How is online banking data decrypted securely?

mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Post by mecha_godzilla »

Before I start, I'd like to make it quite clear that I'm interested in the theory and not the specifics... :)

I'm about to start work on two systems that hold sensitive client data - not payment information but details about medical history and financial status, etc. As usual, there is zero budget for either system but the information is already being captured and stored (insecurely) and so I've been asked to do what I can to "beef up" the security. I also have PHP and MySQL at my disposal (which is a good thing of course).

Now, I'm familiar with how symmetric/asymmetric encryption schemes work and intend to use GnuPG but my problem is this - not only does the data have to be encrypted (which I can do safely) but it also has to be accessible so the user can make changes to their data, with the problem obviously being that if I want to decrypt something I've got to have the private key and the passphrase on the same system (which weakens the security of the overall system).

I know that this can be done securely because it happens in online banking - I just enter a couple of passwords and can see everything - so I'm wondering what setup the banks have in place that allows them to securely decrypt my data once I've logged in. I know one of the recommendations the credit card companies make is that any keys held on the system should be encrypted themselves, but I can't quite work out how this might be done - do I create a unique 'user' private key for each account which can decrypt a copy of the 'master' private key, and if so how do I make sure that this system isn't compromised by someone guessing the passphrase for the 'user' key. Is it possible to create a 'one time' key, or split the key in some way? Also, is it even safe to 'work' with the passphrase or key in memory (on a shared system, I'd assume not)?

As may be obvious, I have a reasonable grasp of how it might be done but would appreciate any suggestions or input. Just to make it quite clear, the "you shouldn't be doing this if you don't know what you're doing" argument is moot because I have been asked to do it, there's no budget available and the alternative is to keep everything as it is and risk the organisations involved having their data compromised! In case that sounds abrupt, it certainly isn't meant to but I've seen that sort of reply come up time-and-again and it generally doesn't reflect the reality of the situation: people do sometimes get asked to do things that they don't necessarily know how to do, and you try getting the big banks to tell you how they do things ;)

Thank you in advance,

Mecha Godzilla
No, not the real one, just a poor facsimile...
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How is online banking data decrypted securely?

Post by kaisellgren »

Well, let me tell you something first. Encryption algorithms are made to help in cases where the encrypted data is exposed, but not the key itself. If someone has the key, and knows the algorithm behind it, the encryption is useless. So, the key is everything. If your server is compromised, chances are high that your key is stolen. One of the biggest points is to make it hard to steal the key, so that hopefully the breach has already been taken care of before the key is stolen. Encryption is the last line of defense, and you must do everything you can in your power to stop anyone getting that deep in your system.

There are a couple of things that must be done to achieve a secure system. And there are different implementations and controls applied to different online banks. Here are a few things to consider.

Never send anything in clear
It's not totally uncommon to see a system where data is transmitted from a remote server without SSL/TLS. Databases are a good example here. Many systems allow you to set up schemes with remote databases, and they do not utilize SSL. This is very unlikely to happen in case of online banks, but almost every single WordPress blog that uses a remote database does not utilize SSL, thus, everything is transmitted in clear. This is not limited to database connection, but to any server-server connections, too.

Encrypting user assets
Each user should have their own "key" that is used to encrypt their data. The encryption key for a user must be also encrypted with a master key. The user key can be stored in the database along with the data, but the master key must not be on the web/database server. It must be on a separate server that is not connected to the Internet, and must not have anything other than a basic Linux kernel on it. The master key is then encrypted using a launch-time password. When the master server is booted, it is given a password typed by the security chief so that the password is stored in the memory, and never on the disk/db and won't get logged into some system logs. The location of this password in the memory should be obfuscated to buy more time for the security personnel to identify breaches before anything bad happens. It must also be made sure that the password is never swapped out to the disk, or else an intruder could just look into pagefile.sys. It's also urgent to never keep encryption keys in the memory in your applications. After you have used a key, you throw it away. In PHP, you would set it to null and then unset it.

The encryption process
The encryption process is crucial. The used cipher must not be obsolete. Keys must be strong and (pseudo) random. Padding, IVs and cipher modes must be understood. Using Rijndael-256 is a pretty good choice. The cipher mode I recommend is either CBC or CFB. Counter modes are harder to implement for this situation as you must be sure that you never re-use an IV. The IV should be random and fresh each time. Padding scheme must be that of how PKCS #12 defines it. The random data is gathered via /dev/random which is filled with random data gathered from sources such as radioactive decay events.

Ultimately, it must be made sure no one gets into your system. That's the only real way of making sure no one can decrypt user data. Security is so much more than just encryption or key storage.

Re: How is online banking data decrypted securely?

Post by mecha_godzilla »

Thanks Kai - lots of good advice there :)

Please excuse my use of a pseudonym instead of giving my real name out, I just don't want anyone linking me to the sites in question (for obvious reasons.)

I think I've understood what you're saying, but if you have the time I'd be grateful if you could answer a couple more questions:

1. You say that the master key needs to be on a separate server that is not connected to the Internet. Does this mean that it needs to be locally connected to the web server in some way (but not directly accessible from the Internet) or are we saying that it needs to be completely separate from any machine and not connected to any network, so that the key can't be compromised in any way?

2. The master key can't be stored in the database but it needs to be available at runtime to decrypt each user's key. This means that an encrypted copy of the master key must be stored or saved somewhere, and when it's needed it's then decrypted with the password that was saved to main memory when the server was booted. Does that mean that the encrypted master key should also be saved to main memory as well or, if not, where does it need to go?

I agree with your last point that encryption won't necessarily protect anything if the system is compromised so I'll need to find out more information about their hosting arrangements. The main problem is that there won't be a dedicated sysadmin available to keep an eye on things so the hosting company will be responsible for 'managing' the server's security (which might amount to very little 'managing' at all, of course.) I think what I might do is try to segregate the data into 'low' and 'high' risk categories, and only the 'low' risk data would be accessible from the web site. I had thought about the possibility of using some kind of hardware token. Although this would be impractical for the basic accounts (because of the amount of users they have) it might be viable for the small number of managers (who need to have access to everything).

Thanks again - much appreciated!

Mecha Godzilla

Re: How is online banking data decrypted securely?

Post by kaisellgren »

mecha_godzilla wrote:
1. You say that the master key needs to be on a separate server that is not connected to the Internet. Does this mean that it needs to be locally connected to the web server in some way (but not directly accessible from the Internet) or are we saying that it needs to be completely separate from any machine and not connected to any network, so that the key can't be compromised in any way?

The master key server should be in a local network connected to the web servers.

mecha_godzilla wrote:
2. The master key can't be stored in the database but it needs to be available at runtime to decrypt each user's key. This means that an encrypted copy of the master key must be stored or saved somewhere, and when it's needed it's then decrypted with the password that was saved to main memory when the server was booted. Does that mean that the encrypted master key should also be saved to main memory as well or, if not, where does it need to go?

The master key would be encrypted and stored on disk on its own server. The password-decrypted version of it is in the memory.

Many setups I've seen decrypt data on the master key server so that the master key is never given to the web/database server(s). Thus, cracking the web/database server(s) will not give a criminal the master key.

Also, I highly recommend installing hardware and web application firewalls. And I hope you are not taking any responsibility as you have no budget. It should be your boss who's taking the responsibility.
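
The key hierarchy from the two replies above (launch-time password, master key, per-user keys, decryption performed on the key server), as an added example that is not code from the thread or its posters. It assumes PHP 7.2+ with ext-sodium and swaps in libsodium's authenticated secretbox for the Rijndael/CBC setup the post mentions; `KeyServer`, `seal`, `unseal` and `kekFromPassword` are hypothetical names, and the in-process class stands in for a separate host reached over the local network.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.2 with ext-sodium;
// secretbox (XSalsa20-Poly1305) replaces the Rijndael/CBC choice in the post.
function seal(string $plain, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per message
    return $nonce . sodium_crypto_secretbox($plain, $nonce, $key);
}
function unseal(string $blob, string $key): string {
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    $plain = sodium_crypto_secretbox_open(substr($blob, $n), substr($blob, 0, $n), $key);
    if ($plain === false) throw new RuntimeException('wrong key or modified data');
    return $plain;
}
// Launch-time password -> key-encryption key (Argon2id via libsodium).
function kekFromPassword(string $password, string $salt): string {
    return sodium_crypto_pwhash(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $password, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE);
}
// Runs only on the key server; the web tier calls it and never sees a raw key.
final class KeyServer {
    private $master; // decrypted master key, held in memory only
    public function __construct(string $launchPassword, string $salt, string $sealedMaster) {
        $kek = kekFromPassword($launchPassword, $salt);
        $this->master = unseal($sealedMaster, $kek); // throws on a wrong password
        sodium_memzero($kek);
    }
    public function newWrappedUserKey(): string {
        $userKey = sodium_crypto_secretbox_keygen();
        $wrapped = seal($userKey, $this->master);
        sodium_memzero($userKey);
        return $wrapped; // safe to store beside the user's rows
    }
    public function encryptFor(string $wrappedUserKey, string $plain): string {
        $userKey = unseal($wrappedUserKey, $this->master);
        $blob = seal($plain, $userKey);
        sodium_memzero($userKey);
        return $blob;
    }
    public function decryptFor(string $wrappedUserKey, string $blob): string {
        $userKey = unseal($wrappedUserKey, $this->master);
        try { return unseal($blob, $userKey); } finally { sodium_memzero($userKey); }
    }
}
// Constructed demo: provision once, "boot" with the password, serve one user.
$salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
$sealedMaster = seal(sodium_crypto_secretbox_keygen(), kekFromPassword('sample-boot-password', $salt));
$ks = new KeyServer('sample-boot-password', $salt, $sealedMaster);
$wrapped = $ks->newWrappedUserKey();
$row = $ks->encryptFor($wrapped, 'constructed sample record');
echo $ks->decryptFor($wrapped, $row), PHP_EOL;
```

Only `$salt` and `$sealedMaster` would sit on the key server's disk, and only `$wrapped` and `$row` in the web tier's database; a dump of either store alone yields no usable key.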

Re: How is online banking data decrypted securely?

Post by mecha_godzilla »

Thanks Kai - I think I understood all of that.

The organisations will take overall responsibility for the protection of the data (they're legally obliged to, of course) but at this point in time they can't afford to have somebody in-house looking after the servers - this was what I meant by the hosting company being 'responsible' for the server security. I haven't been told which company they're with but they would be willing to change the provider if I think the measures in place aren't sufficient. I have a reasonably good knowledge of Linux security in a theoretical sense (I've read quite a bit on the subject) but I'm not at the stage yet where I could set up a new server and be confident that I'd done it securely.

I don't know if you ever read the UK news but we've had a number of very high-profile data breaches over the past couple of years (some of which haven't been made public) but this still doesn't seem to have been the "wake up call" that it should have been. Part of the problem is that some companies still make the assumption that the risks are negligible, mainly because they can't appreciate why someone would go to the trouble of stealing their information because they're not holding credit card numbers. Another problem is when people hide behind the defence of not being "IT literate" or not "knowing anything about computers" as a way to transfer responsibility to the web developer, a problem which is then made worse if the web developer outsources the work to someone else that doesn't have any appreciation of the data protection requirements. I'm not necessarily criticising outsource companies for this but some companies will do exactly what you tell them to do and no more, and won't go beyond the original design specification to implement anything other than a very basic password system unless they're specifically told to. One final problem (and I assume this isn't specific to the UK) is that a lot of web development work never gets tendered but instead gets handed out to individuals or small companies with which one of the directors has worked in the past or has been recommended to use by a friend/associate/colleague. This isn't a bad thing as such but it does mean that there are quite a lot of "rogue" developers out there that are taking on big contracts that they can't manage, and nobody is ever questioning their competency - again, people using the "I don't know anything about computers" argument as a way to side-step the problem.

And with that, I think I've finished ranting now...

Thanks again for your help - and make sure you have a good weekend :drunk:

Mecha Godzilla