DotSec developed (and continues to support) the message-security services for APRA’s D2A online reporting service. The first version of the service was released in 2002.
DotSec developed the secure-messaging and key-management infrastructure for the D2A electronic submission system, for the Australian Prudential Regulation Authority (APRA). As per APRA’s web site, “D2A or Direct to APRA, is a flexible, secure and user-friendly electronic data submission system. D2A enables regulated and registered financial entities to lodge their statutory returns with APRA. Data can be manually entered or imported directly into D2A from the reporting institutions’ own information systems. D2A submits returns by passing information in an encrypted form to APRA using a direct internet connection.”
D2A reports are generated as XML documents by the D2A client, and DotSec’s security services then digitally sign and envelope (public-key encryption) the messages using the public and private keys in the D2A client keystore. The original D2A client supported both software keystores and smart cards, although APRA removed the smart card option in around 2006.
Goals and requirements
The primary requirements that DotSec needed to meet in order to support D2A included:
- Provide a secure messaging and cryptographic key-management infrastructure.
- Investigate and implement security best practice for appropriate standards, tools and software libraries related to encryption and digital signatures.
- Based on security best practice investigations, design and implement a solution to protect sensitive documents in transit, and also provide non-repudiation services.
- Provide integration support with the current transport code-base.
- Integrate the D2A secure messaging infrastructure with the APRA Public Key Infrastructure (PKI).
- Subsequently, remove the APRA PKI integration and upgrade the secure-messaging infrastructure to include AUSkey, the Australian federal government’s secure key management infrastructure.
D2A is used by Australian financial institutions (including banks, building societies and agents) for regular reporting to APRA, Australia’s financial-services regulator.
The D2A service went live on time, and DotSec has continued to maintain and update the secure-messaging software since that time.
In around 2006, DotSec assisted APRA with the migration to a new Certificate Authority by writing code that allowed the D2A service to transition between CAs, and by assisting with the development of supporting processes and procedures. Later, in 2014, DotSec upgraded the D2A key management system so that it no longer used the APRA PKI (which was decommissioned) and instead utilised the federal government’s AUSkey infrastructure.
To achieve these goals, DotSec completed the following tasks:
- Selected and integrated an appropriate cryptographic library which provided the necessary encryption and signature functionality with support for strong cryptographic keys, as was required by security best practice.
- Provided analysis and testing of the client’s current application code-base to determine appropriate entry points to integrate the cryptographic functionality. A test environment was created specifically for this investigation. The test environment was later re-purposed for UAT.
- Designed appropriate mechanisms for the protection of the private keys, which were used to decrypt transmitted documents on the server side and to sign data on the client side. Smart cards were selected as a secure repository for the private keys of the server, and software key stores were selected for customer keys.
- The D2A server is responsible for verifying and decrypting client-generated documents, as well as for supporting functionality such as certificate management. As part of the D2A design and development project, DotSec assisted APRA with the design and integration of the supporting Public Key Infrastructure (PKI).
- Most recently, DotSec has assisted APRA by redesigning and modifying the D2A secure message service to use the Vanguard digital signature services. New key/certificate and message-handling code was developed and subsequently tested with the Vanguard web services, before being deployed into production. Integrity and confidentiality of signatures in transit to the web service were accomplished through use of WS-Security via METRO.
The APRA D2A project is just one example of the security infrastructure projects that DotSec has successfully completed. DotSec has 15 years of strong information-security project history, having worked for clients in the banking, shipping, finance, legal, and superannuation industries, as well as with all tiers (local, state and federal) of government.
Judging from the number of long-term clients and associated repeat business, we are confident that we have achieved our goal – provision of holistic information security services.