AT.Sign (for e-cheque)

Transcription

1 AT.Sign (for e-cheque) Application Engine for Implementation of e-cheque using PKI Technologies White Paper iaspec Software Limited Unit 511, Lakeside 1 8, Science Park West Avenue Hong Kong Science Park Shatin, N.T. Hong Kong Phone: Fax: , iaspec All rights reserved (14-W120-1 en)

2 TABLE OF CONTENTS 1. INTRODUCTION... 2 PURPOSE OF THIS WHITEPAPER... 2 ISSUES ON E-CHEQUE IMPLEMENATION... 2 INTRODUCTION TO AT.SIGN (FOR E-CHEQUE)... 3 EASE OF E-CHEQUE IMPLEMENTATION OVERVIEW ON AT.SIGN (FOR E-CHEQUE) INTEGRATION... 5 WHAT IS AT.SIGN (FOR E-CHEQUE)... 5 COMPONENTS OF AT.SIGN (FOR E-CHEQUE)... 8 INTEGRATION WITH AT.SIGN (FOR E-CHEQUE) INTEGRATION USING AT.SIGN (FOR E-CHEQUE) CORE FEATURES USING AT.SIGN (FOR E-CHEQUE) ADDITIONAL FEATURES , iaspec All rights reserved (14-W120-1 en) Page 1

3 1. INTRODUCTION PURPOSE OF THIS WHITEPAPER This Whitepaper is written to assist its readers in understanding how AT.Sign (for e-cheque) can be applied for rapid implementation & deployment of e-cheque services to augment your online banking service portfolio. The target audience of this Whitepaper includes corporate management and senior IT executives who are involved in technology management, evaluation and procurement decisions. This paper assumes a basic level of understanding in information security, in particular digital signature and e-cheque design (based on standards adopted by HKMA). ISSUES ON E-CHEQUE IMPLEMENATION The e-cheque introduced by HKMA is an innovative payment instrument which is legally and functionally equivalent to conventional cheque(s). It creates immediate benefits for the banks on reducing cheque processing cost, as well as opportunity in future as a new type of electronic payment method. At the same time, implementing e-cheque needs to overcome substantial technical issues which can be a headache; such as: 1) Generation of e-cheque PDF according to the very specific standard defined by HKICL 2) Application of approval signature and certification signature to the e-cheque , iaspec All rights reserved (14-W120-1 en) Page 2

4 3) Supporting of applying digital signature using General Purpose Certificate owned by customer in the client end through a generic browser 4) Integration with external hardware, such as HSM/TSA, and with Certificate Authority 5) Handling of enormous amount of digital certificates required by all your customers 6) Fulfilling all the above requirements, while still conforming to the required security standard for the whole solution AT.Sign (for e-cheque) is designed to ease the implementation of e-cheque, through the experience of iaspec in applying digital signature in PDF for many enterprises and government. INTRODUCTION TO AT.SIGN (FOR E-CHEQUE) AT.Sign is a leading Digital Signing Solution designed and developed by iaspec. Many of our local and overseas customers are using the standard AT.Sign product to support a variety of application systems for the meeting of digital signature requirements. The standard features of AT.Sign can be found in the AT.Sign product literature. AT.Sign (for e-cheque) is an extension of the standard AT.Sign product. It is designed and developed to support various requirements of the e-cheque in accordance with the standards adopted by the Hong Kong Monetary Authority (HKMA). It provides a set of comprehensive e-cheque modules (such as e-cheque Generation, Signatory Rules Management, Signature Verification, Batch e-cheque Issuing and e-cheque Ledger) to support simple, no-fuss integration of e-cheque services into your online banking systems , iaspec All rights reserved (14-W120-1 en) Page 3

