Electronic Signature in the banks data/order exchanges within the small, medium-sized or large corporate and their banks in France

Transcription

1 LCEN-ETSI e-sign Workshop Paris November 21 st Electronic Signature in the banks data/order exchanges within the small, medium-sized or large corporate and their banks in France Yves Le Querrec 1

2 Reminder: ETEBAC Protocol since 1984 ETEBAC 3 and 5 are the two file transfer protocols which till 2011 are currently used in France ETEBAC 3 is a very basic file transfer over X 25 (around corporate) ETEBAC 5 is a secured and signed file transfer defined over X 25 protocol network Launched in 1988 with a 512 bits key length Upgraded en 1998 with a 1024 bits key length Around corporate 2

3 2005: Thinking on the migration phase End of the X25 Network announced for end of 2011 Security Upgrade necessary for the length keys End of the Hardware Chip Smart Card used on the ETEBAC 5 Signature SEPA ISO format not supported by ETEBAC th of November Official Launch for ETEBAC protocol replacement. 2 solutions supported by the CFONB SWIFTNet EBICS, Electronic Banking Internet Communication Standard, the new standard of exchanges developed by the German Banking Community DK Deutch Kreditausschuss (Formerly ZKA Zentraler KreditAusschuss) 3

4 EBICS Short presentation Open Communication Protocol over TCP / IP Respect the same exchange process as ETEBAC communication protocol Point to point communication protocol Using open standards like XML HTTP/S Fixed or variables formats supported Multimodal Personal E-Signature supported joined un-joined

5 EBICS Security Use HTTP/S Server Certificate (mandatory distributed by Certificate Authority) Use 3 Public/Private Keys pairs for the user RSA Keys Pair in Germany X509 Certificate in France Use 2 Public/private Key pairs for the Bank Server RSA Keys Pair in Germany X509 Certificate in France

6 Exchange Format in the EBICS protocol EBICS use Order Types Messages Technical Order Type Initialization Keys or certificates Management. General Order Types FUL (upload file with any format) FDL (download file with any format) BankOrder Order Types Used in Germany File Format with General Order Type used in France Status reports PTK (Customer Report) in Germany PSR (ISO Payment status Report) in France

7 EBICS implementation in France 2 levels of EBICS EBICS T, Transport only, without personal E- Signature. Machine E-Signature used to the Integrity Control. Designed to replace ETEBAC 3 Out-of-band confirmation (necessary to authorize the bank to process the file Order) sent by other channel (usually by a signed fax or by Web banking and E-Siganture) EBICS TS, Transport and Signature, with E- Signature by a personal Signature Certificate Designed to replace ETEBAC 5 Only 1 sending with all Signatures

8 EBICS E-Signature Short Features 3 modes of E-Signature ES level = 0 Transport Only (EBICS T implementation in France) ES Level = 1 One E-Signature is mandatory (EBICS TS implementation in France) ES Level = 2 Two E-Signature are mandatory In the same sending (EBICS TS implementation in France) Disjoined sending (VEU Distributed Electronic Signature concept in Germany)

9 Selected French Certificate features Mandatory for Personal Signature Certificates hardware support (usually slim-card or USB dongle). face to face in enrolment phase EBICS messages signature use algorithm of hash SHA 256 and key's length = Separate Key Usage, Signature Certificate must be different from Identification/Authentication and Encryption certificates. Other Certificates Authentication and Encryption can be on hardware or software support or self signed certificates. For EBICS T only, all (Authentication, Encryption and Signature ) certificates can be self-signed or CA certificates.

10 EBICS development roadmap in France 2008 Launch of the press communication by the CFONB to fix the choise of SWIFTNet and EBICS Protocol Launch of the EBICS Technical Working Group to define the new common specifications 4 expert members from Germany and 4 experts from France Publication of the version 2.4 of EBICS protocol including Certificate usage and File Format usage in France. Development and diffusion of EBICS T. German Implementation Guide Line French Implementation Guide Line Definition of the EBICS Co organization status (board of Directors with 4 members from Germany and 4 from France) 2010 Publication of the Personal Certificate Characteristics Launch of the EBICS TS development Launch of the EBICS Co Organization in Brussels 2011 Launch of the version 2.5 of the specifications Common Implementation Guide line (always differences between France and Germany) End of ETEBAC migration (to EBICS or SWIFTNet solutions) for the end of this year 2013 Launch of the first common Implementation Guide Line (same implementation in both countries) with the version 2.6 of EBICS. 10

11 Other CFONB Works about E-Signature Publication of the PAC (in French Politique d Acceptation Commune i.e Policy of Common Acceptance ). PAC defines: Certificates which may be exchange between customers/corporates and banking applications. Requirements to be published in the PAC trusted List For Certificates, For PAC banking application (Acceptance) The PAC Policy is based on the French RGS Referential or foreign ones. EBICS Certificates are compliant with PAC technical characteristics several CAs (Bank and none Bank) have already been registered as PAC compliant.ca s. PAC trusted list published on CFONB site 11

12 Other CFONB Working 2011 Development of the Common Validation Policy Certificate Validation E-Signature Validation Proof management Record management Time-Stamp..

13 Thank for your attention All EBICS specification are on the EBICS Web Site All Information on CFONB Working Tasks are on the CFONB (Comité Français d Organisation et de Normalisation Bancaire, the French Banking Organization and Normalization Committee) Web site 13