My objective is to find combination of right technologies to mitigate hacking and prevent ill doing by the hacker even if ALL servers get completely compromised.

So on this stage my question is: What resources are necessary to get 1024 bit asymmetric encryption key that is compiled by ether of Zend Encoder, Ion Cube, Sourceguardian or C++ ?

Any of the 3 encoding solutions are very good and will encode your PHP code so that it is more or less impossible to decode it. I have done quite a bit of research into all 3 solutions since my own product (see my signature) will integrate into them.

Zend Encoder: Together with ionCube Encoder, this is the top system to use and the most well known. However, it is expensive to buy (although you can use the Small Business Program to get a massive discount). The main disadvantage is that the server admin has to install the Zend Optimizer to run any code

ionCube Encoder: As with Zend, this is the top solution and in my opinion, the best - it is the one I use and like most. They recently released a new version which fully supports PHP 5. The major advantage is that you don't necessarily need to install the loaders onto the server because on many systems, they can be loaded dynamically.

SourceGuardian: This has a repuation of not being very good, and easy to hack. That was true in the old version where it just obfuscated the code. However, with their newest version (which I beta tested), they have real encoding. The interface needs some tweaking but it is a good product. But it isn't as well known or used so fewer people will have the loaders installed on their server. But as with ionCube Encoder, they can be loaded dynamically when needed on some servers.

As for your original question, it is difficult to decrypt the code. I know most about ionCube since I use that and they use several methods to ensure it is more or less impossible. There is no actual source code stored in the encoded files - it is compiled to binary then the code is optimised. Next, the binary is encoded to ionCube's own proprietory format called " ionCube Compiled Code Intermediate Format". At runtime, the loaders process the code using their own closed source execution engine so that the actual code is kept away from the PHP engine which could be modified (since it is open source) to display the source code being processed. For a more detailed explanation, have a read of http://www.ioncube.com/faq.php#sec1

I don't know if you are actually wanting to distribute code but if you are, I would suggest you take a look at the link in my signature to see the product I have developed to handle that :)

Hope that helps!

Thanks for your effort, but "difficult to decrypt" is not specific enough.

You may say that a month is "difficult to decrypt", and I would only accept 10-30 years for my project. After all I would need to secure over a million credit card #.

What i need is the answer in number of operations for a brut force attack. Or some quantifiable number in cipher search. Think of this like this. A hacker broke into the server and got a hold of a encoded script with encryption key. Then he took boot net with 1 million computers in it with average 1.2Ghz ~ 200 million searches per second each = 200 Trillion searches per second and started to brut force or cipher search attacking the encryption of the script to get my key out of it. How long will it take ?

You are asking an impossible question. Nobody can answer that.

I think you are confusing the difference between encoding your scripts to machine bytecode versus cryptographically protecting your credit card data. Please note: They are not really related concepts at all.

For example: Lets say you use ioncube to encode your php scripts, keeping them safe. Then you do something stupid like use DES to encrypt your secure data. Can you see now how they have absolutely nothing to do with each other?

Are you worried about code theft or secure data loss?

Using Zend/Ioncube's methods, your code CANNOT be 'decrypted', its not even the right word. Decoded might be better. It MAY be possible to reverse-engineer your program, but before you panic, consider this: Would it be easier to reverse-engineer some code to securely store credit card numbers, or just write a new script that does the same thing? Its really not rocket science.

On the other hand, if what you want is statistics on how hard it is to 'break' crypto, those are out there. You should think about using AES-256 if you are truly paranoid.

Then again, you have some key storage management issues to worry about. I wouldnt let your script encoding solution keep you up at night.

No, I am not confused between the two. Reverse engineering is another option to get my private PGP asymmetric encryption key out of the encoded script, but that takes a lot of human interaction. And computer based cipher search doesn't take human time after initial setup. Also (CANNOT be 'decrypted') is not true since its being decrypted at run time. It my take long time but by no means is (CANNOT).
Is there something better to encrypt CC numbers with than asymmetric PGP ?

You are asking a very specific question about the security of crypto methods on a general forum not specialized in cryptanalysis techniques. So take the answer bellow for whatever value it has, if any.

If you will settle for a flippant answer from a non-specialist, then it would take years and years of intensive computation for your average run-of-the-mill hacker, even with a network of tens of thousand of dedicated computers. A more intelligent or more serious hacker wouldn't even bother with brute-force methods once it becomes apparent that the data is encrypted. There are easier ways to get at CC numbers.

If you need a more knowledgeable answer, see http://en.wikipedia.org/wiki/Cryptanalysis . If that source is to be believed, even the experts are comfortable that 1024-bit key RSA encryption would be safe from brute-force attacks until 2010.

So in any case, the answer is still years and years, assuming those encoding tools (Zend Encoder, Ion Cube, Sourceguardian) are using 1024-bit RSA key. Most likely, they aren't.

But what you seem to imply that you want to do (embedding the secret key in an encoded script) is really, really not recommended. Is that the reason behinds your question on those encoding tools? It is like having a super secure lock to your house, and then just hide the key under the welcome mat, or in this case, a heavy rock. And you are asking how long it take for a burglar with sufficient heavy equipment to move the rock away, right?

Yes, super secret key, under Cheyenne Mountain. And I have no choice, CC# have to be on the server and server need to be able to automatically charge them based on occurrence of some conditions.

So what do you suggest in that case ?

