Volume 9 Number 7
ISSN 0142-0496
MAY 1987
Editor: ROBIN ARNFIELD
Associate Editor: FRED LAFFERTY
Special Technical Advisor: MARTIN SAMOCIUK, Director, Network Security Management Ltd

Editorial Advisors:
Jay J. BloomBecker, Director, National Center for Computer Crime Data, Los Angeles
Director of Corporate Security, Cargill Inc, Minneapolis
William A. J. Bound, Director, Banking & Security, CSC Computer Sciences Company Ltd, London
Robert P. Campbell, CDP, President, Advanced Information Management Inc, Woodbridge, Virginia
Dr Jerry FitzGerald, Jerry FitzGerald & Associates, Redwood City, California
Fred M. Greguras, Attorney, Fenwick, Stone, Davis & West, Palo Alto, California
David Hind, British Telecom Investigation and Legal Department, London
David Wman, Barrister, Expert in Telecommunications and Computing, London
Lindsay, UK Security Manager, Digital Equipment Co Ltd
James Martin, Author and Lecturer
Adrian R. D. Norman, Consultant, Arthur D. Little Ltd, London
Donn B. Parker, Senior Management Systems Consultant, Stanford Research Institute, Menlo Park, California
Michael Sobol, President, MIS Training Institute, Framingham, Massachusetts
Philip Weights, Philip Weights & Associates Management Consulting, New York
CONTENTS
GEISCO, Racal sign US financial systems security deal   1
Security: user requirements, workstations, and auditability   3
Fortress - the debate continues   10
Computer security market approaches $3 billion   12
Beating the hackers - US report discusses protection techniques   13
Data Encryption Standard to be reviewed   14
Book review   14

GEISCO, RACAL SIGN FINANCIAL SYSTEMS SECURITY DEAL
On 30 March, GE Information Services Company of the USA (represented in the UK by GEISCO Ltd) and Racal-Guardata Ltd signed a cooperative marketing agreement in London to provide financial institutions with an effective protection against computer fraud. "About 18 months ago, GEISCO decided to do something about EFT security", said Jamie Graham, GEISCO director, International Banking and Financial Services. Racal-Guardata, the data security arm of the UK's Racal Group, was contracted to provide the access control software for EFT transactions on GEISCO's banking network. For the last 12 months, Racal Guardata has been testing its products on GEISCO's Money Transfer System (MTS) and is now setting up support centres around the world.
Vol. 9, No. 7, Page 2

Racal Guardata is building its data security products into applications on the GEISCO network. The first application is on GEISCO's Money Transfer System, a product which allows banks' authorized corporate customers to generate payment instructions using their own PCs or mainframes for automated delivery to the bank. The GE/Racal offering is a two-tier cryptographically-based system using the Data Encryption Standard (DES) algorithm: firstly through the ANSI (American National Standards Institute) X9.9 Message Authentication technique, and secondly by integrating Personal Authentication and linking the various components, using ANSI X3.92, with the Message Authentication facility. Together, these two techniques provide a mechanism to ensure end-to-end message authentication and authorization which will identify the originating device as well as the authorizing officer. This is the first step in the introduction of an Electronic Signature, GEISCO says.

To date, a bank customer wanting to use the MTS system generated a completed instruction by adding the required input data to a pre-formatted payment skeleton, rather like a blank cheque. With the deployment of the new security system the bank is able to provide its customers with a free-format capability (see figure).

The package required by customers for the MTS service comprises security hardware, the MTS application, and security interface software. The security equipment is said to be tamper-resistant and operates as a peripheral device to the host computer. A slot-in security card is provided for PCs (IBM PC/XT/AT and most compatibles). For mainframe applications, a fault-tolerant security module is supplied. If anyone tries to tamper with the security card, the card zeroes itself and goes dead.

[Figure: The authentication and authorisation process]
© 1987 Elsevier Science Publishers B.V., Amsterdam. /87/$0.00 + 2.20. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)
Each authorizing officer is issued with a WATCHWORD generator, a hand-held calculator which computes his "digital signature", a 7-digit response to a 7-digit non-repetitive challenge issued by the WATCHWORD controller. The officer then enters his answer onto the computer terminal. To prevent unauthorized use of the WATCHWORD generator, the correct response is generated only if the user enters the correct Personal Identification Number (PIN). This process can be used not only for network access control, but also in person-to-person communication, e.g. over the telephone.

Precautions against fraud adopted by Racal Guardata include providing WATCHWORD users with two PINs: one for normal use, and one for use when under duress, e.g. when someone is forcing a corporate treasurer at gunpoint to make a fraudulent EFT transaction. This "duress PIN" alerts the bank's computer that the transaction is being delivered against the user's will. The user can only enter his PIN into his own device; if he were able to put his PIN into someone else's terminal, it could be rigged to capture the number. Racal Guardata adds that this type of technology is being used at the point of sale: sister company Racal Transcom is selling PoS terminals with PIN pads attached.

GEISCO is planning to work on authentication for EDI (Electronic Data Interchange), paperless trading between companies. However, there does not appear to be much demand yet in this marketplace for authentication.

The WATCHWORD PIN device costs around £100, said Professor Henry Beker, director-in-charge of Racal Guardata. A complete package consisting of two WATCHWORD devices, firmware and software, and a PC card costs around $2500. The same package, with a mainframe security module instead of a PC card, would cost $10 000 to $30 000, said Professor Beker. So far, Euroclear, which provides a worldwide Eurobond settlement service, is the only user of the Racal Guardata products on the MTS system.
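The two tiers described above (an X9.9 message authentication code over the payment instruction, and a PIN-gated challenge-response that also carries a duress signal) are shown together in the following Go program. It is an added example, not code from the article, GEISCO or Racal Guardata. The MAC follows the ANSI X9.9 binary-data option as publicly specified (single DES in CBC mode, zero IV, zero padding, leftmost 32 bits of the last block). The article does not disclose how WATCHWORD turns a challenge into a response or how the duress PIN is signalled, so the token and host routines here (a decimalised DES encryption of the challenge, with the duress PIN perturbing the last key byte so the host can recompute and recognise both answers) are a hypothetical construction of the same idea. The keys, PINs, challenge and payment message are constructed for the example.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// x99MAC computes an ANSI X9.9-style message authentication code:
// single DES in CBC mode with an all-zero IV over the message zero-padded
// to a multiple of 8 bytes; the MAC is the leftmost 32 bits of the final
// cipher block, rendered as 8 hex digits.
func x99MAC(key, msg []byte) (string, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	n := (len(msg) + 7) / 8 * 8
	if n == 0 {
		n = 8 // an empty message still authenticates one zero block
	}
	padded := make([]byte, n)
	copy(padded, msg)
	out := make([]byte, n)
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, padded)
	return hex.EncodeToString(out[n-8 : n-4]), nil
}

// verifyMAC is the receiving bank's check; the comparison is constant-time
// so a wrong MAC cannot be guessed digit by digit from response timing.
func verifyMAC(key, msg []byte, mac string) bool {
	want, err := x99MAC(key, msg)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(mac)) == 1
}

// token models a hand-held challenge-response generator holding a device
// secret and two PINs. The duress PIN perturbs the key used for the answer
// so the host can tell the two cases apart. This perturbation scheme is an
// assumption of the example, not Racal's design.
type token struct {
	secret    []byte // 8-byte device key, constructed for the example
	pin       string // normal PIN
	duressPIN string // PIN to use when coerced
}

const duressFlag byte = 0xFF

// response returns the 7-digit answer to a 7-digit challenge, or ok=false
// when the PIN matches neither stored value, so a stolen device stays mute.
func (t token) response(pin, challenge string) (answer string, ok bool) {
	switch pin {
	case t.pin:
		return decimalise(t.secret, challenge, 0), true
	case t.duressPIN:
		return decimalise(t.secret, challenge, duressFlag), true
	}
	return "", false
}

// decimalise encrypts the challenge (zero-padded to one DES block) under the
// device key with flag XORed into its last byte, then maps the hex output to
// decimal digits (a-f become 0-5), keeping the first seven.
func decimalise(secret []byte, challenge string, flag byte) string {
	key := make([]byte, 8)
	copy(key, secret)
	key[7] ^= flag
	block, err := des.NewCipher(key)
	if err != nil {
		return ""
	}
	in := make([]byte, des.BlockSize)
	copy(in, challenge)
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, in)
	h := hex.EncodeToString(out)
	digits := make([]byte, 0, 7)
	for i := 0; i < len(h) && len(digits) < 7; i++ {
		c := h[i]
		if c >= 'a' {
			c = c - 'a' + '0'
		}
		digits = append(digits, c)
	}
	return string(digits)
}

type verdict int

const (
	denied verdict = iota
	accepted
	duress
)

// authenticate is the host side of the exchange: it knows the officer's
// device secret, recomputes both possible answers to the challenge it issued,
// and reports a duress answer as such instead of silently rejecting it.
func authenticate(secret []byte, challenge, answer string) verdict {
	normal := decimalise(secret, challenge, 0)
	coerced := decimalise(secret, challenge, duressFlag)
	if subtle.ConstantTimeCompare([]byte(normal), []byte(answer)) == 1 {
		return accepted
	}
	if subtle.ConstantTimeCompare([]byte(coerced), []byte(answer)) == 1 {
		return duress
	}
	return denied
}

func main() {
	macKey := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}     // constructed
	msg := []byte("PAY 1000000 GBP FROM 12345678 TO 87654321 REF 0042") // constructed
	mac, _ := x99MAC(macKey, msg)
	fmt.Printf("X9.9 MAC %s verifies: %v\n", mac, verifyMAC(macKey, msg, mac))
	tampered := []byte("PAY 1000000 GBP FROM 12345678 TO 99999999 REF 0042")
	fmt.Printf("same MAC over altered beneficiary verifies: %v\n", verifyMAC(macKey, tampered, mac))

	officer := token{secret: []byte("c0nstrct"), pin: "4821", duressPIN: "4822"}
	challenge := "3190427" // issued by the host; constructed
	answer, _ := officer.response("4821", challenge)
	fmt.Println("normal answer", answer, "accepted:", authenticate(officer.secret, challenge, answer) == accepted)
	answer, _ = officer.response("4822", challenge)
	fmt.Println("duress answer", answer, "flagged:", authenticate(officer.secret, challenge, answer) == duress)
}
```

Two points worth noting from running it. The MAC binds the whole instruction, so changing the beneficiary account invalidates it, but the 32-bit, single-DES MAC is the 1987 construction and offers no margin by today's standards. The duress handling only works because the host, not the device, decides what a duress answer means: the device gives a normal-looking 7-digit response under either PIN, and the host computes both expected values and compares in constant time, so a coercer watching the screen sees nothing unusual.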
Several UK banks are already using Racal Guardata's security products for other applications. GEISCO says about 15 banks around the world are using MTS to service their corporate clients. GEISCO has over 65% of the world market for bank transfer services. Its clients can use the new security products in custom applications provided for them by GEISCO. Racal will be marketing the products "with GE and without GE", Professor Beker said. A US subsidiary of Racal Guardata has just been set up in Orange County, California.

For further information, contact: Racal Guardata Ltd, Richmond Court, 309 Fleet Road, Fleet, Hampshire GU13 8BU, UK; tel: 0252-622144; GE Information Services, GEISCO Ltd, Shortlands, Hammersmith, London W6 8BX, UK; tel: 01-846-9711.
SECURITY: USER REQUIREMENTS, WORKSTATIONS, AND AUDITABILITY
The Computer Industry Research Unit (CIRU) was established in 1985 by Professor Krish Bhaskar at the University of East Anglia, Norwich, UK. The unit conducts its own research, undertakes consultancy assignments, and is a partner in an