Brokat AG: Twister for eCommerce

by Paul Grosse - March 1999

Introduction

As the number of companies taking part in e-commerce grows, those that fail to participate will begin to see their market share fall as their competitors overtake them. Clearly, there are problems in trying to build a workable, reasonably secure system from a disparate collection of legacy databases, business transactions and delivery channels. With so many complexities, any home-grown system could not be guaranteed to be complete, would be difficult to monitor, and hackers would find it easy to locate vulnerabilities that had been overlooked in the rush to get online.

Taking into account the nature of online transactions - the fact that, in effect, money is changing hands over an open, public network - they are particularly vulnerable to attack simply because there is potentially so much to be gained by breaking into the system. Any company that decides to implement a home-grown system has to be very sure of the abilities of its programmers, and of its testing, to remove any loopholes in the system before it goes live.

Twister from Brokat is designed to provide a central platform of services into which various modules plug, connecting back-end databases and delivery channels and so integrating the system as a whole. It is a secure system that runs on a number of common operating systems.

Products

Twister

Many systems consist of a multiplicity of legacy databases and services that need to be connected to various networks using a number of protocols. There are effectively three options open to a company that wishes to implement an e-commerce solution: get its own programmers to build one; opt for a third-party solution; or out-source everything.

Building in-house a suite of programs, each connecting the users to the required services and databases, would be a programming nightmare requiring an in-depth knowledge of all of the components to be integrated. Since the process could realistically take between one and one and a half years, the time available for a thorough testing programme would be compromised, leaving no guarantee of the functionality or security of the resulting programs. With the attractive rewards for a successful attack on such a system, any holes in the programmers' knowledge of any component used could amount to an open invitation to a hacker. A third-party solution could simply complicate the issue and be just as vulnerable - possibly more so.

Brokat's approach is to have a system with a central core into which each component plugs - making it, in effect, a modular transaction platform. The Twister system consists of Gateways, Accessors and Services, with Development Tool-kits available for companies wishing to employ third parties as sources of Twister components. Gateways connect the user to the system via their network, and Accessors connect existing computer systems and databases to the system. New technology and functionality may therefore be incorporated simply by adding a new Gateway or Accessor.

The central Twister Service monitors and controls communications between the Gateways and the Accessor Modules. The transaction traffic is based on the CORBA (Common Object Request Broker Architecture) communications standard IIOP (Internet Inter-ORB Protocol), which allows Twister components to be integrated into other CORBA-based applications. It may be displayed and analysed statistically using central logging, an SNMP daemon or a browser-accessible HTTP daemon. IIOP traffic may be protected by 128-bit Secure Sockets Layer (SSL), thus allowing the distribution of Twister components over an open network.

Twister's services provide the basic functioning of Twister, co-ordinating communications between Gateways and Accessors in addition to logging and monitoring the system. They may be divided into two groups - Base Services and Extended Services. Base Services include: Naming; Repository Management; Logging; Load Balancing; and Licensing, whilst Extended Services include: Reporting; System Administration; SNMP Monitoring and Administration; Transaction Management; and Queuing for asynchronous applications.

Application Gateways

The Gateways are like the Application Gateways that you would find in a second-generation firewall. They filter the incoming data traffic, ensuring that every single client order that reaches a Twister Gateway is completely interpreted before it is passed on to the appropriate Accessor Module, which then initiates the enquiry, the Accessor Modules obtaining the necessary information from the Twister services.

Twister contains many Application Gateways, but the most important ones are: X.PRESSO; X.PAY; HTTP; HBCI; RMG; and BTX.

X.PRESSO is a Java-based encryption package which enables simple, bank-controlled 128-bit enhancement for all standard Internet browser-based solutions 'without', as Brokat puts it, the requirement for 'additional software to be installed onto the browser computer'. The package consists of a security server and Java Security Classes with which SRT (Secure Request Technology, an optimised variant of SSL) has been implemented; it is not subject to export restrictions. X.PRESSO has received the European ITSEC security certificate E3-high. As SRT supports any carrier protocol, any Java and HTML banking applications using the X.PRESSO Security Classes are able to use 128-bit encryption.

X.PAY is based on SET (Secure Electronic Transaction) and is composed of: X.PAY wallets; a merchant component, the server; and the X.PAY Gateway. X.PAY wallets are, again, Java-based applications, loaded from the acquirer, and are responsible for the secure transmission of payment information such as credit card details and the name of the bank. The Gateway allows connection to a range of clearing networks using further Twister components, supporting, in addition to credit card transactions, other payment methods such as direct debits, customer loyalty cards, cash cards and micropayments.

The HTTP Gateway processes HTTP requests from the Internet and makes the results available to the customer in the form of HTTP responses for their browser. Rapid, bespoke customisation for HTTP clients may be done with TCL scripts, allowing existing financial management programs to be linked quickly to any back-office systems via the Internet, provided that they have an HTTP interface. The use of HTTP also allows the quick programming of back-office solutions to provide integrated and customised HTML banking and other payment transaction solutions.

Home Banking Computer Interface (HBCI) transactions are processed by the Twister HBCI Gateway. This German online banking standard defines security and business criteria for multi-banking applications. The Twister HBCI Gateway allows secure integration into various back-office components. In order to keep in line with Microsoft's online banking standard, Open Financial Exchange (OFX), a Twister OFX Gateway will also be made available.

Twister has an RMG Gateway which can process the proprietary RMG requests of the online services from AOL. This gateway allows simple customised configuration using TCL scripts, so any back-office transaction application may be generated and integrated within AOL. Similarly, the Twister BTX Gateway allows traditional videotext transaction solutions (such as the German BTX and Swiss VTX) to be integrated in the same way.

In addition to these gateways, third-party gateways, such as One-to-One software by BroadVision, may be connected to Twister via the Twister Development Framework.

Accessor Modules

Preconfigured, generic Twister Accessor Modules allow the connection of a wide variety of back-office systems, using TCL scripts to individualise them. In this way, virtually no changes are required to the existing back-office systems. Transaction logging on each module is supported as standard. Again, there are a number of Accessor Modules, with some of the more important ones described here:

The SQL Accessor Module enables TCL script-controlled access to almost all relational databases, such as Oracle, Sybase and IBM Informix, with the ability to define all database queries as required.

The Message Accessor Module allows access to a number of transaction middleware systems, with modules for simple SNA access to the host-based IBM transaction systems CICS, IMS and MQSeries already in use.

HBCI Accessor Modules allow an HBCI host application to access HBCI net data interfaces directly, therefore allowing HBCI data to be used for any number of other appropriate applications.

A generic Screen Accessor Module allows script-controlled access to terminals such as 3270 and VT220, with an additional extension being used for videotext systems such as the BTX and VTX mentioned earlier; thus existing videotext banking solutions may be extended to the Internet or AOL.

The Low-Level Accessor Module allows legacy systems that use non-relational databases or individual files to be used in the same way as the others mentioned above.

Many security vulnerabilities are the result of poor implementation - files and programs that provide loopholes being left on machines, incorrect configuration and so on. In order to make sure that Twister is implemented correctly, Brokat carries out the implementation for the company itself.

Platforms

Operating Systems:

Accessors:

Applications Specific Accessors:

Services:

Gateways:

Applications Specific Gateways:

Pricing

Pricing depends upon the overall configuration of the system (Accessor Modules, Application Gateways and so on) together with the number of concurrent users. It is recommended that a price for a particular implementation be obtained from Brokat directly.

Opinion

Connecting a disparate set of users and financial services to an equally disparate set of databases is handled neatly with this product, as each end device and its protocol is handled by an Application Gateway that plugs into the same central core as the Accessor Modules that connect them to the databases and other back-office components. In this way, existing services may be incorporated simply and effectively, while allowing them to be extended to include services that they would otherwise not have had access to. Existing videotext users, for example, can not only access their videotext services but also Internet services and others - all defined by the Twister services.

The Twister platform is CORBA/IIOP compliant and, as an option, may be encrypted using SSL, thus allowing it to be distributed over a network. Load-balancing services ensure that the capacity of the system is maximised at all times and, in addition, redundancy may be built in, allowing the continuation of the service in the event of a partial system failure.

The Brokat Twister platform is built on standard operating systems. While these provide a tested platform in which any vulnerability is closed reasonably quickly, thus reducing the window of opportunity for hackers, such operating systems also support a number of other programs and come with example applications, both of which can give hackers opportunities to exploit weaknesses. With the computer running the Application Gateways effectively being the system's firewall, the same rules that apply to the effective running of firewalls must also apply to that machine - that is to say, only the programs required to run the system should be allowed on that machine, as any others will open the door to other routes of attack.

The transaction traffic on the central platform may be encrypted using SSL, thus allowing the system to be distributed amongst several machines. Unfortunately, SSL is open to an adaptive attack. SSL uses RSA as its method of encryption, and the implementation used in SSL allows a hacker to send packets to a machine and gain information about the session by observing the replies. In this way, the system can be partially broken. Note that this type of attack does not apply to all types of asymmetric encryption: no such information can be gained in this way on a system using the Diffie-Hellman algorithm.
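The adaptive attack described above works because an SSL server that RSA-decrypts the client's key-exchange message replies differently when the PKCS#1 v1.5 padding of the result is malformed, and each distinguishable reply tells the sender something about the plaintext. The Python below is an added illustration, not Brokat's code nor any SSL implementation's; it assumes the RSA decryption has already taken place and uses constructed sample blocks to contrast a server that exposes the padding check with one that hides it behind a uniform reply, which is the mitigation later specified for TLS.

```python
import os

PREMASTER_LEN = 48  # length of the SSL pre-master secret carried in the RSA block

# Constructed sample inputs: what the server holds *after* RSA-decrypting the
# client's key-exchange message (the RSA step itself is deliberately left out).
GOOD_PMS = bytes(range(PREMASTER_LEN))
GOOD_BLOCK = b"\x00\x02" + b"\x11" * 8 + b"\x00" + GOOD_PMS   # valid type-2 padding
BAD_BLOCK = b"\x00\x01" + b"\x11" * 8 + b"\x00" + GOOD_PMS    # wrong block type

def pkcs1_v15_unpad(block: bytes):
    """Return the payload of a valid PKCS#1 v1.5 type-2 block, or None."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        return None
    sep = block.find(b"\x00", 2)          # first zero byte after the padding string
    if sep < 10:                           # not found, or fewer than 8 padding bytes
        return None
    return block[sep + 1:]

def leaky_server(block: bytes) -> dict:
    """Replies differently on bad padding: each reply tells the sender one
    thing about the plaintext, which is the leak the adaptive attack relies on."""
    pms = pkcs1_v15_unpad(block)
    if pms is None or len(pms) != PREMASTER_LEN:
        return {"alert": "bad_padding"}
    return {"ok": True, "pms": pms}

def hardened_server(block: bytes) -> dict:
    """Uniform reply: a malformed block is silently replaced by a random
    pre-master secret, so the handshake fails later in exactly the same way
    as for any wrong secret and the padding check is not observable."""
    pms = pkcs1_v15_unpad(block)
    fallback = os.urandom(PREMASTER_LEN)
    if pms is None or len(pms) != PREMASTER_LEN:
        pms = fallback
    return {"ok": True, "pms": pms}

def leaks_padding_status(server) -> bool:
    """Defender's check: does the reply *shape* depend on padding validity?"""
    good = server(GOOD_BLOCK)
    bad = server(BAD_BLOCK)
    return set(good) != set(bad)

if __name__ == "__main__":
    for name, srv in (("leaky", leaky_server), ("hardened", hardened_server)):
        print(f"{name}: distinguishable replies = {leaks_padding_status(srv)}")
```

A real check would also compare timing and the later Finished-message failure, since any observable difference, not only the alert type, re-opens the same channel.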

Strengths

Weaknesses

Conclusions

Twister is a well-designed platform for e-commerce that allows the easy accommodation of new technologies as systems become more capable and the expectations of users increase. E-commerce is growing exponentially, and as more and more users and companies start doing business via the Internet, a scalable product like Twister is set to empower companies that need to get online.

Being a commercial product designed for this specific use by a company that does not have other significant priorities that could divert investment away from it, users can be reassured that Twister remains Brokat's top priority and therefore has all of Brokat's attention. Many other software vendors have many other interests, and sometimes political decisions are made that are not in the interests of the security of end users, services or the companies that use their software - this is not the case with Brokat.

Twister has already been installed in over a thousand banks in Europe, and with the Euro being the second largest currency world-wide, the significance of having a system that can interact with it is considerable - as a result, Twister should be of great interest to companies in the US as well as to European companies.

Company Profile

Brokat AG was founded in 1994 in Stuttgart, Germany, and has developed into a supplier of secure solutions for Internet banking, Internet brokerage and Internet payment, all of which are based around its core product, Twister. The company now has 265 employees and subsidiaries in Australia; Austria; Eire; Luxembourg; Singapore; South Africa; Switzerland; the UK; and the USA.

During the financial year 1997-1998, revenues amounted to approximately 30 million Deutsche Marks, which represents an increase in revenues over the previous year of 175%, which was itself an increase of 200% over the year 1995-1996. Of this, 100% was from Germany in 1996-1997, with the international share increasing through 18% to 35% for 1997-1998. By 1998, Brokat had a 76% share of the Internet banking solutions market in Germany.

Brokat's partner programme, Tornado, is divided into Solution Providers; Consulting Partners; Component Providers / Value Added Resellers / Original Equipment Manufacturers; and, Product Partners. Tornado includes such names as: AOL Bertelsmann Online; Concord-Eracom; Hewlett-Packard; IBM Deutschland Informationssysteme; Netscape Communications; Siemens Nixdorf; Sun Microsystems Inc.; and, TeleCash.

Brokat Twister is already implemented in electronic banking and electronic commerce solutions at over 100 financial services customers, including: Allianz Kapitalanlagegesellschaft; Bank 24; The Co-operative Bank; Deutsche Bank; Fiducia; Fortis Bank Luxembourg; Genossenschafts-Rechenzentrale Norddeutschland; Lufthansa; Metro AG; and TeleCash.

In the summer of 1996, Bank 24 and the Direkt Anlage Bank were the first European banks to initiate secure Internet banking on the basis of encryption-enhanced Java applets, and within six months Brokat had become the European market leader for secure Internet banking solutions. Taking into account the rapid growth of e-commerce, the need for an existing, tested solution that is able to bring together a company's legacy systems, and the fact that it has over a hundred customers responsible for the implementation of Twister at well over 1,500 sites, Brokat is in a good position to expand into non-European markets with great effect.

In the US:
USA BROKAT Info Systems, inc.
3840 Preston Ridge Road
Suite 200
Alpharetta
Georgia 30005
USA
Tel: +1 770 261 8100
Fax: +1 770 261 8140
Email:
info-us@brokat.com
WWW:
http://www.brokat.com/

In the UK:
BROKAT Limited
World Business Centre
Newall Road
London Heathrow Airport
Hounslow
Middlesex
TW6 2RJ
UK
Tel: +44 (0) 7000 276528
Fax: +44 (0) 7000 276529
Email:
info-uk@brokat.com
WWW:
http://www.brokat.com/

Copyright (c) 1999 P. A. Grosse. All Rights Reserved.