A completely seperate server for billing. Although it's not a perfect solution by any means, it's certainly better then storing the key on the same server that other users have access to.

Setup your billing server with no web access and write-only access for the SQL database from a remote server. Have your server connect to the write-only server, upload the info, and then let the billing server do the encryption and billing. Obviously, the billing server would need additional security, including a picky firewall (IP specific).

Obviously, you are still sending credit card information from one server to another, which does provide a risk, but certainly not as much risk as storing key/cc information on a shared server enviornment.

Definitely, a seperate server for billing is a good security measure. At the very least, it limits the amount of public exposure of sensitive information.

But regardless if you want to store the key on the same server or not, it is best to have custom software rather than depending on commercially available tools. That way, there is more more level of protection, plus you can be sure the security strength of the encoded method is as much as you can afford to pay for it.

As I mentioned, that at this stage I am looking into technologies under assumption that "ALL servers got completely compromised" which is 1:1,000,000 or longer possibility. Its outside of this question how to spread and isolate systems. They all got compromised. Hacker already got decryption key encoded in the script and CC# from database. How difficult will it be to decrypt CC# ?

Custom software is a good suggestion, but very expensive proposition. Are there some open source for *ux that will allow nesting encryption and obfuscation methods and I only have to choose which once I use and in what order?

Surely if they have the decryption key and access to the data then they can decode it instantly. In reality, it is always possible to decrypt something, it is just that the more security you add the harder it is; and I don't think you will be able to get a definite answer for time. The fact that you have all this encryption would deter most potential hackers/crackers and the amount of processing power required to get to the stage when they have full access to the decryption key is not possible/not worth it.

AlphaOne,

Reading your posts makes me want to bang my head into a wall :)

Reverse engineering is another option to get my private PGP asymmetric encryption key out of the encoded script, but that takes a lot of human interaction.

Dont store your private key on the server. Thats the whole point of asymmetric encryption.

Also (CANNOT be 'decrypted') is not true since its being decrypted at run time.

Depends what you are talking about. If you are talking about ioncube-encoded scripts, that is patently untrue. They are not 'decrypted', ever. I dont know how else to explain machine bytecode to you. Would you say that when you run a program compiled from C code that it is 'decompiled' or 'decrypted' at runtime? No. Its machine code.

what you seem to imply that you want to do (embedding the secret key in an encoded script) is really, really not recommended.

Why not? Has there ever been a report of someone reverse engineering an ioncube-encoded script to obtain the key? Obviously you need to take a few steps, as literal strings such as a key are NOT excrypted. You cannot store it as a global variable or anything silly like that.

Another thought: Get the key from multiple sources. Embed a piece of it in an encoded script, and make the rest dependent on various hardware parameters in the machine. Concatenate them all into one long key, and chop it to whatever length you need with a key-scrambling function. I actually found a program at one point that would spit out a string based on all kinds of hardware parameters, sort of a hardware 'signature'.

Hacker already got decryption key encoded in the script

May I remind you that if this has happened it doesnt matter what system is used if we are talking symmetric keys. If we are talking asymmetric, then your private key has no business being on the server anyway.

CC# have to be on the server and server need to be able to automatically charge them based on occurrence of some conditions.

Ok I will finally cut to the chase.

Bill prorated 1x per month. Therefore, you have no need to store your key on the server (your private key that is) and there is no danger in giving out your public key. Then, at the first of the month, you can decrypt the CC's over SSL (duh) and submit your billing.

Any other solution will expose your key. I welcome someone to come up with something.

I have found zend to be the best. And mosts hosts have it on their servers.

wow, man you sound like me, super paranoid and wondering what the possibilities are, REGARDLESS how unlikely they are.

Basically, not one person has hacked ion cube or zend, and only the FIRST version of source guardian was hacked, before they used they new php key system.

Use Zend, heck add ion cube onto that, and if your still paranoid, source gaurdian it.

You should also think about how likely it is to get hacked, who your enemies are, and HOW THEY GOT in, at the first place. Lock your box up tighter.

If a hacker EVER broke ALL THREE, come knock on my door, until then, relax ;)

I would say get this:
http://www.makesolutions.com/index.php?action=detail&cat_id=3&image_id=319

