Verifying the hash value of the bank keys in the EBICS initialisation request

EBICS transactions are divided into different phases: initialisation, data transfer and acknowledgement (the latter only for download transactions).

The scope of the initialisation includes, among other things, checks of the following aspects:

- Order type

- Authentication signature

- Hash values of the bank keys

- User-related authorisations

Only once the initialisation is successfully completed does the transaction continue with the transfer phase, during which the actual order data is sent. The hash values of the bank keys are checked during initialisation to ensure that the client uses the current bank keys. If the check is not successful, the server sends the return code EBICS_BANK_PUBKEY_UPDATE_REQUIRED. For the client, this indicates that the most recent bank keys should be downloaded by means of the order type HPB.

Before the EBICS 3.0 harmonisation, the bank keys could be used directly or within certificates. As per EBICS specification, up to EBICS 3.0 the hash values of the public bank keys must be specified in the transaction initialisation – irrespective of whether it is certificates or keys that are exchanged with the bank.

As of EBICS 3.0, certificates are mandatory for key management. In this context it was decided that both for uploads and for downloads, the hash values of the certificates will have to be specified in EBICS initialisation requests in the future.

Usually the manufacturers of EBICS bank servers enable their customers to have a gradual transition by allowing them to specify both the bank keys and the certificates in DER format. This means that customers do not have to perform a download via the order type HPB after the migration to EBICS 3.0. Both keys and certificates can be specified either in a specification compliant hex layout or in an alternative Base64 layout. A mixture of both layouts in one request is usually not intended.

By the way: with EBICS 3.0, the key management has been unified not only for bank keys, but also for user keys. It is thus now mandatory to initialise users with certificates not only in France (CFONB), but in all countries. Usually EBICS bank servers allow for a gradual transition in this aspect, as well. User keys with a minimum length of 2.048 bits can also be used for EBICS 3.0. For key updates (order types HCA, HCS and PUB) new certificates can usually be signed with the keys of older EBICS versions.
CA-based certificates are still only used in France. From the bank server perspective, however, nothing should stand in the way of introducing them in other countries.

Author: Hendrik Chlosta


Post a Comment