Web Services Project Secures Credit Card Info

Think web services are risky? Well, one online casino actually thinks web services prevent risk. See how Lokitech, a web services security firm, quickly built an iron-clad encrypt/decrypt solution for protecting directory and database info on .NET and Java networks. Another bonus: Lokitech also used standard Crypto++ free libraries.

Tags: Encryption, Crypto, Open Source, Security, Libraries, Credit Card, Lokitech

Lokitech Inc., a small software security firm in suburban Washington, D.C., has crafted an Open Source-based security solution for credit card processing that will run with .NET and Java enterprise systems.

Lokitech's approach allows a business to store encrypted credit card lists and other sensitive information, says the company's CEO, Serge Knystautas. Lokitech developed the encryption solution for an Internet-based casino project, involving teams in the U.S., Canada, U.K. and Costa Rica, but the resultant easy-to-deploy two-way encryption platform is finding a larger audience, taking the risk out of using Open Source solutions for securing mission-critical data.

"We needed a way to store credit card numbers and account information without making the integration between different teams overly complicated. The technique we came up with allowed us to ensure that backups and communication were secure without adding significant costs or complexity," Knystautas explained.

Lokitech also needed to find a method that would help eliminate developer error. Company engineers hit on a solution that, with a little re-engineering and some Open Source libraries, moved the encryption function from the application layer to the data layer.

The encryption/decryption libraries are available as Crypto++, an Open Source (and free) C++ class library for encryption. To move the encryption logic into the database layer, Lokitech wrapped the C++ encryption code inside extended stored procedures of an off-the-shelf SQL database (in this case, the casino used Microsoft SQL Server). Using the .NET Framework Class Library, Lokitech took advantage of many encryption APIs that can be called from any .NET-capable language, such as VB .NET, VC++ or C#.

In addition, the Lokitech team also leveraged HTTPS, adding a further protective layer around the small pieces of data being transferred.

Moving the encryption logic, Knystautas said, can help eliminate developer error. In particular, the approach means that developers can secure their data, "and you don't have to figure out XML encryption" or other new security processes, he claimed.

Lokitech uses Crypto++ to protect stored passwords with SHA hashes and to encrypt/decrypt credit card numbers with triple DES. The Crypto++ library can handle the encryption logic within (and among) distributed databases -- with Microsoft's SQL Server, it works with ANSI C; and in J2EE application servers, Crypto++ libraries are slated to be bundled with JDK 1.4. Further, Crypto++ works with standard X.509 technologies.

Another benefit? Performance can actually increase, depending on the application. "The amount of data encrypted is very small, compared to doing something with an entire application," Knystautas said.

Using Crypto++ with Commercial Security

Crypto++ has an object-oriented class hierarchy and uses internal C++ templates heavily. Key concepts in Crypto++ are data sources, filters and sinks. In general, the process works like this: plaintext data originates from a source, passes through a series of filters (encryption algorithms and encoders), and emerges at a sink as the ciphertext. The converse happens with decryption. The sources and sinks can be files, I/O or network streams, or C++ strings.

Crypto++ covers most popular encryption algorithms, including:
  • DES, Triple-DES, Blowfish and other symmetric block ciphers;
  • RSA, DSA and other public key cryptography, as well as padding schemes for public key systems;
  • SHA-1, SHA-2, MD4, MD5 and other one-way hash functions;
  • Stream ciphers: Panama, ARC4, etc.; and
  • Key agreement schemes: Diffie-Hellman (DH), etc.

Hands-On Resources for Lokitech's Web Service Security

  • The website 15seconds offers a detailed, first-person implementation story from Lokitech engineer Zhenlei Cai, entitled "Platform Neutral and Transparent Encryption of Sensitive Customer Information." Code samples are included, which perform two key functions: (1) password protection, and (2) simple credit card number encryption using Crypto++ and DES encryption and decryption.

  • More details on the Crypto++ library are available from the project, as is a detailed Crypto++ FAQ.