Incorporating Digital Signing & Encryption in Transactions in the Payment System of Sri Lanka
Presentation by Sunimal Weerasooriya, CEO
LankaClear (Pvt) Ltd.
Introduction to LankaClear
• Originated as Sri Lanka Automated Clearing House (SLACH) under Central Bank of Sri Lanka (CBSL) – 1987
• Divested as a limited liability company owned by all Commercial Banks and the Central Bank of Sri Lanka (CBSL) – 2002
Payment Structure of SL
Share Holders
Product Range of LankaClear
Establishment of LankaSign CSP
• Cyber security, information piracy, data theft, etc. are words we hear often these days in a world going high‐tech at an ever‐increasing speed.
• Eliminating information piracy, data theft, etc. and ensuring the security of information transmitted online is even more necessary as e‐payments are fast becoming the norm rather than the exception.
Recognizing the need, the Central Bank of Sri Lanka (CBSL) invited LankaClear (Pvt) Ltd. (LCPL) to be the Financial Sector's Certification Service Provider, and LCPL launched LANKASIGN on 22nd May 2009, as per the provisions of the Electronic Transactions Act No. 19 of 2006.
Root Signing Key - Protection
• The LANKASIGN‐CSP Root signing key pair is protected with the use of a SafeNet Protect Server Gold HSM, which is certified to FIPS 140‐2 Level 3. The LANKASIGN‐CSP Root signing key pairs are 2048‐bit and were generated within the Protect Server Gold HSM.
• The LANKASIGN‐CSP takes necessary precautions to prevent compromise or unauthorized usage of the key.
Root Signing Key - Recovery
• LANKASIGN‐CSP Root CA signing keys are encrypted and stored within a secure environment.
• The decryption key is maintained on physical media and stored in a physically secured offline environment, which requires two or more authorized officials of the LANKASIGN‐CSP to gain access. When any LANKASIGN‐CSP Root signing key expires, it will be archived for at least 10 years.
Types of Digital Certificates
• Secure Server Certificates
• Digital Signature Certificates
• Public Key Encryption Certificates
• Secure E‐mail Certificates
These Certificates are available for use in both the LCPL private networks and public domain.
Secure Server Certificates
These are Server Certificates bound to an IP address that, in combination with an SSL Web Server, attest the public server's identity, providing full authentication and enabling secure communication with customers and business partners.
Example: Certificate issued to authenticate the Web Server used for Internet Banking or any other internal web server used in a Bank.
Digital Signature Certificates
Certificates bound to an identity of an individual or an organization to allow owners of the certificates to digitally sign digital objects (transactions or documents) to certify authenticity.
Example: To authenticate a Banking Customer, for online messages and documents exchanged between entities in a public network.
Public Key Encryption Certificates
Certificates that are bound to an identity of an individual or an organization to allow electronic data to be encrypted.
Example: For encryption of data transmitted in Internet Banking transactions; to encrypt data exchanged between branches and head office in a Bank’s network.
Secure Email Certificates
Certificates bound to an e‐mail address which will allow owners of the certificates to digitally sign e‐mails to ensure authenticity.
Example: For e‐mail communications in Inter Bank and Intra Bank networks.
Signing & Encryption
CITS Clearing Before Digital Signing
CITS Legs 3 & 4 Completely Online with Digital Signing
[Diagram: Outward Return of CITS. Bank (Sender): Outward Return File, Calculate Hash, Digital Signing (Bank Private Key). Sent over VPN. LankaClear (Receiver): Verify Signature (Bank’s Public Key), LankaSign OCSP Responder, Calculate Hash, Compare. Vice versa for Inward Return of CITS.]
Note: Digital Signature Certificates are being Used
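The sender and receiver steps shown for the CITS outward return above, as an added example that is not LankaClear's code: the bank signs the file's hash with its private key, and the receiver takes the public key from the bank's certificate, recomputes the hash and compares. SHA-256, the self-signed certificate standing in for a LankaSign-issued Digital Signature Certificate, and all function and file names are assumptions; the OCSP status check is left out because it needs the live responder.

```shell
#!/bin/sh
# Added example. Names, paths and the SHA-256 choice are assumptions.

# Sender (bank): constructed 2048-bit key pair and self-signed certificate,
# standing in for a CSP-issued Digital Signature Certificate.
make_bank_identity() {   # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Bank" \
        -keyout "$1/bank.key" -out "$1/bank.crt" 2>/dev/null
}

# Sender: hash the file and sign the hash with the bank's private key.
sign_file() {            # $1 = private key, $2 = file, $3 = signature out
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Receiver: extract the public key from the sender's certificate, recompute
# the hash over the received file and compare it with the signed hash.
# Returns 0 if the file is accepted, 1 if rejected, 2 on a setup error.
verify_file() {          # $1 = certificate, $2 = file, $3 = signature
    pub=$(mktemp) || return 2
    openssl x509 -in "$1" -pubkey -noout > "$pub" || { rm -f "$pub"; return 2; }
    if openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$pub"
    return "$rc"
}

demo() {
    dir=$(mktemp -d) || return 2
    make_bank_identity "$dir" || return 2
    # Constructed sample content, not a real CITS return file.
    printf 'constructed outward return record 0001\n' > "$dir/return.dat"
    sign_file "$dir/bank.key" "$dir/return.dat" "$dir/return.sig" || return 2
    verify_file "$dir/bank.crt" "$dir/return.dat" "$dir/return.sig" \
        && echo "original file: accepted"
    # Any change to the file after signing must cause rejection.
    printf 'constructed outward return record 0002\n' > "$dir/return.dat"
    verify_file "$dir/bank.crt" "$dir/return.dat" "$dir/return.sig" \
        || echo "modified file: rejected"
    rm -rf "$dir"
}

demo
```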
SLIPS with Digital Signing
[Diagram labels: Bank, CBSL, SLIPS Server, Net Settlement Web Server, VPN, LankaSign OCSP Responder; Digital Signing (Bank Private Key) with Verify Signature (Bank’s Public Key); Digital Signing (LCPL Private Key) with Verify Signature (LCPL’s Public Key).]
Note: Digital Signature Certificates are being Used
US$ Clearing with Digital Signing
[Diagram with two panels, "Traditional Way" and "With LankaSign". Labels: US$ Server, Email Server; Digital Signed & Encrypted; US$ Server; Signature Verification & Decrypted.]
Note: Secure E‐mail Certificates & Public Key Encryption Certificates are being Used
Benefits of PKI Integration
• Data Integrity
• Non‐Repudiation
• Improved Operational Efficiencies.
• Lag Time Elimination.
• Cost Savings & Less Logistic Control Requirement
• Creates a Greener environment
Future of LankaSign
• Build High Awareness among Financial Sector Organizations on Email / Document Signing Certificates Usage, Legality and Benefits.
• Provide an Affordable Solution for Mass Scale Public Usage of E‐mail/Doc Signing Certificates.
• Introduction of Cost Effective Crypto Tokens.
• Seek Opportunities to Enter the Secure Server Certificate Market.
Thank You