Security
is an issue that comes up most every time people discuss commercial
transactions on the Internet. This is a serious topic for
which VIPwagers has taken a serious approach.
We have taken into consideration a wide variety of potential
areas of concern and implemented the newest and most effective
technologies to combat those who would slow the growth of
the world’s fastest growing medium of media and commerce.
We are confident that, through the use multiple levels of
encryption and account verification, the Members of our service
will experience seamless, safe Internet communication with
our wagering software.
VIPwagers
has adopted the following security creed as the basis for
system development and account activity management: "Never
underestimate the time, expense and effort a hacker will expend
to break our code and infiltrate our system." Although
VIPwagers is confident in the security built into the design
of our system, VIPwagers will continue as an ongoing activity
to evaluate system security as Internet security technologies
and, unfortunately, code-breaking or hacking techniques continue
to develop.
VIPwagers
is aware that security attacks on our Web site are inevitable,
and will use the following cryptographic technologies as a
means to prevent any breakthroughs:
If more
information is necessary to fully explain the safety of our
system feel free to e-mail us at memberservices@vipsports.com
for answers to specific questions.
Secure
Sockets Layer (SSL)
The SSL
protocol operates "lower down" between the application
level and the transport (TCP/IP) layer. This strategy allows
SSL to encrypt the data stream itself, thereby establishing
a secure transmission channel for any Internet application,
independent of protocol. SSL and S-HTTP are not, however,
mutually exclusive. Because they operate on different levels,
the protocols could be layered to double-encrypt the data.
In addition
to a secure data pipe, SSL includes provisions to authenticate
the identity of each VIPwagers server session and the VIPwagers
member using RSA’s system of digital signatures. SSL
also attaches an encrypted ID to each secure session. This
ID, which is cached by both parties, allows an VIPwagers member
and the VIPwagers server that previously established an SSL
connection to reestablish a secure channel without repeating
the entire handshaking process.
The VIPwagers
SSL handshake has been designed to make its security services
as transparent as possible to VIPwagers members. Typically,
VIPwagers members will click a link or a button on a page
that connects to the VIPwagers SSL-capable server. The VIPwagers
SSL Web server will accept SSL connection requests on a different
port (port 443 by default) than standard HTTP requests (port
80 by default). When the VIPwagers Web browser member connects
to this port, it initiates a handshake that establishes the
SSL session. After the handshake finishes, communication between
the VIPwagers SSL-enabled Web server and VIPwagers member’s
browser is encrypted and message integrity checks are performed
until the SSL session expires. The VIPwagers SSL handshake
creates a session during which the handshake needs to happen
only once.
The following
high-level events take place during the VIPwagers SSL handshake:
The
VIPwagers member’s Web browser and the VIPwagers Web
server exchange X.509 certificates to prove their identity.
This exchange may optionally include an entire certificate
chain, up to some root certificate. Certificates are verified
by checking validity dates and verifying that the certificate
bears the signature of a trusted certificate authority.
The
VIPwagers member’s Web browser randomly generates
a set of keys that will be used for encryption and calculating
MACs. The keys are encrypted using the server’s public
key and securely communicated to the server. Separate keys
are used for member to server and server to member communications
for a total of four keys.
A message
encryption algorithm (for encryption) and hash function
(for integrity) are negotiated. In VIPwagers’ SSL
implementation, the member presents a list of all the algorithms
it supports, and the VIPwagers server selects the strongest
cipher available. VIPwagers retains the ability to turn
particular ciphers on and off.
SSL is
an industry-standard protocol that makes substantial use of
public-key technology. SSL is widely deployed over the public
Internet in the form of SSL-capable servers and members from
the leading vendors including Microsoft, IBM, Spyglass, Netscape
and Open Market. All applications used and supported by the
VIPwagers Web site will incorporate SSL to provide advanced
security services. SSL provides three fundamental security
services, all of which use public-key techniques:
Diagram
| Service |
Underlying
Technology |
Protection
Against |
| Message
privacy |
Encryption |
Eavesdroppers |
| Message
integrity |
Message
authentication codes |
Vandals |
| Mutual
authentication |
X.509
certificates |
Impostors |
Back
to top
Encryption
and Authentication Employed by Microsoft
Microsoft
is pursuing an effort to create a single standard for the
transfer of secure business and personal communications over
insecure phone lines. A central component of this effort is
to develop a method of authentication. Encryption and authentication
go hand-in-hand in a secure Internet environment. Each, though
distinctly different, play an important role in allowing users
to pass information that is unreadable except by the intended
recipient and in verifying the identify of the sender.
Authentication
in a digital setting is a process whereby the receiver of
a digital message can be confident of the identity of the
sender and/or the integrity of the message. Authentication
protocols are based on public-key cryptosystems from RSA.
In public-key systems, authentication uses digital signatures,
which are the equivalent of handwritten signatures for printed
documents. The signature is an unforgeable piece of data asserting
that a named person wrote or otherwise agreed to the document
on which the signature appears. The recipient, as well as
a third party, can verify both that the document did indeed
originate from the person who signed it and that the document
has not been altered since it was signed. A secure digital
signature system thus consists of two parts:
- A method
of signing a document so that forgery is unfeasible and
- A method
of signature verification.
Furthermore,
secure digital signatures cannot be repudiated; that is, the
signer of a document cannot later disown it by claiming it
was forged, since each digital signature is registered with
a so-called Certificate Authority (CA).
