as password file names. Security guidelines, policies and procedures affect the entire organization and as such, should have the support and suggestions of end users, executive management, security administration, IS personnel and legal counsel.