the-south-asian.com                                     July / August  2006
 Page  5  of  6

Security and Trust in Internet Banking (contd.)

by Salman Minhas

 

First published November 2001
Copyright the-south-asian.com

 

DIGITAL CREDENTIALS for Retail & Corporate Banking [B2B] Security Solutions:

PKI [Public Key Infrastructure, built on asymmetric cryptography] is required, especially if multi-million-dollar corporate transactions are to start taking place online and provide speed, efficiency and an increase in global trade.

What is PKI?

It is a combination of software, encryption technologies and services comprising:

-- Digital certificates & Certificate Authorities (CAs) [trusted third parties -- see below].

-- Certificate distribution via LDAP (Lightweight Directory Access Protocol) and DAP [X.500] directory management -- interface services for computer system directories [containing customer & staff names and addresses].

-- Public key management, renewing & revoking certificates, within a total enterprise-wide network security architecture.

-- Authentication via CAs, in the same way that a Dept. of Motor Vehicles driving licence is used to identify the person cashing a check.

-- CAs are also similar to a passport that identifies travellers entering countries.

 

PKI companies and their customers:

Baltimore Technologies: WiseKey, Identrus [SWIFT & about 50 major banks].

Entrust: Telia, Royal Mail, Chase Manhattan Bank, Canadian Government, US Patent & Trademark Office.

Arcot: Visa, First Union Bank, Swedish Postal Service, Union Pacific Railroad.

Verisign: Barclays, Canadian Imperial Bank, GE eXchange Services (100,000 enterprise customers), Texas Instruments, SEC, Univ. of Pittsburgh, N.J. State.

Valicert: U.S. Postal Service, U.S. Navy, Treasury, Intelligence.

 

Problems & Weaknesses of PKI - Public Key Infrastructure [PKI issues].

Security is a chain; PKI is only as strong as its weakest link. PKI is based on cryptography and people, so it needs processes and procedures, and trust is involved. Some argue that PKI needs e-commerce more than e-commerce needs PKI: at $5 per certificate, an Internet of 100 million users is a good market for PKI certificates, and some companies naturally want to sell certificates and make a lot of money.

RISK #1 – Who makes a CA trusted and grants it authorization? This is the heart of PKI.

Is the CA a trusted authority / third party?

The CA's role is the same as that of the IRS, the DMV or the Post Office. Do these bodies sell your information to marketeers in the USA?

The credit bureau model is flawed, as it sells information to others. How does the CA identify the certificate holder? In the South Asian countries this is a major barrier to B2B commerce and PKI implementation.

In the case of South Asian countries, who will be the trusted third party?

Driving licences are easily forged or obtainable. Passports too can be obtained easily.

The judiciaries are not efficient and trustworthy, and there are very few tax authorities in South Asian countries that can be above nepotism.

In the Internet age of 2001, some secure transaction system [the PKI model] is necessary if the Internet's advantages are to be exploited. The South Asian countries also have a weak legal infrastructure for implementing PKI.

Trusted Third Parties - Certificate Authorities [CA]:

In the Internet age, especially with the danger of anthrax via paper mail, PKI use in paperless transactions seems ideal.

The Department of Motor Vehicles' (DMV) driving licence is used as a CA / trusted third party in the Western countries when cashing a check.

One could consider the Internal Revenue Service a trusted third party – it has the tax details of an individual.

The major Western [SWIFT] and Japanese banks have formed such a trusted bank party called "Identrus". Identrus certifies various corporate companies with certificates issued by its CAs and allows companies to carry out B2B banking in this way.

Similarly, "WiseKey", a partnership between the ITU [International Telecom Union] and private entrepreneurs, has set up a Root Authority in Switzerland and issues certificates to business companies.

 

Risk #2 – Who is using the key – REPUDIATION.

Is my private key in a PC sitting in a room without CCTV? It does not matter who is at the keyboard - you are legally responsible. Credit cards, by contrast, currently fall under the Mail Order / Telephone Order laws in the US:

If you object to a line item on a credit card bill, you have the right to repudiate it.

Risk #3 – Security of the Verifying Computer

An attacker who can add "Root" public keys to the verifying computer can attach his own public key as a trusted root.

In the case of WiseKey, root certificate verification is done on an off-site computer [e.g. in a bunker in the Swiss Alps].

Risk #4 - Public keys associated with names run into the multiple-names problem: a name alone does not identify a unique holder.

Risk #5 - Is the CA a trusted authority / third party?

Is it the IRS, the DMV or the Post Office?

The credit bureau model is flawed, as it sells information to others. How does the CA identify the certificate holder? In the South Asian countries this is an even greater barrier to B2B commerce and PKI implementation.

Risk #6 - What is the key lifetime?

How does one revoke keys? Is revocation retroactive?

With browsers – what is the user's action when establishing an SSL connection?

Does he read the certificate?
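The mechanics behind the PKI description above and behind Risks #3 and #6, as an added example that is not code from the original article or from any vendor it names: a constructed mini-CA, built with Go's standard crypto/x509 package, issues a customer certificate; a relying party verifies the chain against its trusted roots; adding a second root to the trust store lets a forged certificate for the same name validate, which is why the root list is audited against recorded fingerprints; and the genuine certificate is rejected once its lifetime has passed or once the CA publishes a CRL naming its serial. The CA names, serials, lifetimes and the fixed 2001 clock are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var now = time.Date(2001, time.November, 1, 0, 0, 0, 0, time.UTC) // fixed demo clock (constructed)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // the constructed setup below never fails
	}
	return v
}

// issue generates a P-256 key pair and a certificate for cn signed with parentKey,
// or self-signed (a root CA) when parent is nil. Names and serials are constructed.
func issue(cn string, serial int64, isCA bool, lifetime time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(lifetime), // the key lifetime of Risk #6
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign // may sign certificates and CRLs
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // a customer's credential
	}
	parentCert, signer := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		parentCert, signer = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// verify is the relying party's check: does leaf chain to one of roots at time t? nil means valid.
func verify(leaf *x509.Certificate, t time.Time, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: t,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// fingerprint is the SHA-256 of the DER certificate, the value an operator records for each
// root; auditRoots lists roots whose fingerprint is not on that recorded list, the check that
// catches a root an attacker has slipped onto the verifying computer (Risk #3).
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }
func auditRoots(recorded map[string]bool, roots ...*x509.Certificate) (unexpected []string) {
	for _, r := range roots {
		if !recorded[fingerprint(r)] {
			unexpected = append(unexpected, r.Subject.CommonName)
		}
	}
	return unexpected
}

// issueCRL has the CA sign a certificate revocation list naming the given serials.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// isRevoked checks the CRL's signature against the CA, then looks for leaf's serial in it.
func isRevoked(leaf *x509.Certificate, crl *x509.RevocationList, ca *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err // a list not signed by the CA proves nothing
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	bankCA, bankKey := issue("Demo Bank Root CA", 1, true, 10*365*24*time.Hour, nil, nil)
	alice, _ := issue("alice", 2, false, 365*24*time.Hour, bankCA, bankKey)
	fmt.Println(verify(alice, now, bankCA), verify(alice, now.Add(2*365*24*time.Hour), bankCA))
	fmt.Println(isRevoked(alice, issueCRL(bankCA, bankKey, 2), bankCA))
}
```

The trust decision lives entirely in the roots handed to verify: the same forged "alice" certificate fails against the bank's root alone and succeeds the moment a rogue root joins the list, so auditRoots, run against the fingerprints recorded when the verifying computer was set up, is the control that matters. The CRL path shows why revocation needs the CA's signature on the list itself; a list anyone could produce would let an attacker "unrevoke" a key as easily as revoke it.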

 

Risk #7 - PKI INTEROPERABILITY issues:

How do certificate authorities in different companies / security domains recognize each other?

- at application level, between any two peers, e.g. email clients;

- at enterprise level – sharing repository data;

- how will harmonizing policies and enforcement be done by CAs?

Other issues:

Browser version issues - different browser versions do not work within PKI.

Administration of centralized directories – and compatibility with potential customers and business partners. [The solution is to use LDAP directory servers scattered throughout the network.]

Non-secure operating systems

The Microsoft NT system is known to be not secure. Banks & telecom companies prefer Sun Solaris or UNIX operating systems.

PKI is expensive & complex to implement. Some recent PKI solutions are starting to be offered in an out-of-the-box version.


Copyright © 2000 - 2006 [the-south-asian.com]. Intellectual Property. All rights reserved.
