Not sure how or where to start with your own web site, ? We are ready to help you with web design gudelines and strategies so that your internet web site meets your most sophisticated needs.

    Page 1 of 3

Hindsight I T Solutions

ACTINIC CATALOG

SECURITY INFORMATION

 

    Hindsight

    Third Party Software

    White Paper : Actinic Catalog Security Briefing

    “Actinic Catalog v.4 was released in July 2000. It is an entry level ecommerce product designed to be simple to use, low cost and secure. It is designed for use by vendors who have access to the Internet only via a dial-up account. ”

     
    Introduction

    This paper describes the security techniques used by Catalog and the possible attacks that might be made. It compares Actinic Catalog with comparable SSL (Secure Socket Layer) solutions which are in current use.

    Security method

    Catalog allows orders to be placed and sent over the Internet. Encryption can be disabled for non-sensitive orders e.g. requests for further information about a house advertised for sale. If encryption is enabled, it can happen in one of two ways : using a Java Applet or using SSL. An alternative is where all secure payment information is collected by an "Online Credit Card Provider" such as NetBanx, WorldPay, Secure Trading or Datacash. In this case, the security is provided by these companies. This particular option will not be considered further in this paper.

    Using Java Applet

    Encryption occurs on the buyer's PC and decryption only occurs on the vendor's PC. At no stage is the transaction decrypted whilst it travels over the Internet, or whilst it is stored on a web site. In addition, orders (including credit card details) are only stored on a web site until the vendor downloads them to their PC. Hence there is no large store of orders available online to invite attack.

  • The encryption is carried out by using a Java applet. The Java applet is subject to the standard security restrictions of their "sandbox" which restricts their ability to communicate across the Net to only the web site that they are downloaded from. Decryption is carried out on the vendor's PC after orders have been downloaded from the web. The encryption technique used falls into two parts. The first is to use Diffie-Hellman key exchange to agree a 128 bit key for use by the SAFER block cipher. The Diffie-Hellman key currently used is 256 bits and this will be increased further in the future up to 1024 bits, depending on performance. This encryption method is used on the following fields only :

    • credit card number

    • credit card type
    • credit card expiry date
  • Other fields in orders placed using the system are also encrypted using Safer with a 128 bit key, but using a fixed key built in to the software and common across all instances of the software.
  • The following banks have approved their customers use of Actinic Catalog - Barclays Bank, Midland Bank and The Royal Bank of Scotland.

  • Using SSL

  • Where the SSL option is used, the buyers personal details, credit card information and other order information is sent from the browser to the server, using industry standard SSL encryption. At the server, the order is encrypted before being written to disk using the same method and encrypting the same fields as is explained in the Java encryption. Hence the order is only stored encrypted on the web site. When the vendor downloads the orders, they are sent over the Internet using SSL and then decrypted on their PC. Hence there is no large store of orders available online to invite attack.

  • Diffie-Hellman

  • Diffie-Hellman key exchange has been published for over 25 years and has been proved to be strong. RSA have based their encryption method on the same fundamental mathematics. RSA (used in SSL) is essentially a derivation of Diffie-Hellman. Actinic chose to use Diffie-Hellman for the following reasons :

    • it is a public / private key method : this is essential for the ordering model adopted by Actinic

    • the algorithm has been around for many years and has stood the test of time
    • it is now patent-free
    • it has been selected by an increasing number of industry leaders as their system of choice:
      • Microsoft for NT 5
      • Sun Microsystems for their SKIP system

  • Cisco for their routersSafer

  • Actinic has adopted the SAFER SK-128 block encryption method developed by Massey (the developer of IDEA which is used in PGP). The key for use with SAFER is negotiated using Diffie-Hellman. The algorithm has been around for some time and has stood the test of time. It is a public algorithm and is freely available. SAFER is briefly described in the RSA FAQ

  • Key length

  • Actinic have adopted a 128 bit Safer key, which gives a reasonable performance whilst being several orders of magnitude beyond where brute force methods could break the encryption. SSL offers only a 40-bit key in non-US implementations (although 56 bit key implementations are now becoming available). To put things in context, each additional bit of key space takes twice as long to break. So a 41 bit key is twice as strong as a 40 bit key. The 128 bit key used in Actinic Catalog is 4,722,366,482,869,645,213,696 times as strong as the SSL 56 bit key.

     
    Page 2 (possible attacks)
     

     

Contact us now to order or for more information

     

    Click Here to return to the top of this page

     

Page 1 of 3
©2001 Hindsight I T Solutions
All Rights Reserved