5 With banks move quickly to offer e-cheque and a paucity of solutions on the market, AT.Sign is the first solution of its kind in Hong Kong that is poised to help your bank get a head start on the competition and make e-cheque services a reality. EASE OF E-CHEQUE IMPLEMENTATION AT.Sign offers a set of web services in its server for issuing of e-cheque, and client libraries to support the implementation of different e-cheque signing scenarios for improving user experience. For example, users can sign e-cheque using either General Purpose Certificate accessed locally at their personal computer, or Special Purpose Certificate protected by the bank s HSM server. It is also possible to implement e-cheque function in your mobile banking apps on major mobile platforms. AT.Sign (for e-cheque) provides packaged solutions and open interface which integrates seamlessly with Hardware security module (HSM), and Certificate Authority (CA). With AT.Sign (for e-cheque) - a leading platform for e-cheque implementation you do not have to be bogged down with the technical details, but can instead focus on designing the best e-cheque user experience for your customers , iaspec All rights reserved (14-W120-1 en) Page 4

6 2. OVERVIEW ON AT.SIGN (FOR E-CHEQUE) INTEGRATION WHAT IS AT.SIGN (FOR E-CHEQUE) AT.SIGN (for e-cheque) is a highly adaptive and reliable approach for integrating e-cheque related features into various software applications and back office systems used by the banks. It is implemented as a set of web services (a software library) that can be easily integrated with application systems in order to support the new e-cheque services. It supports (i) the general purpose certificate distributed in USB devices that the signers are in possession, and (ii) the special purpose certificates that are stored in HSM operated by the banks. Some of the key features of AT.SIGN (for e-cheque): It generates the e-cheque PDF files with full compliance to HKMA s e-cheque specifications, such as: - Conform to ISO PDF 1.7 specification - Generate e-cheque PDF according to HKICL s the size and layout restriction, image size, format and transparency constraint - Support AcroForm field w/hidden Flag, locked data field(s) after signature (FieldMDP attribute) - Apply Approval and Certification Signature using DocMDP attribute - Conform to the required document security, write password, accessibility control , iaspec All rights reserved (14-W120-1 en) Page 5

7 - Use of RSA 2048, 4096 bits key-pair - Support PKCS#7 signature digest base on the document byte range via adbe.pkcs7.detached sub-filter, which include signing time, secure timestamp, certificate revocation list - Support Latin and CKJ fonts without fonts embedding It provides an abstract layer interface for the integration with the Certificate Authorities chosen by the bank. Life cycle management of the digital certificates is assumed to be provided by the Certificate Authority. Through this abstraction layer interface, special purpose certificates can be secured maintained in the HSM. It also provides an extended JCE compliant interface with the HSM and TSA (Timestamp) Server. Banks can choose their own hardware suppliers and product models to suit their respective business needs. Through this layer of abstraction, millions of digital certificates can be managed using some standard off-the-shelf HSM products. It can be used to verify all signatures on e-cheque at the time of its presentment, and integration with central clearing for double presentment verification , iaspec All rights reserved (14-W120-1 en) Page 6

8 In addition to the above key features, AT.Sign (for e-cheque) offers the following optional features for easy implementation of your e-cheque services: Signatory rules of the account are applied during the e-cheque generation. It automatically determines the number of signatures required for a given cheque based on its amount. It manages of signatory rules for each of the e-cheques accounts. This is like the digital version of the signatory cards that the banks are using now for managing signatory requirements on an account. It includes profiles of the authorized signers, their associated digital certificate references and their signatory authorization levels. These signatory rules are used to determine the signatory requirements on the e-cheque during its generation. It maintains per-account ledger containing details of all e-cheques issued. The retention period of the ledger records can be configured based on requirements of the banks. Additionally, audit trail records are kept for the auditable actions related to e-cheque. It supports batch generation of e-cheque(s) according to the signing instruction submitted by the enterprise , iaspec All rights reserved (14-W120-1 en) Page 7

9 COMPONENTS OF AT.SIGN (FOR E-CHEQUE) Architecturally, AT.SIGN (for e-cheque) comprises these components or subsystems as shown in the above diagram. It includes a set of core e-cheque features for generation of e-cheque, and another set of optional feature which provide some e-cheque specific business logic. AT.SIGN (for e-cheque) provides the following core features: e-cheque generation signing, and certification This module is responsible for generating and signing e-cheque in full compliance with HKMA s standard The signatory rules will determine the required no. of signature boxes based on cheque amount e-cheque digital signature e-cheque signatures are optionally verified at the time of presentment This is a method to detect any changes in , iaspec All rights reserved (14-W120-1 en) Page 8

