TLS in finance and banking
TLS is a standard SSL extension used in the Internet. It ensures the confidentiality and integrity of data transmission as well as authentication of the server and the client. It is of particular importance in safe banking transactions. At present, electronic banking is accessible only via browsers supporting the latest version of the TLS protocol. The similar rules are introduced by the Ministry of Finance, which in October last year posted on its website the information about the change in the way in which the e-Declarations test gate communicates with WebServices. TLS version 1.0 was replaced by TLS 1.2. The sudden change caused numerous problems with sending required documents by end users, so the Ministry decided to revert to TLS 1.0. The situation showed that end users and vendors of software had to adapt themselves to changes. The re-upgrade of the protocol to TLS 1.2 is scheduled for mid-2017.
The described problem is related to both the adaptation of endpoint workstations (a relevant version of an operating system and a browser is required), software and systems responsible for exchanging information with the Ministry or banks requiring a secure TLS 1.2 protocol as well as mobile devices.
One must remember that the connection security also depends on the cipher suites used in the connection. In addition, it is necessary to use current libraries – implementations of the TLS protocol where vulnerabilities appear frequently. Due to the security and performance enhancement features that appeared in TLS 1.2, customers should connect using the latest version of the protocol.
Comparison of TLS versions
Developed in 1999 as an update for SSL 3.0 with many vulnerabilities. It is vulnerable to the BEAST attack, which enables, for example, stealing a cookie from a TLS-secured HTTP session.
Published in 2006. Includes fixes in CBC implementation: secure IV initialization vectors and handling of padding errors.
Published in 2008. In this version, the features increasing security and performance were added: using the SHA-256 algorithm instead of MD5-SHA-1 in the pseudo-random function and support for AEAD (Authenticated Encryption with Associated Data) ciphers. These ciphers are used in GCM and CCM modes. They protect against the “Lucky Thirteen" attack. In addition, the GCM mode is characterized by high performance.
TLS 1.2 vs. SAP systems
SAP systems also require adjustments and comprehensive verification of the configuration to ensure full support of the encryption protocol and proper communication before its final change. SAP systems that connect to external systems supporting only TLS version 1.2 require verification of versions of such components as:
- Kernel (SAPSSL) – SAPSSL is an integrated part of ICM (Internet Connection Manager) responsible for handling NetWeaver Kernel sessions. The configuration is made using SAP profile parameters.
- CommonCryptoLib – a library called up by SAPSSL.
- IAIK JCE & JSSE (for SAP AS JAVA only) – a component responsible for outgoing connections.
SAP systems that do not have relevant versions of the mentioned components will not be able to connect via the TLS 1.2 communication protocol. The upgrade of the components to the required versions and loading the configuration from the SAP profiles require the system to be restarted, which means its unavailability.
IT security management is a process. Confidentiality, Integrity, Availability (CIA) are stable pillars of this process. If any of them is degraded with time, then the IT security management process can quickly collapse in ruins. Security administrators must therefore ensure that the security pillars are sound. The security of communication protocols is all the more important that breaking them can lead to both intercepting, changing the content, and interruption of communication between IT systems, i.e. the destruction of each of the security pillars. This can have catastrophic consequences for business processes and their owners.
Dariusz Kurkiewicz, SAP Implementation Team Leader, SNP Poland
A new standard = greater security
Over time, the TLS 1.2 encryption protocol will be required by an increasing number of IT solutions. The adaptation of the administrated systems to the new standard is just a matter of time. It is therefore recommended to verify the current condition of IT systems and to adapt them to the forthcoming requirements much earlier. In this way, we gain not only full compatibility with third party solutions but, first of all, full security of data transmission.
SNP provides services related to IT security in its broad sense. Our team of certified security consultants is able to take the role of a group of hackers (pentesters) and check the security of a company, i.e. to perform the so-called penetration tests (pentests). We also carry out configuration audits regarding security settings, hardening, good practices and other guidelines and methodologies.