Instantor identification in Latvia
Identification documentation
Banks in Latvia have asked Instantor to identify itself so that its internet-banking scraping can be properly recognised. Instantor therefore adds query parameters to the initial request. All parameters are signed, and the signature is added to the request as well. A bank can extract the parameters and verify that they have not been tampered with, which ensures that Instantor is indeed the one sending the request.
Identification example
If the online banking login page is https://www.bank.lv/login, an example identification request would be
https://www.bank.lv/login?X-AISP-NAME=Instantor%20AB&X-AISP-ORGNUMBER=556818-2835&X-AISP-COUNTRY=Sweden&X-AISP-TIMESTAMP=12312341234&X-AISP-SIGNATURE=ILQVHqWYD1Ct5sm7VeHz7JNPgR3v89H4mleVpV2h2sk7Ryt+X6iDOrCWX5YLYQ/8Ud7Ns7ORpAfkzEamplhbFoyE33LOJvLHKouEVXPqWBNED3yXeJfcPqfpgu2LXi2l588kMqM8LVg25HqaoPS9AfzmbLM4m15lRWUfkqQw3gon55bVoS6DTBOLeqAMQ+4iLHfENlzcqPWtYscCaFmScuakEcPc3vfsIir1fol7Gzc0gzrpcAL3bBi0UWBiUN4b/yyqvzaKE44QllkK5vFWGr8XA66I+UPp515Ma1AcvXBf4tfwyp4oGkxXWgileT3z0moyqu/Ekx41u4xn3VTVcA==
Breaking the URL down, its structure is BANK-URL?X-AISP-NAME&X-AISP-ORGNUMBER&X-AISP-COUNTRY&X-AISP-TIMESTAMP&X-AISP-SIGNATURE
Verification
The verification procedure comes down to:
- Check the URL parameters to see that Instantor is the one trying to log in
- Combine the URL parameters into a single value that will be verified
- Verify that value against the signature using Instantor's public key
Verification example
This example stores the data in files and then uses OpenSSL to verify the provided data.
The example URL is:
https://www.bank.lv/login?X-AISP-NAME=Instantor%20AB&X-AISP-ORGNUMBER=556818-2835&X-AISP-COUNTRY=Sweden&X-AISP-TIMESTAMP=12312341234&X-AISP-SIGNATURE=ILQVHqWYD1Ct5sm7VeHz7JNPgR3v89H4mleVpV2h2sk7Ryt+X6iDOrCWX5YLYQ/8Ud7Ns7ORpAfkzEamplhbFoyE33LOJvLHKouEVXPqWBNED3yXeJfcPqfpgu2LXi2l588kMqM8LVg25HqaoPS9AfzmbLM4m15lRWUfkqQw3gon55bVoS6DTBOLeqAMQ+4iLHfENlzcqPWtYscCaFmScuakEcPc3vfsIir1fol7Gzc0gzrpcAL3bBi0UWBiUN4b/yyqvzaKE44QllkK5vFWGr8XA66I+UPp515Ma1AcvXBf4tfwyp4oGkxXWgileT3z0moyqu/Ekx41u4xn3VTVcA==
Get the Instantor public key
Download the Instantor public key used for signature verification from here
Create a file with data to verify
Create a contentFile.txt file containing the values of X-AISP-NAME, X-AISP-ORGNUMBER, X-AISP-COUNTRY and X-AISP-TIMESTAMP (URL-decoded, so Instantor%20AB becomes Instantor AB), separated by semicolons.
File name: contentFile.txt
File content: Instantor AB;556818-2835;Sweden;12312341234
Create a file with the signature
Create a signature.sha256 file containing the value of X-AISP-SIGNATURE.
File name: signature.sha256
File content: ILQVHqWYD1Ct5sm7VeHz7JNPgR3v89H4mleVpV2h2sk7Ryt+X6iDOrCWX5YLYQ/8Ud7Ns7ORpAfkzEamplhbFoyE33LOJvLHKouEVXPqWBNED3yXeJfcPqfpgu2LXi2l588kMqM8LVg25HqaoPS9AfzmbLM4m15lRWUfkqQw3gon55bVoS6DTBOLeqAMQ+4iLHfENlzcqPWtYscCaFmScuakEcPc3vfsIir1fol7Gzc0gzrpcAL3bBi0UWBiUN4b/yyqvzaKE44QllkK5vFWGr8XA66I+UPp515Ma1AcvXBf4tfwyp4oGkxXWgileT3z0moyqu/Ekx41u4xn3VTVcA==
Verify the data
Use the openssl command-line tool (Linux), which can be downloaded from https://www.openssl.org/
openssl base64 -d -in {path_to_signature.sha256} -out /tmp/temp.sha256
openssl dgst -sha256 -verify {path_to_public_key} -signature /tmp/temp.sha256 {path_to_contentFile.txt}
As a result of the second command you will get:
Verified OK – if the text is valid
or
Verified Failed – if the text has been changed and is not valid.
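The whole procedure above, as an added end-to-end example that is not Instantor's or any bank's code: it generates a throwaway RSA key pair in place of Instantor's real key, builds a signed request URL the way this page describes, extracts the parameters from that URL again, and runs the same openssl base64 and openssl dgst -verify steps, once on the genuine request and once on a tampered copy. The key pair, the temporary file names and the helper names (aisp_param, aisp_content, aisp_verify, make_signed_url) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not Instantor's or a bank's code. A throwaway RSA key pair
# stands in for Instantor's real key; the bank would only hold the public half.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical key pair (assumption): 2048-bit RSA, like the signature length on this page suggests.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/aisp.key" 2>/dev/null
openssl pkey -in "$WORK/aisp.key" -pubout -out "$WORK/aisp.pub" 2>/dev/null

# Extract one query parameter from a URL. Only %20 is decoded here; a literal '+'
# in the value is kept on purpose, because in X-AISP-SIGNATURE it is a base64
# character, not an encoded space (a generic form decoder would turn it into ' ').
aisp_param() {  # usage: aisp_param "$url" PARAM-NAME
    printf '%s\n' "$1" | tr '&?' '\n\n' | sed -n "s/^$2=//p" | sed 's/%20/ /g'
}

# Build the string the signature covers: NAME;ORGNUMBER;COUNTRY;TIMESTAMP
# (the contentFile.txt content from the page), with no trailing newline.
aisp_content() {  # usage: aisp_content "$url"
    printf '%s;%s;%s;%s' "$(aisp_param "$1" X-AISP-NAME)" \
        "$(aisp_param "$1" X-AISP-ORGNUMBER)" \
        "$(aisp_param "$1" X-AISP-COUNTRY)" \
        "$(aisp_param "$1" X-AISP-TIMESTAMP)"
}

# The verification steps from the page: decode the base64 signature, then
# verify contentFile.txt against it with the public key. Prints openssl's
# verdict and returns 0 only for "Verified OK".
aisp_verify() {  # usage: aisp_verify "$url" public_key.pem
    aisp_content "$1" > "$WORK/contentFile.txt"
    aisp_param "$1" X-AISP-SIGNATURE | tr -d '\n' | openssl base64 -d -A > "$WORK/temp.sha256"
    openssl dgst -sha256 -verify "$2" -signature "$WORK/temp.sha256" "$WORK/contentFile.txt"
}

# Constructed request built the way the page describes the sender's side:
# sign the content string, base64-encode the signature, append it as the last parameter.
make_signed_url() {  # usage: make_signed_url private_key.pem
    content='Instantor AB;556818-2835;Sweden;12312341234'
    printf '%s' "$content" > "$WORK/to_sign.txt"
    sig=$(openssl dgst -sha256 -sign "$1" "$WORK/to_sign.txt" | openssl base64 -A)
    printf 'https://www.bank.lv/login?X-AISP-NAME=Instantor%%20AB&X-AISP-ORGNUMBER=556818-2835&X-AISP-COUNTRY=Sweden&X-AISP-TIMESTAMP=12312341234&X-AISP-SIGNATURE=%s' "$sig"
}

# Demonstration: a genuine request verifies, a request with one changed parameter does not.
demo_url=$(make_signed_url "$WORK/aisp.key")
printf 'genuine request:  '; aisp_verify "$demo_url" "$WORK/aisp.pub" || true
tampered_url=$(printf '%s' "$demo_url" | sed 's/Sweden/Latvia/')
printf 'tampered request: '; aisp_verify "$tampered_url" "$WORK/aisp.pub" || true
```

Two details matter when turning this into a real check: the signature covers the exact bytes of contentFile.txt, so whether the file ends with a newline changes the result, and the '+' and '/' characters in the base64 signature must survive parameter extraction unchanged (a form decoder that maps '+' to a space makes every signature fail to decode).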