15 July 1997
Source:
http://www.r3.ch/standards/ecbs/
Thanks to mail list ukcrypto@maillist.ox.ac.uk: Nicholas Bohm <nbohm@ernest.net> and Dr. Rainer A. Rueppel, rueppel@r3.ch, tf direct ++41-1-9345600 r3 security engineering ag, Zuerichstrasse 151, CH-8607 Aathal/Zurich, Switzerland. http://www.r3.ch/, r3@r3.ch, tf ++41-1-9345656, fax ++41-1-9345657
Following material is introductory to the 62-page report which is available in PDF format (241K): http://www.r3.ch/standards/ecbs/papers/tr401sbi.pdf
A mirror of the report is on this site: http://jya.com/tr401sbi.pdf
Note: Acrobat reader version 3.0 is required; version 2.1 cannot read the report.
European Committee for Banking Standards
TC4 Security
Secure Banking over the Internet
Purpose and justification
The Internet is a rapidly evolving information infrastructure ("Information Highway") which provides global connectivity, easy reachability and interactive communications at moderate cost for the consumer. The dominating application is the World Wide Web (WWW), with its potential of 3 million connected computer systems and an order of magnitude more actual users. Currently, WWW is primarily used to provide easy access to free-of-charge information (typically research or marketing information). But this is expected to change dramatically in the near future. WWW is expected to provide a basis for electronic commerce and trade. A similar development can be expected for the IBC networks and "Information Highways".
Hence, the Internet has reached an increased market potential which makes it attractive for all service providers and, in particular, for the banks. With the Internet, banks can easily reach their customers on a global scale. Customers may sign up electronically, may order electronically, may transfer money electronically from almost any place in the world. However, as the Internet per se is a highly open and distributed infrastructure without central regulation and control, it is mandatory that the banks carefully address and solve the security issues related to banking applications over the Internet.
European banks must position themselves regarding:
Scope
This ECBS Technical Report shall provide a survey of current and planned banking use of the Internet, investigate the security requirements for secure banking on the Internet, provide a survey of the security-related protocols, services and applications on the Internet, identify the synergies between EDIFACT and the Internet, provide a set of recommendations on how banks can securely connect to the Internet (e.g. firewall technology), provide a set of recommendations on how banks can securely carry out banking transactions over the Internet (primarily for customer-bank relationships), discuss other requirements for global banking (e.g. banking secrecy, data privacy, export issues), and provide an outlook on new banking applications and services (such as electronic cash) which are needed in view of the advent of a global electronic marketplace.
Timetable
Milestone | Date |
Approval of NWI | 1/96 |
Draft Report | 6/96 |
Final Report | 12/96 |
Approval | 3/97 |
Members of ECBS TC4 Working Group 6
Name | Organisation |
Rueppel, A. Rainer (Convenor) | r³ security engineering ag, Switzerland |
Antunes, Joao | Sociedade Interbancaria de Servicos S.A., Portugal |
Barbut, Jean Louis | GSIT, France |
Beltrando, Rene | Groupement des Cartes Bancaires "CB", France |
Beykirch, Hans-Bernhard | Informatikzentrum der Sparkassenorganisation GmbH, Germany |
Cornet, Alain | Interbank Standards Association, Belgium |
Daemen, Joan | Esat Lab. K. U. Leuven, Belgium |
de Rooj, Peter | Europay International, Belgium |
Faulkner, Paul | Palisade Ltd, United Kingdom |
Fjelbye, Peter | Danish Payment Systems Ltd., Denmark |
Garbe, Sebastian | Bundesverband Deutscher Banken e.V., Germany |
Harpes, Carlo | Certel S.C., Luxembourg |
Johansson, Anders | Nordbanken, Sweden |
Meggle, Claude | Groupement des Cartes Bancaires "CB", France |
Moulart, Yves | Banksys S.A., Belgium |
Niehoff, Wilhelm | Bundesverband Deutscher Banken e.V., Germany |
Stirland, Mark | Association for Payment Clearing Services, United Kingdom |
van Oudheusden, Daaf | Interpay, The Netherlands |
Ward, Mike | Association for Payment Clearing Services, United Kingdom |
Copyright © 1997 r³ security engineering ag.
