
Information protection

When working with Client Terminal, information security is provided in a number of ways listed below:

  • User access management
  • Limiting user privileges
  • Encrypting transmitted information by using session keys updated every time you connect to the server
  • Logging all user actions. Actions are stored chronologically in a permanent, unchangeable log, so the record of a user’s session cannot be falsified
  • Digitally signing payment orders. In order for a payment to be accepted and executed by the bank, it has to be signed by an owner of a corresponding bank account, using his private digital key.

Internet banking users are offered three authentication schemes to choose from (listed in order of increasing security):
  • Using a username and a password
  • Using a personal digital certificate stored in your computer’s local registry
  • Using a personal digital certificate stored on a smart card

You can choose an authentication scheme that is best for you.

Password-Based Authentication

When using this authentication scheme, the following security measures are taken:

  • The software controls password complexity
  • The software controls password expiration period set by the bank
  • A customer receives his username and password in a sealed envelope. The password is considered to be temporary and it is strongly recommended that the customer changes it to a new one right after receiving the envelope
  • If you lose your user envelope or forget your password, you can request a new user envelope from the bank. At the moment a new user envelope is printed, the user’s password automatically changes to a new one that can be read only by the person who opens the envelope
  • Each user envelope that has ever been printed has a unique ID and undergoes a mandatory registration procedure by making a corresponding record in a security journal

Certificate-Based Authentication

We offer two types of digital certificates: regular certificates stored in your computer’s local registry (provided by Microsoft CSP) and certificates stored on a smart card (provided by Schlumberger CSP).


Technical specifications of Microsoft CSP certificates:
  1. RSA asymmetric encryption algorithm (1024-bit key)
  2. SHA1 hashing algorithm used for creating digital signatures
  3. RC4 symmetric encryption algorithm (128-bit key)

Technical specifications of Cryptoflex smart-card certificates (Schlumberger CSP):
  1. RSA asymmetric encryption algorithm (1024-bit key)
  2. SHA1 hashing algorithm
  3. 3DES symmetric encryption algorithm (168-bit key)

When a smart-card certificate is used, all cryptographic functionality is implemented inside the smart card, which has a built-in crypto-chip. This method is therefore considered safer, and we strongly recommend that our customers use this authentication scheme.

Exchanging Information with Bank

The client software communicates with the bank server by exchanging portions of encrypted and digitally signed information called digital envelopes. When preparing customer payment orders for sending, the software prompts you to digitally sign them and then packs them in a digital envelope.

When a digital envelope is created, every payment order is signed separately, and a final signature is applied to the whole envelope, using the customer’s private certificate. The envelope is then encrypted by using the bank’s public certificate, which is installed on your computer with the client software. Thus, the envelope becomes digitally signed and encrypted. If any kind of corruption is found while the server verifies the envelope, the envelope is discarded immediately. Successfully verified client envelopes are extracted; the information about all payment orders is transferred into the database, and a confirmation reply is sent back to the customer in the form of another digital envelope signed with the bank’s private certificate and encrypted with the customer’s public certificate. As soon as a customer gets a confirmation, the payment orders are considered to be accepted by the bank for execution. The confirmation envelope is stored on the client side and can then be used by the customer to prove the fact of ordering certain payments (non-repudiation principle). Further execution of every accepted payment order involves the standard procedure of verifying the corresponding certificate (see above).
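
The envelope flow described above (sign each order, sign the whole envelope, encrypt to the bank, discard on any verification failure), as an added example that is not the bank's or Client Terminal's code. It assumes the Python `cryptography` package, a JSON layout, and RSA-2048 with PSS/OAEP, SHA-256 and AES-GCM in place of the algorithms listed on this page; all function and field names are hypothetical, and signing is done with the private key belonging to the customer's certificate.

```python
import json, os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed algorithms (not the page's RSA-1024/SHA1/RC4): RSA-PSS, RSA-OAEP, AES-256-GCM.
H = hashes.SHA256()
PSS = padding.PSS(mgf=padding.MGF1(H), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(H), algorithm=H, label=None)
# Constructed sample payment orders.
ORDERS = [{"id": "PO-1", "to": "ACCT-0001", "amount": "1500.00"},
          {"id": "PO-2", "to": "ACCT-0002", "amount": "75.50"}]

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def canon(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def build_envelope(orders, customer_key, bank_pub):
    """Sign each order, sign the whole list, then encrypt to the bank."""
    signed = [{"order": o, "sig": customer_key.sign(canon(o), PSS, H).hex()}
              for o in orders]
    inner = canon({"orders": signed,
                   "envelope_sig": customer_key.sign(canon(signed), PSS, H).hex()})
    cek, nonce = AESGCM.generate_key(bit_length=256), os.urandom(12)
    return {"wrapped_key": bank_pub.encrypt(cek, OAEP), "nonce": nonce,
            "ciphertext": AESGCM(cek).encrypt(nonce, inner, None)}

def open_envelope(env, bank_key, customer_pub):
    """Return the verified orders, or None: any failure discards the envelope."""
    try:
        cek = bank_key.decrypt(env["wrapped_key"], OAEP)
        inner = json.loads(AESGCM(cek).decrypt(env["nonce"], env["ciphertext"], None))
        signed = inner["orders"]
        customer_pub.verify(bytes.fromhex(inner["envelope_sig"]), canon(signed), PSS, H)
        for item in signed:
            customer_pub.verify(bytes.fromhex(item["sig"]), canon(item["order"]), PSS, H)
        return [item["order"] for item in signed]
    except (InvalidSignature, InvalidTag, ValueError, KeyError, TypeError):
        return None

if __name__ == "__main__":
    customer, bank = new_key(), new_key()
    env = build_envelope(ORDERS, customer, bank.public_key())
    print(open_envelope(env, bank, customer.public_key()))
```

The bank's confirmation reply is the same construction with the roles swapped: signed with the bank's key and encrypted to the customer's public key.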

A digital certificate is used for signing only with certificate-based authentication (with the certificate stored either in the computer’s registry or on a smart card). With password-based authentication, the signature is emulated by the corresponding CSP, based on the user’s login/password pair.

Used Protocols

To communicate with the server, Bank++ Client Terminal uses the HTTPS protocol, i.e. HTTP wrapped in the SSL (Secure Sockets Layer) protocol, which encrypts all HTTP data. This provides the following features:

  • Authentication. This guarantees that a client has established a connection to the genuine server that holds the corresponding certificate
  • Unique session keys. This keeps every session secure even if the security of a previous session has been violated
  • Guaranteed safe transportation of sensitive information over the Internet.

The SSL protocol is a common and proven standard for transferring sensitive data over the Internet. Most modern web servers and browsers support SSL.

 

 











Licence NBKR #039
© 1997-2008 AsiaUniversalBank

