iBanking international security standards
Digital signature and encryption
These are supported in accordance with the applicable international standards (XMLDSIG and XAdES, in the XAdES-BES, XAdES-EPES, XAdES-T and XAdES-C forms). The cryptographic functions use the RSA and AES algorithms.
Security of the transactions
Different security measures are used depending on how the user authenticated during the transaction or when logging in to the system:
If the user is authenticated by certificate:
- On the client side, the account is signed with the client certificate and then encrypted.
- On the server side, the account is decrypted and, after successful decryption, the validity of the signature is checked.
If the user is authenticated by username/password, batch/PIN or Unique Master Citizen Number/PIN:
- The client side sends the user account, and the server side checks whether the account the client sent corresponds to the account kept in a predetermined account in the iBanking database.
- The server side also checks whether the predefined account that was sent belongs to the user who sent it.
If the user is authenticated by SMS code:
- When the SMS code is generated, the account is recorded in the iBanking database; upon confirmation of sending, only an XML message with the ID of the account and the SMS code information is sent.
- The validity of the SMS code is checked via the OTP module when the account is sent.
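The certificate-authenticated flow above (client signs, then encrypts; server decrypts, then verifies the signature) can be shown end to end with RSA and AES, the two algorithms the page names. The following Go program is an added illustration, not iBanking code: it uses a hybrid scheme (RSA-SHA256 PKCS#1 v1.5 signature as in XMLDSIG's rsa-sha256, AES-256-GCM for the payload, RSA-OAEP to wrap the AES key), raw bytes instead of an XMLDSIG/XAdES envelope, and freshly generated keys in place of the client certificate and the server key store. Everything named in it (Envelope, genKey, signAndEncrypt, decryptAndVerify, the sample order) is an assumption of this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the client transmits: AES-GCM ciphertext of (order || signature) plus the wrapped AES key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(serverPub, aesKey)
	Nonce      []byte // fresh AES-GCM nonce per message
	Ciphertext []byte // AES-256-GCM(order || signature)
}

func genKey() *rsa.PrivateKey { // 2048-bit key; stands in for the certificate key and the server key
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// signAndEncrypt is the client side: sign the order (RSA-SHA256 PKCS#1 v1.5, the XMLDSIG
// rsa-sha256 algorithm), then encrypt order and signature under a fresh AES-256-GCM key.
func signAndEncrypt(order []byte, clientPriv *rsa.PrivateKey, serverPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(order)
	sig, err := rsa.SignPKCS1v15(rand.Reader, clientPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	plaintext := append(append([]byte{}, order...), sig...) // signature length is fixed by the key size
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// decryptAndVerify is the server side: unwrap the key, decrypt (GCM rejects tampered ciphertext),
// then verify the signature with the client certificate's public key. The order is returned only if both succeed.
func decryptAndVerify(env *Envelope, serverPriv *rsa.PrivateKey, clientPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed: %w", err)
	}
	sigLen := clientPub.Size()
	if len(pt) < sigLen {
		return nil, fmt.Errorf("message too short to carry a signature")
	}
	order, sig := pt[:len(pt)-sigLen], pt[len(pt)-sigLen:]
	digest := sha256.Sum256(order)
	if err := rsa.VerifyPKCS1v15(clientPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	return order, nil
}

func main() {
	clientKey, serverKey := genKey(), genKey()
	order := []byte(`<order><amount>100.00</amount></order>`) // constructed sample order
	env, err := signAndEncrypt(order, clientKey, &serverKey.PublicKey)
	if err == nil {
		_, err = decryptAndVerify(env, serverKey, &clientKey.PublicKey)
	}
	fmt.Println("order accepted:", err == nil)
}
```

The server only hands the order on when both the decryption and the signature check pass; a message signed by a different key, wrapped for a different server key, or modified in transit is rejected at the corresponding step. In a real deployment the client public key would come from the validated certificate chain, and the signature would be carried in the XMLDSIG/XAdES structure rather than appended to the payload.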
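The SMS-code flow above records the account when the code is generated, later receives only the account ID and the code, and checks the code through the OTP module. The following Go program is an added example of the server-side checks that flow needs, not the product's OTP module: an in-memory store (OTPStore, pendingOrder, Confirmation, GenerateSMSCode, Confirm, maxAttempts are all names invented here) that binds the code to the recorded order, enforces expiry, single use and an attempt limit, and compares the code in constant time. The 5-minute lifetime, 3-attempt limit and 6-digit code length are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const maxAttempts = 3

// pendingOrder is the record written when the SMS code is generated. Only a hash of the code is
// stored; with a 6-digit code that is weak on its own, so expiry, single use and the attempt limit matter most.
type pendingOrder struct {
	orderXML string
	codeHash [32]byte
	expires  time.Time
	used     bool
	attempts int
}

// OTPStore stands in for the iBanking database and OTP module (hypothetical, in-memory).
type OTPStore struct {
	orders map[string]*pendingOrder
	now    func() time.Time // injectable clock so expiry can be tested
	ttl    time.Duration
}

func NewOTPStore(ttl time.Duration) *OTPStore {
	return &OTPStore{orders: map[string]*pendingOrder{}, now: time.Now, ttl: ttl}
}

// Confirmation is all the client sends back after the code was generated:
// the order ID and the code. The order body itself is never resent.
type Confirmation struct {
	OrderID string
	Code    string
}

// GenerateSMSCode records the order and returns its ID and the 6-digit code that
// would be delivered over SMS.
func (s *OTPStore) GenerateSMSCode(orderXML string) (id, code string, err error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", "", err
	}
	code = fmt.Sprintf("%06d", n.Int64())
	raw := make([]byte, 8)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	id = hex.EncodeToString(raw)
	s.orders[id] = &pendingOrder{
		orderXML: orderXML,
		codeHash: sha256.Sum256([]byte(code)),
		expires:  s.now().Add(s.ttl),
	}
	return id, code, nil
}

// Confirm checks the code against the recorded order: it must exist, be unused and unexpired,
// be within the attempt limit, and match in constant time. On success the stored order is
// returned for execution and marked used, so the same code cannot authorise a second order.
func (s *OTPStore) Confirm(c Confirmation) (string, error) {
	p, ok := s.orders[c.OrderID]
	if !ok {
		return "", errors.New("unknown order")
	}
	if p.used {
		return "", errors.New("code already used")
	}
	if s.now().After(p.expires) {
		return "", errors.New("code expired")
	}
	if p.attempts >= maxAttempts {
		return "", errors.New("too many attempts")
	}
	p.attempts++
	h := sha256.Sum256([]byte(c.Code))
	if subtle.ConstantTimeCompare(h[:], p.codeHash[:]) != 1 {
		return "", errors.New("invalid code")
	}
	p.used = true
	return p.orderXML, nil
}

func main() {
	s := NewOTPStore(5 * time.Minute)
	id, code, _ := s.GenerateSMSCode(`<order><amount>100.00</amount></order>`) // constructed sample
	order, err := s.Confirm(Confirmation{OrderID: id, Code: code})
	fmt.Println("first confirmation:", order, err)
	_, err = s.Confirm(Confirmation{OrderID: id, Code: code})
	fmt.Println("replay:", err)
}
```

The point of returning the stored order from Confirm, rather than trusting anything resent by the client, is that the code authorises exactly the order that was recorded when the code was generated; the attempt counter is incremented before the comparison so that a failed guess is never free.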
Use of the "four-eyes" principle
The "four-eyes" principle is used for the function of issuing certificates to retail customers. The first system administrator can generate a certificate request, send it to the Certificate Authority, receive the generated certificate, write it to the medium and activate it. Only when a second system administrator confirms that activation does the certificate become valid for use.
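The rule stated above (activation by one administrator, confirmation by a second, validity only after both) is easy to get wrong in code if nothing stops the same administrator from performing both steps. The following Go program is an added example of enforcing it, not iBanking's implementation: a small state machine (CertState, Certificate, Activate, Confirm, Usable and the audit trail are all names invented here) that refuses a confirmation from the administrator who activated the certificate and reports the certificate as usable only in the Valid state. It assumes the admin identifiers are the authenticated identities of the administrators.

```go
package main

import (
	"errors"
	"fmt"
)

// CertState follows the certificate through the two-administrator issuance flow.
type CertState int

const (
	Requested CertState = iota // request generated and sent to the CA
	Activated                  // certificate received, written to the medium and activated by admin 1
	Valid                      // activation confirmed by a second, different admin
)

func (s CertState) String() string { return [...]string{"Requested", "Activated", "Valid"}[s] }

// Certificate records who performed each step; the admin IDs are assumed to be the
// authenticated identities of the administrators, not names typed into a form.
type Certificate struct {
	Customer    string
	State       CertState
	ActivatedBy string
	ConfirmedBy string
	Audit       []string // hypothetical audit trail, one entry per step
}

var (
	ErrWrongState = errors.New("operation not allowed in the certificate's current state")
	ErrSameAdmin  = errors.New("four-eyes violation: confirming admin must differ from the activating admin")
)

// Activate is the first administrator's step (after the request, the CA exchange and the write to the medium).
func (c *Certificate) Activate(admin string) error {
	if c.State != Requested {
		return ErrWrongState
	}
	c.State, c.ActivatedBy = Activated, admin
	c.Audit = append(c.Audit, "activated by "+admin)
	return nil
}

// Confirm is the second administrator's step. It is refused when the same administrator tries
// to confirm their own activation, and the certificate becomes usable only after it succeeds.
func (c *Certificate) Confirm(admin string) error {
	if c.State != Activated {
		return ErrWrongState
	}
	if admin == c.ActivatedBy {
		c.Audit = append(c.Audit, "confirmation refused for "+admin+" (same admin)")
		return ErrSameAdmin
	}
	c.State, c.ConfirmedBy = Valid, admin
	c.Audit = append(c.Audit, "confirmed by "+admin)
	return nil
}

// Usable is what the rest of the system consults before accepting the certificate for login or signing.
func (c *Certificate) Usable() bool { return c.State == Valid }

func main() {
	c := &Certificate{Customer: "retail-customer-1"} // constructed sample
	fmt.Println(c.Activate("admin-a"), c.Usable())  // <nil> false
	fmt.Println(c.Confirm("admin-a"))               // four-eyes violation
	fmt.Println(c.Confirm("admin-b"), c.Usable())   // <nil> true
	fmt.Println(c.State, c.Audit)
}
```

Keeping the check on the server side, keyed to the authenticated identity rather than to a name in the request, is what makes the second pair of eyes meaningful; the audit entries give the reviewer of the issuance a record of who did which step and of any refused self-confirmation.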