
This specification describes the OFC data format and details how Microsoft® Money uses OFC for online home banking and online bill payment features.



Secure communication protocols


Microsoft Money will support two Internet standard protocols for securing the communication channel between client and server: Private Communications Technology (PCT) and Secure Sockets Layer (SSL). Money will support PCT 1.0, SSL 2.0 and SSL 3.0.

PCT and SSL also guarantee the integrity of messages sent between client and server and will authenticate the identity of a server using certificates. Money will support a 128-bit key (64-bit internationally) for use with SSL or PCT.



Note: Email ofc@microsoft.com for more information on enabling your server to use 64-bit encryption.

PCT and SSL


Both PCT and SSL use public-key encryption to secure a channel between client and server. Before any OFC data is sent, Money and the bank’s server will negotiate a session key that is used to encrypt the session. Once a session key has been agreed upon and the session is secure, Money will send an OFC file to the server.

Each session secured using PCT and SSL uses a different session key. If a session is compromised, this security breach is limited to one particular session. Compromising subsequent sessions will involve spending the same amount of effort as it took to compromise the first session.

Using a 128-bit key makes the communication between Money and a bank’s server significantly more secure than previous implementations of SSL that used 40-bit keys. These implementations were subject to “brute force” attacks, in which it was possible to try each of the 2^40 possible keys until finding the one that decrypts the message. Using longer 128-bit keys makes these calculations prohibitively more expensive.

SSL is currently available in the Netscape Navigator browser, Netscape Commerce Server, Microsoft Internet Explorer 2.0, 3.0 and Microsoft Internet Information Server. PCT will be supported in Microsoft Internet Explorer 3.0 and Microsoft Internet Information Server 1.1.

A bank can choose the solution that best meets its needs. For more information about PCT, see http://pct.microsoft.com or http://www.microsoft.com/internet. For more information about SSL, see http://www.netscape.com/newsref/std/SSL.html.

Communicating over a private network


A bank can choose to communicate with Microsoft Money using a private dial-up network running the PPP protocol. Microsoft Money will use the same 128-bit (64-bit internationally) SSL or PCT security protocols to communicate on this type of network.

OFC User ID and Password


To set up Microsoft Money for use with OFC, the user will be asked for a bank-issued user identification code and password.

The user identification code must uniquely identify a user (i.e. social security number) on the bank’s server. A user will enter their password into Microsoft Money once and it will be sent to the bank’s server in every session.

A user must enter their password before calling the bank’s server. Microsoft Money will never write this password to disk, and the password will always be displayed as asterisks (*) in the Money user interface. A bank can send a request to Microsoft Money that will force the user to change their password on the next session.

Implementing security


A bank should take the following steps to implement security:

  1. Install SSL or PCT on the HTTP server. See the server documentation for details on how to do this.

  2. Obtain a certificate for the server from VeriSign. The VeriSign home page (www.verisign.com) includes instructions on how to get a certificate for your HTTP server.

Note: The Common Name on the server’s certificate should be the URL of the server (servername.domainname). For example, www.bank.com is a valid Common Name. When connecting to a server, Money will match the Common Name on the certificate with the server’s URL. If they match, Money will allow the session to proceed. If they don’t match, Money will alert the user that the server they are connecting to may be an impostor. The user will be given the option to proceed or to cancel the session.

  3. Define a process for distributing User IDs and passwords to Microsoft Money users. For example, some banks may mail these to their users, while others may issue these over the telephone.
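
The Common Name check described in the note above, sketched in Python as an added example (not code from Microsoft Money or the OFC specification). It assumes the certificate is available in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`; the function names, the constructed sample certificate, and the case-insensitive exact comparison are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed sample certificate subject, in the getpeercert() dict layout.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Bank"),),
        (("commonName", "www.bank.com"),),
    )
}


def cert_common_name(cert):
    """Return the first commonName in the certificate subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _normalize(host):
    # Assumption: compare host names case-insensitively and treat a
    # trailing dot as the same name.
    return host.rstrip(".").lower()


def common_name_matches(cert, server_url):
    """True only if the Common Name equals the host part of the server URL."""
    # urlsplit isolates the host; scheme, port and path are not compared.
    host = urlsplit(server_url).hostname
    cn = cert_common_name(cert)
    if not host or not cn:
        return False  # fail closed when either side is missing
    # Whole-name equality, so a longer name that merely starts with the
    # Common Name does not pass.
    return _normalize(cn) == _normalize(host)


def session_decision(cert, server_url):
    """Mirror the note: proceed on a match, otherwise alert the user."""
    return "proceed" if common_name_matches(cert, server_url) else "alert-user"


if __name__ == "__main__":
    for url in ("https://www.bank.com/ofc",
                "https://WWW.BANK.COM:443/ofc",
                "https://www.bank.com.example.net/ofc"):
        print(url, "->", session_decision(SAMPLE_CERT, url))
```
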

Chapter 3


Microsoft Money and the Branding Server


The Branding Server is a server used by Microsoft Money to download details about the online services a bank chooses to offer its customers. The information stored on the Branding Server is provided by the bank and can be updated by the bank at any time. Microsoft Money users will be able to call the Branding Server free of charge.

Information downloaded from the Branding Server tells Money what online services are offered by a bank, how to connect to the bank, and also provides graphics to enhance the Money user interface with the bank’s logo and contact information.


Chapter overview


  1. Microsoft Money uses the Branding Server to find out how to connect to a bank’s server.

  2. The Branding Server will also download branding information that will customize the Money user interface with information provided by the bank.

  3. Money users will be able to call the Branding Server free of charge.

Identifying a financial institution


The first step in Money’s online services setup process involves the user providing Money with the 9-digit routing and transit number or the first 6 digits of their credit card number.

This information will be sent to the Branding Server. The Server will match the routing and transit number or credit card number to a financial institution. Once the Branding Server has identified an institution, the information provided by the institution will be downloaded to Money.

