Protection of Internet banking systems: TLS, electronic signature, GOST, tokens

    Many modern remote banking (RBS) systems provide a web interface for customer service. The advantages of a thin client over a fat client are obvious. At the same time, there are federal laws, orders of regulators and Bank of Russia requirements for RBS systems, many of which relate specifically to protection of information in RBS systems. They have to be met somehow, and crypto tools that implement Russian cryptographic algorithms (GOSTs) are usually used for this. These crypto tools cover some of the "holes", but deploying them can significantly complicate the use of the RBS system for the client.

    In this article we will assemble and test, from these "bricks", a comprehensive solution on a demo Internet bank: in effect, a special portable secure browser stored on flash memory, in which channel protection (TLS), strict two-factor authentication to the web resource and electronic signature of payment orders via a Rutoken EDS USB token or a Rutoken PINPad trusted-screen device are implemented. The appeal of the solution is that it is not at all burdensome for the end user: connect the token, launch the browser, and you can start spending money right away.

    TLS, authentication and signature are implemented using Russian cryptography.

    What follows is a step-by-step guide with explanations.


    So, the "bricks" of the solution (for Windows):


    1. Download the Mozilla Firefox Portable Edition browser and unpack it onto the flash memory of the Rutoken EDS Flash. Set demo.rutoken.ru as the start page.

    2. Download sTunnel built with GOST support. The archive contains all the necessary files, including openssl with support for Russian cryptography. Unpack it onto the flash memory of the Rutoken EDS Flash into the sTunnel folder. Note that the sTunnel folder with the files must be in the root of the device's flash memory.

    Config:

    ; verify the server certificate
    verify=2
    ; the proxy runs in client mode
    client=yes
    ; SSL protocol version
    sslVersion=TLSv1
    ; show an icon in the system tray
    taskbar=yes
    ; logging level
    DEBUG=7
    [https-demobank]
    ; load the gost engine when openssl starts
    engine=gost
    ; root certificate up to which the chain is built when verifying the server certificate
    CAFile=ca.crt
    ; the proxy accepts unprotected connections on localhost port 1443
    accept = 127.0.0.1:1443
    ; the proxy establishes protected connections to demo.rutoken.ru:443
    connect = demo.rutoken.ru:443
    ; cipher suite used in the TLS protocol
    ciphers = GOST2001-GOST89-GOST89
    TIMEOUTclose = 1
    


    Once started, sTunnel accepts unprotected connections on 127.0.0.1:1443, establishes a secure connection to demo.rutoken.ru:443 and forwards the data it receives through it.

    If you access the Internet through a proxy server (for example, a corporate one), additional sTunnel configuration is required.

    When the secure connection is established, strict server authentication is performed and the transmitted data is encrypted.
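    The security of this setup rests on a few lines of stunnel.conf: client mode, verify=2 with a pinned CA, a loopback-only listener and the GOST cipher suite. The following is an added example (not code from the article or from Rutoken/Aktiv) that parses an stunnel.conf and flags a configuration that silently loses one of those properties. The function names, the constructed sample configs (the article's config with translated comments, and a weakened copy) and the finding texts are mine; stunnel's case-insensitive option names and service-over-global override are how stunnel behaves.

```python
import re
from ipaddress import ip_address


def parse_stunnel_conf(text):
    """Parse stunnel.conf text into {"": global_options, service: options}.

    Option names are lower-cased because stunnel matches them
    case-insensitively (the article's DEBUG=7 is the same as debug=7).
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                       # blank line or comment
        match = re.fullmatch(r"\[(.+)\]", line)
        if match:                          # [service] header
            current = match.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def effective(sections, service, key):
    """A service-level option overrides the global one."""
    return sections.get(service, {}).get(key, sections[""].get(key))


def listens_on_loopback(accept):
    """True if 'accept' is host:port with a loopback host (127.0.0.1 or ::1)."""
    host = accept.rsplit(":", 1)[0].strip("[]") if ":" in accept else ""
    try:
        return ip_address(host).is_loopback
    except ValueError:        # bare port (binds all interfaces) or a hostname
        return False


def check_client_service(sections, service):
    """Return findings for one client-mode tunnel; an empty list means it passes."""
    if service not in sections:
        return ["service [%s] not found" % service]
    findings = []
    if (effective(sections, service, "client") or "no").lower() != "yes":
        findings.append("client=yes missing: stunnel would act as a TLS server, not a client")
    verify = effective(sections, service, "verify")
    if verify is None or not verify.isdigit() or int(verify) < 2:
        findings.append("verify=2 required (the article's level): lower levels do not "
                        "guarantee the server certificate is validated")
    if not effective(sections, service, "cafile"):
        findings.append("CAFile missing: no trust anchor to build the server chain to")
    accept = sections[service].get("accept", "")
    if not listens_on_loopback(accept):
        findings.append("accept=%r is not loopback-only: other hosts could send "
                        "cleartext through your tunnel" % accept)
    if "gost" not in (effective(sections, service, "engine") or "").lower():
        findings.append("engine=gost missing: GOST cipher suites are unavailable")
    if not (effective(sections, service, "ciphers") or "").upper().startswith("GOST"):
        findings.append("ciphers does not select a GOST cipher suite")
    return findings


# Constructed sample 1: the article's configuration (comments translated, some dropped).
ARTICLE_CONF = """
; verify the server certificate
verify=2
; the proxy runs in client mode
client=yes
sslVersion=TLSv1
taskbar=yes
DEBUG=7
[https-demobank]
engine=gost
CAFile=ca.crt
accept = 127.0.0.1:1443
connect = demo.rutoken.ru:443
ciphers = GOST2001-GOST89-GOST89
TIMEOUTclose = 1
"""

# Constructed sample 2: the same tunnel with verification switched off and the
# plaintext listener exposed on every interface.
WEAK_CONF = """
client=yes
verify=0
[https-demobank]
engine=gost
accept = 0.0.0.0:1443
connect = demo.rutoken.ru:443
ciphers = GOST2001-GOST89-GOST89
"""

if __name__ == "__main__":
    for name, conf in (("article", ARTICLE_CONF), ("weak", WEAK_CONF)):
        print(name, check_client_service(parse_stunnel_conf(conf), "https-demobank") or "OK")
```

    Run against the article's config the checker reports nothing; against the weakened copy it reports the missing CAFile, the disabled verification and the non-loopback listener. The last point matters on a shared network: the tunnel decrypts with the bank's certificate pinned, but anyone who can reach the plaintext port would ride inside that session.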

    3. In Mozilla Firefox Portable Edition, set the proxy to 127.0.0.1:1443 for all protocols, so that all data goes through sTunnel. The proxy is set under Settings -> Advanced -> Network -> Configure -> Manual proxy configuration; tick "Use this proxy server for all protocols".

    4. Add the Rutoken Plugin to the browser. To do this, put the files npCryptoPlugin.dll and rtPKCS11ECP.dll from the archive into the folder FirefoxPortable\Data\plugins.

    5. Write the launcher script in VBScript. The script starts sTunnel first and then Mozilla Firefox Portable Edition.
    Dim WshShell, oExec, wshSystemEnv, currentDirectory
    Set WshShell = CreateObject("WScript.Shell")
    Set wshSystemEnv = WshShell.Environment("PROCESS")
    ' Folder containing this script: the root of the flash memory (keeps its trailing backslash)
    currentDirectory = Left(WScript.ScriptFullName, Len(WScript.ScriptFullName) - Len(WScript.ScriptName))
    ' Tell openssl where the GOST engine shipped with sTunnel lives
    wshSystemEnv("OPENSSL_ENGINES") = currentDirectory & "stunnel"
    Set oExec = WshShell.Exec(currentDirectory & "stunnel\stunnel.exe")
    ' Give sTunnel a moment to start listening; stop if it has already exited (Status = 1)
    WScript.Sleep 1000
    If oExec.Status = 1 Then
        WScript.Echo "stunnel failed to start: check the folder hierarchy and stunnel.conf"
        WScript.Quit 1
    End If
    Set oExec = WshShell.Exec(currentDirectory & "FirefoxPortable\FirefoxPortable.exe")
    


    Save it as DemoBank.vbs and put it in the root of the flash memory of the Rutoken EDS Flash.

    That's it.

    Now launch DemoBank.vbs and you reach the Rutoken demo site over a secure connection. If an error occurs while the script runs, check the folder hierarchy again.

    Next, we register, perform two-factor authentication of the client and sign the payment using the Rutoken Plugin and the USB token, as described in the articles habrahabr.ru/company/aktiv-company/blog/155835 and habrahabr.ru/company/aktiv-company/blog/165887.

    To work at another workplace, simply connect the Rutoken EDS Flash and run DemoBank.vbs.

    What did we get? A portable solution that is easy for the end user, meets current thinking on the security of systems with a web interface, and is built entirely on Russian cryptographic algorithms.
