Todos Xml Sign What You See
  • 1. Todos XML Sign-What-You-See: The missing link for financial transactions. Peter Gullberg, VP Product Strategy
  • 2.
    • Founded in Göteborg, Sweden in 1987.
    • 17 years of experience in developing security solutions primarily based on Smart Card.
    • Todos’ majority owner is The Sixth AP fund, a state-owned fund managing public pension funds in Sweden.
    • Todos is the world leading supplier of connectable card readers; 6 Million+ connectable card-readers in order-stock, being rolled out 2008-2009
    • Todos has a strong presence and is ready to serve you as a customer
    • Todos has offices in:
      - Gothenburg, Sweden (Headquarters, R&D, Sales)
      - Taipei, Taiwan (Sales, production & logistics)
      - Qingdao, China (R&D, China)
      - Beijing, China (Sales, China)
  • 3. Digital Signatures and PKI: Intro
    • There is an ever-increasing need to digitally sign a document, to prove authenticity and integrity
    • XML-Signatures [XMLDSIG] is a generic framework for signing documents
    • Most initiatives worldwide on digital signatures are derivative work based on W3C's XML-Signatures, making XMLDSIG the de-facto standard
    • Many authorities, such as governments and financial institutions, are actively adopting various XML-Signature schemes
    • For widespread use of digital signing there must be a digital signature infrastructure enabling digital signing of virtually any document type: “XML-Signatures”
  • 4. Digital Signatures and PKI: STATUS WORLDWIDE?
    • Euro-zone: (CEN) Specifying citizen cards, eID…
    • United States: Working on PIV
    • UK: “Identity grid”, spending £5.6B and pushing identity
    • Norway: BankID (XMLDSIG // ETSI)
    • Sweden: BankID (XMLDSIG)
    • Brazil: ICP (XMLDSIG)
    • Belgium: eID (XMLDSIG // XAdES)
    • Germany: EBICS (XMLDSIG) for financial transfers
    • Other: France, Taiwan, Hong Kong, Japan, Australia, Finland, Singapore, etc.
    • CEN/ETSI: Specifying card interoperability, card implementations, XML-signature standards; most work is *very* good
    • ISO: Specifying card interoperability, middleware interoperability; card infrastructure is very important, some other work less relevant
  • 5. Digital Signatures and PKI: BUT....., THERE IS A WEAKNESS!!
    • Digital Signature schemes fail to establish a way for the user to review and approve what he or she is about to sign in a trusted environment
    • This leads to doubt regarding the non-repudiation of the transaction
    • Using a computer screen to display what will be signed is possible, but is today not considered secure enough
    • Q: “Would you sign a blank check, or sign a contract without being able to review the contractual terms?”
  • 6. Todos XML Sign-What-You-See
  • 7.
    • Combines true Sign-What-You-See with PKI and XML-Signatures
    • Customer reviews and approves data to be signed in a secure environment
    • Interoperable document standard: XML
    • Supports legacy PKI cards and PKI-schemes
    • Meets the requirements of the EU signature directive (1999/93/EC)
    • Authentication, Authorisation and Signing are separated into clearly defined processes
    • PIN-entry is performed in a secure environment; the PIN is never exposed to the personal computer
    • Backwards compatible with existing Digital Signature formats, making migration possible towards Todos XML Sign-What-You-See with true SWYS
  • 8. Todos XML Sign-What-You-See: WHY XML?
    • Based on international standards
    • Can be updated incrementally
    • Platform-independent, thus relatively immune to changes in technology
    • XML is heavily used as a format for document storage and processing, both online and offline
    • Hierarchical structure is suitable for most types of documents
    • Microsoft Office 2007 XML-based file formats (docx, pptx, etc.), SOAP, etc.
  • 9. Todos XML Sign-What-You-See: HOW IT WORKS
    • Data that needs to be approved by the cardholder is tagged with a Sign-What-You-See attribute, and encoded in a format understandable by the signing device
    • Large contractual terms are divided into a set of screens, each of which fits the device, to overcome the display limitations of a small signing device
    • A Secure Signing Interface solves the issue of supporting any PKI-card and any PKI-scheme
    • The ”Secure Signing Interface” follows the same conceptual principles as Secure PIN Entry (defined in PC/SC 2.01-10), and can be used for both asymmetric and symmetric cryptography
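As an added example (not Todos' code), the tagging-and-paging step described on this slide, rendered for both the 2x17 and 4x17 reader displays listed on slide 12; the swys and label attribute names and the sample payment order are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from textwrap import wrap

LINE_WIDTH = 17  # both reader models (2x17 and 4x17) show 17 characters per line

# Constructed sample payment order. Fields the cardholder must approve carry a
# swys="true" attribute and a label; both attribute names are assumptions.
SAMPLE_XML = """<Payment>
  <Reference>INV-2008-0042</Reference>
  <Account swys="true" label="Account number">12312-3123</Account>
  <Amount swys="true" label="Amount">1 234,00</Amount>
  <Beneficiary swys="true" label="Beneficiary">ACME Industrial Supplies Ltd</Beneficiary>
  <Currency swys="true" label="Currency">SEK</Currency>
</Payment>"""


def swys_fields(xml_text):
    """(label, value) pairs for every element tagged for cardholder approval.
    Untagged data (here the Reference) is never shown on the device."""
    root = ET.fromstring(xml_text)
    return [(el.get("label", el.tag), (el.text or "").strip())
            for el in root.iter() if el.get("swys") == "true"]


def paginate(fields, rows):
    """Split the fields into screens of `rows` lines, each at most 17 chars.
    A field starts on a fresh screen when it does not fit in the remaining rows;
    a field longer than one screen spills over onto the next screen."""
    screens, current = [], []
    for label, value in fields:
        field_lines = wrap(label + ":", LINE_WIDTH) + wrap(value, LINE_WIDTH)
        if current and len(current) + len(field_lines) > rows:
            screens.append(current)
            current = []
        for line in field_lines:
            current.append(line)
            if len(current) == rows:  # screen full: cardholder presses OK
                screens.append(current)
                current = []
    if current:
        screens.append(current)
    return screens


def screens_for_device(xml_text, rows):
    """Screens the reader shows, in order, before the document is signed."""
    return paginate(swys_fields(xml_text), rows)


if __name__ == "__main__":
    for rows in (2, 4):
        print(f"--- {rows}x{LINE_WIDTH} reader ---")
        for screen in screens_for_device(SAMPLE_XML, rows):
            print("\n".join(screen) + "\n[OK]")
```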
  • 10. Todos XML Sign-What-You-See: SYSTEM OVERVIEW (diagram: Bank, Relying party, Certificate holder)
  • 11. Todos XML Sign-What-You-See: SWYS PRINCIPLE (device screens: “Account number? 12312-3123” OK, then “Amount: 1 234,00” OK, then “PIN? * * * *” OK)
  • 12.
    • Todos Connectable 217 or 417
    • PC/SC 2.01 secure PIN entry
    • Secure Signing Interface, conceptually the same as PC/SC 2.01
    • Supports either 2x17 characters or 4x17 characters
    • Enables true Sign-What-You-See, with XML-documents, or other document types in the future
    • Supports XMLDSIG and ETSI TS 101 903 (XAdES)
    • Supports ISO-7816-8, -9, …
    • Supports ISO/IEC 24727-2
  • 13. Todos XML Sign-What-You-See: EXAMPLE, “TAX DECLARATION” (diagram: PC, Secure Signing Interface, Reader; reader screens: “Mr Alegre: Your tax declaration 2008” OK, then “Total income 2008: $125 000” OK)
  • 14. Frauds are becoming more and more sophisticated… and so is Fraud Mitigation (diagram: threats ID THEFT, KEY LOGGING, PHISHING, SPYWARE, MAN-IN-MIDDLE, MAN-IN-BROWSER against mitigations Static Passwords, OTP, Challenge Response, Secure Domain Separation, Dynamic Signatures, SWYS, XML Sign-What-You-See)
  • 15. One step up is not enough… make sure you take a dynamic leap (same diagram, ending at XML Sign-What-You-See)
  • 16. Case #1 Nordea: Nordea's own words
  • 17. Case #1 Nordea
    • Nordea e-kod
    • Nordea acted strongly to re-establish trust
    • Nordea replaced their existing one-time-password solution
    • Nordea implemented a stronger-than-CAP security solution with ”Advanced Signing”, with a strong PKI solution
    • The new security solution has effectively stopped all attacks on the internet bank
  • 18. Case #2 ABN AMRO Source: Finextra 2/4-07
  • 19. Case #2 ABN AMRO
    • ABN AMRO e.dentifier2
    • ABN Amro had to act strongly
    • One year later, in June 2008, ABN Amro started deploying its third-generation security solution ”e.dentifier2”
    • Protects banking customers over the next 5-7 years
    • True mitigation against Man-in-the-Middle attacks, with improved Transaction Data Signing with ”Sign-What-You-See” (SWYS)
    • ”The most secure end-user device today” (ABN Amro’s own statement)
  • 20. Todos’ Promise: A UNIQUE POSITION
    • Todos holds a unique position by offering…
    • … One system for all Solutions
      - All devices can be used simultaneously
      - One end-user can have multiple devices
      - Multi issuer service
      - Cost efficient with low total cost of ownership
    • … a Wide range of Devices
      - From Printed Cards, tokens to connectable Readers
      - Enables true segmentation of users
    • … High technical knowledge
      - Secure Domain Separation
      - Dynamic Signatures – True agility
      - Sign-What-You-See
      - XML Sign-What-You-See
      - Customization: tailor made look and feel
  • 21. Todos product portfolio
    • The complete solution
  • 22. Thank You Peter Gullberg VP Product Strategy +46 31 775 88 00 [email_address]