The importance of PKI-based transaction authorization
Markus Tak, a well-known German technology architect, shared his knowledge on the value and importance of PKI-based transaction authorizations in an ever-more technical world in this interview.
Over the last few months, with social distancing and the new normal taking hold, we’ve all made more online purchases with debit or credit cards.
This transaction authorization process, which is part of the wider electronic payment process, involves the cardholder and numerous other entities working together to complete an electronic transaction. As users, we don’t see the behind-the-scenes process that protects transactions from manipulation — but it has never been more important.
Markus Tak, a well-known technology architect in Germany who specializes in cryptography, network security, hardening, encryption and information security, has led KOBIL’s technology department since 2014. Here he shares his knowledge on the value and importance of PKI-based transaction authorizations in an ever-more technical world.
1. What is PKI-based transaction authorization?
It is used to protect transactions (such as financial wire transfers) against manipulation. It can be considered the equivalent of a hand-written signature under a transaction statement, because the signer will use his private key to digitally sign the transaction. That means it can also be seen as a kind of ‘proof’ that can be validated by any third party.
2. What is the difference between a private key and a public key?
Private keys and public keys are both used in encryption and decryption. They encrypt and decrypt sensitive information: private keys are used to decrypt and sign data, while public keys are used to encrypt and verify signatures.
Public/private cryptography is always asymmetric, because of the two distinct keys. The public key must be made ‘public’, e.g. known to everybody so that they can send encrypted messages to me and verify my signatures, while the private key must remain secret, e.g. only usable/accessible to the owner, because it decrypts encrypted data and creates signatures.
3. Why is it important for authentication to be based on two or more factors? And if one of the factors is given incorrectly, is another chance given — or is it blocked from the system automatically?
Two (or more) factors offer protection in case one of them is lost or stolen. In such scenarios, like a PIN being eavesdropped, there is still a second factor, such as possession of a physical device, which prevents misuse of the lost or stolen factor.
4. In a transaction authorization, where does the authentication code come from and what authority does it have?
The authentication code is generated by the payer as a ‘proof’ (of his authenticity) and to protect the integrity of the transaction. It is the equivalent of a hand-written signature on a paper-based order form.
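As an added illustration of answers 1, 2 and 4 (example code, not KOBIL's mAST implementation), the following Go program signs a wire-transfer statement with the payer's private key and lets the bank verify it with only the public key; the transaction fields and the canonical encoding are constructed assumptions. Any change to the payee or amount after signing makes verification fail, which is exactly the manipulation protection the answers describe.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is the statement the payer signs; every field is covered by the signature.
// Field names and layout are assumptions for this example.
type Transaction struct {
	PayerAccount string
	PayeeIBAN    string
	AmountCents  int64
	Reference    string
}

// canonical returns the exact bytes that are signed. Payer and bank must build them
// identically, otherwise a genuine signature would fail to verify.
func (t Transaction) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", t.PayerAccount, t.PayeeIBAN, t.AmountCents, t.Reference))
}

// SignTransaction produces the authentication code: an ECDSA signature over the
// SHA-256 digest of the canonical statement, made with the payer's private key.
func SignTransaction(priv *ecdsa.PrivateKey, t Transaction) ([]byte, error) {
	digest := sha256.Sum256(t.canonical())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyTransaction is what the bank (or any third party) runs; it needs only the
// payer's public key and the transaction exactly as it will be executed.
func VerifyTransaction(pub *ecdsa.PublicKey, t Transaction, sig []byte) bool {
	digest := sha256.Sum256(t.canonical())
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // payer's key pair (constructed)
	if err != nil {
		panic(err)
	}
	tx := Transaction{"DE00 PAYER", "DE00 PAYEE", 12050, "invoice 42"} // constructed sample
	sig, _ := SignTransaction(priv, tx)
	fmt.Println("genuine transaction verifies:", VerifyTransaction(&priv.PublicKey, tx, sig))
	tampered := tx
	tampered.PayeeIBAN = "DE00 ATTACKER" // manipulated after signing
	fmt.Println("tampered transaction verifies:", VerifyTransaction(&priv.PublicKey, tampered, sig))
}
```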
5. Can a virtual smart card increase the security of PKI identities?
Yes, absolutely. It securely protects the end user’s private key and allows you to track transactions not only for a given user but also to a given device and app. KOBIL’s app hardening mechanisms protect the private key from being stolen or misused.
6. How can we best minimize the risks of an electronic payment transaction?
In terms of KOBIL’s solution mAST, there is a two-factor-based authentication and authorization that maximizes the security of the end user. The separated secure execution environments are defined by KOBIL as follows:
The secure execution environment for verifying the user’s PIN, which represents the authentication factor ‘knowledge’, is the Smart Security Management Server (SSMS). The local SDK is not involved, as the PIN is at no point stored — let alone verified — in the SDK. Even in a scenario where the SSMS is compromised, no fraudulent actions are possible. That’s because all authentication and authorization procedures are dependent on the vSC, which is stored exclusively on the user’s mobile device, and not the SSMS.
The secure execution environment for the registered individual SDK instance, which represents the authentication factor ‘possession’, is provided by the interconnection between the SDK and the SSMS.
The connection between the SSMS and a registered SDK instance is cryptographically secure, and both communication participants are cryptographically authenticated.
7. How can you identify the user, app and the device?
With the private key inside the virtual smart card, the digital certificate generated by the SSMS certificate authority (CA) is generated specifically for a user, device and app. This means the keys will be different in the following cases:
· The same user has KOBIL protected apps on two devices (iPhone, iPad)
· The same user has two KOBIL protected apps on a single device
· Multiple users share the same app on the same device (family tablet)
8. What is a company risking if they don’t integrate the PKI-based transaction authorization?
There is a huge monetary risk, because recovering the damage will cost a company a high investment, while being hacked also means all the company and customer data is in the ‘wrong hands’.
There have been several instances of PhotoTAN or SMS TAN being hacked. On 28 December 2015, the pushTAN app of a popular bank received repeated attacks. The goal was to manipulate the user interface of apps in such a way that the processed transaction varied from the text displayed. But luckily, with the KOBIL mAST solution the transactions were automatically cancelled. In addition, the transaction data was being provided by the KOBIL Smart Security Management Server and was being transmitted on a separate, secured channel of the banking app — and not locally on the app.
Another example came in November 2016, when the press released the attacks against the photoTAN apps used by various banks. IT security research at a university in Germany initiated an attack against the photoTAN method and purposefully redirected amounts to other bank accounts. Attacked in this context was the two-apps-on-one-mobile device scenario, i.e. a mobile banking app combined with the photoTAN mobile app. In our case, the big difference between photoTAN and KOBIL mAST was the fact that KOBIL actively involves the SSMS server in the process as ‘trusted entity’, instead of employing purely local app-to-app communication.
Companies nowadays are being very careful and generally pay the attention needed to secure their customers’ digital identities in the best possible way.
To find out more about signPod and trusted digital identities, visit www.kobil.com.
The importance of PKI-based transaction authorization was originally published in KOBIL on Medium.