IBM ZTIC Integration with Ezio Server

IBM ZTIC Integration with Ezio Server
Defeat phishing, Trojan and Man-in-the-Middle attacks
Learn how Ezio Authentication technologies can be integrated with the IBM
Zone Trusted Information Channel (ZTIC) technology to provide strong 2-factor
authentication with secure channel against Man-in-the-Middle attacks.
The IBM ZTIC USB dongle
The IBM ZTIC is a state-of-the-art design end-user device
that functions simultaneously as an EMV card reader and
secure transaction display, as well as a certificate-aware
HTTPS client all bundled in a light-weight, driverless
USB dongle. The combination of EMV CAP authentication
with secure PIN entry and transaction authorization
display, coupled with the ability to establish and maintain
a securely authenticated (TLS/SSL) channel from the ZTIC
device to the back-end application means that users now
have the capability to:
> Strongly authenticate the backend server
> Strongly authenticate the device
> Interface with an EMV Card to generate EMV CAP
2-factor credentials for user authentication
> Allow users to verify the transactions outside their
PCs before any authorizations in a secure channel
are performed
Thus phishing, Trojan, Man-in-the-middle/Man-in-thebrowser attacks can be defeated.
More info at
Further 2FA tokens supported include hardware OTP
tokens (RSA SecurID, VASCO Digipass, OATH HOTP,
TOTP), EMV Mastercard CAP / A A4C / VISA DPA cards,
PKI Digital Signatures, Software J2ME, iPhone tokens,
SMS and Email OTP tokens. In the solution with IBM ZTIC,
the Ezio Server:
> Verifies the incoming EMV CAP authentication and
transaction authorization credentials
> Provide user security management to track user status,
handle user-token assignments, log audit events
> Support helpdesk and token management to administer
token status, token resets, lost tokens, user queries, etc
> Manage each ZTIC out-of-band (OOB) user sessions
> Perform ZTIC device management (provisioning of new
ZTIC firmware)
Deploying an integrated authentication solution comprising
the IBM ZTIC with the Ezio Server for a business
application can be achieved with the following 3 steps:
> EMV CAP (Chip Authentication Program) Authentication
> ZTIC OOB (Out-of-Band) session management
> Business Application integration with HTTPS Server
Step 1 – EMV CAP Authentication
Adding Ezio Server for a complete solution
To provide a complete front-end + back-end authentication
solution to the customer, the IBM ZTIC can be deployed
with the Ezio Server. The Ezio Server is a hardened
security appliance that can authenticate millions of users
in a multi-domain, multi-vendor, multi-token setup.
2-factor authentication is achieved through the positive
verification of the EMV CAP token, generated by an EMV
Card in the possession of the user, by the back-end EMV
CTVS (CAP Token Validation Service) Server. The IBM ZTIC
can function as an EMV Card reader to communicate
with the EMV card to generate the CAP token, while the
Ezio Server is a Mastercard-certified CTVS Server that
can be used to verify the CAP tokens.
To authenticate the EMV CAP token, the IMK (Issuer
Master Key) and card profiles (comprising the PAN, PSN,
IPB, IAD and IAF) have to be defined in the Ezio Server.
Once done, the Ezio Server is ready to authenticate the
CAP tokens generated by the EMV Cards.
creates IMK and
card profiles into
Ezio Server
End-user with EMV card and
Secure PIN entry
Generate EMV
CAP Token
Verify CAP Token
Ezio Server
Step 2 – ZTIC OOB Session Management
A HTTPS server is to be set up to communicate with all the deployed ZTICs. The ZTICs are preprogrammed with
the public key of the SSL certificate of the HTTPS server to ensure that the SSL session is not compromised. During
ZTIC operation, the ZTIC will communicate with the HTTPS server to respond to any authentication or transaction
authorization requests. The HTTPS server in turn will communicate with the Ezio Server to verify the authentication
or authorization responses. Optionally, the Ezio Server can perform validation of the ZTIC device by way of SSL client
authentication using the built-in ZTIC device certificate.
ZTIC Login request
CAP Token = 123456
HTTPS Server
End-user with EMV card and IBM ZTIC
Ezio Server
This flow serves as the out-of-band (OOB) secure channel maintained by the IBM ZTIC.
Step 3 – Business Application Integration with HTTPS Server
Finally, the business application has to be integrated with the HTTPS server in order to request the HTTPS Server carry
out the authentication or transaction authorization requests.
1. User initiates transaction
2. Request ZTIC
4. User verifies transaction on ZTIC
7. OK
3. ZTIC authorization request
6. Verify CAP Token
5. CAP Token = 123456
End-user with EMV card and IBM ZTIC
HTTPS Server
Ezio Server
A sample of a transaction authorization flow is illustrated above:
1. User logins to Business Application and initiates a payment transaction
2. Business Application sends a ZTIC authorization request to HTTPS Server
3. HTTPS Server requests ZTIC via OOB channel to perform a authorization request
4. ZTIC displays transaction information and prompts user to approve
5. ZTIC responds to OOB authorization request with CAP token
6. HTTPS Server verifies CAP token against Ezio Server
7. HTTPS Server confirms that ZTIC authorization is ok.
The above is based on an assumption that the organization has deployed EMV Cards for the users. Note that the
combination of IBM ZTIC + Ezio Server is able to support card-based and cardless PKI and other OTP (One-time
Password) algorithms such as OATH.
About Gemalto
Gemalto is the world leader in digital security with pro-forma 2012 annual revenues of €2.2
billion and more than 10,000 employees, including 1,700 Research & Development engineers.
Gemalto eBanking is a global and trusted partner for financial services and retail institutions.
To date, Gemalto has designed, manufactured and rolled-out over 70 million eBanking devices
and solutions to banks' customers worldwide. Solutions that are part of the Gemalto online
banking suite – the Ezio Suite.
Gemalto's Ezio Suite brings together a unique authentication server, plug-in modules
and a range of authentication devices. Common characteristics of Gemalto’s Ezio Suite of
online banking solutions and services include scalability, flexibility, modularity and ease of
implementation, that are designed to be future-proof, supporting seamless upgrades and
the introduction of new products and services by banks. An approach strengthened by the
Ezio Server, a multi-channel, multi-token and vendor-agnostic authentication solution that
supports all forms of authentication technologies.