Last Update : 97/01/23 - Please send feedback or comments to webmaster@r3.ch
Contents
1 Introduction
1.1 Background
1.2 Scope
2 Internet security
2.1 Introduction
2.1.1 What is the Internet?
2.1.2 The World Wide Web?
2.1.3 Java
2.1.4 The common Internet services?
2.2 Relevant scenarios
2.2.1 The bank as a user of the Internet
2.2.2 The bank as an information provider
2.2.3 The bank as an electronic banking provider
2.2.4 The bank as a part of an electronic payment system
2.3 Threats
2.3.1 Introduction
2.3.2 Some Categories of Threat
3 Separating trusted networks - Firewalls
3.1 Introduction
3.1.1 The Need for Security Measures
3.1.2 The Firewall Concept
3.1.3 Running a Web server
3.2 Firewall elements
3.2.1 Packet Screening
3.2.2 A Proxy or Application Level Gateway
3.2.3 Bastion Host
3.2.4 Screened Host
3.3 Security Policy Design Considerations
3.4 Discussion
4 Internet Session Security
4.1 Secure Sockets Layer (SSL)
4.1.1 Background
4.1.2 Applicable scenarios
4.1.3 Description
4.1.4 Discussion
4.2 Secure HTTP (S-HTTP)
4.2.1 Background
4.2.2 Description
4.2.3 Discussion
4.3 Private Communication Technology (PCT) Protocol
4.3.1 Background
4.3.2 Description
4.3.3 Discussion
4.4 IETF Transport Layer Security Protocol
4.4.1 Discussion
5 Internet Mail Security
5.1 Applicable scenarios
5.2 Internet Mail
5.2.1 Background
5.2.2 Description
5.2.3 Security
5.3 PGP
5.3.1 Background
5.3.2 Description
5.3.3 Security
5.3.4 Discussion
5.4 Privacy Enhanced Mail (PEM)
5.4.1 Background
5.4.2 Description
5.4.3 Security
5.4.4 Discussion
5.5 MIME Object Security Services (MOSS)
5.5.1 Background
5.5.2 Description
5.5.3 Security
5.5.4 Discussion
5.6 S/MIME
5.6.1 Background
5.6.2 Description
5.6.3 Security
5.6.4 Discussion
6 Web Integration of Financial Applications
6.1 Background
6.1.1 General considerations
6.1.2 Applicable scenarios
6.2 Security issues regarding downloading documents
6.2.1 Discussion
6.3 Security considerations regarding downloading code
6.3.1 The sandbox approach
6.3.2 The code signing approach
6.3.3 Discussion
6.4 Helper Application
6.4.1 Description
6.4.2 Discussion
6.5 Plug-in
6.5.1 Description
6.5.2 Discussion
6.5.3 National activities
6.6 ActiveX
6.6.1 Description
6.6.2 Discussion
6.7 Applets
6.7.1 Description
6.7.2 Discussion
7 Electronic Commerce Security
7.1 Secure Electronic Transaction (SET)
7.1.1 Background
7.1.2 Applicable scenarios
7.1.3 Description
7.1.4 Discussion
7.1.5 National solutions
7.2 Homebanking Solutions
7.2.1 Microsoft's Open Financial Connectivity (OFC)
7.2.2 Internet Gateways to Legacy Applications
7.2.3 National Activities
8 Hardware and Software Solutions
8.1 Background
8.2 Applicable Scenarios
8.3 Description
8.3.1 Software solutions
8.3.2 Simple Secure Environments
8.3.3 Extended Secure Environments
8.4 Discussion
9 Public Key Infrastructure
9.1 Registration & Certification of Public Key Users
9.1.1 Introduction
9.1.2 Example - The VeriSign Certificate Classes
9.1.3 Discussion
9.1.4 National activities
9.2 Key Escrow (Key Recovery)
9.2.1 Background
9.2.2 Discussion
10 Terminology