Embed Size (px)
Citation preview
Page 1
Web Payment Security (Passing Secure Information Over the Internet)
Secure Computer Systems
I assure on my honour that I have actively participated in these solutions, and that the solutions were developed independently from other groups.
Group members:
Daniel Whitmarsh [[email protected]]Mattias Baecklund [[email protected]]Ioana Ungurean [[email protected]]
Names and personal numbers:
Daniel Whitmarsh 810423P231
Mattias Baecklund 7811080139
Ioana Ungurean 8103071786
Web Payment SecurityDaniel Whitmarsh, Mattias Baecklund & Ioana Ungurean
Page 2
1 INTRODUCTION
Web security is a big issue in all web sites that require a user to pay for goods online. Customers must trust your site in order for them to purchase items through it. However problems exist within web payment security, which we will look into.
The three main problems of web security are:
Making sure the data stored on the web server (wherever it may be) is secure.
Making sure all data that flows is secure.
Securing the users PC, so that there is no possibility of damage to their PC caused from the site being built.
This report will focus mainly at the second one of these points.
1.1 GENERAL OVERVIEW
Garfinkel (1997) states that the web server must be secure and only allow users to have access to certain parts of information. They should not have access to system files for example. The information they will be able to see will be in an area that will be made public for users to interact with but will not be editable.
One of the biggest problems, when talking about Internet security is the passing of user information between users and the web server. Garfinkel (1997), also discusses possible ways to protect information from being intercepted by other people in his book which discusses web security. He points out that by:
Physically securing the network prevents ‘eavesdropping’
Hide the details you want to keep secure with other details
Encrypt the information so that it can’t be decoded by anyone else that doesn’t have the master key.
Garfinkel also mentions that the only practical option out of these is the last option. This is because there is no way of physically securing a network as big as the Internet and the hiding of information is only a feasible option if the people you are concealing the information from do not know it’s concealed.
Web Payment SecurityDaniel Whitmarsh, Mattias Baecklund & Ioana Ungurean
Page 3
One of the most common forms of encryption communication between users and a Web server is Secure Sockets Layer (SSL). Netscape introduced this originally to enable information to be sent securely over the Internet using encryption. It is now used all over the web and has regular updates trying to keep web security to a maximum. We will shortly explain how SSL works:
• The user contacts a site and accesses a secured URL (an URL that begins with “https”, no “http”)
• The server responds by sending a digital signature of the site, so the user knows that it’s the real site, not an impostor
• The user’s Web browser generates a unique session key which will encrypt all communications with the site
• The user’s Web browser encrypts the session key with the site’s public key, so no other sites can read this session key.
• Now we have a secure connection for this session and only the user browser and the site’s server can decrypt the information sent.
If SSL were to be used by a company wishing to sell online they would need to know how they would use SSL within their environment and what would the advantages be when dealing with credit card payments and customer details. The advantages are straightforward by the fact that the user’s information is kept secure and they would use SSL by selecting a hosting company that makes cryptography possible. If the users are using SSL aware browsers such as Firefox, Internet Explorer or Netscape Navigator you can use a secure link back to the server. This uses Https. Normally when using the web people are used to seeing http at the beginning of most web pages but if an ‘s’ is added this makes the site secure.
HTTPS can be purchased from most Internet Service Providers (ISP), for example in the UK BT Internet [online] offers different secure packages that include https encrypting data so it is securely sent back to the correct place helping to eliminate the wrong people getting their hands on the data. BT manages this (or the selected company) by creating a security certificate. HTTPS is SSL protected HTTP.
In order to take secure transactions online it will be necessary to pass secure customer information across the web. A PSP (Payment Service Provider) that can provide secure areas for this shall be looked at next.
1.2 PAYMENT SERVICE PROVIDER (PSP)
A payment service provider can deal with the online payment for a company. Reasons why companies use such services are discussed in this section. A lot of the issues mentioned link in with the last section where we talked about web security problems as a whole.
Some examples of epayment systems are credit card systems, electronic check systems and digital cash systems. We are more interested in how the information is passed to any these systems from our checkout.
