Auditing Norms for PKI-based Applications

Introduction

The use of alternative channels like the Internet and mobile to exchange information and money is now commonplace. Although some security concerns do persist, the fact remains that systems such as RTGS (Real Time Gross Settlement), NEFT or SWIFT are among the most reliable and safe mechanisms of fund transfer and messaging that we have ever known. It is natural to ask how that is possible.

The secret to this is “Public Key Infrastructure” (PKI).

PKI makes it possible for retail and bank users to safely and privately exchange money and information over a public channel, by generating a pair of cryptographic keys – one public, typically stored in a browser, and the other private, usually stored on a smart card – which is received and shared with the help of a trusted authority. A Digital Certificate/Signature connected to the message helps to identify and authenticate users – senders who use a public key to encrypt data as well as receivers who use a private key to decrypt it.

There are a number of PKI systems in existence. For example, international financial and non-financial messages via SWIFT (Society for Worldwide Interbank Financial Telecommunication) are transported over international PKI, whereas local transactions are typically supported by separate domestic infrastructure established by the Central Bank of each country.

Organization Structure

The organization structure of a PKI system has the following three tiers:

•   Controller of Certifying Authority (CCA): This is a Government authority and the apex of the PKI organization. For example, in India, the CCA has been established under the provisions of the Information Technology Act, and works under the Ministry of Information Technology in New Delhi. The CCA is responsible for providing the Root Certificate, under which all other certificates are granted.

•   Certifying Authority (CA): There are a number of Certifying Authorities, which are responsible for issuing Digital Certificates after verifying the documents of identity; these agencies report to the CCA. The Reserve Bank of India has established a separate CA exclusively for banking applications, and has been followed by a number of private agencies.

•   Registration Authority (RA): Every bank has a Registration Authority, which represents it and its employees. It is the RA which verifies the employees of the bank for whom Digital Certificates are needed, consolidates the requirements, and then approaches the CA for issuing the certificates. Incidentally, each bank sets its own policies regarding which employees should be issued a certificate.

From the above description and diagram it is clear that the PKI hierarchy follows a “trust model”, in which each tier performs a specific function:

•   The CCA represents the law of the land and assures legal validity of all the Digital Signatures/Certificates issued in the country of its jurisdiction. It also devolves authority upon the various CAs.

•   The CAs are responsible for the actual issuance of certificates.

•   The RAs represent and take care of the interests of individual banks with respect to the end-to-end management of Digital Certificates.

The Need for PKI Systems Audit

Having designed and implemented such an elaborate Public Key Infrastructure, it is equally important to ensure that it works properly. This is the goal of PKI Systems audit.
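The trust model above can be checked mechanically: an employee certificate issued through the RA must chain through the bank's CA to a root under the CCA, and, for audit purposes, every link must have been valid at the time the signature was made rather than at the time of the audit (the certificate-expiry problem the paper takes up in its audit sections). The following Python is an added example, not code from the paper or from Finacle; the certificate records, serials and dates are constructed, two roots overlap to model a CCA root rollover, and validity is judged from the notBefore/notAfter windows and issuer links only, with no cryptographic signature verification.

```python
"""Chain-of-trust check evaluated as of the signing time.

Added example, not from the paper.  Certificate records, serials and dates
are constructed; validity is judged from the notBefore/notAfter windows and
the issuer links only (no cryptographic signature verification here).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class CertRecord:
    """The fields of an X.509 certificate an auditor needs for this check."""
    serial: str
    subject: str
    issuer: str          # serial of the issuing certificate; "" for a root
    not_before: datetime
    not_after: datetime


def utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp that carries a zone offset and normalise to UTC."""
    t = datetime.fromisoformat(stamp)
    if t.tzinfo is None:
        raise ValueError(f"timestamp without zone offset: {stamp}")
    return t.astimezone(timezone.utc)


# Constructed hierarchy: two CCA roots that overlap during a rollover, a bank
# CA certified under each, and two employee certificates issued via the RA.
CERTS: Dict[str, CertRecord] = {c.serial: c for c in [
    CertRecord("ROOT-1", "CN=CCA Root 1", "",       utc("2010-01-01T00:00:00+05:30"), utc("2016-12-31T23:59:59+05:30")),
    CertRecord("ROOT-2", "CN=CCA Root 2", "",       utc("2016-01-01T00:00:00+05:30"), utc("2026-12-31T23:59:59+05:30")),
    CertRecord("CA-7",   "CN=Bank CA",    "ROOT-1", utc("2014-06-01T00:00:00+05:30"), utc("2017-05-31T23:59:59+05:30")),
    CertRecord("CA-9",   "CN=Bank CA",    "ROOT-2", utc("2016-06-01T00:00:00+05:30"), utc("2019-05-31T23:59:59+05:30")),
    CertRecord("EMP-42", "CN=Teller 42",  "CA-7",   utc("2015-03-01T00:00:00+05:30"), utc("2016-02-28T23:59:59+05:30")),
    CertRecord("EMP-77", "CN=Teller 77",  "CA-9",   utc("2017-01-01T00:00:00+05:30"), utc("2018-12-31T23:59:59+05:30")),
]}
TRUST_ANCHORS: Set[str] = {"ROOT-1", "ROOT-2"}   # both roots kept during the rollover


def verify_chain_at(serial: str, signed_at: str,
                    certs: Dict[str, CertRecord] = CERTS,
                    anchors: Set[str] = TRUST_ANCHORS) -> Tuple[bool, str]:
    """Walk from the signing certificate up to a trust anchor.

    Every link must have been valid at signed_at (converted to UTC), so a
    signature made years ago still verifies during audit even though the
    certificates involved have expired since.
    """
    t = utc(signed_at)
    seen = set()
    cur = serial
    while True:
        if cur in seen:
            return False, f"{cur}: issuer loop"
        seen.add(cur)
        cert = certs.get(cur)
        if cert is None:
            return False, f"{cur}: unknown certificate"
        if t < cert.not_before:
            return False, f"{cur}: not yet valid at {t.isoformat()}"
        if t > cert.not_after:
            return False, f"{cur}: expired at {t.isoformat()}"
        if cur in anchors:
            return True, f"{serial}: chain valid at {t.isoformat()}, ends at trusted root {cur}"
        if cert.issuer == "":
            return False, f"{cur}: self-signed but not a trust anchor"
        cur = cert.issuer


if __name__ == "__main__":
    # Signed while EMP-42, CA-7 and ROOT-1 were all valid: passes today although all three have expired.
    print(verify_chain_at("EMP-42", "2015-09-15T14:05:00+05:30"))
    # Signed one day after EMP-42 expired.
    print(verify_chain_at("EMP-42", "2016-03-01T09:00:00+05:30"))
    # Signed by the CA itself after its root expired: the walk must reach the root to catch this.
    print(verify_chain_at("CA-7", "2017-03-01T00:00:00+05:30"))
    # Local calendar dates mislead: 03:00 on 1 Jan 2019 in Tokyo is still 31 Dec 2018 in UTC ...
    print(verify_chain_at("EMP-77", "2019-01-01T03:00:00+09:00"))
    # ... while 23:00 on 31 Dec 2018 in New York is already past the expiry.
    print(verify_chain_at("EMP-77", "2018-12-31T23:00:00-05:00"))
```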




Banks routinely undergo manual audit of business operations, as well as separate audits for information systems and information systems security. Information systems audit is defined as a periodic activity in which data and information systems are accessed and verified for desired business results, in order to understand whether the systems are working properly or not.

For the same reason, it is also necessary to audit PKI Systems. While the auditing of PKI applications costs time and money, banks must make the investment to ensure that these critical applications are functioning well.

Although PKI audit falls within the ambit of information systems audit, its norms vary somewhat. One of the key differences and challenges of PKI audit is that, unlike physical signatures, Digital Certificates and Signatures have a fixed life, after which they automatically expire. When that happens, messages pertaining to the transactions involving the expired certificates cannot be verified during audit, and hence it becomes impossible to establish the legality of those transactions. One of the ways to circumvent this problem is to create a simulated environment and push data into it for the purpose of the audit.

PKI audit must occur at two levels: that of the structure and that of the application. The first examines the processes and norms in use by the various tiers of the PKI organization, namely the CCA, CA and RA. The second audits the different PKI applications and the way they participate in the business.

Ideally, as the below diagram shows, there should be a separate audit at each level of the PKI organization, and also of PKI applications.

Taking the example of India once again, it is observed that the Controller of Certifying Authority is very conscious of its responsibility and undergoes rigorous internal audit at regular intervals. Similarly, RBI and other Certifying Authorities also conduct audits for PKI systems. Audit of the Registration Authority at each bank is necessary to ensure that all the certificates issued to current employees are valid, and also that those previously issued to employees who have since left are no longer so.

The auditing of information systems – of which PKI is a part – is a vast domain, which covers most general practices. Unfortunately, it does not lay down any specific guidelines for the way in which PKI applications must be audited. Consequently, banks approach the audit as one more compliance mandate that must be fulfilled. This is a pity, because PKI audit plays a big role in ensuring that the systems are in order, and thereby reduces security lapses.

This paper attempts to raise awareness of auditing norms for PKI-based applications.

Auditing PKI Applications

Another key constraint of PKI audit (besides the limited validity of certificates mentioned earlier) is that it can only be a partial one. This is because PKI transactions always involve an external organization, which is outside the audit’s purview. An application module deployed at a Registration Authority may be audited for what it does within its own four walls, but it is not possible to evaluate its interactions with other modules at external agencies, such as a Certifying Authority. The auditors simply have to accept this and move on.

There need to be two separate audits, one for the structure (CCA, CA, RA etc.) and one for the applications, both of which will suffer from this constraint.

While auditing the structure, the auditor is supposed to follow certain norms to check:

•   Whether certificate-related backups are taken and stored at the CCA level

•   Whether, during the verification of individual signatures, verification is done up to the root level

•   Whether the CAs are correctly following the norms pertaining to the storage of keys




    with primary and backup servers, and whether they have adequately secure storage infrastructure

•   Whether any time gaps or differences in time zones are taken into account while transitioning from one root CCA certificate to another. It is important that PKI applications have a feature to support time gaps, and even the occasional co-existence of root certificates with different validities

Difference Between PKI-based Application Audit and Regular Information Systems Audit

In general, the audit norms are similar; however, PKI-based applications have certain constraints, which need to be addressed during audit.

•   Digital Signature generation is a run-time operation; applications generating and verifying a Digital Signature always couple it with the date and time of its creation. What this means is that whenever a Digital Signature is affixed to a message, there is a date and time attached to it. Also, as mentioned earlier, the Digital Signature has a limited validity.

•   PKI modules always check the validity of Digital Certificates during verification by continuously polling the system date. This might occasionally create a conflict if the verification involves countries in two distant time zones, such as South Africa and Japan.

•   During PKI application audit it is important to gather the relevant time stamps and verification logs for future reference, in an offline process.

•   Given the impact and risk associated with PKI transactions, it is very important for the auditor to cross-check each transaction signature against the log, something that is seldom required in conventional audit.

•   In general, an audit is conducted to check business value at the organization level, as well as compliance. PKI audit highlights the enormous technology risks which PKI-based applications bring to daily banking operations. It is important to note that such transactions are very secure as long as the private keys are not compromised.

Overcoming the Challenges of PKI Application Audit

•   Using secondary servers to replicate data as well as change the date can circumvent the run-time dependency of PKI applications. In this way, signatures may be verified without impacting the normal course of business.

•   Different key generation algorithms used by different applications may lead to variation in security practices and outcomes. For example, until some time ago the SHA1 hash algorithm was very popular; now SHA2 has taken its place in many PKI applications. Hence, any proprietary tools used during audit must be able to accommodate such changes.

•   Frequently, browser-based applications do not recognize the local Certifying Authority and, consequently, browser-based tools of audit do not recognize valid transactions and messages. This is a known problem, which CAs can solve by registering their names with the vendors of different browsers.

•   An important goal of the audit is to discover any mismatch in data between the messaging layer and the business layer. Sometimes, because of errors in the network, messages get delayed. The rescheduling of messages/transactions impacts normal account closing at end of day (EOD). Hence, while linking EOD and BOD (beginning of day) operations to accounting entries, it is important to take care of any time gaps.

•   “Hidden snake in the tunnel”: Often, banks implement PKI only at the module level, and bypass the PKI channel while accessing data, because it is faster and more convenient to do so. It is the auditor’s responsibility to find such occurrences and bring them within the audit band. It has been found during audit that banks take the required data directly from middleware, databases or even logs, bypassing signature verification.

•   Many banks allocate separate drives to store logs generated by PKI applications. They must exercise adequate access control over such logs by correctly maintaining system-level access.




•   It is a normal practice among banks to copy Digital Certificates from their primary site to a secondary/Disaster Recovery (DR) site located on a different seismic plate, as part of Business Continuity Planning (BCP). Certain PKI modules may not allow the movement of certificates which are tightly coupled with the system’s IP address. In such cases, while shifting data from one server to another, it is necessary to ensure that the DR/BCP servers have the same system IP address. This must be considered during audit.

•   Digital Certificates are normally stored on smart cards, Hardware Security Modules or hard disks; during BCP drills it is important to make sure that the movement of any PKI-related artifacts, such as digital certificates or security modules, is conducted by way of a standardized process and is also audited.

•   Since certificates are often revoked as per banks’ policies, PKI applications should have the capability to connect to the CA’s central server periodically to check the CRL (Certificate Revocation List). An auditor should also check for revocation, and whether the transactions pertaining to revoked certificates have also been revoked correctly.

•   At times, the CCA revokes its own root certificates and issues new ones. This in turn revokes the CAs’ certificates, and invalidates all Digital Certificates allied to them. In such cases, the auditor should audit the application to check for a provision for a second root certificate.

Author
Makarand Madhukar Baji
Senior Consultant – Finacle Payments
Infosys
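The log cross-check, the “hidden snake in the tunnel” and the CRL point raised in the paper can be combined into a single reconciliation pass over the messaging layer's verification log and the business layer's posting log. The following Python is an added example, not code from the paper or from Finacle: the log formats, message ids, serials, amounts and the CRL are constructed, and the pass reports a posting with no OK verification record, a posting whose certificate was already revoked at signing time, and a message that crossed the EOD boundary between signing and posting.

```python
"""Reconciling the messaging layer with the business layer.

Added example, not from the paper.  All log lines, ids, serials and the CRL
are constructed for illustration.  Log format (pipe separated):
  verification log: msg_id|signed_at|cert_serial|result
  posting log:      msg_id|posted_at|amount
Timestamps carry a zone offset; the business day is taken in the zone
recorded in the log (+05:30 here).
"""
from datetime import datetime

# Constructed messaging-layer verification log (one line per signature check).
VERIFY_LOG = """\
M1001|2018-03-05T10:15:00+05:30|EMP-77|OK
M1002|2018-03-05T10:20:00+05:30|EMP-31|OK
M1004|2018-03-05T10:40:00+05:30|EMP-77|FAIL
M1005|2018-03-05T23:55:00+05:30|EMP-77|OK
"""

# Constructed business-layer posting log.
POSTING_LOG = """\
M1001|2018-03-05T10:15:30+05:30|25000.00
M1002|2018-03-05T10:20:40+05:30|1200.00
M1003|2018-03-05T10:30:10+05:30|99000.00
M1004|2018-03-05T10:41:00+05:30|4500.00
M1005|2018-03-06T00:10:00+05:30|800.00
"""

# Constructed CRL: certificate serial -> revocation time.
CRL = {"EMP-31": datetime.fromisoformat("2018-03-01T00:00:00+05:30")}

VERIFY_FIELDS = ["msg_id", "signed_at", "cert_serial", "result"]
POSTING_FIELDS = ["msg_id", "posted_at", "amount"]


def parse_log(text, fields):
    """Split a pipe-separated log into dicts; blank lines are ignored."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(fields):
            raise ValueError(f"malformed log line: {line!r}")
        rows.append(dict(zip(fields, parts)))
    return rows


def reconcile(verify_log=VERIFY_LOG, posting_log=POSTING_LOG, crl=CRL):
    """Return {msg_id: [findings]} for every posting; an empty list means clean."""
    verified = {r["msg_id"]: r for r in parse_log(verify_log, VERIFY_FIELDS)}
    findings = {}
    for post in parse_log(posting_log, POSTING_FIELDS):
        mid = post["msg_id"]
        issues = []
        v = verified.get(mid)
        if v is None:
            # The business layer posted something the messaging layer never
            # verified: the "hidden snake in the tunnel".
            issues.append("posted without any signature verification record")
            findings[mid] = issues
            continue
        if v["result"] != "OK":
            issues.append(f"posted although verification result was {v['result']}")
        signed_at = datetime.fromisoformat(v["signed_at"])
        posted_at = datetime.fromisoformat(post["posted_at"])
        revoked_at = crl.get(v["cert_serial"])
        # Aware datetimes compare correctly even when offsets differ.
        if revoked_at is not None and signed_at >= revoked_at:
            issues.append(f"certificate {v['cert_serial']} was revoked at {revoked_at.isoformat()} before signing")
        # A delayed message signed on one business day but posted on the next
        # lands in the wrong EOD/BOD accounting window.
        if signed_at.date() != posted_at.date():
            issues.append(f"signed on business day {signed_at.date()} but posted on {posted_at.date()} (crossed EOD)")
        findings[mid] = issues
    return findings


def amount_at_risk(findings, posting_log=POSTING_LOG):
    """Sum of posted amounts for messages that have at least one finding."""
    total = 0.0
    for post in parse_log(posting_log, POSTING_FIELDS):
        if findings.get(post["msg_id"]):
            total += float(post["amount"])
    return round(total, 2)


if __name__ == "__main__":
    result = reconcile()
    for mid, issues in sorted(result.items()):
        print(mid, "clean" if not issues else "; ".join(issues))
    print("amount at risk:", amount_at_risk(result))
```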




 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Dernier (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Perspective: Auditing norms for pki based applications

Auditing Norms for PKI-based Applications
Universal Banking Solution | System Integration | Consulting | Business Process Outsourcing

Introduction

The use of alternative channels like the Internet and mobile to exchange information and money is now commonplace. Although some security concerns do persist, the fact remains that systems such as RTGS (Real Time Gross Settlement), NEFT or SWIFT are among the most reliable and safe mechanisms of fund transfer and messaging that we have ever known. It is natural to ask how that is possible.

The secret to this is "Public Key Infrastructure" (PKI).

PKI makes it possible for retail and bank users to safely and privately exchange money and information over a public channel, by generating a pair of cryptographic keys – one public, typically stored in a browser, and the other private, usually stored on a smart card – which is received and shared with the help of a trusted authority. A Digital Certificate/Signature connected to the message helps to identify and authenticate users – senders who use a public key to encrypt data as well as receivers who use a private key to decrypt it. There are a number of PKI systems in existence. For example, international financial and non-financial messages via SWIFT (Society for Worldwide Interbank Financial Telecommunication) are transported over international PKI, whereas local transactions are typically supported by separate domestic infrastructure established by the Central Bank of each country.

Organization Structure

The organization structure of a PKI system has the following three tiers:

• Controller of Certifying Authority (CCA): This is a Government authority and the apex of the PKI organization. For example, in India, the CCA has been established under the provisions of the Information Technology Act, and works under the Ministry of Information Technology in New Delhi. The CCA is responsible for providing the Root Certificate, under which all other certificates are granted.

• Certifying Authority (CA): There are a number of Certifying Authorities, which are responsible for issuing Digital Certificates after verifying the documents of identity; these agencies report to the CCA. The Reserve Bank of India has established a separate CA exclusively for banking applications, and has been followed by a number of private agencies.

• Registration Authority (RA): Every bank has a Registration Authority, which represents it and its employees. It is the RA which verifies the employees of the bank for whom Digital Certificates are needed, consolidates the requirements, and then approaches the CA for issuing the certificates. Incidentally, each bank sets its own policies regarding which employees should be issued a certificate.

From the above description and diagram it is clear that the PKI hierarchy follows a "trust model", in which each tier performs a specific function:

• The CCA represents the law of the land and assures legal validity of all the Digital Signatures/Certificates issued in the country of its jurisdiction. It also devolves authority upon various CAs.

• The CAs are responsible for the actual issuance of certificates.

• The RAs represent and take care of the interests of individual banks with respect to the end-to-end management of Digital Certificates.

The Need for PKI Systems Audit

Having designed and implemented such elaborate Public Key Infrastructure, it is equally important to ensure that it works properly. This is the goal of PKI Systems audit.
Banks routinely undergo manual audit of business operations, as well as separate audits for information systems and information systems security. Information systems audit is defined as a periodic activity in which data and information systems are accessed and verified for desired business results, in order to understand whether the systems are working properly or not.

For the same reason, it is also necessary to audit PKI systems. While the auditing of PKI applications costs time and money, banks must make the investment to ensure that these critical applications are functioning well.

Although PKI audit falls within the ambit of information systems audit, its norms vary somewhat. One of the key differences and challenges of PKI audit is that, unlike physical signatures, Digital Certificates and Signatures have a fixed life, after which they automatically expire. When that happens, messages pertaining to the transactions involving the expired certificates cannot be verified during audit, and hence it becomes impossible to establish the legality of those transactions. One of the ways to circumvent this problem is to create a simulated environment and push data into it for the purpose of the audit.

PKI audit must occur at two levels: that of the structure and that of the application. The first one examines the processes and norms in use by the various tiers of the PKI organization, namely the CCA, CA and RA. The second one audits different PKI applications and the way they participate in the business.

Ideally, as the below diagram shows, there should be a separate audit at each level of the PKI organization, and also of PKI applications.

Taking the example of India once again, it is observed that the Controller of Certifying Authority is very conscious of its responsibility and undergoes rigorous internal audit at regular intervals. Similarly, RBI and other Certifying Authorities also conduct audits for PKI systems. Audit of the Registration Authority at each bank is necessary to ensure that all the certificates issued to current employees are valid, and also that those previously issued to employees who have since quit are no longer so.

The auditing of information systems – of which PKI is a part – is a vast domain, which covers most general practices. Unfortunately, it does not lay down any specific guidelines for the way in which PKI applications must be audited. Consequently, banks approach the audit as one more compliance mandate that must be fulfilled. This is a pity, because PKI audit plays a big role in ensuring that the systems are in order, and thereby reduces security lapses.

This paper attempts to raise awareness of auditing norms for PKI-based applications.

Auditing PKI Applications

Another key constraint of PKI audit (besides the limited validity of certificates mentioned earlier) is that it can only be a partial one. This is because PKI transactions always involve an external organization, which is outside the audit's purview. An application module deployed at a Registration Authority may be audited for what it does within its own four walls, but it is not possible to evaluate its interactions with other modules at external agencies, such as a Certifying Authority. The auditors simply have to accept this and move on.

There need to be two separate audits, one for the structure (CCA, CA, RA etc.) and one for the applications, both of which will suffer from this constraint. While auditing the structure, the auditor is supposed to follow certain norms to check:

• Whether certificate related backups are taken and stored at the CCA level

• Whether, during the verification of individual signatures, verification is done up to the root level

• Whether the CAs are correctly following the norms pertaining to the storage of keys with primary and back up servers, and whether they have adequately secure storage infrastructure

• Whether any time gaps or differences in time zones are taken into account while transitioning from one root CCA certificate to another. It is important that PKI applications have a feature to support time gaps, and even the occasional co-existence of root certificates with different validities

Difference Between PKI-based Application Audit and Regular Information Systems Audit

In general, the audit norms are similar; however, PKI-based applications have certain constraints, which need to be addressed during audit.

• Digital Signature generation is a run time operation; applications generating and verifying a Digital Signature always couple it with the date and time of its creation. What this means is that whenever a Digital Signature is affixed to a message there's a date and time attached to it. Also, as mentioned earlier, the Digital Signature has a limited validity.

• PKI modules always check for the validity of Digital Certificates during verification by continuously polling the system date. This might occasionally create a conflict if the verification involves countries in two distant time zones, such as South Africa and Japan.

• During PKI application audit it is important to gather the relevant time stamps and verification logs for future reference, in an offline process.

• Given the impact and risk associated with PKI transactions, it is very important for the auditor to cross check each transaction signature against the log, something that is seldom required in conventional audit.

• In general, an audit is conducted to check business value at the organization level, as well as compliance. PKI audit highlights the enormous technology risks which PKI-based applications bring to daily banking operations. It is important to note that such transactions are very secure as long as the private keys are not compromised.

Overcoming the Challenges of PKI Application Audit

• Using secondary servers to replicate data as well as change the date can circumvent the run time dependency of PKI applications. In this way, signatures may be verified without impacting the normal course of business.

• Different key generation algorithms used by different applications may lead to variation in security practices and outcomes. For example, until some time ago, the SHA1 algorithm was very popular; now SHA2 has taken its place in many PKI applications. Hence, any proprietary tools used during audit must be able to accommodate such changes.

• Frequently, browser based applications do not recognize the local Certifying Authority and, consequently, browser based tools of audit do not recognize valid transactions and messages. This is a known problem, which CAs can solve by registering their names with the vendors of different browsers.

• An important goal of the audit is to discover any mismatch in data between the messaging layer and the business layer. Sometimes, because of some errors in the network, messages get delayed. The rescheduling of messages/transactions impacts normal account closing at end of day (EOD). Hence, while linking EOD and BOD (beginning of day) operations to accounting entries, it is important to take care of any time gaps.

• "Hidden snake in the tunnel": Often, banks implement PKI only at the module level, and bypass the PKI channel while accessing data, because it is faster and more convenient to do so. It is the auditor's responsibility to find such occurrences and bring them within the audit band. It has been found during audit that banks take the required data directly from middleware, databases or even logs, after bypassing signature verification.

• Many banks allocate separate drives to store logs generated by PKI applications. They must exercise adequate access control over such logs by correctly maintaining system level access.
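The last three points in the list above (mismatches between the messaging layer and the business layer, EOD/BOD time gaps across time zones, and transactions that bypass signature verification) can be caught by reconciling the PKI verification log against the accounting postings. The Go program below is an added example, not code from the paper or from any bank's system; the two log formats, the transaction ids, the employee ids and the bank's local zone (IST) are all constructed assumptions. It normalises each signer's local time stamp to the bank's business date before comparing it with the posting date, flags postings that have no verification record or a failed verification, and flags verified messages that were never posted.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample logs for the example (not real bank data).
// Messaging layer: one line per signature verification, with the signer's own
// local time in RFC 3339 form, as the paper asks auditors to collect offline.
const pkiLog = `TXN-0001|2020-06-15T16:55:00+02:00|VERIFIED|employee-0420
TXN-0002|2020-06-15T23:40:00+09:00|VERIFIED|employee-0911
TXN-0003|2020-06-15T10:05:00+05:30|VERIFIED|employee-0420
TXN-0005|2020-06-15T12:00:00+05:30|FAILED|employee-0777`

// Business layer: one line per accounting entry, carrying the bank's business date.
const postingLog = `TXN-0001|2020-06-15|POSTED
TXN-0002|2020-06-16|POSTED
TXN-0004|2020-06-15|POSTED
TXN-0005|2020-06-15|POSTED`

// bankZone is the assumed local zone in which EOD/BOD business dates are cut (IST).
var bankZone = time.FixedZone("IST", 5*3600+30*60)

type verification struct {
	signedAt time.Time
	status   string
	signer   string
}

// parsePKILog returns the verification records keyed by transaction id.
func parsePKILog(log string) map[string]verification {
	out := map[string]verification{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Split(sc.Text(), "|")
		if len(f) != 4 {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[1])
		if err != nil {
			continue // a malformed time stamp would itself be a finding; kept simple here
		}
		out[f[0]] = verification{signedAt: at, status: f[2], signer: f[3]}
	}
	return out
}

// parsePostings returns the business date of each posted transaction.
func parsePostings(log string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(log, "\n") {
		if f := strings.Split(line, "|"); len(f) == 3 && f[2] == "POSTED" {
			out[f[0]] = f[1]
		}
	}
	return out
}

// Reconcile compares the two layers and returns one finding per discrepancy, sorted by id.
func Reconcile(pki map[string]verification, postings map[string]string) []string {
	var findings []string
	for id, date := range postings {
		v, ok := pki[id]
		switch {
		case !ok:
			findings = append(findings, id+": posted with no signature-verification record (PKI channel bypassed)")
		case v.status != "VERIFIED":
			findings = append(findings, id+": posted although signature verification "+v.status)
		default:
			// Normalise the signer's local time to the bank's business day before comparing.
			if local := v.signedAt.In(bankZone).Format("2006-01-02"); local != date {
				findings = append(findings, fmt.Sprintf("%s: signed on %s (bank local date) but posted on %s; EOD/BOD time gap", id, local, date))
			}
		}
	}
	for id, v := range pki {
		if _, ok := postings[id]; !ok && v.status == "VERIFIED" {
			findings = append(findings, id+": verified but never posted (delayed or rescheduled message)")
		}
	}
	sort.Strings(findings)
	return findings
}

// Run reconciles the constructed logs above.
func Run() []string { return Reconcile(parsePKILog(pkiLog), parsePostings(postingLog)) }

func main() {
	for _, f := range Run() {
		fmt.Println(f)
	}
}
```

On the constructed input this yields four findings: TXN-0002 was signed late on 15 June in Japan but, once converted to the bank's local date, still belongs to 15 June while it was posted on 16 June; TXN-0003 was verified but never reached the ledger; TXN-0004 was posted with no verification record at all (the paper's "hidden snake"); and TXN-0005 was posted although its signature failed verification. TXN-0001, signed in South Africa, reconciles cleanly once its time stamp is normalised.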
It is a normal practice among banks to copy Digital Certificates from their primary site to a secondary/Disaster Recovery (DR) site located on a different seismic plate, as part of Business Continuity Planning (BCP). Certain PKI modules may not allow the movement of certificates, which are tightly coupled with the system's IP address. In such cases, while shifting data from one server to another, it is necessary to ensure that the DR/BCP servers have the same system IP address. This must be considered during audit.

• Digital Certificates are normally stored on smart cards, Hardware Security Modules or hard disks; during BCP drills it is important to make sure that the movement of any PKI-related artifacts, such as digital certificates or security modules, is conducted by way of a standardized process and is also audited.

• Since certificates are often revoked as per banks' policies, PKI applications should have the capability to connect to the CA's central server periodically to check the CRL (Certificate Revocation List). An auditor should also check for revocation, and whether the transactions pertaining to revoked certificates have also been revoked correctly.

• At times, the CCA revokes its own root certificates and issues new ones. This in turn revokes the CA's certificates, and invalidates all Digital Certificates allied to them. In such cases, the auditor should audit the application to check for a provision for a second root certificate.

Author
Makarand Madhukar Baji
Senior Consultant – Finacle Payments
Infosys
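Several of the norms in this paper (verification up to the root level, certificates that have expired by the time the audit is run, and the CRL check just described) can be exercised end to end in a small harness. The Go program below is an added example and is not part of the paper or of any Finacle product; it builds a constructed three-tier hierarchy (a self-signed root standing in for the CCA, a bank CA, an employee certificate), signs two constructed transaction records, and audits them with Go's standard crypto/x509 package. All names, serial numbers, dates and the record format are assumptions made for the example. The "as of" time handed to the audit plays the role of the paper's simulated environment with a changed date: the same record passes when judged at its signing time and fails when judged at a later audit date, after the employee certificate has expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type tier struct { // one node of the constructed hierarchy: root (CCA), bank CA, employee
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

const caUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, serial int64, from, to time.Time, usage x509.KeyUsage, parent *tier) *tier {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, KeyUsage: usage,
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return &tier{cert: must(x509.ParseCertificate(der)), key: key}
}

// SignedTxn is a constructed message-layer record: payload, signature, signer, signing time.
type SignedTxn struct {
	Payload, Sig []byte
	Signer       *x509.Certificate
	SignedAt     time.Time
}

// Audit applies the paper's checks to one record: chain up to the root, judged at
// asOf instead of the wall clock; the signature itself; and the issuing CA's CRL.
func Audit(tx SignedTxn, roots, inters *x509.CertPool, crl *x509.RevocationList, ca *x509.Certificate, asOf time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: asOf, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := tx.Signer.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	pub, ok := tx.Signer.PublicKey.(*ecdsa.PublicKey)
	if h := sha256.Sum256(tx.Payload); !ok || !ecdsa.VerifyASN1(pub, h[:], tx.Sig) {
		return errors.New("signature does not verify against the payload")
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // trust only a CRL the issuing CA signed
		return fmt.Errorf("crl: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(tx.Signer.SerialNumber) == 0 && !tx.SignedAt.Before(rc.RevocationTime) {
			return errors.New("signer certificate had already been revoked when this signature was made")
		}
	}
	return nil
}

// Scenario builds the constructed fixture and returns three audit results: a good record at its
// signing time; the same record at a later audit date (certificate expired); a record signed after revocation.
func Scenario() (valid, expiredAtAudit, revoked error) {
	d := func(s string) time.Time { return must(time.Parse("2006-01-02", s)) }
	root := issue("Root CCA (constructed)", 1, d("2015-01-01"), d("2035-01-01"), caUsage, nil)
	bankCA := issue("Bank CA (constructed)", 2, d("2016-01-01"), d("2026-01-01"), caUsage, root)
	emp := issue("employee-0420 (constructed)", 1042, d("2020-01-01"), d("2021-01-01"), x509.KeyUsageDigitalSignature, bankCA)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	inters.AddCert(bankCA.cert)
	// CRL issued by the bank CA: the employee certificate (serial 1042) revoked on 2020-09-01.
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: d("2020-09-01"), NextUpdate: d("2020-10-01"),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1042), RevocationTime: d("2020-09-01")}},
	}, bankCA.cert, bankCA.key))))
	sign := func(msg string, at time.Time) SignedTxn {
		h := sha256.Sum256([]byte(msg))
		return SignedTxn{Payload: []byte(msg), Sig: must(ecdsa.SignASN1(rand.Reader, emp.key, h[:])), Signer: emp.cert, SignedAt: at}
	}
	tx1 := sign("RTGS|TXN-0001|INR 100000|2020-06-15T10:30:00+05:30", d("2020-06-15"))
	tx2 := sign("NEFT|TXN-0002|INR 5000|2020-10-05T11:00:00+05:30", d("2020-10-05"))
	valid = Audit(tx1, roots, inters, crl, bankCA.cert, tx1.SignedAt)
	expiredAtAudit = Audit(tx1, roots, inters, crl, bankCA.cert, d("2024-01-10"))
	revoked = Audit(tx2, roots, inters, crl, bankCA.cert, tx2.SignedAt)
	return
}
```

Scenario returns nil for the good record, an "expired" chain error for the same record judged at the 2024 audit date, and a revocation finding for the record signed after the bank CA's CRL listed the certificate. Two design points follow the paper's norms: the chain is always walked to the root pool rather than trusting the certificate embedded in the record, and the CRL is only consulted after its own signature has been checked against the issuing CA, since an unsigned or foreign revocation list is not evidence of anything.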