This is used by a web site (the merchant) when it needs to securely identify its users. Overall, the user enters their SSN (social security number), a password, and finally a one-time password. The bank's central server handles the actual authentication, which lets the user use the same authentication method across different web sites.
Every HTTP request consists of two "levels": an envelope that contains an RPC request.
Figure 12: A request, encoded as form-data and sent as an HTTP POST from the web site (the sender).
A BankID client, for example the Java applet, communicates with the web site and the central server over HTTPS. When the client sends a request, it is sent as an HTTP POST using standard form-data encoding. Binary data is encoded using base64. Every request is encrypted using AES-256-CBC together with RSA-2048.
These parameters contain the URLs of the central and merchant servers, the valid IPs for those domains, timeout variables, language settings, and the authentication type. The parameter set is signed by the merchant. The client itself does not validate the signature.
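The check the text says the client omits, shown as an added example that is not BankID's own code: the merchant signs a canonical serialisation of the parameter set, and the client refuses to use any parameter unless the signature verifies under the merchant's pinned public key. The parameter names and values are constructed placeholders, and SHA-256 with RSA-PSS is an assumed signature scheme, since the page only states that the parameters are signed by the merchant.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
)

// CanonicalParams serialises the parameter set deterministically so that the
// merchant and the client hash identical bytes. url.Values.Encode sorts keys,
// which gives a stable canonical form without a custom serialiser.
func CanonicalParams(params url.Values) []byte {
	return []byte(params.Encode())
}

// SignParams is the merchant side: hash the canonical parameters with SHA-256
// and sign the digest with RSA-PSS (scheme assumed for this example).
func SignParams(merchantPriv *rsa.PrivateKey, params url.Values) (string, error) {
	digest := sha256.Sum256(CanonicalParams(params))
	sig, err := rsa.SignPSS(rand.Reader, merchantPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyParams is the client-side check: decode the signature, recompute the
// digest over the parameters actually received, and verify under the pinned
// merchant public key. Any failure means the parameters must not be used.
func VerifyParams(merchantPub *rsa.PublicKey, params url.Values, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(CanonicalParams(params))
	return rsa.VerifyPSS(merchantPub, crypto.SHA256, digest[:], sig, nil) == nil
}

// SampleParams builds a constructed parameter set mirroring the kinds of
// values the text lists. All names and values are placeholders.
func SampleParams() url.Values {
	return url.Values{
		"centralServerURL":  {"https://central.example.invalid/rpc"},
		"merchantServerURL": {"https://merchant.example.invalid/bankid"},
		"timeout":           {"120"},
		"language":          {"no"},
		"authType":          {"otp"},
	}
}

func main() {
	merchantKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	params := SampleParams()
	sig, err := SignParams(merchantKey, params)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine parameters accepted:", VerifyParams(&merchantKey.PublicKey, params, sig))

	// Any change to a signed value, here the timeout, must be rejected.
	modified := SampleParams()
	modified.Set("timeout", "9999")
	fmt.Println("modified parameters accepted:", VerifyParams(&merchantKey.PublicKey, modified, sig))
}
```

The verification only helps if the client obtains the merchant's public key from somewhere the merchant's web page cannot influence (a pinned key or a certificate chained to a trusted root); a key delivered alongside the parameters would verify anything.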
The cryptography in BankID works as follows: for every request a new 32-byte secret key is generated. The generated key is never used itself, but the source is created that uses
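The request envelope described above (a fresh 32-byte key per request, AES-256-CBC for the payload, RSA-2048 for the key, base64 inside form-data), as an added example that is not BankID's own code. It simplifies in one place the text does not support: the fresh key is used directly as the AES key, whereas the text says the generated key itself is never used. The field names `key`, `iv` and `data`, RSA-OAEP with SHA-256 as the key-wrapping padding, PKCS#7 block padding and the sample RPC payload are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// pkcs7Pad and pkcs7Unpad give CBC the whole-block input it requires.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// SealRequest builds the client's envelope for one RPC request: a fresh
// 32-byte AES-256 key and IV, the payload under AES-256-CBC, and the key
// wrapped for the central server under RSA-2048 with OAEP (padding assumed).
// Every binary field is base64 so the envelope can travel as form-data.
func SealRequest(serverPub *rsa.PublicKey, rpc []byte) (url.Values, error) {
	key := make([]byte, 32)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(rpc, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	if err != nil {
		return nil, err
	}
	return url.Values{
		"key":  {base64.StdEncoding.EncodeToString(wrapped)},
		"iv":   {base64.StdEncoding.EncodeToString(iv)},
		"data": {base64.StdEncoding.EncodeToString(ct)},
	}, nil
}

// OpenRequest is the central server's side: decode the fields, unwrap the
// per-request key with the server's RSA private key, then decrypt and unpad.
func OpenRequest(serverPriv *rsa.PrivateKey, form url.Values) ([]byte, error) {
	fields := map[string][]byte{}
	for _, name := range []string{"key", "iv", "data"} {
		raw, err := base64.StdEncoding.DecodeString(form.Get(name))
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", name, err)
		}
		fields[name] = raw
	}
	if len(fields["iv"]) != aes.BlockSize || len(fields["data"])%aes.BlockSize != 0 {
		return nil, errors.New("malformed envelope")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, fields["key"], nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(fields["data"]))
	cipher.NewCBCDecrypter(block, fields["iv"]).CryptBlocks(pt, fields["data"])
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample payload; no real identifiers.
	form, _ := SealRequest(&serverKey.PublicKey, []byte(`{"method":"auth","ssn":"<placeholder>"}`))
	rpc, err := OpenRequest(serverKey, form)
	fmt.Printf("form-data body: %s\nrecovered: %s err=%v\n", form.Encode(), rpc, err)
}
```

Two points a reviewer of such an envelope would raise: the key and IV must come from a cryptographic RNG and be fresh per request, which is what `rand.Read` gives here, and CBC on its own provides confidentiality but no integrity, so the receiver cannot tell an altered ciphertext from a genuine one until something downstream fails; the text names only AES-256-CBC and RSA-2048, so this example does not add a MAC, but a design built today would use an AEAD mode or an encrypt-then-MAC construction.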