...
API connections and data in transit must be encrypted using TLS v1.2/1.3 Mutual Authentication (MA) as a minimum, with a defined set of strong cipher suites.
Transport Layer Security (TLS) v1.2/1.3 MA
TLS was designed with the goal of providing privacy and ensuring data integrity between two communicating applications.
This has two layers:
The first layer uses TLS Record Protocol to encapsulate other higher level protocols
The second layer uses the TLS Handshake Protocol, which allows the server and client to authenticate each other. The protocol allows negotiation and agreement of a cryptographic algorithm and keys prior to transmission or receipt of any data.
This is a baseline level of security that rides on the TCP protocol and underpins HTTPS. All RESTful APIs are by default created to use this as their encryption mechanism.
...
Note: The APIs require TLS 1.2/1.3 Mutual Authentication, and this may be used as a means of non-repudiation. However, it would be difficult to maintain digital records and evidence of non-repudiation if the API relied only on TLS 1.2/1.3. A solution for non-repudiation that does not rely on TLS would be achieved by providing a JWS with detached content (as defined in RFC 7515, Appendix F) in the HTTP header of each API request. The HTTP body would form an unencoded payload as defined in RFC 7797. The JWS would be signed using an algorithm that supports asymmetric keys: a request would be signed by the AISP's/PISP's private key and a response by the ASPSP's private key. Digital signatures provide non-repudiation and authenticity using public key algorithms: the private key is used to encrypt (sign) the hash of the content and the public key to decrypt (verify) it, and the encrypted hash is called a digital signature. JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. The certificate itself is digitally signed by the trusted Certificate Authority (CA): the hash of the certificate is encrypted with the private key of the trusted CA.
...