The Coldstreame Seafood Ltd. website uses Actinic Catalog for e-commerce. Encryption can happen in one of two ways: using a Java applet or using SSL.

Using Java Applet
Encryption occurs on the buyer's PC and decryption occurs only on the vendor's PC. At no stage is the transaction decrypted while it travels over the Internet or while it is stored on a web site. In addition, orders (including credit card details) are stored on the web site only until the vendor downloads them to their PC, so there is no large store of orders available online to invite attack.

The encryption is carried out by a Java applet. The applet is subject to the standard security restrictions of the Java "sandbox", which restricts its ability to communicate across the Net to only the web site it was downloaded from. Decryption is carried out on the vendor's PC after orders have been downloaded from the web. The encryption technique has two parts. The first is to use Diffie-Hellman key exchange to agree a 128-bit key for use by the SAFER block cipher. This encryption method is used on the following fields only:

- credit card number
- credit card type
- credit card expiry date

Other fields in orders placed using the system are also encrypted using SAFER with a 128-bit key, but using a fixed key built into the software and common across all instances of the software.
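As an added illustration of the scheme just described (example code written for this page, not Actinic's own implementation): a Diffie-Hellman exchange over a standard 1024-bit group that yields a 128-bit key, the card fields sealed under that key, and the remaining fields sealed under a fixed key built into the software. SAFER is not available in Python's standard library, so an HMAC-SHA256 keystream with an authentication tag stands in for the block cipher; the hash-based key derivation, the choice of group and the fixed key value are assumptions. The final lines of demo() show the consequence of the fixed-key design the page states: those fields can be read by anyone holding a copy of the software, with no need for the negotiated key.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit MODP prime with generator 2.
# validate_group() checks the transcribed constant instead of trusting it.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
Q = (P - 1) // 2  # order of the subgroup generated by 2 when P is a safe prime


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; adequate for parameter validation."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group():
    """A safe prime (P and (P-1)/2 both prime) rules out small-subgroup tricks."""
    return is_probable_prime(P) and is_probable_prime(Q)


def dh_keypair():
    priv = 1 + secrets.randbelow(Q - 1)  # private exponent in [1, Q-1]
    return priv, pow(G, priv, P)


def dh_shared_key(priv, peer_pub):
    """Agree the 128-bit key; hashing the shared secret down is an assumption."""
    if not 2 <= peer_pub <= P - 2 or pow(peer_pub, Q, P) != 1:
        raise ValueError("peer public value is not in the expected subgroup")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()[:16]


def subkeys(key):
    """Separate encryption and MAC keys derived from the one agreed key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def keystream_xor(enc_key, nonce, data):
    """CTR-style keystream from HMAC-SHA256; stands in for SAFER (assumption)."""
    out = b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key, plaintext):
    """Returns nonce || ciphertext || tag so tampering is detected on opening."""
    enc_key, mac_key = subkeys(key)
    nonce = secrets.token_bytes(12)
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key, blob):
    enc_key, mac_key = subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return keystream_xor(enc_key, nonce, ct)


CARD_FIELDS = ("card_number", "card_type", "card_expiry")
# Models the fixed key the page says is built into every copy of the software
# (constructed value; the real key is not on the page).
FIXED_SOFTWARE_KEY = b"constructed-fixed-key"


def field_key(field, session_key):
    return session_key if field in CARD_FIELDS else FIXED_SOFTWARE_KEY


def encrypt_order(order, session_key):
    return {f: seal(field_key(f, session_key), v.encode()) for f, v in order.items()}


def decrypt_order(stored, session_key):
    return {f: unseal(field_key(f, session_key), c).decode() for f, c in stored.items()}


def demo():
    """Buyer and vendor agree a key; the order is sealed, stored, then opened."""
    buyer_priv, buyer_pub = dh_keypair()
    vendor_priv, vendor_pub = dh_keypair()
    k_buyer = dh_shared_key(buyer_priv, vendor_pub)
    k_vendor = dh_shared_key(vendor_priv, buyer_pub)
    order = {  # constructed sample order, not real data
        "name": "Constructed Buyer",
        "card_number": "4000000000000000",
        "card_type": "Visa",
        "card_expiry": "12/99",
    }
    stored = encrypt_order(order, k_buyer)      # what sits on the web site
    recovered = decrypt_order(stored, k_vendor)  # vendor side, after download
    # The card fields need the negotiated key, but the other fields need only
    # the constant every installation carries, so a third party with a copy of
    # the software can read them without any key exchange at all.
    name_without_session_key = unseal(FIXED_SOFTWARE_KEY, stored["name"]).decode()
    return k_buyer == k_vendor, recovered == order, name_without_session_key
```

Run demo() after validate_group() returns True; the subgroup check in dh_shared_key rejects public values such as 0, 1 or P-1 that would otherwise force a predictable shared secret.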

Diffie-Hellman
Diffie-Hellman key exchange has been published for over 25 years and has proved to be strong. RSA have based their encryption method on the same fundamental mathematics; RSA (used in SSL) is essentially a derivation of Diffie-Hellman. Actinic chose Diffie-Hellman for the following reasons:

- it is a public / private key method (this is essential for the ordering model adopted by Actinic)
- the algorithm has been around for many years and has stood the test of time
- it is now patent-free
- it has been selected by an increasing number of industry leaders as their system of choice:
  - Microsoft for NT 5
  - Sun Microsystems for their SKIP system
  - Cisco for their routers

Safer
Actinic has adopted the SAFER SK-128 block cipher, developed by Massey (the developer of IDEA, which is used in PGP). The key for SAFER is negotiated using Diffie-Hellman. The algorithm has been around for some time and has stood the test of time. It is a public algorithm and is freely available.

Key length
Actinic has adopted a 128-bit SAFER key, which gives reasonable performance while being several orders of magnitude beyond where brute-force methods could break the encryption. SSL offers only a 40-bit key in non-US implementations (although 56-bit implementations are now becoming available). To put things in context, each additional bit of key length doubles the time a brute-force search takes, so a 41-bit key is twice as strong as a 40-bit key. The 128-bit key used in Actinic products is therefore 2 to the power of 72 (128 minus 56), that is 4,722,366,482,869,645,213,696, times as strong as the 56-bit SSL key.

Summary
Overall, Actinic represents a much safer way of transacting business across the Internet than using SSL alone, and this applies whether Catalog is used in SSL or Java applet mode. This is primarily because it never decrypts orders at the web site nor stores them there in clear, which is by far the most likely point of attack.

Coldstreame Seafood Ltd

Registration Number: 4437309

1 Long Street
Tetbury
Glos
GL8 8AA