Account Authority Digital Signatures:

Enabling Secure Internet Transactions via

Existing Payment Processes & Infrastructure

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

David C. Stewart

Director

Global Concepts

708 Holcomb Bridge Road

Norcross, Georgia 30071

 

Introduction

Digital signatures are a hot topic in the financial services industry; and for good reason. Financial institutions plan to use digital signature technology to authenticate retail and commercial customers who want to view account information, apply for loans, make payments or conduct any number of other transactions. Digital signatures offer the validation benefits of handwritten signatures without the labor-intensive processes of physical validation. Digital signatures are one of the great enablers of electronic commerce.

The most prevalent digital signature methodologies in the market today, however, are flawed as enablers of large scale electronic commerce. Specifically, digital signature methodologies that require digital certificates to be pushed around with each transaction are expensive, difficult to manage and loaded with systemic risk.

I was first turned on to this contrarian view by a conversation at the April 98 Internet Forum with Lynn Wheeler from First Data Corporation. The Internet Forum is an information exchange program for leading banks and vendors. Members gather three times annually to discuss case studies in banking and payment over the Internet. Global Concepts manages the Internet Forum and provides research and consulting to members. This document is based on a report that was delivered originally to members of the 1998 Internet Forum.

Wheeler is proposing alternatives to traditional digital signature methodologies through his work on the x9a10 working group of x9, the only ANSI-accredited financial standards development group. Specifically, Wheeler and others are developing the x9.59 electronic payment standard as an alternative to existing digital signature-based payment schemes. Whether x9.59 is the best solution is unclear, what is clear is that Wheeler is right in challenging the status quo.

Banks need to take a hard look at the methodologies being proposed to validate and to authorize electronic transactions via digital certificates.

 

Conventional Digital Signature Methodology

Commerce will occur on the Internet. For commerce to occur, contracts must exist. For contracts to exist, signatures are required. It is becoming increasingly accepted that digital signatures will suffice as binding signatures for Internet commerce. Global Concepts contends, therefore, that the digital signature will be a core component in the realization of true electronic commerce.

Digital signatures rely on a public key infrastructure (PKI). The PKI model involves an entity, such as a consumer, having a pair of encryption keys - one private, one public. These keys work in consort to encrypt, decrypt and authenticate messages. One way authentication occurs is through the application of a digital signature. For example:

This is the digital signature - a message digest encrypted with the private key. The buyer then sends the following to the seller:

To validate the signature, the seller performs the following:

Because of the potential for uncertainty about key pairs, the seller needs some way of knowing that the public key is safe to trust. To date, most of the solutions to this problem rely on a digital certificate issued by a third-party Certification Authority (CA).

A digital certificate is not a digital signature. Signatures are unique to each message - the unique digest of the message encrypted with the sender's private key. A certificate is the user's public key to which the CA has applied a digital signature. Functionally, it is the CA's way of saying, "we vouch for this public key." The certificate usually identifies the user in some way. In financial applications, one way of identifying the user is to bind the public key to the user's account. Secure Electronic Transactions (SET), the specification for processing credit card transactions over the Internet, does this.

One of the acknowledged shortcomings of digital certificates is that they themselves often need to be validated. It is assumed that CAs will put expiration dates on certificates or that a CA may need to revoke certificates because of fraudulent use. Therefore, more complex signature validation systems are required. There has to be some way of knowing that the digital certificate, which was issued at some point in the past, is still valid. The solution is a certificate revocation list (CRL). CRLs are meant to be accessed online, optionally (although preferably) in real-time, to guarantee that the certificate itself had not expired or been revoked since being issued to the user.

It may seem like a fairly complex transaction process already, but it can get even more complicated. Certificate-based commerce relies on trust in the certification authority. Since not all CAs are known or necessarily trusted by parties to a transaction, these types of transactions often require certification of the CAs themselves. There needs to be a common denominator of trust between two parties in the transaction. This translates into multiple certificates, one layered on top of another, in a single transaction. Each CA is essentially vouching for the integrity of its sub-CAs. This is what is called a CA hierarchy. Therefore, to get at the user's public key in order to validate a digital signature may require the receiver the transaction to peal off multiple digital certificates - each through a relatively intensive cryptographic operation. Suffice it to say, transaction times can be abysmally slow.

