Using EBICS client in NIST 800-131a compliance mode
An EBICS Client non-technical user can be configured with X509 certificates and RSA keys to support NIST 800-131a compliance for signature, encryption, and authentication. Only NIST 800-131a compliant certificates and signing algorithms are available when running with NIST 800-131a compliance enabled.
If only signing is required, a Hardware Security Module can be used in place of X509 certificates and RSA keys; however, only NIST 800-131a compliant certificates can be used. RSA keys must be located in, or uploaded to, the keyfile from the local file system. If the selected key is not NIST 800-131a compliant in the selected mode, the process errors. If you receive such an error, you must go back to the configuration page and re-configure the user for NIST 800-131a compliance, because only NIST 800-131a compliant certificates and signing algorithms are accepted when running with NIST 800-131a compliance enabled.
If running in NIST 800-131a compliance mode, only CA certificates that are NIST 800-131a compliant are available on the Bank Configuration page for TLS.
RSA Keys
When an RSA key is retrieved, it is validated for NIST 800-131a compliance according to the selected compliance mode; if the key is non-compliant, an error is logged.
Signatures
The signature processes will error out when the keys being used for signature calculation are non-compliant.
Import and Export
SCI_TRUSTED_CERTS and SCI_CA_CERTS are internally imported as part of the HOST import dependencies. SCI_PRIVATE_KEY_CERTS and SCI_TRUSTED_CERTS are internally imported as part of the USER import dependencies. These dependencies are imported with NIST 800-131a compliance checks applied. A USER or HOST can also use RSA keys instead of X509 certificates. If running in NIST 800-131a strict mode, the import report indicates failures for those USERs and HOSTs whose keys have key lengths that are not NIST 800-131a compliant.
SCI_TRUSTED_CERTS and SCI_CA_CERTS are exported as part of the HOST export. SCI_PRIVATE_KEY_CERTS and SCI_TRUSTED_CERTS are exported as part of the USER export. A USER or HOST can use RSA keys instead of X509 certificates. If the system is running in NIST 800-131a strict mode, export reports the following error to indicate that the RSA keys are non-compliant: Not NIST 800-130a Compliant. The keys can still be exported.
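The key validation described under RSA Keys and the per-USER/HOST failure reporting described for import both come down to the same screen: is each RSA key's length and signature hash acceptable in the selected compliance mode? The following is an added example of that screen, not IBM code and not the product's own validation logic. The thresholds follow NIST SP 800-131A (RSA keys shorter than 2048 bits and SHA-1 are disallowed for signature generation, with legacy use permitted for verification only); the exact meaning of "strict" versus "transition" mode here, the `KeyEntry` fields, and the sample USER/HOST inventory are all assumptions constructed for illustration.

```python
"""Compliance screen for an RSA key inventory in the spirit of NIST SP 800-131A.

Added example; not the EBICS client's own code. The 'strict' and 'transition'
semantics below are assumptions derived from SP 800-131A, where sub-2048-bit
RSA and SHA-1 are disallowed for signature generation but tolerated as
"legacy use" for signature verification during a transition period.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_RSA_BITS = 2048                                     # SP 800-131A minimum for RSA signature generation
APPROVED_HASHES = {"sha224", "sha256", "sha384", "sha512"}
LEGACY_HASHES = {"sha1"}                                # verification-only under legacy use


@dataclass
class KeyEntry:
    owner: str      # USER or HOST identifier (constructed sample values)
    kind: str       # "USER" or "HOST"
    bits: int       # RSA modulus length in bits
    hash_alg: str   # hash used with the RSA signature, e.g. "SHA256"
    use: str        # "sign" (signature generation) or "verify" (verification only)


def check_key(entry: KeyEntry, mode: str) -> Optional[str]:
    """Return None when the key is compliant in `mode`, otherwise the reason it fails."""
    if mode not in ("strict", "transition"):
        raise ValueError(f"unknown compliance mode: {mode}")
    alg = entry.hash_alg.lower()
    # Assumption: transition mode only relaxes the rules for verification-only keys.
    legacy_ok = mode == "transition" and entry.use == "verify"
    if entry.bits < MIN_RSA_BITS and not legacy_ok:
        return f"RSA key length {entry.bits} < {MIN_RSA_BITS}"
    if alg in APPROVED_HASHES:
        return None
    if alg in LEGACY_HASHES and legacy_ok:
        return None
    return f"hash algorithm {entry.hash_alg} not approved"


def import_report(entries: List[KeyEntry], mode: str) -> List[Dict[str, str]]:
    """Build an import-report-style list: one row per USER/HOST with OK/FAIL and a reason."""
    rows = []
    for entry in entries:
        reason = check_key(entry, mode)
        rows.append({
            "owner": entry.owner,
            "kind": entry.kind,
            "status": "OK" if reason is None else "FAIL",
            "reason": reason or "",
        })
    return rows


def failure_count(report: List[Dict[str, str]]) -> int:
    """Number of USERs/HOSTs that would be flagged in the report."""
    return sum(1 for row in report if row["status"] == "FAIL")


# Constructed sample inventory (not real USER/HOST names or keys).
SAMPLE_INVENTORY = [
    KeyEntry("host-bank-a", "HOST", 2048, "SHA256", "verify"),
    KeyEntry("user-treasury", "USER", 1024, "SHA256", "sign"),   # too short for signing
    KeyEntry("user-legacy", "USER", 1024, "SHA1", "verify"),     # legacy verification only
    KeyEntry("user-audit", "USER", 4096, "SHA1", "sign"),        # SHA-1 for generation
]

if __name__ == "__main__":
    for mode in ("strict", "transition"):
        report = import_report(SAMPLE_INVENTORY, mode)
        print(f"mode={mode}: {failure_count(report)} failure(s)")
        for row in report:
            print(f"  {row['kind']:4} {row['owner']:14} {row['status']:4} {row['reason']}")
```

Run in strict mode, the sample inventory flags three of the four entries; in transition mode only the two keys used for signature generation with a short modulus or SHA-1 remain flagged, which mirrors the page's statement that strict mode is where the import report reports key-length failures. Swapping the hard-coded `KeyEntry` rows for values read from a real keystore is the only change needed to use the screen on an actual inventory.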
HSM Signature (3S Key)
For signing, a Hardware Security Module can be used in place of system certificates and RSA keys; however, only NIST 800-131a compliant certificates can be used.