Security of STP communication


The security of the communication channel between STP Electra and the customer's own systems as well as the security of the entire STP solution is very important to both banks and their customers.

The STP Electra communication protocol used in the communication between customers' own systems (the routine library) and STP Electra will operate as follows:

  • communication is TCP/IP-based and uses a TCP/IP port selected by the customer
  • communication starts with setting up a session, always including a standard key exchange completed using the Diffie-Hellman algorithm and keys selected at random
  • communication following the key exchange is encrypted using the standard AES (Rijndael) algorithm
  • the AES algorithm uses a 128-bit key
  • communication is packet-based and uses an error detection algorithm to ensure safe and secure packet transfer
  • users need to be authenticated (by user ID and password) if they want to use the STP function; the validity of the authentication is limited to the current session
  • similarly to the solutions applied in the client program, users can be authenticated in two ways: they can log in to STP Electra or to the Electra server
  • when a user logs in to STP Electra, the password is verified by the client program; following the third failed login attempt the user is denied access, and the ban can later be lifted only by logging in to the server
  • when a user logs in to the server, the password is verified by the bank; following the third failed login attempt the user is denied access, and the ban can later be lifted only by one of the bank's administrators
  • neither the Electra client program nor the Electra server stores passwords in a direct form; they store only (digest) codes generated from passwords by one-way functions
  • passwords are forwarded to the Electra client program without separate encryption, over the previously established encrypted channel
  • the login password can be any string and can be changed at any time, even via the STP interface (any policy applying to passwords is to be defined by the relevant bank)
  • orders submitted via STP are fed into the client program in an unsigned form through the previously established encrypted channel
  • the Electra client program will perform exactly the same checks for orders submitted via STP that it performed for orders entered manually or as part of previous imports (syntax and semantics checks, checking whether orders meet the requirements set forth in the bank's effective business regulations)
  • users must sign (i.e. add a digital signature to) orders to be submitted via STP the same way as they did previously: they must enter the signatory's user ID and a separate signature password; the signing procedure can also be performed via STP; the Electra server (and thereby, the bank) will not accept any unsigned order
  • the Electra client program does not verify the signature password, so any problem that may occur in relation to it will only be identified when it is forwarded to the bank
  • similarly to login passwords, signature passwords can be changed at any time, even via the STP interface
  • digital signatures linked to orders can be generated in two ways: either by the customer's system in Electra's proprietary format (an Electra-format report is to be used in this case), or by the Electra client program, using a standard 512-bit RSA algorithm
  • apart from user signatures generated in the customer's system, the signature of the STP Electra client program is also required
  • the RSA key used as the program signature is stored by the Electra program
  • following signing, orders must be sent to the bank in a similar way to how users submitted orders earlier; the Electra client program will not forward automatic orders to the bank and orders can also be submitted via STP
  • STP will store data requested from the bank in encrypted files, i.e. the same way as the Electra client program did
  • information (notifications, account balances and statements) requested from the bank using the STP Electra program will not be authenticated using an electronic signature
  • requests received via STP are logged by the Electra client program.
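
The login rules in the list above (digest-only password storage, denial of access following the third failed attempt, and a ban that only a separate party can lift) can be sketched as follows. This is an added example, not Electra code: the class and method names are hypothetical, and the use of salted PBKDF2-HMAC-SHA256 as the one-way function and the counter reset on a successful login are assumptions the page does not state.

```python
import hashlib
import hmac
import os

MAX_FAILED = 3  # from the page: access is denied following the third failed attempt


class LoginGate:
    """Hypothetical verifier that keeps only salted digests, never passwords."""

    def __init__(self, iterations=200_000):
        self._iterations = iterations
        self._users = {}  # user_id -> {"salt", "digest", "failed", "locked"}

    def _digest(self, password, salt):
        # One-way function; PBKDF2-HMAC-SHA256 is an assumption of this example.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._iterations)

    def set_password(self, user_id, password):
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "digest": self._digest(password, salt),
                                "failed": 0, "locked": False}

    def login(self, user_id, password):
        """Return 'ok', 'denied' or 'locked'."""
        rec = self._users.get(user_id)
        if rec is None:
            return "denied"
        if rec["locked"]:
            return "locked"  # a banned user is refused even with the right password
        if hmac.compare_digest(self._digest(password, rec["salt"]), rec["digest"]):
            rec["failed"] = 0  # assumption: a successful login resets the counter
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED:
            rec["locked"] = True
            return "locked"
        return "denied"

    def lift_ban(self, user_id):
        # Stands in for the separate unlock path: a server login for a ban set by
        # the client program, or a bank administrator for a ban set by the server.
        rec = self._users[user_id]
        rec["failed"], rec["locked"] = 0, False

    def is_locked(self, user_id):
        return self._users[user_id]["locked"]
```
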
 