Todos XML Sign-What-You-See: The missing link for financial transactions. Peter Gullberg, VP Product Strategy
<ul><li>Founded in Göteborg, Sweden, in 1987.</li><li>17 years of experience in developing security solutions, primarily based on smart cards.</li><li>Todos' majority owner is the Sixth AP Fund, a state-owned fund managing public pension funds in Sweden.</li><li>Todos is the world's leading supplier of connectable card readers: 6 million+ connectable card readers in order stock, being rolled out 2008-2009.</li><li>Todos has a strong presence, ready to serve you as a customer.</li><li>Todos has offices in: Gothenburg, Sweden (headquarters, R&D, sales); Taipei, Taiwan (sales, production and logistics); Qingdao, China (R&D); Beijing, China (sales).</li></ul>
Digital Signatures and PKI: Intro
<ul><li>There is an ever-increasing need to digitally sign a document, to prove authenticity and integrity.</li><li>XML Signatures [XMLDSIG] is a generic framework for signing documents.</li><li>Most initiatives worldwide on digital signatures are derivative work based on the W3C's (www.w3.org) XML Signatures, making XMLDSIG the de-facto standard.</li><li>Many authorities, such as governments and financial institutions, are actively adopting various XML Signature schemes.</li><li>For widespread use of digital signing there must be a digital signature infrastructure enabling digital signing of virtually any document type: "XML Signatures".</li></ul>
Digital Signatures and PKI: Status worldwide?
<ul><li>Euro-zone: (CEN) specifying citizen cards, eID, etc.</li><li>United States: working on PIV.</li><li>UK: "Identity grid", spending £5.6B and pushing identity.</li><li>Norway: BankID (XMLDSIG / ETSI).</li><li>Sweden: BankID (XMLDSIG).</li><li>Brazil: ICP (XMLDSIG).</li><li>Belgium: eID (XMLDSIG / XAdES).</li><li>Germany: EBICS (XMLDSIG) for financial transfers.</li><li>Other: France, Taiwan, Hong Kong, Japan, Australia, Finland, Singapore, etc.</li><li>CEN/ETSI: specifying card interoperability, card implementations and XML signature standards; most of the work is *very* good.</li><li>ISO: specifying card interoperability and middleware interoperability; the card infrastructure work is very important, some other work less relevant.</li><li>SUMMARY: EVERYONE IS DOING SOMETHING, AND MOST ARE USING XMLDSIG!</li></ul>
Digital Signatures and PKI: BUT..... THERE IS A WEAKNESS!!
<ul><li>Digital signature schemes fail to establish a way for the user to review and approve, in a trusted environment, what he or she is about to sign.</li><li>This leads to doubt regarding the non-repudiation of the transaction.</li><li>Using the computer screen to display what will be signed is possible, but is today not considered secure enough: the same malware that controls the PC can control what the screen shows.</li><li>Q: "Would you sign a blank cheque, or sign a contract without being able to review the contractual terms?"</li></ul>
Todos XML Sign-What-You-See
Todos XML Sign-What-You-See: Business proposition
<ul><li>Combines true Sign-What-You-See with PKI and XML Signatures.</li><li>The customer reviews and approves the data to be signed in a secure environment.</li><li>Interoperable document standard: XML.</li><li>Supports legacy PKI cards and PKI schemes.</li><li>Meets the requirements of the EU signature directive (1999/93/EC).</li><li>Authentication, authorisation and signing are separated into clearly defined processes.</li><li>PIN entry is performed in a secure environment; the PIN is never exposed to the personal computer.</li><li>Backwards compatible with existing digital signature formats, making migration possible towards Todos XML Sign-What-You-See with true SWYS.</li></ul>
Todos XML Sign-What-You-See: Why XML?
<ul><li>Based on international standards.</li><li>Can be updated incrementally.</li><li>Platform-independent, thus relatively immune to changes in technology.</li><li>XML is heavily used as a format for document storage and processing, both online and offline.</li><li>Its hierarchical structure is suitable for most types of documents.</li><li>Microsoft Office 2007 uses XML-based file formats (docx, pptx, etc.), as does SOAP.</li></ul>
Todos XML Sign-What-You-See: How it works
<ul><li>Data that needs to be approved by the cardholder is tagged with a Sign-What-You-See attribute and encoded in a format understandable by the signing device.</li><li>Large contractual terms are divided into a set of screens, each of which fits the device, to overcome the display limitations of a small signing device.</li><li>A Secure Signing Interface solves the issue of supporting any PKI card and any PKI scheme.</li><li>The "Secure Signing Interface" follows the same conceptual principles as Secure PIN Entry (defined in PC/SC 2.01, part 10), and can be used for both asymmetric and symmetric cryptography.</li></ul>
Todos XML Sign-What-You-See: System overview (diagram of the bank, the relying party and the certificate holder)
Todos XML Sign-What-You-See: SWYS principle (reader screens in sequence: "Account number? 12312-3123" OK; "Amount: 1 234,00" OK; "PIN? * * * *" OK)
Todos XML Sign-What-You-See: Todos Connectable reader
<ul><li>Todos Connectable 217 or 417.</li><li>PC/SC 2.01 secure PIN entry.</li><li>Secure Signing Interface, conceptually the same as PC/SC 2.01 secure PIN entry.</li><li>Display of either 2x17 characters (217) or 4x17 characters (417).</li><li>Enables true Sign-What-You-See with XML documents, or other document types in the future.</li><li>Supports XMLDSIG and ETSI TS 101 903 (XAdES).</li><li>Supports ISO 7816-8, -9, ....</li><li>Supports ISO/IEC 24727-2.</li></ul>
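The "How it works" and reader slides describe a pipeline: tag the fields the cardholder must approve, render them into screens that fit a 2x17 or 4x17 display, let the user press OK on each, and only then sign. The following is an added example of that pipeline written for this page; it is not Todos code, and the attribute name swys, the label attribute, the screen-per-field layout and the sample documents are all assumptions. It uses the symmetric variant the slides say the Secure Signing Interface allows (an HMAC under a key shared by card and bank) so that it runs with the Python standard library alone; a PKI deployment would put an XMLDSIG/XAdES signature over the same data-to-be-signed. The demo also shows the two man-in-the-browser cases the SWYS principle is meant to catch: a document altered before it reaches the reader (the cardholder sees the wrong account and declines) and a document altered after signing (the bank's re-derived screens no longer match the signature).

```python
import hashlib
import hmac
import textwrap
import xml.etree.ElementTree as ET

SWYS_ATTR = "swys"   # assumed attribute name; not the Todos encoding
LINE_WIDTH = 17      # both Connectable readers in the slides show 17-character lines

# Constructed sample transaction (not from the slides). Only the swys="true"
# elements reach the reader and are covered by the signature.
PAYMENT_XML = (
    '<Payment>'
    '<Reference>INV-2008-0042</Reference>'
    '<Beneficiary swys="true" label="Account number">12312-3123</Beneficiary>'
    '<Amount swys="true" label="Amount">1 234,00</Amount>'
    '<Note>Free text the cardholder never sees</Note>'
    '</Payment>'
)

# Constructed contract whose term is longer than one screen.
CONTRACT_XML = (
    '<Loan>'
    '<Terms swys="true" label="Terms">Fixed rate 4,5% for 36 months, '
    'early repayment fee 2%</Terms>'
    '</Loan>'
)

# Assumed shared secret for the symmetric variant; a real card keeps this inside the chip.
DEVICE_KEY = b"example-card-key-not-a-real-secret"


def swys_fields(xml_text):
    """Pick out every element tagged for cardholder approval, in document order."""
    root = ET.fromstring(xml_text)
    return [(e.get("label", e.tag), (e.text or "").strip())
            for e in root.iter() if e.get(SWYS_ATTR) == "true"]


def render_screens(fields, rows):
    """Lay the fields out as screens of `rows` lines of LINE_WIDTH characters.

    A label takes one line; a value longer than the display is wrapped onto
    further lines (and further screens) rather than truncated, so the user
    sees all of it before approving.
    """
    lines = []
    for label, value in fields:
        lines.append((label + "?")[:LINE_WIDTH])
        lines.extend(textwrap.wrap(value, LINE_WIDTH) or [""])
    return [lines[i:i + rows] for i in range(0, len(lines), rows)]


def data_to_be_signed(screens, rows):
    """Canonical bytes covering exactly what was displayed, plus the layout used."""
    body = "\n".join("\n".join(screen) for screen in screens)
    return ("rows=%d\n%s" % (rows, body)).encode()


def device_sign(xml_text, rows, key, approve):
    """Reader side: show the screens, sign only if the cardholder approves.

    `approve` stands in for the OK button; it gets the screens and returns a
    bool. Returns the MAC as hex, or None when the cardholder declines.
    """
    screens = render_screens(swys_fields(xml_text), rows)
    if not approve(screens):
        return None
    return hmac.new(key, data_to_be_signed(screens, rows), hashlib.sha256).hexdigest()


def relying_party_verify(xml_text, rows, key, signature):
    """Bank side: re-derive the screens from the received document and check the MAC."""
    if signature is None:
        return False
    screens = render_screens(swys_fields(xml_text), rows)
    expected = hmac.new(key, data_to_be_signed(screens, rows), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def cardholder_expects(account):
    """Model of a cardholder who presses OK only if the intended account is on screen."""
    return lambda screens: any(account in line for screen in screens for line in screen)


def demo(rows=2):
    honest = device_sign(PAYMENT_XML, rows, DEVICE_KEY, cardholder_expects("12312-3123"))
    # Man-in-the-browser swaps the beneficiary. If it does so before the reader
    # gets the document, the reader displays the attacker's account and the
    # cardholder declines; if it does so after signing, verification fails.
    tampered = PAYMENT_XML.replace("12312-3123", "99999-0001")
    declined = device_sign(tampered, rows, DEVICE_KEY, cardholder_expects("12312-3123"))
    return {
        "honest_verifies": relying_party_verify(PAYMENT_XML, rows, DEVICE_KEY, honest),
        "tampered_after_signing_verifies": relying_party_verify(tampered, rows, DEVICE_KEY, honest),
        "tampered_before_display_signed": declined is not None,
    }


if __name__ == "__main__":
    for screen in render_screens(swys_fields(PAYMENT_XML), 2):
        print("+" + "-" * LINE_WIDTH + "+")
        for line in screen:
            print("|" + line.ljust(LINE_WIDTH) + "|")
    print(demo())
```

The design point to notice is that the signature covers the rendered screens, not the raw XML: the bank recomputes the rendering with the same rules and layout, so whatever the cardholder approved is exactly what is verified. A verifier that instead signed the full document and trusted the PC to have displayed it faithfully would be back to the weakness the slides describe.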
Todos XML Sign-What-You-See: Example, "Tax declaration" (the PC shows "Mr Alegre: Your tax declaration 2008. Total income 2008: $125 000"; through the Secure Signing Interface the reader shows "Total income 2008: $125 000", and the user presses OK on the reader)
Frauds are becoming more and more sophisticated ... and so is fraud mitigation. (Diagram: the threats ID theft, key logging, phishing, spyware, man-in-the-middle and man-in-the-browser, against the countermeasures static passwords, OTP, challenge-response, Secure Domain Separation, Dynamic Signatures, SWYS and XML Sign-What-You-See.)
One step up is not enough ... make sure you take a dynamic leap to XML Sign-What-You-See. (Same diagram.)
Case #1 Nordea (Nordea's own words)
Case #1 Nordea
<ul><li>Nordea e-kod.</li><li>Nordea acted strongly to re-establish trust.</li><li>Nordea replaced its existing one-time-password solution.</li><li>Nordea implemented a security solution stronger than CAP, with "Advanced Signing" and a strong PKI solution.</li><li>The new security solution has effectively stopped all attacks on the internet bank.</li></ul>
Case #2 ABN AMRO (Source: Finextra 2/4-07)
Case #2 ABN AMRO
<ul><li>ABN AMRO e.dentifier2.</li><li>ABN AMRO had to act strongly.</li><li>One year later, in June 2008, ABN AMRO started deploying its third-generation security solution, "e.dentifier2".</li><li>Protects banking customers over the next 5-7 years.</li><li>True mitigation against man-in-the-middle attacks, with improved transaction data signing using "Sign-What-You-See" (SWYS).</li><li>"The most secure end-user device today" (ABN AMRO's own statement).</li></ul>
Todos' Promise: A unique position
<ul><li>Todos holds a unique position by offering...</li><li>... one system for all solutions: all devices can be used simultaneously; one end user can have multiple devices; multi-issuer service; cost efficient with a low total cost of ownership.</li><li>... a wide range of devices: from printed cards and tokens to connectable readers; enables true segmentation of users.</li><li>... high technical knowledge: Secure Domain Separation; Dynamic Signatures (true agility); Sign-What-You-See; XML Sign-What-You-See; customisation with tailor-made look and feel.</li></ul>
Todos product portfolio
<ul><li>The complete solution.</li></ul>
Thank you. Peter Gullberg, VP Product Strategy, +46 31 775 88 00, [email_address], www.todos.se