What is a PKI?
PKI (public key infrastructure) is a comprehensive system of policies, processes and technologies that together control the creation and management of digital certificates. Digital certificates are one of the key components that enable an increased level of security for communications and transactions over the Internet.
How does PKI secure messages?

When sending messages over the Internet, public key encryption may be used to increase security.

Public key encryption is the use of complex mathematical formulae to make data unreadable. Under public-key encryption, two different keys are used, one for encrypting the data and a second key to decrypt it.

Someone wanting to send a message would request the recipient's digital certificate, which contains the public key, from a trusted directory, and then use the public key to encrypt the message before sending. Once the message is encrypted it can only be decrypted using the intended recipient's private key.

What is a digital certificate?

A digital certificate is one of the foundations of a public key infrastructure (PKI). A digital certificate is in many ways the electronic equivalent of a passport or driver's license, and may be used to identify and authenticate someone making online transactions.

A digital certificate is issued to a certificate holder by a certification authority on the request of a registration authority. Details on a digital certificate include the certificate holder’s name, their public key, the name of the certification authority and an indication of the certificate policy under which it was issued. Most digital certificates are in the format specified in the X.509 standard.

The public key and private key pair can be generated on a secure device. A certification authority creates the digital certificate, incorporating the public key, and signs it, protecting the integrity of the information.

The public key in a digital certificate is linked to the private key. The certificate holder must hold the private key securely. The security of the private key is extremely important. In many applications a private key is stored by placing or creating the private key on a physical token such as a smart card.

Why use digital certificates for online transactions?
The security we take for granted in the physical world has been developed over time to ensure the credibility and authenticity of the people we do business with. These include, amongst other things, sealing envelopes to ensure privacy, presenting credentials and signatures to confirm identity and providing receipts to confirm transactions. As e-commerce and Internet transactions grow, similar safeguards are required to meet the needs of the online world. PKI encryption, digital signatures and digital certificates provide a level of security and trust for eCommerce transactions conducted in the online world.
What is a digital signature?

A digital signature is an electronic equivalent of a signature, based on a digital certificate that is used to prove a communication originated from a particular sender and has not been tampered with.

A digital signature should not be confused with a ‘real’ signature, even though it is intended to serve the same purpose as a signature in the ‘real world’. It is not a digitised image of the sender’s hand-written signature.

When someone digitally signs a message (or a document), a mathematical calculation of the clear text is undertaken to produce a ‘hash’ of the message (or document). This hash is a calculated value that is often likened to being a ‘fingerprint’ of the complete message. The sender will calculate the hash of their message, and then sign it using their private key. The message and the signed hash are then sent together.

On receipt, the recipient also calculates the hash of the message, decrypts the signed hash and compares the two. If they are the same, it means the message has not been tampered with since even the slightest alteration to the message would generate a different hash value. It also means that the message has originated from the claimed source. Any difference in the hash value computed by the receiver and the hash value sent means that either the message has been tampered with or the sender is not the claimed originator of the message.
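
The sign-and-verify steps described above, as an added example that is not part of the original FAQ. It uses textbook RSA with small constructed keys and no padding so that it runs with the Python standard library alone; the function names and the sample message are assumptions made for illustration, and real systems use a vetted library with 2048-bit or larger keys.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Toy RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent
    return (e, n), (d, n)

def fingerprint(message: bytes, n: int) -> int:
    """SHA-256 hash of the message, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private) -> int:
    """Sender: hash the message, then sign the hash with the private key."""
    d, n = private
    return pow(fingerprint(message, n), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """Recipient: recompute the hash, recover the signed hash with the
    sender's public key, and compare the two."""
    e, n = public
    return pow(signature, e, n) == fingerprint(message, n)

# Constructed keys from known Mersenne primes (far too small for real use).
SENDER_PUB, SENDER_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**19 - 1, 2**89 - 1)

MESSAGE = b"Pay 100.00 to account 12345"   # constructed sample message
SIGNATURE = sign(MESSAGE, SENDER_PRIV)

def demo():
    """The three outcomes the FAQ describes, checked against the sender's public key."""
    return {
        "genuine": verify(MESSAGE, SIGNATURE, SENDER_PUB),
        "altered": verify(b"Pay 900.00 to account 12345", SIGNATURE, SENDER_PUB),
        "wrong_signer": verify(MESSAGE, sign(MESSAGE, OTHER_PRIV), SENDER_PUB),
    }

if __name__ == "__main__":
    print(demo())
```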

What are private and public keys?

Under public key encryption, two different keys are used, one for encrypting data and a second key to decrypt it. Keys are simply large numbers used to create complex mathematical formulas to make data unreadable.

Under a PKI scheme, a key pair (a public key and a private key) is allocated to a subscriber. A business wanting to send the subscriber a more secure message would use the subscriber's public key that is listed in a trusted public directory.

Private keys are closely guarded secrets, as they are the means by which a person signs a message and creates legally binding obligations. To aid in securing them, private keys are often stored in physical tokens, such as smart cards.

The key pair must be revoked if a subscriber's private key is lost, stolen or compromised in any way.

What is a smart card?

A smart card is a form of secure token. Physically a smart card is a plastic credit card-sized card with a computer chip embedded that holds information in electronic form and controls the use of that information.

Under ANZ's public key infrastructure (PKI) implementation, private keys and digital certificates will be stored on smart cards.

Why use smart cards to store private keys?

Security of private keys is extremely important, as this is the means by which a person signs messages (or documents) and creates legally binding obligations. If a person’s private key is lost, stolen or compromised in any way, regardless of whether this is due to the owner’s negligence or a hacking attack, the key pair must be revoked.

There are a number of ways to store a private key. In many applications, digital certificates and private keys are stored on the hard drive of the user’s PC, but this can leave them vulnerable to attack by hackers.

Another method involves placing or creating the private key on a physical token such as a smart card. This option provides additional protection against electronic theft, and thus impersonation: the user carries the key with them, so it is stored away from the workstation they use to access systems, which reduces its exposure to hacking attempts. Furthermore, a pass-phrase must be entered on each occasion a smart card is used, providing additional protection should the card be lost or stolen.

Smart cards are considered to have advantages over other tokens (such as USB tokens). These advantages include the ability to use chips that can store and process multiple applications.

What is a subscriber?
Subscribers are customers who have signed up to a PKI service and who agree to operate in accordance with the certificate policy and the prescribed terms and conditions for the service. They subscribe to the certification authority (via the registration authority) for a digital certificate and key pair that they will then use to authenticate themselves online.
What are the components of a PKI?
A PKI is typically made up of a certification authority, a root certification authority, a registration authority, certificate policy and a certification practice statement. It may also include, as is the case with ANZ PKI, a policy approval authority and a policy creation authority.
What is a certification authority (CA)?

The certification authority issues and signs digital certificates at the request of a registration authority.

The CA is one of the entities that provides the element of trust for the PKI. A party relying on a digital certificate trusts the CA to have correctly included the certificate holder's public key, and other details, in the digital certificate, and to have digitally signed the digital certificate to validate its authenticity and integrity.

What is a root certification authority (RCA)?

Digital certificates can only be an effective enabler of trade when all parties to a transaction have confidence in the certification authorities that issued the digital certificate. Trade is conducted globally and there will be times where a relying party will not be familiar with a certification authority and therefore may not feel confident in relying on a digital certificate they have issued.

To overcome this issue, certification authorities may be certified by a higher level certification authority that is more widely known and trusted. This is known as a trust hierarchy and at the top of a hierarchy is the Root certification authority, sometimes also referred to as a trust anchor.

The IdenTrust scheme is an example of a trust hierarchy. The IdenTrust organisation acts as an RCA and uses its self-signed digital certificate to certify the digital certificate of a participating financial institution, which acts as a certification authority. By doing this IdenTrust™ also states that they have qualified to the standards of the scheme.

IdenTrust, IdenTrust System and the IdenTrust logo are Trademarks and Service Marks of IdenTrust, LLC.

What is a registration authority (RA)?

A registration authority is responsible for processing digital certificate requests received from subscribers. The RA firstly checks that requests are valid and comply with the certification practice statement and certificate policy. It then authenticates the identity of the user in accordance with any requirements in the certification practice statement and certificate policy. Once satisfied, the RA forwards the request to the certification authority to sign and issue a digital certificate to the intended certificate holder.

The quality of the registration process determines the level of trust that can be placed in the digital certificates.

What is a certificate policy (CP)?
A certificate policy is a document that contains a set of rules indicating the applicability of a digital certificate to a particular community and/or class of application with common security requirements. The certificate policy typically outlines who may use the digital certificate as well as who may rely on the digital certificate.
What is a certification practice statement (CPS)?
A CPS outlines the practices employed to run a PKI. A CPS typically describes the processes of issuing, accepting, suspending and revoking certificates; as well as generating, registering, storing and distributing keys to users.
What is a policy approval authority (PAA)?
The policy approval authority is responsible for the management and operation of the overall PKI and establishment of the certificate policy and a certification practice statement. The PAA is also responsible for managing the integrity of the PKI by approving (or otherwise) recommended changes to the policies and procedures detailed in the certification practice statement and associated certificate policies.
What is a policy creation authority (PCA)?
The policy creation authority is a body set up by the PAA to research and recommend changes to the certification practice statement and associated certificate policy.
What is a certificate revocation list (CRL)?
A certificate revocation list is a list, compiled and maintained by the certification authority, of all the digital certificates it has issued that are no longer valid. However, the CRL does not include digital certificates that have expired. Any party wanting to rely on a digital certificate should check the CRL to determine whether that digital certificate has been revoked. Digital certificates are revoked, for example, when they are lost or stolen, or if an employee who had been issued with one has left the company.
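
The relying-party checks described in this FAQ, as an added example that is not part of the original page: following issuers up the trust hierarchy to a root, rejecting expired certificates (which the CRL does not list), and consulting the issuing CA's CRL. All names, serial numbers and dates are constructed sample data, rejecting a certificate when no CRL is available is an assumption of this sketch, and verification of each certificate's signature is left out.

```python
from datetime import date

# Constructed sample data: subject name -> certificate fields.
CERTS = {
    "Example Root CA": {"issuer": "Example Root CA", "serial": 1, "expires": date(2035, 1, 1)},
    "Example Bank CA": {"issuer": "Example Root CA", "serial": 10, "expires": date(2030, 1, 1)},
    "alice": {"issuer": "Example Bank CA", "serial": 1001, "expires": date(2027, 1, 1)},
    "bob": {"issuer": "Example Bank CA", "serial": 1002, "expires": date(2027, 1, 1)},
    "carol": {"issuer": "Example Bank CA", "serial": 1003, "expires": date(2024, 1, 1)},
    "dave": {"issuer": "Unknown CA", "serial": 7, "expires": date(2027, 1, 1)},
}
TRUST_ANCHORS = {"Example Root CA"}
# One CRL per issuing CA: serial numbers revoked before they expired.
CRLS = {"Example Root CA": set(), "Example Bank CA": {1002}}

def check(subject, today):
    """Walk from the subject's certificate up to a trust anchor.
    Returns (ok, reason)."""
    name = subject
    for _ in range(len(CERTS) + 1):          # bound guards against issuer loops
        cert = CERTS.get(name)
        if cert is None:
            return False, f"{name}: no certificate found"
        if today > cert["expires"]:          # expired certs are not on the CRL
            return False, f"{name}: expired"
        if name in TRUST_ANCHORS:
            return True, f"chains to {name}"
        crl = CRLS.get(cert["issuer"])
        if crl is None:                      # assumption: fail closed without a CRL
            return False, f"{name}: no CRL from {cert['issuer']}"
        if cert["serial"] in crl:
            return False, f"{name}: revoked"
        name = cert["issuer"]
    return False, f"{subject}: issuer loop"

if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        print(who, check(who, date(2026, 1, 1)))
```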
How does ANZ plan to use PKI with its customers?
ANZ PKI enables customers to use digital certificates to authenticate their identity and access ANZ's leading Internet solutions more securely.
What will ANZ's PKI implementation be used for?

Corporate customers and staff will use ANZ PKI to authenticate themselves when accessing ANZ systems via the Internet.

Over time, customers may also be able to use appropriate ANZ-issued digital certificates to undertake transactions and communications with Government and ultimately with their trading counter-parties via the Eleanor™ project.

Eleanor™ is a subsidiary of IdenTrust, LLC

What technology is ANZ's PKI implementation based on?

ANZ's PKI implementation is based on the PKIX component standard, which is itself based on two other standards:

  • X.509 digital certificate format standards from the International Telecommunications Union (ITU)
  • the public key cryptography standards (PKCS) from RSA Security, covering certificate enrolment and renewal, and certificate revocation list distribution.
Who is IdenTrust LLC?

IdenTrust LLC is an organisation formed in April 1999 by a group of the world's leading financial institutions who recognised the need for a global trust infrastructure to enable cross-border Internet commerce.

The IdenTrust™ scheme has established a technical and legal infrastructure based on a set of uniform system rules, business practices and contracts to assist in providing risk management for transactions and confidence in the identity of trading partners online. Lack of trust has been one of the key obstacles preventing business-to-business Internet commerce from thriving.

Through the IdenTrust™ framework, businesses are able to leverage the trusted relationship with their financial institution to assist in managing their B2B e-Commerce risks. In turn, financial institutions around the world are able to have greater trust in each other through the IdenTrust™ system.

What is the relationship between ANZ and IdenTrust?

ANZ joined the IdenTrust scheme as an equity investor in March 2000 and was the first Australian bank to do so. There are 20 shareholding member banks in IdenTrust™ and more than 30 other participating financial institutions. This number is growing.

What is Project Eleanor™?

Project Eleanor™ is an initiative of a group of IdenTrust™ financial institutions to introduce direct business-to-business Internet-based payments. Numerous online credit card payment solutions have already been developed worldwide to meet business-to-consumer needs, but businesses don't use credit cards to settle their trade transactions. Project Eleanor™ aims to provide specifications to initiate B2B payments on the Internet that will feed into traditional bank systems for settlement. To date, trading partners have needed to use paper-based cheques or legacy private networks to conclude their e-business transactions. Project Eleanor™ was initiated to enable organisations to settle their online transactions with an online payment.

Eleanor is a subsidiary of IdenTrust LLC

What is Gatekeeper?
Gatekeeper is the Commonwealth Government of Australia's framework, standards and policies for digital certificates that are to be used by Government and in transactions with Government. Financial institutions that want their certificates to be accepted by Government agencies must undergo a rigorous recognition process and comply with policies and practices set by the Commonwealth Government.