Web Payment SecurityDaniel Whitmarsh, Mattias Baecklund & Ioana Ungurean
Page 4
1.2.1 Secure Transactions
Many hackers on the web now exist that just search round looking for holes in peoples systems to exploit, users of sites want guarantees when accessing a site about the security measures in place. As written in a journal by Peter Buck on ‘Electronic money to electronic cash: payment on the Net’ there are three properties that he suggests a payment should be:
Safe
Private
Trustworthy
Web Payment SecurityDaniel Whitmarsh, Mattias Baecklund & Ioana Ungurean
Page 5
The payment needs to be safe (secure) because a user:
“Assumes that noone else can divert it or impersonate me in order to steal my
funds or use them for nefarious purposes.” (Buck, P. 1997)
The payment needs to be private because the user:
“Does not want anyone else to know about the transaction apart from the other
party I (the user) am dealing with in each individual payment” (Buck, P. 1997)
The payment also needs to be trustworthy because as the user
“I want to be able to rely on the mechanism itself and the other party [group quote
“trust the payment service provider and the seller”] in the transaction.” (Buck, P.
1997)
These are important factors when looking into dealing with payments because the user is the most important factor to the site because they are the people that are going to be spending money their. If they don’t trust the site then they are less likely purchase items from it.
Therefore if the site passes through to a recognised Payment Service Provider (PSP), this will help install the confidence in the user. Consumer are more likely to proceed with an order if they know the PSP is a tried and trusted one rather than one created in house that may lead them to concern.
We therefore have decided that if we were to set up an ecommerce site that sells goods online we would use a payment service provider. So, now we must look into the issue of passing the information from our site to the PSP. Information like what goods the user is going to purchase and the total cost. We don’t therefore have to look at the actual money transfer.
Web Payment SecurityDaniel Whitmarsh, Mattias Baecklund & Ioana Ungurean
Page 6
2 PASSING INFORMATION TO PSP
One of the major issues that needs to be addressed when one has decided that a PSP is going to be used is how the information is going to be passed to the provider. The main reason for concern could be that people could try and change the information being sent. For example, change the price to 100kr from 20,000kr. It is therefore imperative that the transaction is secure so to stop Internet hacking.
One way of doing this is to add an encrypted signature to each purchase form they send to the PSP e.g. using SHA1, which is a messagedigest algorithm. This protects the purchase information from unauthorised tampering.
“ The Secure Hash Algorithm (SHA), the algorithm specified in the Secure Hash Standard (SHS, FIPS 180), was developed by NIST [NIS93a]. SHA-1 [NIS94c] is a revision to SHA that was published in 1994; the revision corrected an unpublished flaw in SHA. Its design is very similar to the MD4 family of hash functions developed by Rivest. SHA-1 is also described in the ANSI X9.30 (part 2) standard. The algorithm takes a message of less than 264 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks. SHA is part of the Capstone project.”
(http://www.rsasecurity.com/rsalabs/node.asp?id=2252)
The idea of using signatures has been incorporated by PSP’s and enables the sending of data securely between the shopping cart and the PSP so, if the user changes any of the data sent the transaction is declined.
When using one of these algorithms such as SHA1 or MD5, the page that sends the information to the PSP needs to be either
An offtheshelf shopping cart (i.e. a piece of software that is developed by a software company that deals with placing goods in a shopping basket/cart for the site) that has been designed to use one of these secure algorithm such as MD5
or
be generated using a programming language that has a library that supports such algorithms, such as C, C++, Visual Basic, PHP, ASP and Perl but not HTML or JavaScript
HTML and JavaScript are unsuitable for this feature because they are clientside scripting languages. In order for the encryption process to happen, serverside scripts must be run, these run through the code on the server and so ensure a level of security of the data.
Web Payment SecurityDaniel Whitmarsh, Mattias Baecklund & Ioana Ungurean
Page 7
2.1.1 Passing cart details to a PSP
When looking into how to pass details from our shopping cart to a PSP securely we decided that we would use a real world example that we could evaluate afterwards. The example we are using is World Pay, which is one of the largest PSP’s.
World Pay uses the MD5 hashing algorithm as its security method when passing the details. They tell the designer of the site to include two hidden fields within their shopping cart page that enable MD5 to operate. These fields are the signatureFields field and the signature field.
1. Choose a "secret" to be used in encrypting and decrypting the signature.
This should be a string (spaces are permitted) of up to 16 characters, known only by the designer and by World Pay. The string should be static rather than dynamically generated. This secret is inputted into the admin domain within World Pay. So when a secret is set up you must sign all transactions correctly otherwise they will be rejected.
2. Choose which of the purchase form parameters you wish to protect with the signature.
This is where the designer chooses the hidden fields they want to encrypt
3. Add a new parameter named signatureFields to the purchase form.
This parameter lists all the fields you want to include in the encrypted signature as a colon separated list. <input type="hidden" name="signatureFields" value="amount:currency:cartID">
We have selected amount, currency and cartID because this protects the total amount of the cart; the currency the goods are to be paid in; and the contents of the cart. This cartID could be automatically generated and would provide details of what has been purchased. We store the CartID in our database and since it is a unique ID we can then back trace and see what the user has bought. This provides extra security. 4. Construct a string consisting of the secret and the values of the parameters you
want to encrypt.