Thus, as we look at the traditional digital signature model - the one being discussed for many financial applications today - we see a complex and computationally expensive process for issuing, applying and validating digital signatures; one that will not work for mainstream financial transaction processing over the Internet. Why?

The problem is simple. Digital signature technology was devised by cryptographers and technologists, independent of any of the business processes that exist today for conducting financial transactions. Now that digital signatures are being used for financial transactions, they should use the infrastructure and business processes already in place to ensure trust in financial transactions - usually exclusive of digital certificates. Otherwise, banks are going to build costs into electronic transaction processing that are neither welcome nor necessary.

 

Proposed Digital Signature Methodology

Remember, the purpose of the digital certificate in a PKI transaction is to convince the receiver of the message to trust the public key presented by the message sender. The sender's public key is how the receiver validates the authenticity of the digital signature and therefore the origin of a message and the integrity of its contents. It all boils down to validating the public key, so you can validate the digital signature.

What Wheeler suggests is that we change the way we validate the digital signature. Rather than using a Certification Authority Digital Signature (CADS) model, Wheeler recommends using Account Authority Digital Signatures (AADS). The difference is relatively simple. It is the difference between pushing certificates around in every transaction and not pushing certificates around. Account authority digital signatures rely on a party to a transaction, such as the payer's bank (but it could simply be the other party involved), to keep a current copy of the payer's public key on file. There are no digital certificates and no certificate hierarchy to churn through. It's a brilliantly simple solution with potentially far reaching implications for the payments system as a whole.

The AADS model integrates digital signatures into the traditional financial transaction processing model. An account holder registers his public key with the account authority (e.g. depository financial institution). During a transaction, the public key (and/or transaction authorization) is retrieved from the payer's account record. This corresponds to how a merchant might perform online authorization of a credit card or paper check transaction at the point of sale; or how the payer bank might validate a signature on a high dollar check. Both of these specific scenarios can be replicated on the Internet. There is no need to use a more complicated transaction. The existing payment models already include processes and features that build trust into each financial transaction. The AADS model just sends the transaction directly to the entity that has the authority and the knowledge to approve the signature and the transaction.

Wheeler proposes two models for how payments could occur using account authority digital signatures injected into standard banking transaction models:

 

Model 1: Account-Based PKI

This model allows the payer's bank to verify the payer's digital signature either off-line or online (real-time or batch). When the payer initiates payment, he sends the transaction to the receiving business along with the digital signature and an account number to which payment should post. When the transaction arrives at the payer's bank, the bank validates the digital signature using the payer's registered public key (held on file in the payer's account record).

One feature of this model is that it allows for - but does not require - any immediacy in the way the transaction arrives at the payer bank. This makes it very well suited for securing E-Check transactions. One benefit of the E-Check is that both payment and clearing are asynchronous. The receiver of an E-Check payment, for example, decides when to deposit or to cash the E-Check regardless of when it was received from the payer. Refer to commentary #5 of the 97-98 Internet Forum The E-Check: Fortifying the Bank Payment Franchise for a more thorough discussion of how the E-Check works.

Account-based PKI is certainly not limited to E-Check payments. This model can also apply to electronic payments for which real-time authorization is required. For a credit card transaction over the Internet, for example, this model has the consumer passing his card number and digital signature along with the transaction to the merchant - but not a digital certificate. The merchant forwards the digital signature to the card issuer via the acquirer. The issuer verifies the digital signature using the registered public key and returns an online authorization to the merchant.

This model requires that the merchant have some way of passing the payer's digital signature to the payer's bank. In a credit card scenario, the message set additions to the authorization being processed over the private banking network are the following:

Regardless of the payment transaction, the net result of account authority digital signatures is that the payer's bank has limited its liability by validating a digital signature through existing processes. The merchant is also off the hook for a charge-back, because the signature has been validated. On top of that, the entire validation occurs without the cost of issuing and maintaining digital certificates.