Here is a sample:
<?php
echo "Hi, I'm a PHP script!";
?>
Basic encoding:
<? eval(gzinflate(base64_decode('
s7ezsS/IKODlSk3OyFdQ8sjUUfBUz1VIVAjwCFAo
Ti7KLChRVLLm5bIHqgMA
'))); ?>
Info:
Obfuscation-Strength: Normal (Fast code execution)
Compatibility: Zlib Required. 100% Code compatibility
Input Length: 40
Output Length: 104
Advanced encoding:(Same thing:
<? eval(gzinflate(base64_decode('
DZRJjqNIAAC/0rfuEgcMCcaoR1PCgNmM2dfLKFnNnuyY109d4gGhUHz/+8/3r3yD7Z/yrPqihUv+J4FzfqX+y/J0yPI/v4XYlJvxpXCijccB48r2uaNOJZdSrxV3V3hLCgV45xS+tEB/slckgBYXPwXOsDSWhVvlvgjcGMhRVdG2T24K0wi/CnmW3HFjBdxKPIGHjRqP8vrAdpDPcs7QdmQaF2OCznwdb5vYOWY22xkOlOqIPs+BeuaSFMdL+7GrNOI/rQN3Fa5n1NQ6/jD5WuQirqmqIgGxbPuhdyg1nUusmelgYSYpJvcJUoyXtuvivOXjaF2hCNeMOhySCjOGRqHYzTuhqu051nSzNJ77HISniGNFSob3s6nJsUAkDkUxGzUPfOItHJXJ8hQKMpYF3kqspdKAkQWJ8jCy7w/SkMw4i2qLWD+abnk7K9Czrwe6thfYdCfSWHDo3S1DZK6D72KFWoJcfZjSSrQvrC4Y1qsAY66CKR1pIXWURmrFRdYnW6cUG6nXTdWy4q1LxuIml+1oOEPwDLENelV+kD2QR6WLkzY13EW99BnkHHJbQ YGltXhaSNjI433cxut86vosenYZX+PyPji0d8JKZYtgFOdUmrsBqFo07hWxzBPRE8Y0mgT0XbqV8vvjFJ2z6/D7x7xzkt701L4l5Ej3KmLWmtASy/A1AM3hVVMpFRcQPz3qArUb7Cf0OUMSiVdFYnd0mX2K68S+qMr9dG6fQmYe3NHT7cvSoytMjR/rM4ius2bogS8bW8OxYvCYWUSzCcnQDZs56S54EH8TttD7kbZ6yP2oRnWhIlT6ZfK0svv68p+DNw9oTW/7FE+ynLk7617Y1ztgCtaduoMh36fxSF3+lVlJAppDHAQFiWs1IxCNzyg90sH2AiTzN4NfqBHeCfGn7Cz2mY5/yJ7owKiODDMZ5HFuYDsue7q4NfAP9NHVxNwUf78FgNhfWj4+t7KL4xvpl5o1LXxaMaVUwQD6Ysgns4XgOzDNLuz5CUl40Cet+ZbsJKAJhKgGZnNIXrlnVbi+dnkpGBHjmEKA9zu9YHtnlOBAtwJwdo 5vgMULwP5gI27n1uC/v76+/v76/pnB/w=='))); ?>
Info:
Obfuscation-Strength: Trecherous (Best Protection)
Compatibility: Zlib Required. 100% Code Compatibility.
Input Length: 40
Output Length: 1150
I have this on my site, if u need to test it pm me.

<? echo(gzinflate(base64_decode('
s7ezsS/IKODlSk3OyFdQ8sjUUfBUz1VIVAjwCFAo
Ti7KLChRVLLm5bIHqgMA
'))); ?>

PHP 101

criminal, you have ANY idea how easy it is to hack what you advissed. It's not even called hacking is so bloody easy and simple.

I could get your original php code in less than 20 seconds with that ENCODING.

JustinH says PHP101, cause it's that bloody easy, EVERYONE kows how to encrypt decrypt.

The object was if the ENTIRE server was hacked, and they downloaded ALL files, which would mean they would have this information: "eval(gzinflate(base64_decode( which is all you need".

Yeah thats not a protection scheme at all. LOL.

Stop banging your head, neighbors are calling the police. :)

1) A separate server or workstation or what have you, I still have to store asymmetric key somewhere, not like I will be typing it every time I need to charge the credit card. 2) Company does 100,000 CC transactions a day. That is more than one transaction every second of every minute of every day which only brings us to 84,600 . 3) Products can't be packaged in a warehouse until credit card is approved and batching will be holding work of other departments. 3. lets say

Ok, I will write it out. Due to newly discovered vulnerability of OS or one of programs on the server hacker had broke into the webserver where CC is taken (1:100,000), had defeated the watcher program on that server before it was able to report brake in (1:10 Million) mimicked entire system to a remote process and binary comparation watcher server, that only has access to servers it watches, before it's next scan, that everything is ok (1:10 Trillion = 1E-13). Substituting the scripts for collecting new customer's credit cards is a small fry because DB has 1.2 million credit cards so he had installed his own spyware and copied entire database via webserver, got access to SQL server via same OS/program vulnerability. Defeated local watcher again (additional 1:10 Million) Mimicked entire system to a remote process and binary comparation watcher server again (additional 1:10 Trillion). From it got access to a billing server, via same vulnerability, that only talks to SQL server and CC processor. Defeated local watcher third time (additional 1:10 Million). Mimicked entire system to a remote process and binary comparation watcher server third time (additional 1:10 Trillion).

Yes, there are better and less difficult ways to get DB with CC# and program with asymmetric decryption key encoded in it. Like bribing or threatening employee from datacenter to report 1 drive of a mirror set to fail from DB server and billing server at different days, weeks, months - whatever. Or just storming the datacenter (1:1 is 100% success). That way hacker/terrorist will have everything he needs, fast and at any time of his choosing.

Anyway. Now! Are we all on a same page ?!
He has CC# DB and my program with asymmetric decryption key encoded in it. How to protect the asymmetric key ?

And don't think that I am paranoid, what I am doing is Business 101. Protect your assets. And company reputation and customer data are the assets.

zend, ioncube, sourceguardian..

They will not break those to get your "asymmetric key ".

Hi AlphaOne,

I have one really good piece of advise for you: Get professional help!

You're obviously outside your own reach. You need to hire for example a consulting firm to design a new system and do risk analysis for you. Then you need to hire another firm to check that the first company did their job well.

You have a lot of terms confused (encryption vs. lossy mappings), and you have a very sketchy idea of risk analysis as far as I can see.

_Never_ store a private key unencrypted on the server. Using a compiler or encoder is not encrypting, and thus you should not store a private key encoded or compiled into a program. It is just not secure.