Recently,
Microsoft created Transport Layer Security (TLS). This specification
starts with Netscape’s SSL version 3.0 and adds features
from Microsoft’s PCT version 2.0 based on feedback from
cryptographers and implementers. It is intended to provide
a simpler and more robust implementation than SSL or PCT,
with added scalability, improved security, and the additional
functionality needed for wider application of the specification.
As the
TLS protocol is fully developed and integrated into Microsoft’s
current Internet product offering, VIPwagers will adhere to
these newer, more robust standards.
Back
to top
Private
and Public Key Encryption
In practice,
both symmetric-key and public-key techniques are used in popular
security protocols such as SSL because symmetric-key algorithms
tend to be much faster than public-key algorithms. To communicate
securely and quickly, here is what VIPwagers will do:
- The
VIPwagers member generates a random number (key) that will
be used for actually encrypting the message being sent to
VIPwagers.
- The
member encrypts the random number (key) with VIPwagers’
public key.
- VIPwagers
decrypts the random number with its private key. Now VIPwagers
can encrypt and decrypt messages with a secret shared with
only with that particular member.
- Once
a secure session has been established between VIPwagers
and the VIPwagers member, ALL information transferred between
the Web browser member and the VIPwagers server is encrypted
and secure and cannot be ‘listened to’, intercepted,
or altered.
In reality,
most security protocols are much more complicated than this,
but the four-step process above is illustrative of security
fundamentals. SSL is an excellent example of a security protocol
that uses these techniques to safeguard communications.
Private-Key
Cryptography
Symmetric-key
or private-key cryptography uses the same key to encrypt and
decrypt messages and their advantage is speed. This is a familiar
real-world phenomenon: we use the same key to unlock and lock
our car doors, for instance. The problem with symmetric-key
cryptography is having the sender and receiver agree on a
secret key without anyone else finding out. The current methods
for achieving this are using telephone or fax machines, mailing
on a floppy disk and using a courier, but all of these are
cumbersome, slow and error-prone techniques. In addition,
the number of Keys tends to be much larger than the number
of nodes; that is, people may have multiple keys they use
for different purposes.
A major
disadvantage of private key cryptography, however, is key
management, since each pair of individuals who wishes to communicate
must have a unique shared key. For example, for VIPwagers
to use private key encrypted communication, each VIPwagers
member would need a separate private key to keep account data
and transactions secure (using the same private key with all
of VIPwagers’ member would allow each member to access
other member’s account information).
Public-Key
Cryptography
Public-key
cryptography was invented to solve the problem inherent in
private key cryptography described above. With public-key
cryptography, each person gets a pair of keys, a public key
and a private key. Each person’s public key is published,
while the private key is kept secret. For example, when a
member wishes to establish a secure connection to the VIPwagers
Web site, the member encrypts the connection using VIPwagers’
public key. When VIPwagers receives the message, VIPwagers
decrypts it using the VIPwagers private key. The member and
VIPwagers no longer have to share secret information before
secure communication is possible.
In other
words, each key actually consists of two parts: an encryption
half (the "public key") and a decryption half (the
"private key," which unlocks data encrypted with
the matching public key). This fail-safe system allows a more
convenient key distribution method—members wishing to
communicate with VIPwagers can use the VIPwagers public key.
Moreover, intruders can not use an intercepted public key
to decrypt files. The downside is that public key cryptosystems
are typically slower than private ones.
Public-key
cryptosystems are based on trapdoor one-way functions. A one-way
function is a mathematical function that is significantly
easier to perform in one direction (the forward direction)
than in the inverse direction. One might, for example, compute
the function in minutes but only be able to compute the inverse
in months or years. A trapdoor one-way function is a one-way
function where the inverse direction is easy if you know a
certain piece of information (the trapdoor), but is difficult
otherwise. The public key gives information about the particular
instance of the function; the private key gives information
about the trapdoor. Whoever knows the trapdoor can perform
the function easily in both directions, but anyone not knowing
the trapdoor can perform the function only in the forward
direction. The forward direction is used for encryption and
signature verification; the inverse direction is used for
decryption and signature generation.
In almost
all public-key systems, the larger the key, the greater the
difference between the efforts necessary to compute the function
in the forward and inverse directions. For a digital signature
to be secure for years, for example, it is necessary to use
a trapdoor one-way function with inputs great enough that
someone without the trapdoor would need many years to compute
the inverse function. Despite the improbability of breaking
the VIPwagers algorithm, the VIPwagers cryptosystem has an
additional layer of security which mandates that all digital
keys expire after one year.
Back
to top
Certificate
Authorities
VIPwagers
utilizes certificate authentication services and Digital IDs
from Verisign, the leading provider of digital authentication
services and products for electronic commerce and other forms
of secure communications.
A Digital
ID binds a person's or company's identity to a digital key
which can be used to conduct secure communications or transactions.
This binding is accomplished through a strict assurance process
conducted by a trusted third party which also electronically
signs the Digital ID so that parties accepting it in a transaction
have confidence in its origin. The Digital ID can then be
attached to electronic transactions and communications as
the critical authentication component.
Verisign
will verify the authenticity of each certificate request (making
sure requesters are who they claim to be). The approval process
helps protect VIPwagers Members, VIPwagers, and Verisign.
Upon approval, Verisign digitally signs the request and returns
the unique digitally signed certificate to VIPwagers.
Back
to top
<<
Back to Home
|
