Secure Online Purchases

Using Open Source To Secure Online Purchases

Lokitech Inc., a small software security firm in suburban Washington, D.C., has crafted an Open Source-based security solution for credit card processing that will run with .NET and Java enterprise systems.

Lokitech’s approach allows a business to store encrypted credit card lists and other sensitive information, says the company’s CEO, Serge Knystautas. Lokitech developed the encryption solution for an Internet-based casino project, involving teams in the U.S., Canada, U.K. and Costa Rica, but the resultant easy-to-deploy two-way encryption platform is finding a larger audience, taking the risk out of using Open Source solutions for securing mission-critical data.

“We needed a way to store credit card numbers and account information without making the integration between different teams overly complicated. The technique we came up with allowed us to ensure that backups and communication were secure without adding significant costs or complexity,” Knystautas added.

Lokitech also needed to find a method that would help eliminate developer error. Company engineers hit on a solution that, with a little re-engineering and some Open Source libraries, moved the encryption function from the application layer to the data layer.

The encryption/decryption libraries are available as Crypto++, an Open Source (and free) C++ class library for encryption. To move the encryption logic to the database layer, Lokitech wrapped the C++ encryption code inside extended stored procedures of an off-the-shelf SQL database (in this case, the casino used Microsoft SQL Server). Using the .NET Framework Class Library, Lokitech took advantage of many encryption APIs that can be called from any .NET-capable language, such as VB .NET, VC++ or C#.

In addition, the Lokitech team leveraged HTTPS, inserting a layer on small pieces of data to ensure added security.

Moving the encryption logic, Knystautas said, can help eliminate developer error. In particular, the approach means that developers can secure their data, “and you don’t have to figure out XML encryption” or other new security processes, he claimed.

Lokitech uses Crypto++ to encrypt passwords (based on SHA hashes) and encrypt/decrypt credit card numbers with triple DES. The Crypto++ library can handle the encryption logic within (and among) distributed databases — with Microsoft’s SQL Server, it works with ANSI C; and in J2EE application servers, Crypto++ libraries are slated to be bundled with JDK 1.4. Further, Crypto++ works with standard X.509 technologies.

Another benefit? Performance can actually increase, depending on the application. “The amount of data encrypted is very small, compared to doing something with an entire application,” Knystautas said.
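The data-layer idea described above, sketched as an added example (not Lokitech's code): the password routines are registered inside the database and the application only issues SQL. It assumes Python's sqlite3 user-defined functions as a stand-in for SQL Server extended stored procedures and salted PBKDF2-HMAC-SHA-256 as the SHA-based password scheme; the names `pw_hash`, `pw_verify` and the `accounts` table are hypothetical.

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 100_000  # assumed work factor for this sketch


def pw_hash(password: str) -> str:
    """SQL function: return 'salt_hex$digest_hex' for a new password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def pw_verify(password: str, stored: str) -> int:
    """SQL function: 1 if the password matches the stored record, else 0."""
    try:
        salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except (AttributeError, ValueError):
        return 0  # a NULL or malformed record never verifies
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return int(hmac.compare_digest(actual, expected))  # constant-time compare


def open_db() -> sqlite3.Connection:
    """Create the store and register the hashing routines in the data layer."""
    db = sqlite3.connect(":memory:")
    db.create_function("pw_hash", 1, pw_hash)
    db.create_function("pw_verify", 2, pw_verify)
    db.execute("CREATE TABLE accounts (login TEXT PRIMARY KEY, pw TEXT NOT NULL)")
    return db


def register(db: sqlite3.Connection, login: str, password: str) -> None:
    # Application code never handles salts or digests; it only calls SQL.
    db.execute("INSERT INTO accounts VALUES (?, pw_hash(?))", (login, password))


def check_login(db: sqlite3.Connection, login: str, password: str) -> bool:
    row = db.execute(
        "SELECT pw_verify(?, pw) FROM accounts WHERE login = ?", (password, login)
    ).fetchone()
    return bool(row and row[0])
```

Because every team reaches the same two SQL functions, a change to the hashing parameters happens in one place rather than in each application.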

Hands-On: Inside Crypto++, with Code Sample
Crypto++ has an object-oriented class hierarchy and uses internal C++ templates heavily. Key concepts in Crypto++ are data sources, filters and sinks. In general, the process works like this: Plain text data originates from a source, undergoes a series of filters (encryption algorithms), and emerges at a sink as the cipher text. The converse happens with decryption. The sources and sinks can be files, I/O or network streams, or C++ strings.
Crypto++ covers most popular encryption algorithms, including:

  • DES, Triple-DES, Blowfish and other symmetric block ciphers;
  • RSA, DSA and other public key cryptography, as well as padding schemes for public key systems;
  • SHA-1, SHA-2, MD4, MD5 and other one-way hash functions;
  • Stream ciphers: Panama, ARC4, etc.; and
  • Key agreement schemes: Diffie-Hellman (DH), etc.

Go to the Crypto++ library. Also, a detailed Crypto++ FAQ is available.

The Lokitech code samples below perform two key functions:

  1. Password protection and
  2. Simple credit card number encryption using Crypto++ and DES encryption and decryption.

Future of Open Source in the Enterprise
OET asked Knystautas whether he met any resistance from his clients about using Open Source for a security project.

“The nature of custom projects has changed,” Knystautas replied, matter-of-factly. And that shift will work to Open Source’s benefit, he said.

“It used to be custom projects had big budgets, and that meant when they worked with consultants, they wanted to use the most elaborate software — or even to build what they wanted from scratch,” Knystautas told OET. “Now, people hiring technology and business consultants want more guidance as to how and what they should be doing with technology, and that, for us, means an increasing use of Open Source.”

Knystautas said Lokitech has been using Open Source since 1997, and has had employees participate in the Apache Software Foundation since 1999. The virtues of Open Source, he said, are becoming more apparent to his clients. “It has really changed the way projects happen,” he said. “If an Open Source application or solution can offer 80% of the functionality of a [commercial option] really quickly, that is attracting attention. The advantage of an Open Source library is that virtually all businesses can use it, since there are no extra software fees and it’s more easily adapted to whatever platform the business uses,” Knystautas explained.

But the magic of Open Source is evident in the way the developer/consultant can mold it to the customer’s needs — and not in the fact that it may (or may not) be free, Knystautas hastened to add. “Open Source is changing from just a development environment to an integration environment. With Open Source, the sheer volume of projects getting created will expand as different businesses are taking a look at how it can be used in their enterprise.”

Lokitech is already spreading the word in metro Washington, D.C., and Knystautas told OET that a number of national trade associations and nonprofits based in the area are interested in learning more about the Open Source-based security options. “Trade associations are a natural for this,” Knystautas explained.

“If you think about it, most associations you give money to know everything a hacker would need for identity theft — name, address, credit card number and, in some cases, Social Security number,” Knystautas said.