Instantor identification in Finland


Identification documentation

Banks in Finland have asked Instantor to identify itself so that its scraping of internet banking can be recognised. Instantor therefore adds query parameters to the initial request. All parameters are signed, and the signature is added to the request as a further parameter. The bank can extract the parameters and verify that they have not been tampered with, which ensures that Instantor is indeed the one sending the request.

Identification example

If the online banking login page is at https://www.bank.fi/login, an example identification request is:

https://www.bank.fi/login?X-AISP-NAME=Instantor%20AB&X-AISP-ORGNUMBER=556818-2835&X-AISP-COUNTRY=Sweden&X-AISP-TIMESTAMP=12312341234&X-AISP-SIGNATURE=ILQVHqWYD1Ct5sm7VeHz7JNPgR3v89H4mleVpV2h2sk7Ryt+X6iDOrCWX5YLYQ/8Ud7Ns7ORpAfkzEamplhbFoyE33LOJvLHKouEVXPqWBNED3yXeJfcPqfpgu2LXi2l588kMqM8LVg25HqaoPS9AfzmbLM4m15lRWUfkqQw3gon55bVoS6DTBOLeqAMQ+4iLHfENlzcqPWtYscCaFmScuakEcPc3vfsIir1fol7Gzc0gzrpcAL3bBi0UWBiUN4b/yyqvzaKE44QllkK5vFWGr8XA66I+UPp515Ma1AcvXBf4tfwyp4oGkxXWgileT3z0moyqu/Ekx41u4xn3VTVcA==

Broken down, the URL has the form BANK-URL?X-AISP-NAME&X-AISP-ORGNUMBER&X-AISP-COUNTRY&X-AISP-TIMESTAMP&X-AISP-SIGNATURE, where X-AISP-SIGNATURE is a base64-encoded signature over the first four parameters.

Verification

The verification procedure comes down to:

  1. Check the URL parameters to see that it is Instantor that is trying to log in
  2. Combine the URL parameters into a single value that will be verified
  3. Verify that value against the signature using Instantor's public key

Verification example

This example stores the data in files and then uses OpenSSL to verify it.

The example URL is:

https://www.bank.fi/login?X-AISP-NAME=Instantor%20AB&X-AISP-ORGNUMBER=556818-2835&X-AISP-COUNTRY=Sweden&X-AISP-TIMESTAMP=12312341234&X-AISP-SIGNATURE=ILQVHqWYD1Ct5sm7VeHz7JNPgR3v89H4mleVpV2h2sk7Ryt+X6iDOrCWX5YLYQ/8Ud7Ns7ORpAfkzEamplhbFoyE33LOJvLHKouEVXPqWBNED3yXeJfcPqfpgu2LXi2l588kMqM8LVg25HqaoPS9AfzmbLM4m15lRWUfkqQw3gon55bVoS6DTBOLeqAMQ+4iLHfENlzcqPWtYscCaFmScuakEcPc3vfsIir1fol7Gzc0gzrpcAL3bBi0UWBiUN4b/yyqvzaKE44QllkK5vFWGr8XA66I+UPp515Ma1AcvXBf4tfwyp4oGkxXWgileT3z0moyqu/Ekx41u4xn3VTVcA==


Get Instantor's public key

Download Instantor's public key, which is used to verify the signature, from here

Create a file with data to verify

Create a file contentFile.txt containing the URL-decoded values of X-AISP-NAME, X-AISP-ORGNUMBER, X-AISP-COUNTRY and X-AISP-TIMESTAMP, in that order, separated by semicolons.

File name: contentFile.txt
File content: Instantor AB;556818-2835;Sweden;12312341234

Create a file with the signature

Create a file signature.sha256 containing the value of X-AISP-SIGNATURE.

File name: signature.sha256
File content:

ILQVHqWYD1Ct5sm7VeHz7JNPgR3v89H4mleVpV2h2sk7Ryt+X6iDOrCWX5YLYQ/8Ud7Ns7ORpAfkzEamplhbFoyE33LOJvLHKouEVXPqWBNED3yXeJfcPqfpgu2LXi2l588kMqM8LVg25HqaoPS9AfzmbLM4m15lRWUfkqQw3gon55bVoS6DTBOLeqAMQ+4iLHfENlzcqPWtYscCaFmScuakEcPc3vfsIir1fol7Gzc0gzrpcAL3bBi0UWBiUN4b/yyqvzaKE44QllkK5vFWGr8XA66I+UPp515Ma1AcvXBf4tfwyp4oGkxXWgileT3z0moyqu/Ekx41u4xn3VTVcA==

Verify the data

Use the openssl command-line tool (Linux), available from https://www.openssl.org/. The first command base64-decodes the signature into its raw bytes; the second verifies the SHA-256 signature over the content file with the public key:

openssl base64 -d -in {path_to_signature.sha256} -out /tmp/temp.sha256

openssl dgst -sha256 -verify {path_to_public_key} -signature /tmp/temp.sha256 {path_to_contentFile.txt}

The second command prints one of the following:

Verified OK – if the data is valid

or

Verified Failed – if the data has been changed and is not valid.
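The three verification steps above, automated as a POSIX shell function around the same openssl commands. This is an added example, not Instantor's or any bank's code; it assumes the public key is already saved as a PEM file and that the signed bytes are exactly NAME;ORGNUMBER;COUNTRY;TIMESTAMP with no trailing newline (an editor-created contentFile.txt that ends in a newline would not verify).

```shell
# Verify an X-AISP identification URL with the openssl CLI.
# Usage: verify_aisp_url "<url>" <instantor_public_key.pem>   (exit 0 = Verified OK)

# Return the raw (still percent-encoded) value of query parameter $2 in URL $1.
aisp_param() {
  printf '%s\n' "$1" | sed -n "s/.*[?&]$2=\([^&]*\).*/\1/p"
}

# Percent-decode a value. '+' is deliberately NOT turned into a space: the
# base64 signature in the URL contains literal '+' characters, and a form-style
# decoder (one that maps '+' to ' ') would corrupt it before verification.
url_decode() {
  s=$1; out=''
  while [ -n "$s" ]; do
    case $s in
      %[0-9A-Fa-f][0-9A-Fa-f]*)
        hex=${s#%}; hex=${hex%"${hex#??}"}
        out=$out$(printf "\\$(printf '%03o' "$((0x$hex))")")
        s=${s#???} ;;
      *) out=$out${s%"${s#?}"}; s=${s#?} ;;
    esac
  done
  printf '%s' "$out"
}

verify_aisp_url() {
  url=$1; pubkey=$2
  name=$(url_decode "$(aisp_param "$url" X-AISP-NAME)")
  org=$(url_decode "$(aisp_param "$url" X-AISP-ORGNUMBER)")
  country=$(url_decode "$(aisp_param "$url" X-AISP-COUNTRY)")
  ts=$(url_decode "$(aisp_param "$url" X-AISP-TIMESTAMP)")
  sig=$(url_decode "$(aisp_param "$url" X-AISP-SIGNATURE)")
  # Step 1: only a request that claims to be Instantor is checked any further.
  [ "$name" = "Instantor AB" ] && [ -n "$sig" ] || return 1
  tmp=$(mktemp -d) || return 1
  # Step 2: NAME;ORGNUMBER;COUNTRY;TIMESTAMP, the contentFile.txt of the
  # documentation (assumed: no trailing newline in the signed bytes).
  printf '%s;%s;%s;%s' "$name" "$org" "$country" "$ts" > "$tmp/content.txt"
  # Step 3: decode the base64 signature (-A: single line of any length) and
  # verify it with the public key. openssl exits 0 only on "Verified OK".
  printf '%s' "$sig" | openssl base64 -d -A -out "$tmp/sig.bin"
  openssl dgst -sha256 -verify "$pubkey" -signature "$tmp/sig.bin" \
    "$tmp/content.txt" >/dev/null 2>&1
  rc=$?
  rm -rf "$tmp"
  return $rc
}
```

The function checks the openssl exit status rather than its printed text, which is what a bank-side integration should key on. X-AISP-TIMESTAMP is covered by the signature but this page does not define its format, so any freshness check against it is left to the deployment.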