http://www.kivco.com/security.html Kivco Consulting Inc.
Egghead.Com HACKED!
Dec 22nd, 2000
A hacker broke into the computer systems of Egghead.com earlier this week, forcing the online retailer to alert credit card companies and 3.5 million customers about the breach and the possibility that their financial information was accessed. ... Shares of Egghead.com fell 12.5 cents, or 16 percent, to close at 65.6 cents Friday on the Nasdaq Stock Market.
Don't let this be you!
KivcoRSA is a simple Reusable Symmetric / Asymmetric encryption program designed for ASP programming in the Windows environment. The package enables you to encrypt data without a password, but will require a password to decrypt. This means the password does not need to be on the server for encrypting. This is public-key encryption and you should settle for no less. A hacker can effectively break into your computer and steal everything, but will still not be able to decrypt encoded information. Password protected databases are normally hackable if any webpage can access them, so beware, don't be an Egghead.
It is more specifically a small library of encryption routines that communicate with ASP using the ATL COM standard. Most modern languages and environments, including Visual Basic, VBA, and PHP all support ATL COM libraries. KivcoRSA supports both regular password encoding for fast encryption and also public-key encryption for higher security needs.
Good question... And there are good answers:
The module was designed to address these specific issues:
How Safe Is It?
The asymmetric encryption system uses RSA by RSA, US Patent #4,405,829. RSA is an encryption algorithm in which data is encoded and decoded using different keys. It is also the de facto standard, and it is implemented as part of SSL (https). It is a public-key cryptosystem. That is to say, the public key is made public so stealing it is not relevant. A set of mathematical computations is performed to produce encoded text. These computations cannot be undone in reverse. In order to recover the original text, the private key is required. The private key need never be stored on the server.
Public-Key Encryption
Asymmetric encryption (and in this case RSA) is an excellent tool for securing small pieces of information in a hack-proof manner. Hacking into the system to steal credit card numbers is no longer possible, because the private key -- the thing that is needed to recover the credit card numbers -- is not stored on the server where it can be stolen.
Large scale version supports up to 256 bits, or about
100, 000, 000, 000, 000, 000, 000, 000, 000, 000, 000, 000, 000,
The prime-number generator takes no short-cuts. Several years ago,
Netscape was caught by a savvy student. Netscape used a 40-bit
public-key encryption that operated with less than one millionth the
key-strength. There are NO SHORTCUTS!
Regular Encryption
The symmetric encryption system uses hashpads that are
generated using a combined MRG and LCG pseudo-random
generator. Both the linear congruential and multiple
recursive generators are 64 bits in length.
Supported combined LCG-MRG pseudo-random number generator yields
virtually unpredictable number sets, roughly
100, 000, 000, 000, 000, 000, 000, 000, 000, 000, 000, 000, 000,
The algorithm turns any password into a key with 96-bit key-strength --
much stronger than DES.
Common To Both
The information you encode has random characters inserted throughout
the message. Where the characters are and how many characters are inserted
is random, so the same message can be encoded in literally googols
of different ways even with the same password. This makes it impossible
for a hacker to compare encoded information with guess-tries. It also
makes it impossible for the hacker to be sure exactly how many characters
long the original information was.
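Added example (not KivcoRSA code and not from the original page): a Python sketch of why the public-key split described under "Public-Key Encryption" needs the random insertion described here. Assumptions: a constructed toy key, a random-prefix layout standing in for the product's own insertion scheme (which the page does not specify), constructed test card numbers, and hypothetical function names.

```python
import secrets

# Constructed toy key (two Mersenne primes) so the demo needs only the stdlib.
# Illustration only: far too small and too structured for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public key: all the web server holds
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: kept off the server

# Constructed sample data: well-known test card numbers, not real accounts.
CARD = b"4111111111111111"
CANDIDATES = [b"4242424242424242", b"5555555555554444", CARD]

def encrypt_raw(msg: bytes) -> int:
    """Textbook RSA: the same input always yields the same ciphertext."""
    return pow(int.from_bytes(msg, "big"), E, N)

def encrypt_padded(msg: bytes, pad_len: int = 8) -> int:
    """Encrypt 0x01 || random non-zero bytes || 0x00 || msg (assumed layout)."""
    pad = bytes(secrets.randbelow(255) + 1 for _ in range(pad_len))
    m = int.from_bytes(b"\x01" + pad + b"\x00" + msg, "big")
    if m >= N:
        raise ValueError("message too long for this modulus")
    return pow(m, E, N)

def decrypt_padded(ciphertext: int) -> bytes:
    """Needs D: strip everything up to the first zero byte."""
    m = pow(ciphertext, D, N)
    block = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return block.split(b"\x00", 1)[1]

def matching_guesses(ciphertext: int, encrypt) -> list:
    """Re-encrypt candidate values with the public key and compare."""
    return [c for c in CANDIDATES if encrypt(c) == ciphertext]

if __name__ == "__main__":
    stored_raw = encrypt_raw(CARD)
    stored_padded = encrypt_padded(CARD)
    print("raw, guess matched:   ", matching_guesses(stored_raw, encrypt_raw))
    print("padded, guess matched:", matching_guesses(stored_padded, encrypt_padded))
    print("decrypted with D:     ", decrypt_padded(stored_padded))
```

Without the random bytes, a stored ciphertext can be matched against re-encrypted guesses using the public key alone; with them, the comparison finds nothing and only the holder of D recovers the value. In production this role is filled by RSA-OAEP from a vetted library with a modulus of at least 2048 bits.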
The encryption is so unfeasible to break that it becomes a deterrent to
those who might try to steal information.
You operate a small web store and currently take credit card numbers and
store them into a database... Your server gets hacked into. Do you tell
your customers that their credit card numbers might have been stolen? Do
you tell the bank? Or do you just hope no one finds out? If the credit
card numbers were stolen, the bank will eventually trace the common
purchases to your company. And you'll have questions to answer.
But it need not be that way...
The Small Web Store Example:
You ask clients to give their credit card information. You need it,
because you manually enter the credit card orders offline. You
already know you have to use SSL (https), but after you receive the
credit card numbers, you encode them using KivcoRSA.
Later when you log into the administration section of your website,
you supply the decode password and you get a listing of all the
credit card numbers. If you type even one character wrong, the
credit card numbers come out as total garble. You are secure because
the password is not on the server. You have to supply it only when you
want and each time that you want the credit card numbers.
The Larger Web Store Example:
You ask clients to give their credit card information. You need it,
because you use a transaction processing house, even though they take
a hefty percentage of your sales. You later realize that your business
could improve with a recurring charge model. Every month you want
to charge for a newsletter. The problem is you went with a transaction
processing house because you didn't want to worry about the credit
card numbers -- so you don't keep them. Your solution:
you encode the credit card numbers using KivcoRSA.
Whenever a user wants to subscribe to a service, you encode his/her
credit card number. Once a month an administrator logs into the
system and enters the password to retrieve the credit card numbers.
The numbers are decoded and new charges are processed. Then the
decoded versions of the credit card numbers are forgotten. However,
you can still recover them for next month.