Believe me, it is easier than you think to get data such as a private key out of an compiled or encoded binary. Encryption is the only way to go.

The solution to your problem is simply NOT to store the private key unencrypted on the server. Instead store it encrypted or do not store it at all.

In a medium security system, you could store the private key encrypted on the server. You then need to enter a decryption pass-phrase that will load the unencrypted private key into the servers' ram. From there you can do all the transactions you need with the key. Just let it stay in RAM and do not commit it to disk.

If you want to make the system more secure, you simply refrain from storing the private key on the server itself. Instead you use a hardware device to perform encryptions for you. You probably know the principle from various types of smart cards -- but these types of systems are also available for "industrial" scenarios, where larger capacities are required.

In short: Hire help.

jks,
I am the hired help. And I am learning about better ways of doing what I need. Pointless to hire 2 other companies, I still will not trust them because I am in charge of security and need to know how security is done, so it easier to just learn it and don't waist money on someone pretending to be an expert on 2+2. The answer that I am looking for is simple, i just don't know it yet.

where did I " confused (encryption vs. lossy mappings)" ?

Also, about not storing the asymmetric key. Did you missed the part where I was explaining that everything got compromised. Its hacker's server now. And hacker can see everything that is in RAM or typed in to a server by any means. And can run any decryption based on hardware in that server or any other server that this server uses to decrypt mimicking this servers. And if I encrypt my key with some other key then how do I keep that other key safe ?

What I need is long odds way to store my DB encryption key that PHP or C++ program on a server can use as it needs it. Remember hardware keys that some software were protected by few years back and still used by some companies ? Well, the only once I know are those that were compromised inside of few months.

Originally posted by AlphaOne
I am the hired help.

Then learn to say no to tasks that are beyond you.

I am in charge of security and need to know how security is done, so it easier to just learn it

Then buy some of the basic books on cryptography and security and start reading?

Or you could see if your local university offers courses in this subject to companies?

If not, there are a lot of private companies that offer courses of varying quality in this area.

The answer that I am looking for is simple, i just don't know it yet.

That is what you pay consultants for: The knowledge and the answers that you do not have.

Also, about not storing the asymmetric key. Did you missed the part where I was explaining that everything got compromised. Its hacker's server now.

And?

And can run any decryption based on hardware in that server or any other server that this server uses to decrypt mimicking this servers.

I said to store the ENCRYPTION key. Not the decryption key.

And if I encrypt my key with some other key then how do I keep that other key safe ?

A pass-phrase is not a key.

Remember hardware keys that some software were protected by few years back and still used by some companies ? Well, the only once I know are those that were compromised inside of few months.

Yes, but then you probably don't know much about the subject. Do some research before just rejecting everything that is said to you. Why ask for help if you will not appreciate any help you receive?

In short: Hire help or get out of this project before you are sued to pay compensation after a break-in.

jks,
I appreciate every constrictive comment.

No reason to drop it because its difficult or solution is not in sight. Security is not absolute. I still have 1E-40 or better chances of what I have so far to be compromised. What I am looking is additional unpredictable situation insurance.

I have many books and access to entire internet (as far as books are concerned its like looking for a drop in an ocean, I just need that drop) I just decided to ask few people here, maybe someone came across of what I need.

quote:
Also, about not storing the asymmetric key. Did you missed the part where I was explaining that everything got compromised. Its hacker's server now.


And?

And everything that comes out of it.


quote:
And can run any decryption based on hardware in that server or any other server that this server uses to decrypt mimicking this servers.


I said to store the ENCRYPTION key. Not the decryption key.


That is what comes out of it. (This is the answer to your question above.) Only by DECRYPTION someone can decrypt something, which is the purpose of the hacker. Its asymmetric key. I can use asymmetric encryption key clear text.

quote:
And if I encrypt my key with some other key then how do I keep that other key safe ?


A pass-phrase is not a key.


And how do I keep it safe ?

quote:
Remember hardware keys that some software were protected by few years back and still used by some companies ? Well, the only once I know are those that were compromised inside of few months.


Yes, but then you probably don't know much about the subject.

If you saying that I don't know something about it. How about you make it clear.
I don't reject everything indiscriminately, but suggestions of not storing asymmetric decryption key on a server where its needed is unworkable.

Originally posted by AlphaOne
jks,
I appreciate every constrictive comment.

Cool. I don't understand why, but cool. Just value this comment: Get help.

Processing tens of thousands credit card transactions a day and asking for security help on webhostingtalk just sounds weird.

Security is not absolute.

You're right about that.

I still have 1E-40 or better chances of what I have so far to be compromised.

You haven't given any formal argument for that probability calculation. Nor have you given any informal argument for your "guesses" on the initial probabilities.

Probability theory is not intuitive. Be sure that you know what you're doing.

I have many books and access to entire internet

Cool! - I've only got access to the green and white parts of the internet so far.

If you want me to point you in the direction of material to read, then consider reading Schneiers "Applied Cryptography" as well as


That is what comes out of it. (This is the answer to your question above.) Only by DECRYPTION someone can decrypt something, which is the purpose of the hacker.


Well, that's a tautology. Noone is going to learn much from that :-)


Its asymmetric key. I can use asymmetric encryption key clear text.

You do not make much sense.

In assymmetric cryptography the encryption and decryptions keys are distinct. In order to do encryptions you do not need access to the decryption key.

