Todos XML Sign-What-You-See
Transcript

  • 1. Todos XML Sign-What-You-See: The missing link for financial transactions. Peter Gullberg, VP Product Strategy
  • 2.
    • Founded in Göteborg, Sweden in 1987.
    • 17 years of experience in developing security solutions, primarily based on smart cards.
    • Todos’ majority owner is The Sixth AP fund, a state-owned fund managing public pension funds in Sweden.
    • Todos is the world leading supplier of connectable card readers; 6 Million+ connectable card-readers in order-stock, being rolled out 2008-2009
    • Todos has a strong presence and is ready to serve you as a customer
    • Todos has offices in: - Gothenburg, Sweden (Headquarters, R&D, Sales) - Taipei, Taiwan (Sales, production & logistics) - Qingdao, China (R&D, China) - Beijing, China (Sales, China)
    [Map: Todos HQ, R&D and Sales offices]
  • 3.
    • There is an ever-increasing need to digitally sign a document, to prove authenticity and integrity
    • XML-Signatures [XMLDSIG] is a generic framework for signing documents
    • Most digital-signature initiatives worldwide are derivative work based on the W3C's (www.w3.org) XML-Signatures, making XMLDSIG the de-facto standard
    • Many authorities, such as governments and financial institutions are actively adopting various XML-Signature schemes
    • For widespread use of digital signing there must be a digital signature infrastructure enabling digital signing of virtually any document type, “XML-Signatures”
    Digital Signatures and PKI Intro
  • 4.
    • Euro-zone: (CEN) Specifying citizen cards, eID…
    • United States: Working on PIV
    • UK: “Identity grid”, spending 5.6B£ and pushing identity
    • Norway: BankID (XMLDSIG / ETSI)
    • Sweden: BankID (XMLDSIG)
    • Brazil: ICP (XMLDSIG)
    • Belgium: eID (XMLDSIG / XAdES)
    • Germany: EBICS (XMLDSIG) for financial transfers
    • Other: France, Taiwan, Hong-Kong, Japan, Australia, Finland, Singapore etc. etc.…
    • CEN/ETSI : Specifying card interoperability, card implementations, XML-signature standards, most work is *very* good
    • ISO : Specifying card interoperability, middleware interoperability, card infrastructure is very important, some other work less relevant
    • SUMMARY: EVERYONE IS DOING SOMETHING,
    • MOST ARE USING XMLDSIG !
    Digital Signatures and PKI STATUS WORLDWIDE?
  • 5. Digital Signatures and PKI BUT....., THERE IS A WEAKNESS !!
    • Digital signature schemes fail to establish a way for the user to review and approve, in a trusted environment, what he or she is about to sign
    • This leads to doubt regarding the non-repudiation of the transaction
    • Using a computer screen to display what will be signed is possible, but is today not considered secure enough
    • Q: “Would you sign a blank check, or sign a contract without being able to review the contractual terms?”
  • 6. Todos XML Sign-What-You-See
  • 7.
    • Combines true Sign-What-You-See with PKI and XML-Signatures
    • Customer reviews and approves data to be signed in a secure environment
    • Interoperable document standard; XML
    • Supports legacy PKI cards and PKI schemes
    • Meets the requirements of the EU signature directive (1999/93/EC)
    • Authentication, Authorisation and Signing are separated into clearly defined processes
    • PIN-entry is performed in a secure environment ; PIN is never exposed to the personal computer
    • Backwards compatible with existing digital signature formats, making migration towards Todos XML Sign-What-You-See with true SWYS possible
    Todos XML Sign-What-You-See BUSINESS PROPOSITION
  • 8.
    • Based on international standards
    • Can be updated incrementally
    • Platform-independent, thus relatively immune to changes in technology
    • XML is heavily used as a format for document storage and processing, both online and offline
    • Hierarchical structure is suitable for most types of documents
    • Microsoft Office 2007 uses XML-based file formats (docx, pptx, etc.); SOAP, etc.
    Todos XML Sign-What-You-See WHY XML?
  • 9.
    • Data that needs to be approved by the cardholder is tagged with a Sign-What-You-See attribute and encoded in a format the signing device understands
    • Large contractual terms are divided into a set of screens, each of which fits the device, to overcome the display limitations of a small signing device
    • A Secure Signing Interface solves the issue of supporting any PKI card and any PKI scheme
    • The "Secure Signing Interface" follows the same conceptual principles as Secure PIN Entry (defined in PC/SC 2.01-10), and can be used for both asymmetric and symmetric cryptography
    Todos XML Sign-What-You-See HOW IT WORKS
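The flow on this slide (tag the fields to be approved, split them into reader-sized screens, require an OK on every screen, sign only what was approved), as an added example that is not Todos' code and reflects none of its internal formats. The attribute name and namespace, the element names of the sample payment, the canonical encoding of the reviewed data and the use of an HMAC key in place of the PKI card's private key are all assumptions made so that it runs with the Python standard library; the 2x17 screen geometry is taken from slide 12.

```python
"""Sign-What-You-See over tagged XML fields (standard library only; illustrative, not Todos' format)."""
import hashlib
import hmac
import textwrap
import xml.etree.ElementTree as ET

# Hypothetical namespace and attribute name: the slides only say fields are
# "tagged with a Sign-What-You-See attribute", not what the tag is called.
SWYS_NS = "urn:example:todos:swys"
SWYS_LABEL = "{%s}label" % SWYS_NS

# Display geometry stated on slide 12 for the smaller reader: 2 rows x 17 characters.
ROWS, COLS = 2, 17

# Constructed sample transaction (not from the slides). Only the two tagged
# elements are shown on the reader and covered by the device signature.
SAMPLE_XML = """<?xml version="1.0"?>
<Payment xmlns:swys="urn:example:todos:swys">
  <Reference>INV-2008-0042</Reference>
  <Account swys:label="Account number?">12312-3123</Account>
  <Amount swys:label="Amount:">1 234,00</Amount>
  <Memo>routing hint, never shown to the cardholder</Memo>
</Payment>
"""

# Stand-in for the card's signing key. A real deployment uses the PKI card's
# private key and an XMLDSIG/XAdES signature, not a shared HMAC key.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def extract_swys_fields(xml_text):
    """Return (label, value) pairs for every element tagged for display, in document order."""
    root = ET.fromstring(xml_text)
    return [(el.get(SWYS_LABEL), (el.text or "").strip())
            for el in root.iter() if el.get(SWYS_LABEL) is not None]


def paginate(fields, rows=ROWS, cols=COLS):
    """Split each field into screens that fit the reader; a field never shares a screen with another."""
    screens = []
    for label, value in fields:
        lines = textwrap.wrap(label, cols) + textwrap.wrap(value, cols)
        for i in range(0, len(lines), rows):
            screens.append(lines[i:i + rows])
    return screens


def canonical_bytes(fields):
    """Deterministic encoding of exactly the reviewed data: label TAB value, one field per line."""
    return "\n".join("%s\t%s" % (label, value) for label, value in fields).encode("utf-8")


def device_sign(xml_text, approve):
    """Reader side: show every screen, require OK on each, then sign the reviewed data.
    approve(screen) models the cardholder pressing OK; returning False aborts with no signature."""
    fields = extract_swys_fields(xml_text)
    for screen in paginate(fields):
        if not approve(screen):
            return None
    return hmac.new(DEVICE_KEY, canonical_bytes(fields), hashlib.sha256).hexdigest()


def relying_party_verify(xml_text, signature):
    """Bank side: recompute the reviewed data from the received document and check the signature."""
    if signature is None:
        return False
    expected = hmac.new(DEVICE_KEY, canonical_bytes(extract_swys_fields(xml_text)),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    shown = []
    sig = device_sign(SAMPLE_XML, lambda screen: shown.append(screen) or True)
    for screen in shown:  # render what the cardholder saw on the 2x17 display
        print("+" + "-" * COLS + "+")
        for line in screen:
            print("|" + line.ljust(COLS) + "|")
    print("+" + "-" * COLS + "+")
    print("signature:", sig)
    # A man-in-the-browser swaps the account number after the cardholder approved the original.
    tampered = SAMPLE_XML.replace("12312-3123", "99999-0001")
    print("original verifies:", relying_party_verify(SAMPLE_XML, sig))
    print("tampered verifies:", relying_party_verify(tampered, sig))
```

Running the script prints the two reader screens and shows the signature verifying over the original document but not over one in which the account number was swapped after approval; a swap made before the document reaches the reader is instead visible on the display, which is the point of SWYS. Note what the device signature does not cover: the untagged Reference and Memo elements are never shown and are not bound by it, so in a real deployment the enclosing XML-Signature over the whole document must still cover them. SWYS proves the cardholder saw and approved the tagged fields, nothing more.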
  • 10. Todos XML Sign-What-You-See: SYSTEM OVERVIEW [diagram: Bank, Relying party, Certificate holder]
  • 11. Todos XML Sign-What-You-See: SWYS PRINCIPLE [reader screens: "Account number? 12312-3123" OK; "Amount: 1 234,00" OK; "PIN? ****" OK]
  • 12.
    • Todos Connectable 217 or 417
    • PC/SC 2.01 secure PIN entry
    • Secure Signing Interface , conceptually same as PC/SC 2.01
    • Display of either 2x17 or 4x17 characters
    • Enables true Sign-What-You-See with XML documents, or other document types in the future
    • Supports XMLDSIG and ETSI TS 101 903 (XAdES)
    • Supports ISO/IEC 7816-8, -9, …
    • Supports ISO/IEC 24727-2
    Todos XML Sign-What-You-See TODOS CONNECTABLE READER
  • 13. Todos XML Sign-What-You-See: EXAMPLE, "TAX DECLARATION" [diagram: the PC shows "Mr Alegre: Your tax declaration 2008. Total income 2008: $125 000"; through the Secure Signing Interface the reader shows "Total income 2008: $125 000" and the cardholder presses OK]
  • 14. Frauds are becoming more and more sophisticated … and so is fraud mitigation [chart: threats (ID theft, key logging, phishing, spyware, man-in-the-middle, man-in-the-browser) against mitigations (static passwords, OTP, challenge-response, SWYS, secure domain separation, dynamic signatures, XML Sign-What-You-See)]
  • 15. One step up is not enough … make sure you take a dynamic leap [same chart as slide 14]
  • 16. Case #1 Nordea: Nordea's own words
  • 17. Case #1 Nordea
    • Nordea e-kod
    • Nordea acted strongly to re-establish trust
    • Nordea replaced their existing one-time-password solution
    • Nordea implemented a security solution stronger than CAP, "Advanced Signing", based on a strong PKI solution
    • The new security solution has effectively stopped all attacks on the internet bank
  • 18. Case #2 ABN AMRO Source: Finextra 2/4-07
  • 19.
    • ABN AMRO e.dentifier2
    • ABN AMRO had to act strongly
    • One year later, in June 2008, ABN AMRO started deploying its third-generation security solution, "e.dentifier2"
    • Protects banking customers over the next 5-7 years
    • True mitigation against man-in-the-middle attacks, with improved transaction data signing using "Sign-What-You-See" (SWYS)
    • "The most secure end-user device today" (ABN AMRO's own statement)
    Case #2 ABN AMRO
  • 20. Todos’ Promise A UNIQUE POSITION
    • Todos holds a unique position by offering…
    • … One system for all Solutions
    • All devices can be used simultaneously
    • One end-user can have multiple devices
    • Multi issuer service
    • Cost efficient with low total cost of ownership
    • … a Wide range of Devices
    • From Printed Cards, tokens to connectable Readers
    • Enables true segmentation of users
    • … High technical knowledge
    • Secure Domain Separation
    • Dynamic Signatures – True agility
    • Sign-What-You-See
    • XML Sign-What-You-See
    • Customization: tailor made look and feel
  • 21. Todos product portfolio
    • The complete solution
  • 22. Thank You Peter Gullberg VP Product Strategy +46 31 775 88 00 [email_address] www.todos.se