Questions and Answers
The INSIKA Project
- What is INSIKA?
- What are the objectives of the INSIKA project?
- What is the current status of the project?
- What is the relationship between financial authorities and the INSIKA project group?
- Who are the INSIKA project partners?
- What are the interests of the INSIKA project partners?
- Are there licenses, rights, or patents for the INSIKA solution?
- Does INSIKA comply with the German accounting principles?
- Is there a legal basis for the introduction of the INSIKA system?
- What is a "TIM"?
- What makes INSIKA different from other fiscal solutions (classic and cryptographic)?
- Are there other formats of transaction data (e.g. SAF-T)?
- What happens if the data cannot be stored permanently in the cash register?
- What's the amount of data collected? Isn't it too much for many cash registers?
- Why is XML used as the data format? Isn't that inefficient?
- What are INSIKA profiles? What advantages do they offer?
- Which profiles are published?
- Why do you require the periodic recording of the taxi cab's mileage?
Security of the System
- How exactly is it ensured that data is stored completely and tamper-proof?
- Why is there no need for a certification or type approval of cash registers?
- What is the purpose of an evaluation according to Common Criteria? When is it planned?
- Why do you use smart cards (instead of sealed fiscal modules etc.)?
- What is a digital signature?
- Isn't a "real" fiscal memory more secure?
- Why are considerably more classical fiscal memories used worldwide than cryptographic solutions?
- What happens if reports were altered that were not protected by a signature?
- Why is printing of the receipt mandatory?
- What is the purpose of the signature on the receipt?
- What is a digital certificate?
- Why do you need a Public Key Infrastructure (PKI)?
- Could you cheat with a second cash register without TIM?
- Could you cheat with additional TIMs?
- Could the TIM be rebuilt or copied?
- What is the purpose of the sums on the TIM?
- What happens if transactions are not recorded by the cash register?
- Why is the data not encrypted but signed?
- Why do you use asymmetric cryptography? How does it work?
Practical Implementation and Usage
- How can a manufacturer of cash registers integrate INSIKA?
- How can a user of cash registers make use of INSIKA?
- How do you verify a receipt?
- Will an INSIKA cash register be slower?
- How does the INSIKA report correspond to the daily report of a cash register?
- How do you verify INSIKA data in an audit?
- Where can I get documentation, smart cards, information, etc.?
- Who answers questions concerning the INSIKA system?
The INSIKA Project
Q: What is INSIKA?
A: The acronym INSIKA stands for the German project name „INtegrierte SIcherheitslösung für messwertverarbeitende KAssensysteme“ (integrated security solution for cash register systems that process measurement data). INSIKA is a research project funded by the German Federal Ministry of Economics and Technology (grant number MNPQ 11/07).
Q: What are the objectives of the INSIKA project?
A: The aim of the project is to develop a solution that protects transaction and measurement data on cash registers against tampering. The main focus is on low cost, automated audits and unrestricted freedom for manufacturers to innovate, while providing a high security level.
Q: What is the current status of the project?
A: As of February 2011, all technical project objectives have been achieved. Functional cash register prototypes have been tested in pilot installations for months. A complete infrastructure has been built up, and all processes needed for operation can be performed.
After registration the documentation is freely available. The smart cards for signing the data can be purchased from the ADM e.V. Demonstration software is available for all major functions (generating signed transactions, verifying signed data and reading out smart card information).
Q: What is the relationship between financial authorities and the INSIKA project group?
A: The INSIKA project is based on the legal framework set by a draft law of the German Ministry of Finance in 2008 and on the corresponding technical concept. The INSIKA project group keeps the tax authorities informed of its results. In the course of the project, specific questions were answered by federal and state tax authorities.
Q: Who are the INSIKA project partners?
A: The project is led by the Physikalisch-Technische Bundesanstalt Berlin (the German national metrology institute). Four manufacturers of cash registers from different sectors are involved. INSIKA is funded within the programme "Measure - Standardise - Verify - Quality Assurance" (MNPQ) of the German Federal Ministry of Economics and Technology.
Q: What are the interests of the INSIKA project partners?
A: The INSIKA project partners are interested exclusively in a solution that meets all legal requirements on data storage. When the solution is implemented in products and components, no type approval should restrict the partners' innovations. Ideally a single standard for fiscal matters should ensure a level playing field. The solution should be simple, inexpensive and secure.
Q: Are there licenses, rights, or patents for the INSIKA solution?
A: The entire INSIKA specification is published and contains no patented components. Because the specification has been published, no patent claims can later be raised on it. Unlike other solutions, it can be implemented by any interested company without licence fees.
The documentation, the TIM software and the demo software are protected by copyright. The TIM software has to be evaluated before it is used in real operation. Because of the cost of such an evaluation, this cannot be carried out within the INSIKA project.
INSIKA® is a registered trademark of the registered association "Anwendervereinigung Dezentrale Messsysteme (ADM) e.V."
Q: Does INSIKA comply with the German accounting principles?
A: INSIKA was designed to comply with the German accounting principles, which are similar to the generally accepted accounting principles.
Q: Is there a legal basis for the introduction of the INSIKA system?
A: No, currently there is no legal basis for the introduction of the INSIKA system in Germany.
Q: What is a "TIM"?
A: A "TIM" ("Tax Identification Module") is a smart card running special software implemented according to the INSIKA specifications.
Q: What makes INSIKA different from other fiscal solutions (classic and cryptographic)?
A: INSIKA uses modern cryptographic signatures. The security-critical parts of the system run on a smart card, which provides a very high security level. No type approval of the cash register is needed to ensure the security of the system.
Q: Are there other formats of transaction data (e.g. SAF-T)?
A: The data can be converted into numerous other formats, as long as all information needed for signature verification remains available.
Q: What happens if the data cannot be stored permanently in the cash register?
A: Unlike traditional fiscal memories, the security of the system does not depend on the data being stored in a specific place. The data is secured by digital signatures and can therefore be transferred freely from the cash register to other storage media. This makes it easy to integrate INSIKA into existing cash register data management systems.
Q: What's the amount of data collected? Isn't it too much for many cash registers?
A: The current legal situation (letter of the German Ministry of Finance of November 26th, 2010) requires all cash registers to store every sales transaction in detail.
For INSIKA every transaction has to be extended by a signature (48 bytes) and a sequence number (1 to 4 bytes) only. When stored efficiently, the total amount of data (transaction data plus INSIKA-specific data) can be expected to be between 10 and 200 megabytes per cash register and year.
Q: Why is XML used as the data format? Isn't that inefficient?
A: XML is widely used in machine-to-machine communication. It is standardized, portable, self-describing and easy to generate and evaluate. It has to be used for the export of data only; for storage, manufacturers can use their own specialised format.
Q: What are INSIKA profiles? What advantages do they offer?
A: INSIKA profiles map the application-specific data of a system. Through profiles INSIKA can be adapted to different applications; in particular, systems handling different kinds of measurement data can be mapped. Each application uses exactly one profile.
The data objects of a profile are not passed to the smart card. However, since the hash value of these data objects is passed, the data objects are signed indirectly. Thus a large number of data objects can be included in the signature without transferring them over the smart card interface.
Q: Which profiles are published?
A: Currently the profile for cash registers and the one for taximeters have been published. All taximeters that comply with Directive 2004/22/EC (Measuring Instruments Directive, "MID") can be mapped. Their type approval is not affected in any way.
The profile specifications are sent free of charge after registration.
Q: Why do you require the periodic recording of the taxi cab's mileage?
A: Because of legal requirements, the INSIKA project currently cannot define requirements for the signal path from the signal generator to the taximeter, nor for the taximeter itself. The data is therefore signed downstream of the taximeter. The comparison with the cab's mileage is required in order to detect tampering on the signal path upstream of that point.
Security of the System
Q: How exactly is it ensured that data is stored completely and tamper-proof?
A: Part of the INSIKA system is the obligation to issue a signed receipt for every transaction. The signature can only be generated by the smart card. With every signature a new sequence number is assigned, so it is known how many receipts were signed, and every sequence number corresponds to exactly one transaction. Because of the signature, the transaction data cannot be changed without detection; because of the sequence numbers, a transaction cannot be removed without leaving a gap.
Q: Why is there no need for a certification or type approval of cash registers?
A: The security of the INSIKA system is based on the security of the TIM. The transaction data of the cash register is given a digital signature; afterwards the data can be stored in the journal in any way. The printed signatures also serve as samples that prove the consistent usage of the system. For an audit, the transaction data is converted into a defined export format and the signatures are verified using audit software.
A type approval or certification applies to the TIM only. It is not needed for cash registers.
Q: What is the purpose of an evaluation according to Common Criteria? When is it planned?
A: The "Common Criteria for Information Technology Security Evaluation" (CC) are internationally accepted criteria for assessing and certifying the security of IT products. Smart cards, operating systems, software packages etc. are certified according to CC. The seven "Evaluation Assurance Levels" (EAL1 to EAL7) describe the depth and rigour of the evaluation, i.e. how thoroughly the correctness of a certified system has been examined, not the strength of its security functions.
According to the INSIKA concept, the smart card including the software on it should be certified. Smart cards and smart card operating systems that are already certified can of course be used. Part of the INSIKA concept is the evaluation of the TIM software package; this should be carried out for the software used in real operation. More information on CC can be found at http://www.commoncriteriaportal.org/ .
Q: Why do you use smart cards (instead of sealed fiscal modules etc.)?
A: Smart cards are used in many areas where security is essential, such as card payment systems (EMVCo), electronic passports (ICAO ePassports) and access to cellular networks (SIM). Smart cards provide a secure environment for keys and data at a level that other systems do not achieve. In particular, smart cards offer countermeasures against so-called side-channel attacks (SPA, DPA, timing analysis etc.).
Fiscal modules, which are still in use in many countries, are developed in relatively small quantities and with limited budgets. They therefore provide a lower security level at significantly higher cost. Numerous attacks are possible, and they can only be detected by regular physical inspection of the modules themselves.
Q: What is a digital signature?
A: A digital signature is computed with a cryptographic function over the data to be protected. Digital signatures ensure and allow verification of the authenticity (authorship) and the integrity (protection from modification) of data. Because digital signatures are based on asymmetric cryptography, a key pair consisting of a private and a public key is used. In INSIKA this key pair is on the smart card. Since the private key on the TIM cannot be read by anybody, the security property of non-repudiation (proof of authorship towards third parties) is fulfilled as well.
In an INSIKA system the signing process is as follows. First the transaction data is passed to the TIM. The TIM calculates a hash value of this data; the hash value can be regarded as a unique "fingerprint" of the data. The TIM then uses the hash value and the private key to compute the digital signature. The cash register stores the signature together with the corresponding transaction data in the journal. Since this is not encryption, the transaction data remains readable as plain text. For an audit, the hash value is recalculated from the stored transaction data and the signature is verified against it using the public key of the TIM.
Q: Isn't a "real" fiscal memory more secure?
A: In a classical fiscal memory the relevant data is stored in a hardware module. In an INSIKA system the data is signed by the TIM and can be stored on any storage medium, so the manufacturer of the cash register can implement a backup system of their choice. Even in case of damage or loss of a TIM, the data can still be provided. Classical fiscal modules offer no possibility of backing up data: in case of defect or loss of the hardware module, all relevant data is lost.
Q: Why are considerably more classical fiscal memories used worldwide than cryptographic solutions?
A: Classical fiscal systems go back to the early 1980s in Italy. At that time neither suitable cryptographic solutions nor enough memory for a detailed recording of transactions were available. Therefore only summary data (daily turnovers) was stored, secured mechanically by sealed modules. This technical solution became the basis for most countries that introduced fiscal systems. The necessary memory and cryptographic methods suitable for all types of cash registers have been available for some years now.
Q: What happens if reports were altered that were not protected by a signature?
A: For an audit, only the signature-protected transaction data is relevant. Against this data, the plausibility of any other tax-related data of the cash register can be checked.
Q: Why is printing of the receipt mandatory?
A: Every secure cash register system requires that all transactions are recorded, and this can only be ensured through audits. These audits require the printing of a receipt that can be checked. The INSIKA system requires the signature to be printed on the receipt. The signature can be verified, which proves that the receipt was processed by the TIM as defined for an INSIKA system.
Q: What is the purpose of the signature on the receipt?
A: The signature on the receipt proves that the transaction was recorded correctly. It can therefore be checked at any time whether the cash register was used as required.
Q: What is a digital certificate?
A: A digital certificate consists of structured data that binds an identity and other properties to a public key. To make this binding unchangeable, the structured data is signed. In INSIKA the digital certificate is signed by a Certification Authority (CA) and issued together with the TIM. The certificate is stored on a directory server and additionally on the TIM itself.
Q: Why do you need a Public Key Infrastructure (PKI)?
A: A Public Key Infrastructure provides a system for handling digital certificates. The tasks of a PKI include identity verification, personalization of the smart card, issuing of the digital certificate, and operation of the directory service and the revocation list (Certificate Revocation List, CRL).
Q: Could you cheat with a second cash register without TIM?
A: A second cash register without a TIM could not create properly signed receipts. This would be noticed immediately during an audit and could be noticed by attentive customers as well.
Q: Could you cheat with additional TIMs?
A: TIMs with a valid certificate can only be issued by the financial authorities. All TIMs are registered centrally when issued, so it is known how many and which TIMs are used by a taxpayer. In an audit, the data for every TIM and the TIM itself have to be presented.
Q: Could the TIM be rebuilt or copied?
A: The technical specifications of the INSIKA technology are published. Based on these specifications the functionality of a TIM could be rebuilt. But a false TIM can never have a valid digital certificate, so the verification of transactions (or receipts) signed by a false TIM will always fail.
To copy a TIM, one would need the private key of the TIM. As with many smart cards, nobody (not even the issuer) is able to read the private key. Therefore it is not possible to create a copy.
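The certificate handling described in the three answers above (what a certificate binds, what the PKI does with certificates and the CRL, and why a rebuilt TIM can never pass verification), as an added Go example that is not part of the INSIKA project's software or documentation. It assumes P-256 keys, a single self-signed root and X.509 certificates and CRLs; the page does not state which certificate format or curve INSIKA uses, and the names NewCA, IssueTIM, CRL and CheckTIMCert are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CA models the INSIKA certification authority: its key signs TIM certificates and the CRL.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewKey makes a P-256 key pair; on a real TIM this step happens inside the card.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewCA creates a self-signed root. The crlSign usage is required to issue CRLs.
func NewCA(name string, now time.Time) (*CA, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// IssueTIM binds a TIM's public key to its identifier (serial must be unique per CA); the private key never reaches the CA.
func (ca *CA) IssueTIM(timID string, serial int64, pub *ecdsa.PublicKey, now time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: timID},
		NotBefore:    now,
		NotAfter:     now.AddDate(5, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CRL issues a signed revocation list naming the given serial numbers.
func (ca *CA) CRL(revoked []*big.Int, now time.Time) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 1, 0)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// CheckTIMCert is run before a TIM's public key is trusted: the certificate must chain
// to the trusted root, be within its validity period and not be on a CRL signed by the root.
func CheckTIMCert(root, cert *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	if crl != nil {
		if err := crl.CheckSignatureFrom(root); err != nil {
			return err
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return errors.New("certificate of " + cert.Subject.CommonName + " is revoked")
			}
		}
	}
	return nil
}
```

A rebuilt TIM can carry a certificate for its own key, but that certificate is either signed by nobody the verifier trusts or copied from a genuine TIM whose key it does not hold; in the first case CheckTIMCert rejects the chain, in the second the signature verification of the receipts fails. The CRL check only counts if the list itself was signed by the root, which is why its signature is verified before its serial numbers are consulted.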
Q: What is the purpose of the sums on the TIM?
A: Every successful transaction updates the sums on the TIM. These total turnovers are grouped by month and VAT class. If no other export data is available, the sums on the TIM can be used in an audit. This helps the taxpayer, since without such sums the financial authorities usually estimate the turnover.
Q: What happens if transactions are not recorded by the cash register?
A: No technical system can force a user to record data properly; it can only make checking of the recording easier. Because signed receipts must be printed, an audit can be performed at any time. If the audit density is sufficient, the risk of detection is correspondingly high.
Q: Why is the data not encrypted but signed?
A: Encryption protects data from unauthorized reading. The INSIKA system protects data from unauthorized changes, which is achieved by a digital signature. If additional encryption is desired, the cash register can provide it; of course this data has to be decrypted for an audit.
Q: Why do you use asymmetric cryptography? How does it work?
A: Asymmetric cryptography uses a key pair consisting of a private and a public key. The private key is used for signature creation. It was generated when the smart card was issued; it cannot be read and never leaves the smart card. The corresponding public key is readable and is required for signature verification. The public key is contained in the digital certificate, which can be read from the smart card itself or from the certificate server.
Practical Implementation and Usage
Q: How can a manufacturer of cash registers integrate INSIKA?
A: According to the letter of the German Ministry of Finance of November 26th, 2010, every new cash register has to record all transactions. If a system is not able to do so, appropriate software changes have to be made. Depending on the hardware, the necessary memory has to be provided, e.g. by adding memory.
In addition, INSIKA requires that a smart card reader is connected and that the protocol for communication with the TIM is implemented. The INSIKA-specific data (in particular sequence number and signature) has to be printed, stored and provided on request in the specified INSIKA XML format.
Q: How can a user of cash registers make use of INSIKA?
A: When using an INSIKA-enabled cash register the operator has no additional tasks to perform; operation is completely unchanged. Only when setting up the system does a TIM have to be ordered and inserted into the card reader of the cash register. In the INSIKA concept, TIMs are ordered from the financial authorities.
Q: How do you verify a receipt?
A: The verification of the receipt itself is a key point of the security of the system. No journal data is needed for it. The relevant data printed on the receipt is entered into a verification software, which downloads the digital certificate of the corresponding TIM from the certificate server and verifies the receipt against it.
If all relevant data is stored in a 2D code, the verification is more convenient: the 2D code is scanned and the verification is done web-based, without any special software. All that is required is a smartphone capable of reading 2D codes and an internet connection.
Q: Will an INSIKA cash register be slower?
A: The signature calculation is carried out by the TIM once for every transaction and takes about 0.3 seconds. This delay is barely noticeable; in the practical tests it was not reported as disturbing.
Q: How does the INSIKA report correspond to the daily report of a cash register?
A: The INSIKA reports divide the recorded data into sections. Because a report contains signed sum data, the audit can be simplified: the transaction data of one section must add up to the difference between the report at the beginning and the one at the end of the section. The INSIKA reports are a technical and organizational matter and can be generated independently of the daily reports of the cash register. To reconcile the INSIKA data with all other data of the cash register, it is recommended to perform both in parallel.
Q: How do you verify INSIKA data in an audit?
A: The first step determines whether the data is unchanged, complete and authentic. Verification of the signatures detects any changes. Examination of the sequence numbers detects removed or unsaved data. Verification of the digital certificate ensures that the data originates from the specific taxpayer, and since data has to be presented for every smart card issued to the taxpayer, completeness across TIMs is ensured as well. These checks are done automatically in software. In the second step, the tests done today can be carried out, e.g. sums according to different criteria.
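The mechanism described in several answers above (the signing process in which the register passes a hash to the TIM and gets back a sequence number and a signature, the completeness check over sequence numbers, the stand-alone receipt check, and the first audit step), as an added Go example that is not part of the INSIKA project's software. It assumes ECDSA on P-256 with SHA-256 and a raw r||s signature of 64 bytes (the page only gives a signature size of 48 bytes and does not name the algorithm or curve); the byte layout the TIM signs, the type names and the sample transactions are this example's own constructions. The certificate check that an audit performs first is left out here, and the TIM's public key is used directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

// Transaction is a journal entry: the TIM's sequence number, the register's data and the raw r||s signature.
type Transaction struct {
	Seq  uint32
	Data string
	Sig  []byte
}

// TIM stands in for the smart card: the key never leaves it, and every Sign call consumes the next sequence number.
type TIM struct {
	key *ecdsa.PrivateKey
	Seq uint32
}

func NewTIM() (*TIM, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TIM{key: key}, nil
}

// Public is what the certificate carries; the private key has no accessor.
func (t *TIM) Public() *ecdsa.PublicKey { return &t.key.PublicKey }

// digest is what the card signs: the sequence number bound to the hash of the transaction data,
// so only that hash crosses the card interface. The byte layout is this example's assumption.
func digest(seq uint32, dataHash [32]byte) []byte {
	buf := append([]byte{byte(seq >> 24), byte(seq >> 16), byte(seq >> 8), byte(seq)}, dataHash[:]...)
	d := sha256.Sum256(buf)
	return d[:]
}

// Sign assigns the next sequence number and returns it with the signature.
func (t *TIM) Sign(dataHash [32]byte) (uint32, []byte, error) {
	t.Seq++
	r, s, err := ecdsa.Sign(rand.Reader, t.key, digest(t.Seq, dataHash))
	if err != nil {
		return 0, nil, err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return t.Seq, sig, nil
}

// SignAll is the register side: hash each transaction, have the TIM sign the hash, store all three in the journal.
func SignAll(t *TIM, data []string) ([]Transaction, error) {
	var journal []Transaction
	for _, d := range data {
		seq, sig, err := t.Sign(sha256.Sum256([]byte(d)))
		if err != nil {
			return nil, err
		}
		journal = append(journal, Transaction{Seq: seq, Data: d, Sig: sig})
	}
	return journal, nil
}

// VerifyReceipt checks one receipt from the values printed on it and the TIM's public key; no journal is needed.
func VerifyReceipt(p *ecdsa.PublicKey, tx Transaction) bool {
	if len(tx.Sig) != 64 {
		return false
	}
	r, s := new(big.Int).SetBytes(tx.Sig[:32]), new(big.Int).SetBytes(tx.Sig[32:])
	return ecdsa.Verify(p, digest(tx.Seq, sha256.Sum256([]byte(tx.Data))), r, s)
}

// Findings: Bad = signature fails (altered or foreign data), Missing = absent (removed or never stored), Duplicate = stored twice.
type Findings struct{ Bad, Missing, Duplicate []uint32 }

// AuditJournal is the first audit step: every sequence number from 1 up to the counter read from the TIM
// must occur exactly once with a valid signature.
func AuditJournal(p *ecdsa.PublicKey, lastSeq uint32, journal []Transaction) Findings {
	var f Findings
	seen := make(map[uint32]int)
	for _, tx := range journal {
		seen[tx.Seq]++
		if tx.Seq == 0 || tx.Seq > lastSeq || !VerifyReceipt(p, tx) {
			f.Bad = append(f.Bad, tx.Seq)
		}
	}
	for seq := uint32(1); seq <= lastSeq; seq++ {
		if seen[seq] == 0 {
			f.Missing = append(f.Missing, seq)
		} else if seen[seq] > 1 {
			f.Duplicate = append(f.Duplicate, seq)
		}
	}
	return f
}
```

Signing four constructed transactions and then altering the second, removing the third and storing the fourth twice yields Findings{Bad:[2] Missing:[3] Duplicate:[4]}; an empty journal checked against a TIM counter of 4 reports all four sequence numbers as missing, which is what the counter on the card is for. A receipt checked against the public key of a different TIM fails, which is the situation of a second register without (or with a foreign) TIM.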
Q: Where can I get documentation, smart cards, information, etc.?
A: All important information on the INSIKA project can be accessed at www.insika.de . The technical specifications are sent by the INSIKA consortium by e-mail free of charge after registration. All registered companies and organisations receive the latest information on technical enhancements or modifications. Demonstration and verification software can be downloaded from the INSIKA website. An INSIKA smart card ("TIM") can be ordered for demonstration and development purposes from the ADM e.V.
Q: Who answers questions concerning the INSIKA system?