Perspective: Auditing norms for PKI based applications
In general, the audit norms are similar; however, PKI-based applications have certain constraints which need to be addressed during audit.

Published in: Technology, Economy & Finance
Auditing Norms for PKI-based Applications
Universal Banking Solution | System Integration | Consulting | Business Process Outsourcing
Introduction

The use of alternative channels like the Internet and mobile to exchange information and money is now commonplace. Although some security concerns do persist, the fact remains that systems such as RTGS (Real Time Gross Settlement), NEFT or SWIFT are among the most reliable and safe mechanisms of fund transfer and messaging that we have ever known. It is natural to ask how that is possible. The secret to this is “Public Key Infrastructure” (PKI).

PKI makes it possible for retail and bank users to safely and privately exchange money and information over a public channel, by generating a pair of cryptographic keys – one public, typically stored in a browser, and the other private, usually stored on a smart card – which is received and shared with the help of a trusted authority. A Digital Certificate/Signature connected to the message helps to identify and authenticate users – senders who use a public key to encrypt data as well as receivers who use a private key to decrypt it.

There are a number of PKI systems in existence. For example, international financial and non-financial messages via SWIFT (Society for Worldwide Interbank Financial Telecommunication) are transported over international PKI, whereas local transactions are typically supported by separate domestic infrastructure established by the Central Bank of each country.

Organization Structure

The organization structure of a PKI system has the following three tiers:

• Controller of Certifying Authority (CCA): This is a Government authority and the apex of the PKI organization. For example, in India, the CCA has been established under the provisions of the Information Technology Act, and works under the Ministry of Information Technology in New Delhi. The CCA is responsible for providing the Root Certificate, under which all other certificates are granted.

• Certifying Authority (CA): There are a number of Certifying Authorities, which are responsible for issuing Digital Certificates after verifying the documents of identity; these agencies report to the CCA. The Reserve Bank of India has established a separate CA exclusively for banking applications, and has been followed by a number of private agencies.

• Registration Authority (RA): Every bank has a Registration Authority, which represents it and its employees. It is the RA which verifies the employees of the bank for whom Digital Certificates are needed, consolidates the requirements, and then approaches the CA for issuing the certificates. Incidentally, each bank sets its own policies regarding which employees should be issued a certificate.

From the above description and diagram it is clear that the PKI hierarchy follows a “trust model”, in which each tier performs a specific function:

• The CCA represents the law of the land and assures legal validity of all the Digital Signatures/Certificates issued in the country of its jurisdiction. It also devolves authority upon various CAs.

• The CAs are responsible for the actual issuance of certificates.

• The RAs represent and take care of the interests of individual banks with respect to the end-to-end management of Digital Certificates.

The Need for PKI Systems Audit

Having designed and implemented such elaborate Public Key Infrastructure, it is equally important to ensure that it works properly. This is the goal of PKI Systems audit.
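The three-tier trust model described above, as an added Go example that is not from the paper: a constructed root (standing in for the CCA's Root Certificate), a bank CA beneath it and a user certificate, with a signed message verified up the chain to the root. The verification time is the timestamp carried with the message rather than the wall clock, which is how a message signed under a certificate that has since expired, the audit-time problem the paper raises later, can still be checked without altering a server's date; the certificate names, the sample message and the fixed test keys are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for pub with parentKey, valid 1 Jan fromYear to 1 Jan toYear; parent == nil means self-signed.
func issue(cn string, fromYear, toYear int, isCA bool, serial int64, pub any,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(fromYear, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(toYear, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent = tmpl } // the root certifies itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}

// verifyAsOf validates user -> CA -> root as of `at` (the signing time carried with the message, not the wall clock), then checks sig.
func verifyAsOf(msg, sig []byte, at time.Time, user, ca, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := user.Verify(opts); err != nil {
		return err // expired or not yet valid at `at`, or the chain does not reach the root
	}
	return user.CheckSignature(x509.PureEd25519, msg, sig)
}
// auditScenario: constructed three-tier chain whose user certificate expired at end-2016; one June-2016 message is verified at signing time and at today's clock.
func auditScenario() (atSigning, atNow error) {
	key := func(b byte) ed25519.PrivateKey { s := make([]byte, 32); s[0] = b; return ed25519.NewKeyFromSeed(s) }
	rootKey, caKey, userKey := key(1), key(2), key(3) // fixed test seeds, constructed
	root := issue("Root CA (constructed)", 2010, 2030, true, 1, rootKey.Public(), nil, rootKey)
	ca := issue("Bank CA (constructed)", 2012, 2020, true, 2, caKey.Public(), root, rootKey)
	user := issue("RTGS user (constructed)", 2015, 2017, false, 3, userKey.Public(), ca, caKey)
	msg := []byte("RTGS|REF0001|INR 1000000|2016-06-15T09:30:00Z") // constructed sample message
	sig := ed25519.Sign(userKey, msg)
	signedAt := time.Date(2016, 6, 15, 9, 30, 0, 0, time.UTC) // an instant, so the zone is immaterial
	return verifyAsOf(msg, sig, signedAt, user, ca, root), verifyAsOf(msg, sig, time.Now(), user, ca, root)
}
```

auditScenario returns nil for the verification at signing time and an expiry error for the verification against today's clock, so the same data can be audited years later without touching the system date.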
Banks routinely undergo manual audit of business operations, as well as separate audits for information systems and information systems security. Information systems audit is defined as a periodic activity in which data and information systems are accessed and verified for desired business results, in order to understand whether the systems are working properly or not.

For the same reason, it is also necessary to audit PKI Systems. While the auditing of PKI applications costs time and money, banks must make the investment to ensure that these critical applications are functioning well.

Although PKI audit falls within the ambit of information systems audit, its norms vary somewhat. One of the key differences and challenges of PKI audit is that unlike physical signatures, Digital Certificates and Signatures have a fixed life, after which they automatically expire. When that happens, messages pertaining to the transactions involving the expired certificates cannot be verified during audit, and hence it becomes impossible to establish the legality of those transactions. One of the ways to circumvent this problem is to create a simulated environment and push data into it for the purpose of the audit.

PKI audit must occur at two levels: that of the structure and the application. The first one examines the processes and norms in use by the various tiers of the PKI organization, namely the CCA, CA and RA. The second one audits different PKI applications and the way they participate in the business.

Ideally, as the below diagram shows, there should be a separate audit at each level of the PKI organization, and also of PKI applications.

Taking the example of India once again, it is observed that the Controller of Certifying Authority is very conscious of its responsibility and undergoes rigorous internal audit at regular intervals. Similarly, RBI and other Certifying Authorities also conduct audits for PKI. Audit of the Registration Authority at each bank is necessary to ensure that all the certificates issued to current employees are valid, and also that those previously issued to employees who have now quit are no longer so.

The auditing of information systems – of which PKI is a part – is a vast domain, which covers most general practices. Unfortunately, it does not lay down any specific guidelines for the way in which PKI applications must be audited. Consequently, banks approach the audit as one more compliance mandate that must be fulfilled. This is a pity, because PKI audit plays a big role in ensuring that the systems are in order, and thereby reduces security lapses.

This paper attempts to raise awareness of auditing norms for PKI based applications.

Auditing PKI Applications

Another key constraint of PKI audit (besides the limited validity of certificates mentioned earlier) is that it can only be a partial one. This is because PKI transactions always involve an external organization, which is outside the audit’s purview. An application module deployed at a Registration Authority may be audited for what it does within its four walls, but it is not possible to evaluate its interactions with other modules at external agencies, such as a Certifying Authority. The auditors simply have to accept this and move on.

There need to be two separate audits for the structure (CCA, CA, RA etc.) and the applications, both of which will suffer from this constraint.

While auditing the structure, the auditor is supposed to follow certain norms to check:

• Whether certificate related backups are taken and stored at the CCA level

• Whether during the verification of individual signatures, verification is done up to the root level

• Whether the CAs are correctly following the norms pertaining to the storage of keys
with primary and back up servers, and whether they have adequately secure storage infrastructure

• Whether any time gaps or differences in time zones are taken into account while transitioning from one root CCA certificate to another. It is important that PKI applications have a feature to support time gaps, and even the occasional co-existence of root certificates with different validities.

Difference Between PKI-based Application Audit and Regular Information Systems Audit

In general, the audit norms are similar; however, PKI-based applications have certain constraints which need to be addressed during audit.

• Digital Signature generation is a run time operation; applications generating and verifying a Digital Signature always couple it with the date and time of its creation. What this means is that whenever a Digital Signature is affixed to a message there is a date and time attached to it. Also, as mentioned earlier, the Digital Signature has a limited validity.

• PKI modules always check for the validity of Digital Certificates during verification by continuously polling the system date. This might occasionally create a conflict if the verification involves countries in two distant time zones, such as South Africa and Japan.

• During PKI application audit it is important to gather the relevant time stamps and verification logs for future reference, in an offline process.

• Given the impact and risk associated with PKI transactions, it is very important for the auditor to cross check each transaction signature against the log, something that is seldom required in conventional audit.

• In general, an audit is conducted to check business value at the organization level, as well as compliance. PKI audit highlights the enormous technology risks which PKI based applications bring to daily banking operations. It is important to note that such transactions are very secure as long as the private keys are not compromised.

Overcoming the Challenges of PKI Application Audit

• Using secondary servers to replicate data as well as change the date can circumvent the run time dependency of PKI applications. In this way, signatures may be verified without impacting the normal course of business.

• Different key generation algorithms used by different applications may lead to variation in security practices and outcomes. For example, until some time ago, the SHA1 hashing algorithm was very popular; now SHA2 has taken its place in many PKI applications. Hence, any proprietary tools used during audit must be able to accommodate such changes.

• Frequently, browser based applications do not recognize the local Certifying Authority and consequently, browser based tools of audit do not recognize valid transactions and messages. This is a known problem, which CAs can solve by registering their names with the vendors of different browsers.

• An important goal of the audit is to discover any mismatch in data between the messaging layer and the business layer. Sometimes, because of some errors in the network, messages get delayed. The rescheduling of messages/transactions impacts normal account closing at end of day (EOD). Hence, while linking EOD and BOD (beginning of day) operations to accounting entries, it is important to take care of any time gaps.

• “Hidden snake in the tunnel”: Often, banks implement PKI only at the module level, and bypass the PKI channel while accessing data, because it is faster and more convenient to do so. It is the auditor’s responsibility to find such occurrences and bring them within the audit band. It has been found during audit that banks take the required data directly from middleware, databases or even logs, after bypassing signature verification.

• Many banks allocate separate drives to store logs generated by PKI applications. They must exercise adequate access control over such logs by correctly maintaining system level access.
• It is a normal practice among banks to copy Digital Certificates from their primary site to a secondary/Disaster Recovery (DR) site located on a different seismic plate, as part of Business Continuity Planning (BCP). Certain PKI modules may not allow the movement of certificates which are tightly coupled with the system’s IP address. In such cases, while shifting data from one server to another, it is necessary to ensure that the DR/BCP servers have the same system IP address. This must be considered during audit.

• Digital Certificates are normally stored on smart cards, Hardware Security Modules or hard disks; during BCP drills it is important to make sure that the movement of any PKI related artifacts, such as digital certificates or security modules, is conducted by way of a standardized process and is also audited.

• Since certificates are often revoked as per banks’ policies, PKI applications should have the capability to connect to the CA’s central server periodically to check the CRL (Certificate Revocation List). An auditor should also check for revocation, and whether the transactions pertaining to revoked certificates have also been revoked correctly.

• At times, the CCA revokes its own root certificates and issues new ones. This in turn revokes the CA’s certificates, and invalidates all Digital Certificates allied to them. In such cases, the auditor should audit the application to check for a provision for a second root certificate.

Author
Makarand Madhukar Baji
Senior Consultant – Finacle Payments
Infosys
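The cross-check of each transaction signature against the log, the messaging-layer/business-layer mismatch and the revoked-certificate check discussed in the preceding slides, as an added Go example that is not from the paper: it reconciles a constructed core-banking ledger with a constructed PKI verification log and a CRL extract, flagging transactions with no verification record (the “hidden snake”), transactions verified on a different business date than they were booked (an EOD/BOD gap) and transactions signed after their certificate was revoked. The record layouts, references and certificate ids are assumptions.

```go
package main

import (
	"strings"
	"time"
)

// Constructed samples: core-banking ledger (ref|booked|signing cert) and PKI verification log (verified-at|ref|cert|result).
const ledger = `REF0001|2016-06-15T09:30:00Z|CERT03
REF0003|2016-06-15T11:40:00Z|CERT07
REF0004|2016-06-16T00:10:00Z|CERT03
REF0005|2016-06-15T23:59:30Z|CERT03`
const verifyLog = `2016-06-15T09:30:02Z|REF0001|CERT03|VERIFIED
2016-06-15T11:40:03Z|REF0003|CERT07|VERIFIED
2016-06-16T00:00:20Z|REF0005|CERT03|VERIFIED`
// revokedAt is a constructed CRL extract: certificate id -> revocation time.
var revokedAt = map[string]time.Time{"CERT07": ts("2016-06-15T08:00:00Z")}

func ts(s string) time.Time { // RFC 3339 stamps carry their zone, so comparisons below are on instants
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

func day(t time.Time) string { return t.UTC().Format("2006-01-02") } // business date for the EOD/BOD check

// reconcile cross-checks every ledger entry against the verification log and the revocation list, one "REF: issue" line per exception.
func reconcile(ledger, verifyLog string, revoked map[string]time.Time) []string {
	verified := map[string][]string{} // ref -> verification log fields
	for _, l := range strings.Split(verifyLog, "\n") {
		f := strings.Split(l, "|")
		verified[f[1]] = f
	}
	var out []string
	for _, l := range strings.Split(ledger, "\n") {
		f := strings.Split(l, "|")
		ref, booked, cert := f[0], ts(f[1]), f[2]
		v, ok := verified[ref]
		switch {
		case !ok || v[3] != "VERIFIED": // data taken from DB/middleware, bypassing the PKI channel
			out = append(out, ref+": no signature verification record")
		case day(ts(v[0])) != day(booked): // message delayed across the EOD/BOD boundary
			out = append(out, ref+": verified on a different business date than booked")
		}
		if r, rev := revoked[cert]; rev && !booked.Before(r) {
			out = append(out, ref+": signed with "+cert+" after its revocation at "+r.Format(time.RFC3339))
		}
	}
	return out
}
```

On the constructed data, reconcile(ledger, verifyLog, revokedAt) reports REF0003 (signed after revocation), REF0004 (no verification record) and REF0005 (EOD/BOD gap), and nothing for REF0001.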