PSD2/EIDAS DEMONSTRATIONS

Transcription

1 PSD2/EIDAS DEMONSTRATIONS Chris Kong, Azadian Kornél Réti, Microsec Luigi Rizzo, InfoCert All rights reserved

2 Overview for this Presentation As previously reported and reviewed at ERPB, with ECB and EC, there are five general stages of activity for actors within the new PSD2 services. Authorization & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA Revocations & Access Today, we will be looking at these five stages and explaining the principles, rational and providing a demonstration of those activities in practice. 2

3 1. AUTHORISATION & PASSPORTING Authorization & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access

4 Authorization & Passporting Authorization & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access Authorization & Passporting is the process for any PSP getting an Financial Authorization from their Home National Competent Authority (NCA) regulator. A successful application by a PSP results in an entry on the Public Register of an NCA. NOTE: For the purposes of the demonstration today, we have created an NCA, with Example Tpp and Example Bank as our entities to use as our demonstration. 4

5 DEMO 5

6 Authorization & Passporting Authorization & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA Revocations & Access SUMMARY It is expected that all NCAs will make available their Public Registers with PSD2 Upgrades in There is a market dependency on the availability and accuracy of the NCA Public Registers, as will be shown through this demonstration. 6

7 2. EIDAS CERTIFICATE ISSUING Authorization & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access

8 eidas Certificate Issuing Authorization & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access Any PSP can acquire eidas certificates, including: Qualified certificate for website authentication (QWAC) Qualified certificate for electronic seal (QSealC) This phase assumes that the PSP is already registered and authorized by the NCA NOTE: for the purposes of this demo we are using Example TPP as an example for the certificate subject 8

9 Example Certificate Request Process 1. Generate a key pair e.g. in the PSP secure systems 2. Visit the QTSP website, fill out certificate request form, include public key to be certified 3. The QTSP will prepare the papers and contact PSP 4. Validation of all data to be included in the certificate 5. QTSP issues certificate to PSP 6. Install certificate into PSP secure systems 9

10 Screenshot 10

11 DEMO 11

12 Verification performed by the QTSP Identity validation, using one of: qualified signature of authorized representative of PSP, face-to-face identification of representative using photo ID, other method providing equivalent assurance Validation of possession of the Private Key Validation of company data against company register Validation of authorization of representative PSD2 attribute validation against NCA register 10

13 NCA Public Register - TPP 13

14 Example Certificate Request Process 1. Generate a key pair e.g. in the PSP secure systems 2. Visit the QTSP website, fill out certificate request form, include public key to be certified 3. The QTSP will prepare the papers and contact PSP 4. Validation of all data to be included in the certificate 5. QTSP issues certificate to PSP 6. Install certificate into PSP secure systems 14

15 DEMO 15

16 Screenshot 16

17 eidas Certificate Issuing Authorization & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access SUMMARY QTSP identifies PSP and relies on NCA register to validate PSD2 specific attributes QTSP takes responsibility that all information in the certificate is correct at the time of issuance QTSP issues qualified certificates according to ETSI TS , which specifies a standard format and management of PSD2 specific data 17

18 3. IDENTIFICATION & SETUP Authorisation & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access

19 TPP to ASPSP - Identification & Setup Authorisation & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access The TPP & ASPSP Setup is an identification process within API Access enablement. Although not mandated in the RTS SCA CSC, it is generally API industry best practice. As the TPP has a QSEALC, they can now digitally identify themselves towards ASPSPs online for PSD2 API Access. Successful identification & Setup between the TPP and ASPSP, results in a TPP getting API Access from an ASPSP. eidas and ETSI TS enables a common framework and pan-european interoperability between all TPPs and ASPSPs for this process. 19

20 Authorisation & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access 1 Discovery 2 3 Access 4 eidas 5 PSD2 6 API Sign Up Request Check Check Access 20

21 DEMO 21

22 TPP to ASPSP - Identification & Setup Authorisation & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access SUMMARY QSEALC Certificates provide a common and eidas secured method for an unknown TPP to become identified to the ASPSP. PKI can be used verify the TPP is who they claim to be in the QSEALC. QSEALC Certificates do not contain all information and may not be up to date, so ASPSPs need to check NCA Public Registers (or equivalent). Successful application of this Identification process allows TPPs a quick and universal way of secure access to APIs, with ASPSPs. 22

23 4. INTERFACES USING CERTIFICATES Authorisation & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access

