QUIK Software ensures the integrity and privacy of transmitted data by providing a secure connection between user workstations and the QUIK server. All information exchanged between the server and the client is encrypted.
Broker tools for encryption and authentication
- Authentication and encryption with standard TLS/SSL protocols
Authentication may be done by name and password, or by X.509 certificate issued for a personal private key generated by its user.
- Use of certified GOST algorithms provided by the cryptographic data protection systems CryptoPRO CSP and/or SignalCom SSLPro
Authentication is done by X.509 certificate issued for a personal private key generated by a user. The key may also be stored on better protected external carriers — 'pendant' memory devices (JaCarta, eToken, ruToken, etc.).
- Cryptographic tools by ARQA Technologies
Public and private keys are generated by users and may be password protected. Private keys are kept separately from the software, for example, on a flash card. Authentication is done by the user's public key; encryption, by a symmetric private key.
Other security tools
- various two-factor authorization mechanisms (RSA SecurID or RADIUS authentication, Windows domain authentication) with a PIN code sent to the user via email or, if Alert dispatch module is installed, to the user's mobile device via an SMS/push message;
- logging of all users’ transactions and text messages;
- fixed IP-range available for connection to a specific terminal;
- individual security settings for each user, selective approach;
- transactions signed with a digital signature using certified cryptographic tools such as Message-PRO/Signal-COM, CryptoPro CSP, Validata CSP or Bicrypt.
External Cryptographic Tools
Security capabilities can be enhanced by using external certified cryptographic tools for creating digital signatures (sold separately).
- CryptoPro CSP,
- Message-PRO (by Signal-COM),
- Validata CSP,
- National Ukrainian Depositary,
- Cesaris (Ukraine),
- MASTERKEY (by Art-master, Ukraine).
* — for companies that intend to use the QUIK server as a managed service for access to Ukrainian exchanges, integration with solutions that use digital signature of certified Ukrainian providers is impossible due to Russian and Ukrainian legislation.
- TUMAR-CSP (by “Gamma Technologies” Research Laboratory, Kazakhstan),
- Central Securities Depository (Kazakhstan).
In addition to standard means for authorization of QUIK Workstation and webQUIK users, the use of RSA SecurID® technology is also possible.
- PIN, a number known only to the user,
- A token-key, the number on the token’s display.
The user must always keep the token at hand. If the token is lost, the person who finds it cannot use it, since it works only together with the user’s PIN. Similarly, someone who learns the PIN cannot use it without the token. Moreover, the owner of the token can block it at any time. The token code can be used only once for authentication. This precludes the possibility of re-using the code if authentication details have been stolen by an intruder.
Application in QUIK Software
To use RSA SecurID technology, one should have RSA ACE/Server software (basic license) and RSA SecurID Key Fob, Card or PINPad Card tokens. Demos company (www.demos.su) is a distributor of RSA Security in Russia.
One dedicated computer is required for deployment of RSA ACE/Server. It is important that this computer and the QUIK server function within the same network segment, and that the computer's clock is synchronized with UTC (e.g. via NTP).
Two-factor authentication is enabled separately for each client and does not affect the work of other users of the system. To connect to the QUIK server, the user needs to enter their PIN (password) and token code. The number of attempts is limited. If an attempt to guess the password is suspected, the communication session is interrupted, and the token is blocked until the administrator intervenes.