 

Model 2: Positive Authentication

Wheeler proposes a second model that mirrors the POS credit card authorization process very closely. Rather than sending a digital signature in the authorization request, the merchant sends only the account number to the issuer. The issuer then returns what Wheeler calls a digitally signed "status response." The status response includes confirmation that the account is valid as well as a copy of the account holder's public key. If you will recall, a digital certificate is the user's public key that is digitally signed by the CA. Therefore, this status response is in essence a real-time digital certificate; the account authority is digitally signing the user's public key before sending it to the merchant. The merchant then uses the public key delivered by the issuer to validate the account holder's digital signature. Now here is where this model resembles the traditional CADS model - It is incumbent on the merchant (or merchant processor) in this scenario to validate the digital signature of the issuer. This may mean checking it against something like a certificate revocation list. This process introduces more steps into the process than does Model 1. Global Concepts believes that for most retail transactions, real-time validation of the issuer's certificate will not be necessary.

This model mirrors the existing credit card authorization model almost exactly. The message set additions to a credit card authorization being processed over the private banking network are the following:

This model seems best suited for high dollar transactions where the seller wants absolute assurance from the payer's bank of funds availability. In this case a digitally signed status response from the payer's bank makes sense. Beyond that, this model may exceed the requirements of most electronic transactions. Verifying the signature of the payer's bank looks awfully like checking a certificate revocation list online, a process we have assumed to be prohibitively cumbersome to high volume transaction processing.

The main business difference between this transaction model and Model 1 is the that it opens the door for chargebacks. There is no requirement that the buyer's signature be validated. Therefore, unscrupulous merchants could generate transactions using account numbers that don't belong to them. Or an honest merchant inadvertently could have sent the wrong payment amount for authorization. The payer's bank has no way of knowing that a digital signature was ever applied to the transaction.

 

Model 3: Global Concepts' Adaptation of Model 1 for Credit Card Transactions

Of the two models proposed by Wheeler, the first makes the most sense in terms of preventing merchant fraud, supporting high-volume, low-cost transactions and supporting myriad electronic payment types. It is a better alternative to the transaction model being implemented for SET. However, Global Concepts foresees AADS payment models having even greater implications on the payment system - specifically credit card payment - than Wheeler's model suggests.

Global Concepts proposes that account authority digital signatures could and should put an end to the two stroke credit card transaction model for Internet commerce. Because the digital signature sent through is by itself authorization for the transaction, there is no real difference between online PIN-authorized debit card transactions and credit card transactions authorized by a digital signature. With the account authority digital signature model, the issuer can validate the signature and post the transaction upon receipt of the authorization request from the acquirer. This is essentially the same type single message transaction used with debit cards. With debit cards, the account authorization, user authentication and initiation of payment occur through a single message. The current credit card process is a legacy of a 1970s process whereby a telephone authorization was coupled with physical clearing of the paper sales receipt. Even with the advent of card authorization terminals and electronic draft capture, this two-step process has persisted.

Therefore, Global Concepts recommends that Wheeler's first model be refined to specify single message credit card transactions that incorporate account authority digital signatures over the Internet. There is no inherent need to separate authorization and payment when the digital signature arrives in the first transmission.

 

Conclusions

Many people at the forefront of Internet banking and payment have accepted the notion that for digital signatures to work they require digital certificates, CAs and a CA hierarchy. This acceptance is understandable; the encryption technologies at issue here have grown out of technology developments not payment system innovations. Bankers are simply following the methodologies that cryptographers have developed to make transactions secure on the Internet. We have embraced them because they seem to work. By doing so, we have neglected to take full advantage of our own infrastructure. We have not done as much thinking inside the box as we should have.

 

Making Conscious Decisions about Risk Management

Certificate authority digital signatures are not only expensive to manage and computationally burdensome but they place the bank that issues the digital certificates in a position of risk. In a CADS model, compromise of a CA's private key is catastrophic. Bogus certificates can be issued and fraudulent transactions initiated, all seemingly authorized by the CA. To remedy the situation would require the CA (at the very least) to re-issue certificates to every certificate holder and to put ever previously issued certificate on a CRL. During any time a breach goes undetected, it puts the CA in the position of extreme risk. This systemic risk is why CAs guard their private keys with expensive physical and procedural security. The AADS model, on the other hand, carries no systemic risk. Without digital certificates, there is no technical need for a bank to have a private key. Granted, any bank involved in PKI transactions will likely have a private key, but no certificates (or hierarchy of certificates) are inherently dependent on the security of that key in the AADS model.