24 Interfaces and SCA/CSC Authorisation & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access Interfaces and SCA requirements are laid out in the RTS SCA and CSC. Generally, the key communication requirements are listed as: - Identification - Confidentiality - Integrity NOTE: Whilst there are many technical methods for Communications, APIs and SCA, we have selected appropriate mechanisms for this demonstrations and should be considered as one way to do it, but not the only way to do it. 24

25 Interfaces and SCA/CSC Authorisation & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access eidas Certificates and Internet CSC It s important to know that QWAC and QSEALC Certificates are used for different purposes and effects. QSEALs provide: - Identification - Integrity QWACs provide: - Identification - Confidentiality 25

26 TLS protocol From a high-level, TLS has three main capabilities that may be used independently or in combination to secure content transport (or the network pipe). These capabilities are: 1. Authenticating a server to a client 2. Encrypting client/server communications 3. Authenticating a client to a server Most public web sites use TLS only to authenticate the web server to the client. Web server authentication is easily implemented and sufficient for establishing a TLS connection. However, web servers can be configured to request or require that the client authenticate using a certificate. This is known as mutual authentication. 26

27 Mutual TLS Authentication Two parties authenticating each other through verifying the provided digital certificate issued by QTSPs both parties are assured of the other s identity Very popular in server-to-server communications A client (web browser or client application) authenticating itself to a server (website or server application) and that server also authenticating itself to the client QTSPs listed in EU member states TSLs are an important part of the mutual authentication process 27

28 DEMO 28

29 Interfaces and SCA/CSC Authorisation & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access eidas Certificates and Internet CSC It s important to know that QWAC and QSEALC Certificates are used for different purposes and effects. QSEALs provide: - Identification - Integrity QWACs provide: - Identification - Confidentiality 29

30 PISP ASPSP payment transaction Customer customer payment request PISP services ASPSP services payment request is generated and sealed by means of PISP QSEALC sealed payment request omissis customer is authenticated in some way by ASPSP omissis sealed payment response sealed payment request is validated, PISP QSEALC is validated by means of QTSP validation services, payment request is processed, ASPSP response is generated and sealed by means of ASPSP QSEALC customer payment request processing outcomes 30

31 DEMO 31

32 Interfaces and SCA/CSC Authorisation & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access SUMMARY 1. QWAC and QSEALC are used at different communication layers and provide different effects: QWAC for Transport Layer QSEALC for Application Layer. 2. QWAC provides Identification and Confidentiality. 3. QSEALC provides Identification and Integrity. 4. When used in combination and with Qualified Certificates, this will fulfil the requirements from RTS SCA CSC and also have legal effect from eidas. 32

33 5. REVOCATION OF CERTIFICATES Authorisation & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access

34 eidas Certificate Revocation Authorisation & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access All certificates have a validity period (expiry date) However, certificate data may become invalid earlier, e.g.: Private key is compromised PSP authorization revoked or authorization number changed PSP role(s) revoked In these cases the certificate needs to be revoked Revocation is published by the issuer QTSP 34

35 Certificate Validation Certificate validation includes Is it expired? dates in the certificate Is it revoked? CRL or OCSP CRL: Certificate Revocation List OCSP: Online Certificate Status Protocol Is the issuer QTSP trusted? certificate path building Typically done automatically by application software NOTE: in this demo we use e-szigno SCVA by Microsec 35

36 The Certificate Revocation Process Visit the QTSP website, specify certificate serial number and password (to authenticate owner) The QTSP will process revocation request If properly authenticated, this can be automatic QTSP publishes that certificate is revoked Certificate cannot be used any more to create seals / authenticate website 36

37 DEMO 37

38 Screenshot 38

39 Certificate Revocation Authorisation & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA/CSC Revocations & Access SUMMARY 1. Revocation may be requested by a. PSP (who owns the certificate), or b. NCA (who authorized the PSP) 2. Certificate loses its validity when a. Revocation is published by the QTSP, or b. The certificate expires 3. Invalid certificate shall not be accepted by the receiving party 39

40 PSD2 DEMONSTRATION OVERALL SUMMARY

41 SUMMARY Today we have briefly explained and demonstrated a few live processes for the E2E journey of a TPP. We have also discussed where NCAs, QTSPs, ASPSP and the TPPs themselves need to perform Regulatory or Technological actions for this to fit together. Authorisation & Passporting eidas Certificates Issuing TPP & ASPSP XS2A Setup Interfaces & SCA Revocations & Access 41

42 PSD2 DEMONSTRATION Chris Kong Kornél Réti Luigi Rizzo PKI: