Instantor identification in Finland

Identification documentation

Banks in Finland have asked Instantor to identify itself so that its scraping of internet banking on a customer's behalf can be recognised properly.

Instantor decided to add query parameters to the initial request. All parameters are signed, and the signature is added to the request as well. A bank can extract the parameters and verify that they have not been tampered with, which ensures that Instantor is indeed the sender of the request.

Identification example

If the online banking login page is at https://www.bank.fi/login, an example identification request would be:

https://www.bank.fi/login?X-AISP-NAME=Instantor%20AB&X-AISP-ORGNUMBER=556818-2835&X-AISP-COUNTRY=Sweden&X-AISP-TIMESTAMP=12312341234&X-AISP-SIGNATURE=ILQVHqWYD1Ct5sm7VeHz7JNPgR3v89H4mleVpV2h2sk7Ryt+X6iDOrCWX5YLYQ/8Ud7Ns7ORpAfkzEamplhbFoyE33LOJvLHKouEVXPqWBNED3yXeJfcPqfpgu2LXi2l588kMqM8LVg25HqaoPS9AfzmbLM4m15lRWUfkqQw3gon55bVoS6DTBOLeqAMQ+4iLHfENlzcqPWtYscCaFmScuakEcPc3vfsIir1fol7Gzc0gzrpcAL3bBi0UWBiUN4b/yyqvzaKE44QllkK5vFWGr8XA66I+UPp515Ma1AcvXBf4tfwyp4oGkxXWgileT3z0moyqu/Ekx41u4xn3VTVcA==

Breaking the URL down, its structure is BANK-URL?X-AISP-NAME&X-AISP-ORGNUMBER&X-AISP-COUNTRY&X-AISP-TIMESTAMP&X-AISP-SIGNATURE

Verification

The verification procedure comes down to:

  1. Check the URL parameters to see that Instantor is the one trying to log in
  2. Combine the URL parameters into a single value that will be verified
  3. Verify that value using Instantor's public key and the signature

Verification example

This example stores the data in files and then uses openssl to verify it.
The example URL is:

https://www.bank.fi/login?X-AISP-NAME=Instantor%20AB&X-AISP-ORGNUMBER=556818-2835&X-AISP-COUNTRY=Sweden&X-AISP-TIMESTAMP=12312341234&X-AISP-SIGNATURE=ILQVHqWYD1Ct5sm7VeHz7JNPgR3v89H4mleVpV2h2sk7Ryt+X6iDOrCWX5YLYQ/8Ud7Ns7ORpAfkzEamplhbFoyE33LOJvLHKouEVXPqWBNED3yXeJfcPqfpgu2LXi2l588kMqM8LVg25HqaoPS9AfzmbLM4m15lRWUfkqQw3gon55bVoS6DTBOLeqAMQ+4iLHfENlzcqPWtYscCaFmScuakEcPc3vfsIir1fol7Gzc0gzrpcAL3bBi0UWBiUN4b/yyqvzaKE44QllkK5vFWGr8XA66I+UPp515Ma1AcvXBf4tfwyp4oGkxXWgileT3z0moyqu/Ekx41u4xn3VTVcA==

Get Instantor's public key
Download Instantor's public key, which is used to verify the signature, from here


Create a file with the data to verify
Create a file contentFile.txt containing the values of X-AISP-NAME, X-AISP-ORGNUMBER, X-AISP-COUNTRY and X-AISP-TIMESTAMP, URL-decoded (Instantor%20AB becomes Instantor AB) and separated by semicolons.

File name: contentFile.txt
File content: Instantor AB;556818-2835;Sweden;12312341234


Create a file with the signature
Create a file signature.sha256 containing the value of X-AISP-SIGNATURE.

File name: signature.sha256
File content: ILQVHqWYD1Ct5sm7VeHz7JNPgR3v89H4mleVpV2h2sk7Ryt+X6iDOrCWX5YLYQ/8Ud7Ns7ORpAfkzEamplhbFoyE33LOJvLHKouEVXPqWBNED3yXeJfcPqfpgu2LXi2l588kMqM8LVg25HqaoPS9AfzmbLM4m15lRWUfkqQw3gon55bVoS6DTBOLeqAMQ+4iLHfENlzcqPWtYscCaFmScuakEcPc3vfsIir1fol7Gzc0gzrpcAL3bBi0UWBiUN4b/yyqvzaKE44QllkK5vFWGr8XA66I+UPp515Ma1AcvXBf4tfwyp4oGkxXWgileT3z0moyqu/Ekx41u4xn3VTVcA==


Verify the data
Use the openssl command-line tool (Linux), available from https://www.openssl.org/

openssl base64 -d -A -in {path_to_signature.sha256} -out /tmp/temp.sha256

(The -A option is needed because the signature is a single long line; without it, openssl expects base64 input wrapped at 64 characters and decodes nothing.)

openssl dgst -sha256 -verify {path_to_public_key} -signature /tmp/temp.sha256 {path_to_contentFile.txt}

The second command prints one of the following:
Verified OK - if the content is valid
or
Verified Failed - if the content has been changed and is not valid.