As attractive as AADS may sound, it will never eliminate the need for digital certificates. In cases where two parties have no prior relationship, third-party certification makes sense. Imagine a retail customer wanting to open a new account with a bank over the Internet. The idea of a third-party certificate would aid the bank tremendously in making quick work of the electronic sign-up process. This resembles the role that credit bureaus play today and points to the recent announcement between Equifax and IBM to provide CA services. Third-party digital certificates will exist.

Luckily, account authority digital signatures do not preclude the use of CADS. They rely on the same cryptographic operations to validate digital signatures. The latter simply requires additional steps in the validation process. An account authority can easily become a certification authority by applying its digital signature to a customer's public key rather than storing the public key in the account record. Wheeler contends that if an account authority wants to support trust propagation by issuing certificates, it should - but it should do so based on a conscious business decision. By requiring certificate authority digital signatures - as most existing methodologies do - banks are thrust into the position of trust propagation via digital certificates. It is no longer a business decision but a technical requirement. Banks may not want to take on the risk of trust propagation. As account authorities they don't have to, and they can still remain central to the transaction processing business.

 

AADS Require Buy-In

Clearly account authority digital signatures are not the norm right now. The account-based model will require buy-in both internally and across the banking industry.

The fact that the AADS model requires the addition of a new field in the account record and the ability to query that field for signature verification necessitates buy-in from the managers of the bank's core processing systems. Integration into core processing is more difficult to come by than a pilot of a few thousand digital certificates run out of the e-commerce group. Nevertheless, the avoidance of systemic risk and the relative costs associated with AADS should go over better with senior management in the long run.

From an industry perspective, AADS will require development of new payment protocols. Wheeler and the x9a10 committee are developing the x9.59 messaging standard. Without truly scrutinizing the x9.59 efforts, it is difficult to determine whether it is the best solution. But it is definitely a step in the right direction - and may be the best solution. To what extent Global Concepts' proposed migration to single message credit card processing can leverage x9.59 is not immediately clear. However, we encourage banks and the card associations to take a serious look at revamping the traditional credit card model. Account authority digital signatures obsolesces the need for two-message credit card transactions. We look forward to working with interested processors and banks in order to bring this change about.

Account authority digital signatures are a topic worthy of further research. We have only skimmed the surface in this commentary, but hopefully we have opened your eyes to a new and better alternative for securing electronic transactions.

 

David Stewart is a director at Global Concepts, a payment systems consulting firm based in Norcross, Georgia. Stewart is a recognized authority on Internet banking and payment systems. He works with financial institutions and vendors to help them to develop products and strategies for electronic banking and payment.

Mr. Stewart is director of the Internet Forum, a group of financial institutions, vendors and associations that sponsors research from Global Concepts and meets three times annually to discuss case studies in banking and payment online.

The Internet Forum comprises 48 member organizations:

Abbey National Plc
ABN AMRO
Banc One
Bank of Hawaii
Bank of Montreal
BankBoston
BellSouth
BroadVision
Brokat Infosystems, Inc.
CashStation, Inc.
Chase Manhattan Bank
Check Solutions
Comerica
ComTec
Concentric Network Corp.
First Citizens Bank
First Data Corporation
First National Bank of Maryland
First Union National Bank
Firstar Bank
Fiserv
Fleet Financial Group
Global Concepts
Hibernia National Bank
HONOR Technologies, Inc.
Huntington Bank
IBM
InteliData
Key Bank
MECA Software
Mellon Bank
Mid Am Bank
National City Bank
NationsBank
NEC Planning Research, Ltd.
Norwest Bank
Open Market
Royal Bank of Canada
S2 Systems
Security First Technologies
SouthTrust Bank
Summit Bank
SunTrust Bank
Toronto Dominion Bank
Travelers Express Co., Inc.
Union Bank of California
Visa USA
Wachovia Corporation

For more information about the Internet Forum visit http://www.global-concepts.com.

To reach Mr. Stewart directly:

email:

david@xxxxxxxx

phone:

(770) 300-9400