The "hardware systems" that I talked about help you in regards of keeping the encryption key secure (i.e. ensure that noone can download the encryption). It does not as such prevent anyone from encrypting stuff while on the server, but it does prevent them from just downloading the key.


If you saying that I don't know something about it. How about you make it clear.

You can't just explain everything about cryptography and security in two sentences on a message board. I have spent years working on this stuff, and there's still a lot I have to learn.


storing asymmetric decryption key on a server where its needed is unworkable.

Which bring us back to another problem: You haven't specified your problem.

Earlier you said that you want to hide an encryption key. You didn't write that you needed the decryption key as well.

Could you (semi)-formally specify the workings of your system?

Originally posted by AlphaOne
not like I will be typing it every time I need to charge the credit card. 2) Company does 100,000 CC transactions a day. That is more than one transaction every second of every minute of every day which only brings us to 84,600 . 3) Products can't be packaged in a warehouse until credit card is approved and batching will be holding work of other departments.

I find this extremely difficult to believe. No offense, but I'm not even close to qualified for a security job at that level, and judging by your posts, you know far less then I do about the topic.

Someone who actually knows what they are doing should be setting this up. First, I'm going to say, that if anyone is capable of accessing a properly setup billing system NOTHING YOU CAN DO will prevent them from getting the key. You can already assume they are far too good for encoding or encryption to hold them up for too long.

Instead of jumping into the "probability" game, why not spend less time on this and more time keeping your servers secure? You've already mentioned the probability of all servers getting hacked (which, seems to have been pulled out of the air), so does it matter? None of us have the answer you're looking for, because none of us (I'd imagine) have any form of training in probability scenerios.

As recommended, get a security consultant and, assuming you're being honest about the transaction volume, the company should be quite capable of affording a highly qualified individual.

I have "Applied Cryptography" didn't get to it yet.
I am just designing and testing the system. Its not yet processing anything. But once operational it will have that kind of volume. Probability numbers are semi-arbitrary, and more likely on a low side. Its virtually impossible to calculate because it has to use many statistically unknown human factors. Only if humans make every mistake possible, few dozens, which is virtual impossibility, and if system attacked then it will take just few hours to get all CC#. (Some of few human mistakes are: turning off watcher server, disabling local watcher service, replacing encryption engine with non-encryption one, changing password of sysadmin to "password", disabling firewalls that isolate each server, ext.) All of that could be done only on purpose.
Anyway, I don't worry about over the net security. I worry about physically compromised security. I though that I had explained it already, didn't I?
Webserver uses asymmetric key to encrypt CC# and sends it to DB server. Billing server retrieves encrypted CC# from DB server, decrypts it with asymmetric decryption key and charged it.

But, Hacker got physical access to a server or I am running my billing program on hacker's server. The program is the one that takes encrypted CC# from DB server, decrypts it and sends it to the processor and then posts back results to the DB server.

if anyone is capable of accessing a properly setup billing system NOTHING YOU CAN DO will prevent them from getting the key
JustinH,
I said hacker/terrorist stormed data center with a f*** tank, and killed half of your employees already and will kill you too if you don't give them the password or key or server itself.

Originally posted by AlphaOne
I have "Applied Cryptography" didn't get to it yet.

Get to it. Reading that book will give you some insight if you understand what it says.

I am just designing and testing the system.

Do you have a formal design?

Probability numbers are semi-arbitrary

Basing your risk analysis on arbitrary numbers is just plain stupid. You won't be able to use the result of that calculation for anything serious.

Its virtually impossible to calculate because it has to use many statistically unknown human factors.

You should read up on probability theory and risk analysis / management.

Just because there are more factors than you can handle, it's not right to just say that "my result is as good as any other result, so I just pick an arbitrary number that I like".

You can always approximate the "true" probability by examining the factors that you can handle.

Concerning the probability of "human error" that is difficult to assess, it is possible to approximate the correct probability through argumentation, historic events, etc.

Only if humans make every mistake possible, few dozens, which is virtual impossibility, and if system attacked then it will take just few hours to get all CC#.

You're in dangerous territory. Saying that this happens in 1:10000 cases and that happens in 1:1000 cases, then this must mean that my system is secure with a probability of 1/10000000 for failure -- that is simply naive.

In order to do this properly you have to research this properly, write stuff down and think about it. Yes, perhaps there is a 1/10000000 probably of exactly _that_ attach to happen --- but what about the 1000 other attack paths that you haven't considered?

Read up on basic security methods such as attack trees before doing your security analysis.

[QOUTE]Webserver uses asymmetric key to encrypt CC# and sends it to DB server. Billing server retrieves encrypted CC# from DB server, decrypts it with asymmetric decryption key and charged it.[/QUOTE]

I don't see how that conflicts with what I suggested you earlier on. The webserver only needs to encrypt things, and the billing server only needs to decrypt things. Thus you do not need the encryption and decryptions keys on the same server, as you objected earlier.

Basically, you need to get help. You are having problems even describing the intended behaviour of your system, so I wouldn't trust that you could foresee all the "unintended behaviour" that could arise.

If money is a problem for you -- try talking to your local university and hear if they have some students that need a case to work on for a semester project. That could be a cheap way to get access to an evaluation of your system.

Originally posted by AlphaOne
JustinH,
I said hacker/terrorist stormed data center with a f*** tank, and killed half of your employees already and will kill you too if you don't give them the password or key or server itself.