10 verification signatory rules from the time of e-cheque signing to time of presentment Hardware Abstraction Layer This abstraction layer hides the underlying differences among various HSM & Time-stamping servers to offer a unified interface for applications to access AT.Sign e-cheque Modules and CA Gateway Additional e-cert storage management of the digital certificates is provided for all registered e-cheque signers, such as retrieval of certificates for signing and verification. Protection is offered by FIPS-140 compliant HSMs Provide open standard based interface to Certificate Authority Gateway (CA gateway) and support for various HSM vendors Certificate Authority (CA) Gateway and Interface A secure channel for interfacing with the CA can be implemented (for example, the process of digital certificate distribution can be automated through this interface between the CA and the AT.SIGN system) Performing Certificate management instructions from the CA (e.g. revocation, downloading of blacklist and actions) Web Service API and Client Library Web Services API and Client Library that can be used in the integration with the target application systems running on a variety of platforms (ios, Android, Windows, Java Applet); Customized features can be added to the library based on the customization needs of the applications , iaspec All rights reserved (14-W120-1 en) Page 9

11 AT.Sign also provides the following additional features for optional use: e-cheque Account and Signatory rule management by bank accounts E-Cheque account and signers can be created at the time customer registered for the services. Signatory Rules are encoded as sets of Boolean equations in XML format. Boolean algebra is used in evaluation of signature verifications, particularly for e-cheque(s) signed by multiple parties e-cheque number management Allocate cheque number for each e-cheque account analog to the cheque book in physical world The e-cheque number preserves what in the paper cheque. The payee could reference to the cheque number same as in paper cheque. e-cheque ledger for bank accounts Details of e-cheque(s) signed are kept in this ledger for the retention period defined by your bank Audit trail is available for auditable actions related to the e-cheque account e-cheque Payee Name Matching System evaluates if the e-cheque Payee Name matches the deposit account name according to the matching rules and risk level defined by the administrator. Confidence level is applied to matched results Manual adjustment of matching results is possible on per A/C basis, and system can learn from adjusted results to improve matching accuracy , iaspec All rights reserved (14-W120-1 en) Page 10

12 INTEGRATION WITH AT.SIGN (FOR E-CHEQUE) The AT.SIGN solution is designed in the form of an App Engine. "App Engine" used in the current context can be understood as a set of software services that can be invoked, in a loosely coupled form, by a collection of applications. The intent is to make the target applications easier to design, develop and to maintain by factoring out some of the core features and more complex processes needed in these applications. The App Engine provides a level of abstraction for the core processes and basic services of digital signing. These functions (also referred to as "services") are implemented in a way such that the lower-level details are hidden from the higher level applications. This "separation of concerns" provides clear and well-defined boundaries isolating the internals of the App Engine from the exposed outside view that the applications can use in invoking these functions. The functions are sufficient fine-grained to promote reusability; they are also modular in nature to support service autonomy; highly composable to form more complex composite functions; and interoperable with different technologies which banks may choose to implement the target applications. AT.SIGN (for e-cheque) App Engine provides a set of web services that are designed specifically to support digital signing of e-cheque documents by other trusted applications. This Web Service based interface can be used for integration with applications developed using various types of technologies and languages , iaspec All rights reserved (14-W120-1 en) Page 11