Colons should separate the items in this string. The order must be the same as the signatureFields parameter. This string constructed is done so with the asp script so that any
Web Payment SecurityDaniel Whitmarsh, Mattias Baecklund & Ioana Ungurean
Page 8
user cannot see the password that is chosen. So, if the password the designer chooses was “pass” the string could look like this
<% MyMD5Hash=MD5("pass:" & orderTotal & ":GBP") %>
5. Calculate an MD5 signature from this string and include the signature in the purchase form.
The MD5 algorithm will return a hexadecimal value 32 characters long. This digital signature should be included in the purchase form as the value of a parameter named signature. <input type="hidden" name="signature" value="<%=MyMD5Hash%>">
This script creates a hidden field called signature and reads in the created string (MyMD5Hash) created in the dynamic script (i.e. MD5.asp). This value is then compared with the one created by World Pay and if this is different the transition is declined.
When the shopping cart page is loaded, the dynamic md5 script then creates a value for MyMD5Hash that is put into the signature hidden field, if the user changes either the amount or currency this will change the signatureFields field to have a different value and if these values are different the transaction will fail.
2.1.2 Evaluation of World Pay
One of the first major points that we observed is that World Pay use the MD5 hashing algorithm. This has a serious weakness as can seen below MD5 has been cracked.
“ MD5CRK was a distributed computing project started in March 2004 with the aim of demonstrating that MD5 is practically insecure by finding a collision using a brute force attack. However, MD5CRK ended shortly after 17 August 2004, when hash collision for the full MD5 were announced by Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu. Their analytical attack was reported to take only one hour on an IBM p690 cluster." (http://en.wikipedia.org/wiki/MD5)
Arjen Lenstra, Xiaoyun Wang, and Benne de Weger also presented on the 1 of March 2005 a practical collision demonstration. A few days later Vlastimil Klima presented a new and improved version of the algorithm, which could find collision in a mater of hours on a regular notebook.
So, if we were to implement this system we would rather use a more secure algorithm such as SHA-1 even though this has been cracked as well. This took 56 hours on a modified DES-cracker. Another option would be to use SHA-256 or SHA-315.
In analysis one of the main downsides here is that the algorithms are always going to be cracked so the most important conclusion from this is that the PSP needs to make sure the algorithm they use is secure enough to deal with the payments. One of the disadvantages being that if they are always changing the algorithms costs money and time.
Web Payment SecurityDaniel Whitmarsh, Mattias Baecklund & Ioana Ungurean
Page 9
Since we send the whole cart to the Payment Service Provider, we would like to encrypt it. We do this because we want to ensure our customers that their orders are private. This is so the payment will fulfill all three conditions: safe, private and trustworthy. If we want to insure complete privacy for our clients when they build up the cart, HTTPS should be used.
Web Payment SecurityDaniel Whitmarsh, Mattias Baecklund & Ioana Ungurean
Page 10
3 BIBLIOGRAPHY
• Acme Internet Technical Support [Online]. Available from http://support.acmeinternet.com/howtofaqs/ecommerce/sslhowitworks.htm [Accessed : 14 Oct 2005]
• BT Internet [Online]. Available from www.btinternet.com [Accessed : 14th Oct 2005]
• BUCK, S. P. 1997. From Electronic Money to Electronic Cash: Payment on the Net. Logistics Information Management, 10 (6), 289299.
• GARFINKEL, S., 1997. Web Security and Commerce. Risks, Techniques and Strategies
1st ed. Cambridge, Beijing: O’Reilly
• How to Implement MD5 in many languages [Online]. Available from http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html [Accessed : 14th Oct 2005]
• MIT’s Specification of MD5 [Online]. Available from http://www.faqs.org/rfcs/rfc1321.html [Accessed : 14th Oct 2005]
• RSA Laboratories Definition of MDS [Online]. Available from http://www.rsasecurity.com/rsalabs/node.asp?id=2252 [Accessed : 14th Oct 2005]
• Wikipedia [Online]. Available from http://en.wikipedia.org/wiki/MD5 [Accessed : 14 Oct 2005]
• World Pay Services [Online]. Available from www.Worldpay.com [Accessed : 14th Oct 2005]
• World Pay Support [Online]. Available from http://support.worldpay.com [Accessed : 14th Oct 2005]
Web Payment SecurityDaniel Whitmarsh, Mattias Baecklund & Ioana Ungurean