Hi AlphaOne,

Try reading about tamper proof devices as well. As I wrote earlier, these types of hardware devices can secure the private key against others obtaining it, while allowing encryptions with the key by the server. Tamper proof devices are ofcourse not 100% secure against tampering, but it is a hell of a lot better than nothing.

I assume you just want to protect yourself against ordinary "thieves". Or are you actually trying to protect yourself from the military, CIA, FBI, NSA and the muppet show?

"semester project" is a good idea!
But most likely will be outside of their capabilities, but I will still try. Maybe postgraduates.

Money are tight at this point.

I never said that encryption and decryption key on a same server, and I did said many times that its done on different server.

I assume you just want to protect yourself against ordinary "thieves". Or are you actually trying to protect yourself from the military, CIA, FBI, NSA and the muppet show?

LOL
More like extra-ordinary thieves. Possible disgruntle employee or industrial espionage or terrorist bent on disrupting economy. Government too should be kept within the law. Just because someone work for the government it doesn't make him right.

Originally posted by AlphaOne
"semester project" is a good idea!
But most likely will be outside of their capabilities, but I will still try. Maybe postgraduates.

The level of expertise you have shown up until now is considerably below that of an security-interested computer science student in his/her fourth year or similar.

Money are tight at this point.

Have some integrity.

You're hired help. You want to secure your system like a government nuclear missile facility -- and you want to do so with no money and without reading books.

Just tell your client that you have researched the matter and found that it is not possible for you to ensure that the system will enjoy the security promises that they need with the budget they have set.

In other words: Ask for more money so that you can hire professional help.

If you client has some wits, they are going to like that answer. It is better to be told now, than let whole thing blow up in their hands a year later when someone hacks the system.

I never said that encryption and decryption key on a same server, and I did said many times that its done on different server.

You actually wrote this when I suggested storing only the encryption key on a hardware device:

I don't reject everything indiscriminately, but suggestions of not storing asymmetric decryption key on a server where its needed is unworkable.

Which I took to mean that you couldn't make do with just having an encryption device -- you also wanted the decryption device on the same server.

Alas: You need to describe your system better.

Try making a Word-document or a homepage or something that describes your system in detail. Use rich pictures, graphs, dataflow diagrams, etc. Describe the use of keys and encryption with pseudo-code or formal methods. Create use-cases that explains how the system is going to be used.

When you have that, you are ready to talk to others about your security questions.

Right now you have a half-hearted, vague description of a system, and you want a very detailed, technical and precise answer to a question you haven't specified fully.

In other words:

You're asking too much from a forum like Webhostingtalk. People aren't going to do your home work for you in here.

If you pay a consulting company to help you, then you can give the vague descriptions and ask the hard questions. They'll then be glad to spend a lot of time trying to understand your system and your question and then give the correct answer (hopefully).

1. Its my own project. "I am the hired help" - simply meant in a context that I am like the once you want me to hire. 2. I do work as a consultant for some companies, but never got to the encryption side of things. 3. System is well defined with UML diagrams and stuff and I did had in initial post explained what I need.
I need a way to have an asymmetric decryption key inside of my program and it should be virtually impossible for anyone to be able to get that key out of it while it ether stored or running on a server.

Possible disgruntle employee or industrial espionage or terrorist bent on disrupting economy.

Terrorists?

This thread has gone beyond BS. This is sort of like the head of the Army going into the America's Army forums and asking geeks across the USA how to best storm a bunker. What makes you think that your application is SO IMPORTANT that hackers will drop what they are doing to come after you?

If you have the qualifications you say you do, I am not really sure why you are posting here.. after all, its a webhosting forum.

Maybe this answer will help you: 100% assurance of security is impossible. I dont know why you cant seem to understand that this is about risk stratification, and that security has to be applied in layers. You would rather hunt around for a magic security blanket that doesnt exist.

Once more, I challenge you to find even a single incident of someone breaking a well-designed online billing system and stealing credit card numbers or personal information.

webhosts use CC too. This is Programming Discussion and I posted programming question. Security layer and no 100% - everyone knows about it.

Well designed - why do you think you would ever know about 1% of all incidents ?
And there are many. Like one just last week with Japanese bank. just search the net. http://www.techweb.com/wire/security/159901593

what about the incident where collage students info got compromised or SSN were possible to hack

same way as there is no 100% security there is no 100% design

Rather than bashing me, ether suggest something usable or just abstain from posting.

lmfao, omg this thread is so out of control, it's becoming a bloody rant.

Sorry to have so much confidence in Zend, IonCube and Source Guardian, seems they have been hacked time and time again by the big boys ONLY.

Everything depends on how bad this guy wants the CC #, he can get past anything if he tries hard enough.

The bank heist depended on a keylogger. Did you read the story?

Other breakins of late, choicepoint and various college student info (SSN's) were either done by social engineering or really really dumb sysadmins who store that data in plaintext.

At least get your stories straight.

that is the point. there is no 100% design. don't want to waist my time finding someone getting credit cards, but i remember hearing more than once on the news. not counting that most companies woould never report anything like that. and try to keep it out of news

Originally posted by AlphaOne
1. Its my own project. "I am the hired help" - simply meant in a context that I am like the once you want me to hire.

No, you're not. Please realise that you are beyond what you are capable of at this point in time.

Right now you sound like a handy-man who wants to setup the electrical wiring in a 10 story office complex, but do not want to hire an electrician -- and basically believes that these fuses that everyone is talking about is just bogus.