13 INTEGRATION USING AT.SIGN (FOR E-CHEQUE) CORE FEATURES Two single e-cheque signing scenarios are supported, namely signing on server side using Special Purpose Certificate (protected by HSM), and signing on client side using General Purpose Certificate. Steps involved in issuing an e-cheque are: 1. Preparation of e-cheque according to e-cheque parameters provided by customer. 2. Evaluation of the signature requirement according to the signatory rule. 3. User s confirmation of e-cheque signing (may require input of an OTP) using either Special Purpose Certificate or General Purpose Certificate. 4. Certification of e-cheque on behalf of the bank once it has satisfied the signatory rules. In addition to the above single e-cheque issuing scenarios, AT.Sign also supports multiple e-cheque issuance through batch processing for corporate customers: 1. Enterprise e-cheque user can submit a data file containing details of those e-cheque(s) to be generated 2. According to submitted data, system will generate an e-cheque Signing Instruction for user s review and confirmation 3. User can confirm this instruction by signing it using his/her own digital certificate. This signed instruction will serve as a record for the bank and a reference for the user. 4. E-Cheque(s) will be generated and issued according to this signed instruction , iaspec All rights reserved (14-W120-1 en) Page 12

14 AT.Sign (for e-cheque) supports all these e-cheque issuing processes by offering the following core web services: Service Group e-cheque Issuing Services e-cheque Batch Signing Services e-cheque Verification Services Name of the Major Functions Perform Signatory Rule Assessment Update Signatory Rule Assessment List Signatory Result Type Check Signing Eligibility General e-cheque Image Generate e-cheque PDF Sign e-cheque Certify e-cheque List e-cheque Remove Pending e-cheque Retrieve Pending e-cheque Generate e-cheque (Detached) Sign e-cheque (Detached) Lock e-cheque Release e-cheque Stop e-cheque Set e-cheque to Clear Generate Signing Instruction Sign Signing Instruction Generate Signing Instruction (Detached) Sign Signing Instruction (Detached) Generate e-cheque by Signing Instruction List e-cheque by Signing Instruction ID For Payee Bank Verify validity of e-cheque s digital signature Match the payee name of e-cheque against the name of deposit account with logic to determine if the name matches or not in cases of minor inconsistencies , iaspec All rights reserved (14-W120-1 en) Page 13

15 Allow override of the name matching result. The system can learn the matching exception to improve matching accuracy on per account basis Provide abstract interface to allow implementing a plug-in for integration with central clearing. This allows double-presentment verification. For Payer Bank Verify validity of e-cheque digital signature, optionally, verify if the signatory rule has been changed after the cheque was issued. USING AT.SIGN (FOR E-CHEQUE) ADDITIONAL FEATURES This group of services provides e-cheque specific business functions for easy implementation of e-cheque services. For example, it provides provisioning and maintaining of e-cheque Signer profile. Each e-cheque Signer profile is registered with one corresponding digital certificate (either General Purpose Certificate or Special Purpose Certificate, or both). It is associated with one or multiple e-cheque Account(s) of that customer for the issuing of e-cheque. Such Signer to e-cheque association mechanism allows flexible utilization of digital certificates. Each e-cheque A/C can be configured with its own signatory rules to determine whether single or multiple signers are required to sign e-cheque(s) according to the rules defined by customer. It provides the follow functions in the form of web services: Service Group Signer Provisioning Name/Description of the Key Functions Create/Update Signer Profile This is for the creation of a signer profile and a Signer , iaspec All rights reserved (14-W120-1 en) Page 14

16 Service Profile reference will be returned. Banks can also assign their own Bank Reference in order to identify this profile. CA Gateway will be invoked to generate and apply Special Purpose Certificate for this profile Registration of General Purpose Certificate for the signer Update Signer Status Activate / de-activate a profile Remove a Signer Profile Revoke digital certificate. e-cheque A/C Maintenance Service e-cheque Ledger Inquiry Services Create/Update e-cheque A/C Associate/De-associate an e-cheque A/C with a Signer Profile Create/Update Signatory Rule under this e-cheque A/C Multiple versions of signatory rule can exist under one single e-cheque A/C but only one can be active at a specific moment. Those expired signatory rules will be removed from the system at a scheduled time Create/Update/Remove Signer Group Definition for the e-cheque A/C Retrieve e-cheque Ledger Download e-cheque Ledger , iaspec All rights reserved (14-W120-1 en) Page 15