
Many modern RBS (remote banking) systems provide a Web-based interface for customer service. The advantages of a "thin client" over a "fat client" are obvious. At the same time there are federal laws, regulators' orders and Bank of Russia requirements for RBS systems, many of which concern information security specifically. They have to be complied with somehow, and the usual answer is cryptographic tools that implement the Russian cryptographic algorithms (GOSTs). These tools close some of the "holes", but deploying them can make the RBS system noticeably harder for the client to use.
In this article we will assemble a complete solution from ready-made "bricks" and test it against a demonstration Internet bank. The solution is essentially a special portable secure browser stored on flash memory; it implements channel protection (TLS), strict two-factor authentication on the web resource and electronic signing of payment orders with the Rutoken EDS USB token or the Rutoken PINPad trusted-screen device. The point of the solution is that it places no burden at all on the end user: plug in the token, launch the browser and start spending money.
TLS, authentication and signature are implemented using Russian cryptography.
What follows is a step-by-step guide with explanations.
So, the "building blocks" of the solution (for Windows):
1. Download the Mozilla Firefox Portable Edition browser and unpack it onto the flash memory of Rutoken EDS Flash. Set demo.rutoken.ru as its start page.
2. Download sTunnel built with GOST support. The archive contains all the necessary files, including an OpenSSL build with support for Russian cryptography. Unpack it onto the Rutoken EDS Flash flash memory into the sTunnel folder. Note that the sTunnel folder with its files must be in the root of the device's flash memory.
Config (one directive per line; lines starting with ";" are comments):
    ; global options, these must precede the first service section
    ; load the OpenSSL GOST engine
    engine=gost
    ; act as a TLS client and require a verified server certificate
    verify=2
    client=yes
    ; TLS version
    sslVersion=TLSv1
    taskbar=yes
    DEBUG=7
    [https-demobank]
    ; CA certificate used to verify the server
    CAFile=ca.crt
    ; listen on localhost:1443
    accept = 127.0.0.1:1443
    ; forward to demo.rutoken.ru:443
    connect = demo.rutoken.ru:443
    ; GOST cipher suite
    ciphers = GOST2001-GOST89-GOST89
    TIMEOUTclose = 1
When launched, sTunnel accepts an unprotected connection on 127.0.0.1:1443, establishes a secure connection to demo.rutoken.ru:443 and relays the data received on the local side into it.
If you reach the Internet through a proxy server (for example, a corporate one), sTunnel needs additional configuration.
When the secure connection is established, strict server authentication is performed and the transmitted data is encrypted.
3. In Mozilla Firefox Portable Edition, set the proxy to 127.0.0.1:1443 for all protocols, so that all traffic goes through sTunnel. The proxy is configured under Settings -> Advanced -> Network -> Configure -> Manual proxy configuration; tick "Use this proxy server for all protocols".
4. Add the Rutoken Plugin to the browser: copy the files npCryptoPlugin.dll and rtPKCS11ECP.dll from the archive into the folder FirefoxPortable\Data\plugins.
5. Write an autorun script in VBScript. The script first launches sTunnel and then Mozilla Firefox Portable Edition:
    Dim WshShell, wshSystemEnv, oExec, currentDirectory
    Set WshShell = CreateObject("WScript.Shell")
    Set wshSystemEnv = WshShell.Environment("PROCESS")
    ' folder the script lives in (the root of the flash memory), with a trailing backslash
    currentDirectory = Left(WScript.ScriptFullName, Len(WScript.ScriptFullName) - Len(WScript.ScriptName))
    ' make the relative paths below work regardless of where the script was launched from
    WshShell.CurrentDirectory = currentDirectory
    ' tell OpenSSL where to find the GOST engine shipped with sTunnel
    wshSystemEnv("OPENSSL_ENGINES") = currentDirectory & "stunnel"
    Set oExec = WshShell.Exec("stunnel\stunnel.exe")
    ' give sTunnel a moment to start; Status = 1 means the process has already exited (start-up error)
    WScript.Sleep 1000
    If oExec.Status = 1 Then
        WScript.Echo "stunnel failed to start, check the folder hierarchy on the flash memory"
        WScript.Quit 1
    End If
    Set oExec = WshShell.Exec("FirefoxPortable\FirefoxPortable.exe")
Save it as DemoBank.vbs and put it in the root of the Rutoken EDS Flash flash memory.
That's it.
Now launch DemoBank.vbs and reach the Rutoken demo site over the secure connection. If an error occurs while the script starts, check the folder hierarchy again.
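As an added check that is not part of the original article: a small Python script that parses an sTunnel config in the form used in step 2 and flags the settings this scheme depends on (client mode, verify=2 together with a CAFile so the server is actually authenticated, the GOST engine loaded in the global section, a GOST cipher suite, and the accept address bound to loopback so the unprotected side of the tunnel is not exposed to the network). The embedded config, the function names and the `LOOPBACK` list are constructed for this example.

```python
import configparser
from typing import Dict, List

# Constructed sample: the client tunnel config from step 2, one directive per line.
STUNNEL_CONF = """
engine=gost
verify=2
client=yes
sslVersion=TLSv1
[https-demobank]
CAFile=ca.crt
accept = 127.0.0.1:1443
connect = demo.rutoken.ru:443
ciphers = GOST2001-GOST89-GOST89
TIMEOUTclose = 1
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")

def parse_stunnel(text: str) -> Dict[str, Dict[str, str]]:
    """Parse stunnel's INI-style file: directives before the first [section] go under
    the pseudo-section 'global'; keys are lowercased and ';'/'#' start comments."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=(";", "#"),
                                   interpolation=None, strict=False)
    cp.read_string("[global]\n" + text)
    return {name: dict(cp[name]) for name in cp.sections()}

def audit_tunnel(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per weak or missing setting; an empty list means OK."""
    findings = []
    glob = conf.get("global", {})
    if glob.get("engine", "").lower() != "gost":
        findings.append("global: engine=gost missing, GOST suites cannot be negotiated")
    for name, svc in conf.items():
        if name == "global":
            continue
        eff = {**glob, **svc}  # service options inherit the global defaults
        if eff.get("client") != "yes":
            findings.append(f"{name}: client=yes missing, stunnel would act as a server")
        if eff.get("verify") != "2":
            findings.append(f"{name}: verify=2 missing, server certificate is not checked")
        if "cafile" not in eff:
            findings.append(f"{name}: CAFile missing, no trust anchor for the server chain")
        # 'accept = 1443' (port only) means all interfaces, so it is flagged too
        if eff.get("accept", "").rsplit(":", 1)[0] not in LOOPBACK:
            findings.append(f"{name}: accept={eff.get('accept')} is not loopback-only")
        if not eff.get("ciphers", "").upper().startswith("GOST"):
            findings.append(f"{name}: ciphers does not pin a GOST suite")
    return findings
```

Run it over the real stunnel.conf on the flash memory before handing the device to a user; any finding means the tunnel does not give the guarantees the article relies on.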
Next, registration, two-factor client authentication and payment signing with the Rutoken Plug-in and the USB token are done as described in the articles habrahabr.ru/company/aktiv-company/blog/155835 and habrahabr.ru/company/aktiv-company/blog/165887.
To work at another workplace, simply plug in the Rutoken EDS Flash and launch DemoBank.vbs.
What did we get? A portable solution that is easy for the end user, meets current views on the security of systems with a Web interface, and is built entirely on Russian cryptographic algorithms.