Go read some books, do some programming and test stuff out -- and then return to this project in half a year or a year. Things will probably look different then.

3. System is well defined with UML diagrams

Then please post those UML diagrams.

I need a way to have an asymmetric decryption key inside of my program and it should be virtually impossible for anyone to be able to get that key out of it while it ether stored or running on a server.

I think I have told you a few times now, that you want to use a seperate tamper-proof hardware devices that is connected to the server, which would allow you to do decryptions without actually getting the decryption key.

Take a look at for example this microcontroller:

http://www.maxim-ic.com/quick_view2.cfm/qv_pk/2949

It's not exactly what you need, but if you examine the user guides you will see some of the techniques that you could use. Bear in mind that there's both "tamper resistant" and "tamper proof" devices -- it's not the same thing.

Originally posted by AlphaOne
that is the point. there is no 100% design.

I don't agree with that fully.

If you determine a level of abstraction for your design, there are formal verification methods to _prove_ that your design is correct (prove as in mathematical proof).

don't want to waist my time finding someone getting credit cards

I think we have gotten the message. You do not want to use any time, but we should help you with all the time we've got and stop sending you all the suggestions that you have already thought of.

Based on the content of this thread and a brief email conversation with the OP, I find it is hard to believe that this is anything more than a paper term project, which is not bad in terms of exploring the possibilities. But to present it as stated in this thread is a bit disingenuous. What described is an interesting scenario, but very improbable and certainly not the top concern in real world system designs.

This 100% hand-waving and free opinion is based on 1% personal observation and 99% gut feeling of an experienced system designer. And if past results is any prediction, it could be 101% wrong in 19 times out of 20 with a margin of 3%. Wouldn't you love picking random probability out of thin air? ;)

Anyway, it seems to me the OP really wants to know the probability of a successful break-in, preferably in the order of 1e-40 or something. But that is impossible to know without formally specifying the whole system, including all related components, the hackers and their skills, then assigning separate probabilities to all components, and then working out their interactions.

In short, not something easily discuss on a public forum if the intended result is to be as as serious as described.

If this is not a hypothetical question, then go hire a team of experts and let them work out the system design and its strength/weakness under specific conditions. Start with the top experts such as http://www.rsasecurity.com/, and work your way up or down the ladder as your (employer's) budget would allow. Or pay me and I will provide expert opinion on what is wrong with the proposed design. Serious money will result in properly analyzed and considered answers with recommendations. Increase the amount sufficiently and you will get second opinions from other experts of your choice.

Originally posted by TekPrime
But that is impossible to know without formally specifying the whole system, including all related components, the hackers and their skills, then assigning separate probabilities to all components, and then working out their interactions.

It might be possible without actually specifying the hacker itself. The methods I'm working on in my research for example allows reasoning about security without specifying the hacker.

Whether that is possible in this scenario or not is hard to say from the information available in this thread. It all depends on the level of abstraction that can be accepted in the formalisation of the system.

"You do not want to use any time,"

- almost everyone knows that CC had been stolen in the past on the internet from what someone thought were 100% designed billing systems, no point for me wasting time finding exact news article. Plus, I know about one brake in a well known brokerage house where many accounts were compromised and it wasn't in the news. Mind you each account had magnitudes more money on them than any CC would have.

Dudes, stop picking on the numbers. I appreciate some of the suggestions, but I told you they show magnitude and not exact. Not sure how much you had progressed in SCIENCE of coming up with hard numbers from nonexistent data, but I can only come up with guesstimates like I did when statistical information necessary to calculate that DOESN'T EXIST. Maybe you have access to reliable statistics on how many employees become disgruntle and try to compromise their previous employer's systems or how many undiscovered bags in combined soup of all software that server will run that will make it compromisble and so on. By nature of things some stuff like that can't even exist. Same way you don't know shape of the underwater iceberg, looking at 2D picture of one of its sides above water part.

But here is one of the ways how its solved. Its completely taken out of the equation. As I said, just substitute those numbers with "extremely difficult" and "virtually impossible"

Posting design of the security system will compromise it - you should know that. The more hacker tries to discover exact design the more alarms he will trip. More time I will have to trace him back. And there is no 100% of anything. There is always % of error. Math is the only thing that we think is 100%, but almost nothing else.

Project is real and I can spend as much time on it as I please, since additional security i am working on right now is just extra protection from terrorist like attack.

I understand that you became intrigued, but I can't afford to pay out of my packet. I have to use money for the server and bandwidth and business stuff. That is the reason I asked public forum for guidance. You are welcome to help if you can and when the company well on its way and making money then there may be something there. Or you can just perfect the implementation of security concept and reuse it on some other paying project as ready and tested product.

That is the only thing that I can offer.

Originally posted by AlphaOne
Not sure how much you had progressed in SCIENCE of coming up with hard numbers from nonexistent data, but I can only come up with guesstimates like I did when statistical information necessary to calculate that DOESN'T EXIST. Maybe you have access to reliable statistics on how many employees become disgruntle and try to compromise their previous employer's systems or how many undiscovered bags in combined soup of all software that server will run that will make it compromisble and so on. By nature of things some stuff like that can't even exist. Same way you don't know shape of the underwater iceberg, looking at 2D picture of one of its sides above water part.

Are you for real?

Try actually spending some time to get to know an area before just dismissing things as "not existing" or "impossible". Whole educations are devoted to learning how to develop statistics from incomplete data sets.

