System Security
The eKassir PaySystem Server input protocol (eKassir v2 Protocol) is designed to transfer information from kiosks (cashier-operated points) to the server and uses HTTP as its message transport. From a security point of view, this protocol carries traffic in the clear, where adversaries can intercept it. HTTPS can be used to encrypt the information. There is also the option of establishing VPN connections by any available software means.
In addition, the authentication mechanism is combined with protection against spoofing, because packets are digitally signed. A data packet containing the point identifier also contains a digital signature of the information body.
At present, the digital signature in the eKassir® system is produced as follows:
- A hash of the information is computed with the MD5 algorithm;
- A digital signature of the generated hash is computed using an RSA private key (1024-bit);
- The digital signature is attached to the message body.
A data packet that reaches the server is verified before the request is passed to the system for processing. First, the identifier of the point (kiosk) on whose behalf the request was created is retrieved; next, the public key belonging to this point is retrieved from the repository of public keys. The signature is then verified. Currently the eKassir® system uses the MD5 algorithm for hash generation. In the future SHA1 may be employed.
Apart from the digital signature, the payment record has a timestamp indicating when the payment was created on the terminal. After the signature is verified, the server compares the current time with the timestamp in the packet data. If the time difference is greater than the admissible value, the request is denied.
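The server-side checks described above (key lookup by point identifier, signature verification, timestamp window), as an added Go example; it is not eKassir code and does not use cryptolib.dll. The packet fields, PKCS#1 v1.5 padding, the inclusion of the timestamp in the signed data, the point name and the five-minute window are assumptions the page does not specify.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
	"time"
)

type Packet struct { // field names are hypothetical; the page gives no wire format
	PointID         string
	Timestamp       time.Time
	Body, Signature []byte
}
var ErrUnknownPoint = errors.New("unknown point")
var ErrBadSignature = errors.New("signature mismatch")
var ErrStale = errors.New("timestamp outside admissible window")
func digest(p Packet) []byte { // MD5 over timestamp+body; signing the timestamp is an assumption
	sum := md5.Sum(append([]byte(p.Timestamp.UTC().Format(time.RFC3339)+"\n"), p.Body...))
	return sum[:]
}

// Verify follows the page's order: key lookup by point, signature, timestamp.
func Verify(keys map[string]*rsa.PublicKey, p Packet, now time.Time, skew time.Duration) error {
	pub, ok := keys[p.PointID]
	switch {
	case !ok:
		return ErrUnknownPoint
	case rsa.VerifyPKCS1v15(pub, crypto.MD5, digest(p), p.Signature) != nil: // padding is assumed
		return ErrBadSignature
	case now.Sub(p.Timestamp).Abs() > skew:
		return ErrStale
	}
	return nil
}

func sample(ts time.Time) (map[string]*rsa.PublicKey, Packet) { // constructed key and packet
	priv, _ := rsa.GenerateKey(rand.Reader, 1024)
	p := Packet{PointID: "kiosk-1", Timestamp: ts, Body: []byte("amount=100")}
	p.Signature, _ = rsa.SignPKCS1v15(rand.Reader, priv, crypto.MD5, digest(p))
	return map[string]*rsa.PublicKey{"kiosk-1": &priv.PublicKey}, p
}

func main() {
	keys, p := sample(time.Now())
	fmt.Println(Verify(keys, p, time.Now(), 5*time.Minute))
}
```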
Our company has developed its own library (cryptolib.dll) to implement the digital signature mechanism. The library provides the functionality the system needs but does not allow you to do anything that would compromise the private key, such as using a blind signature scheme. We use the RSA 1024-bit algorithm, which is a noncommercial public key cryptosystem distributed free of charge and requiring no usage licenses.
More detailed information on how security issues are handled in the eKassir® system can be found in the technical documentation, which devotes a separate chapter to this matter.