And the part about the iceberg... well, it's pretty common knowledge that what we see above water is only "the tip of the iceberg". By reasoning about the relative density of ice compared to sea water and looking at historic data, scientist have long ago found out that a normal ice berg is about 7/8ths below water and 1/8th above water. They probably also stuff like the length and widths of the part under water compared to the part above water.

It's the same with disgruntled employees. You look at historic data from similar companies, you look at any reasons they might have for being disgruntled, etc. and you develop an estimate through some method.

Posting design of the security system will compromise it - you should know that.

Why do you act like you know everything much better than the forum you're asking for help?

What you are describing is commonly known as "security by obscurity". You can read about the disadvantages of that approach here:

http://en.wikipedia.org/wiki/Security_through_obscurity

Math is the only thing that we think is 100%, but almost nothing else.

And you don't think there is any maths in computers? :-)

Project is real and I can spend as much time on it as I please, since additional security i am working on right now is just extra protection from terrorist like attack.

So you're saying that your time is free? or at least very cheap?

Come on. This whole thing sounds very fishy.

You run a system that processes hundreds of thousands of dollars each day. You have got all the time in the world to make it better -- but you can't spend a dime on it. You've also got all the books in the world, but you do not want to read them. In addition, the whole thing is so important that terrorist will target your system almost for sure.

Originally posted by AlphaOne
I understand that you became intrigued, but I can't afford to pay out of my packet. I have to use money for the server and bandwidth and business stuff. That is the reason I asked public forum for guidance. You are welcome to help if you can and when the company well on its way and making money then there may be something there. Or you can just perfect the implementation of security concept and reuse it on some other paying project as ready and tested product.


Ah. Now it sounds like something we all know.

The traditional "I've-just-started-my-own-internet-company". And it's even combined with the traditional "my-prices-will-give-me-a-profit-of-5$-more-than-the-server-costs".

Basically, you need to stop and think about what you're doing for a second.

A company that relies heavily on security but has no money to spend on it is doomed to fail. If all your income goes to pay for the server, and there's nothing left for development, support, etc.... it won't last. Ask all the web hosting companies that failed. You need to be able to afford paying salary after a short period of time in business (for example 1 year) -- otherwise it's simply not going to work in the long run.

You want people to help and "perfect the implementation", but you have publicised almost nothing about the system, and zip about your implementation. Do you expect us to be mind readers?

Publicise the details about your system and people will be more than willing to help you on specific questions. Just asking for people to guess how your system works and demanding that they do your home work is not going to work.

I was careful to say "shape" of an obscured from view 3D object from 2D picture of only one visible sides of it, not size or general length. Its doubly obscured problem. With no statistical data on specific shape available anywhere. No one would even try to catalog exact shapes (not approximate) of underwater parts of icebergs. Its like cataloging grains of sand. 99% pointless. and 100% impossible.

"security by obscurity" does have its draw backs, I agree.

C'mon there is math in computers, but not in humans that design them or software for them.

You run a system that processes hundreds of thousands of dollars each day

Dud, did you got amnesia. I said "I am just designing and testing the system. Its not yet processing anything. But once operational it will have that kind of volume."

Interesting work on DNS stuff, BTW.

obscurity of unproven security methods is bad. I only use proven methods, but in what order and which once is part of layered security.

For now I just want to find a way to make asymmetric key used in my program on a server extremely long time to get even if someone got copy of the program or were able to test run it on the server where it should but with bunch of hacking tools.

If you like, I can give out that part.

Originally posted by AlphaOne
I was careful to say "shape" of an obscured from view 3D object from 2D picture of only one visible sides of it, not size or general length. Its doubly obscured problem. With no statistical data on specific shape available anywhere. No one would even try to catalog exact shapes (not approximate) of underwater parts of icebergs. Its like cataloging grains of sand. 99% pointless. and 100% impossible.

Then your example is bad. The statistics in trying to asses the security of a system does not need to be 100% exact. I.e. you do not have to look at the exact shape of the ice berg, more like you want to find the least rectangular box that you can fit the ice berg in.

C'mon there is math in computers, but not in humans that design them or software for them.

I don't know about you, but I think there's a lot of maths in me :-)

Interesting work on DNS stuff, BTW.

Thanks!

Its known fact that people make mistakes and software they write is buggy, i.e. not math.

Originally posted by AlphaOne
obscurity of unproven security methods is bad. I only use proven methods

This is actually one of the problems with security by obscurity. Everyone that uses it seems to think that they are better than everyone else, and thus have this: "Oh, _I_ can use security by obscurity. It only fails for the other idiots."

The problem is that because it's security by obscurity, the only ones that can know if it is "proven" methods is the ones designing the system.

but in what order and which once is part of layered security.

You should be aware that not all methods enjoy "full abstraction". I.e. the security of a "proven method" might disappear when used together with another "proven method".

For now I just want to find a way to make asymmetric key used in my program on a server extremely long time to get even if someone got copy of the program or were able to test run it on the server where it should but with bunch of hacking tools.

I have told you three or four times how to do that. Haven't you read it?

If you like, I can give out that part.

Yes, do that.

Originally posted by AlphaOne
Its known fact that people make mistakes and software they write is buggy, i.e. not math.

You're confusing things. I do not want to discuss it, but my opinion is that people are filled with math and logic. Some more than others, but nevertheless.

If you want, I can point you to formal methods that allow specifying systems and protocols formally and afterwards proving their security in a mathematical way.