Security
Security is an issue that comes up almost every time people discuss commercial transactions on the Internet. This is a serious topic for which VIPsports has taken a serious approach. We have taken into consideration a wide variety of potential areas of concern and implemented the newest and most effective technologies to combat those who would slow the growth of the world’s fastest growing medium of media and commerce. We are confident that, through the use of multiple levels of encryption and account verification, the Members of our service will experience seamless, safe Internet communication with our wagering software.
VIPsports has adopted the following security creed as the basis for system development and account activity management: "Never underestimate the time, expense and effort a hacker will expend to break our code and infiltrate our system." Although VIPsports is confident in the security built into the design of our system, VIPsports will continue, as an ongoing activity, to evaluate system security as Internet security technologies and, unfortunately, code-breaking and hacking techniques continue to develop.
VIPsports is aware that security attacks on our Web site are inevitable, and will use the following cryptographic technologies as a means to prevent any breakthroughs:
 
 
The SSL protocol operates "lower down", between the application level and the transport (TCP/IP) layer. This strategy allows SSL to encrypt the data stream itself, thereby establishing a secure transmission channel for any Internet application, independent of protocol. SSL and S-HTTP are not, however, mutually exclusive. Because they operate on different levels, the protocols could be layered to double-encrypt the data.
In addition to a secure data pipe, SSL includes provisions to authenticate the identity of each VIPsports server session and the VIPsports member using RSA’s system of digital signatures. SSL also attaches an encrypted ID to each secure session. This ID, which is cached by both parties, allows a VIPsports member and the VIPsports server that previously established an SSL connection to reestablish a secure channel without repeating the entire handshaking process.
The VIPsports SSL handshake has been designed to make its security services as transparent as possible to VIPsports members. Typically, VIPsports members will click a link or a button on a page that connects to the VIPsports SSL-capable server. The VIPsports SSL Web server will accept SSL connection requests on a different port (port 443 by default) than standard HTTP requests (port 80 by default). When the VIPsports member’s Web browser connects to this port, it initiates a handshake that establishes the SSL session. After the handshake finishes, communication between the VIPsports SSL-enabled Web server and the VIPsports member’s browser is encrypted and message integrity checks are performed until the SSL session expires. The VIPsports SSL handshake creates a session during which the handshake needs to happen only once.
The following high-level events take place during the VIPsports SSL handshake:
- The VIPsports member’s Web browser and the VIPsports Web server exchange X.509 certificates to prove their identity. This exchange may optionally include an entire certificate chain, up to some root certificate. Certificates are verified by checking validity dates and verifying that the certificate bears the signature of a trusted certificate authority.
- The VIPsports member’s Web browser randomly generates a set of keys that will be used for encryption and calculating MACs. The keys are encrypted using the server’s public key and securely communicated to the server. Separate keys are used for member-to-server and server-to-member communications, for a total of four keys.
- A message encryption algorithm (for encryption) and a hash function (for integrity) are negotiated. In VIPsports’ SSL implementation, the member presents a list of all the algorithms it supports, and the VIPsports server selects the strongest cipher available. VIPsports retains the ability to turn particular ciphers on and off.

SSL is an industry-standard protocol that makes substantial use of public-key technology. SSL is widely deployed over the public Internet in the form of SSL-capable servers and clients from the leading vendors, including Microsoft, IBM, Spyglass, Netscape and Open Market. All applications used and supported by the VIPsports Web site will incorporate SSL to provide advanced security services. SSL provides three fundamental security services, all of which use public-key techniques:
| Service | Underlying Technology | Protection Against |
| --- | --- | --- |
| Message privacy | Encryption | Eavesdroppers |
| Message integrity | Message authentication codes | Vandals |
| Mutual authentication | X.509 certificates | Impostors |

Microsoft is pursuing an effort to create a single standard for the transfer of secure business and personal communications over insecure phone lines. A central component of this effort is to develop a method of authentication. Encryption and authentication go hand-in-hand in a secure Internet environment. Each, though distinctly different, plays an important role in allowing users to pass information that is unreadable except by the intended recipient and in verifying the identity of the sender.
Authentication in a digital setting is a process whereby the receiver of a digital message can be confident of the identity of the sender and/or the integrity of the message. Authentication protocols are based on public-key cryptosystems from RSA. In public-key systems, authentication uses digital signatures, which are the equivalent of handwritten signatures for printed documents. The signature is an unforgeable piece of data asserting that a named person wrote or otherwise agreed to the document on which the signature appears. The recipient, as well as a third party, can verify both that the document did indeed originate from the person who signed it and that the document has not been altered since it was signed. A secure digital signature system thus consists of two parts:
- A method of signing a document so that forgery is infeasible, and
- A method of signature verification.

Furthermore, secure digital signatures cannot be repudiated; that is, the signer of a document cannot later disown it by claiming it was forged, since each digital signature is registered with a so-called Certificate Authority (CA).
Recently, Microsoft created Transport Layer Security (TLS). This specification starts with Netscape’s SSL version 3.0 and adds features from Microsoft’s PCT version 2.0 based on feedback from cryptographers and implementers. It is intended to provide a simpler and more robust implementation than SSL or PCT, with added scalability, improved security, and the additional functionality needed for wider application of the specification.
As the TLS protocol is fully developed and integrated into Microsoft’s current Internet product offering, VIPsports will adhere to these newer, more robust standards.
  
In practice, both symmetric-key and public-key techniques are used in popular security protocols such as SSL because symmetric-key algorithms tend to be much faster than public-key algorithms. To communicate securely and quickly, here is what VIPsports will do:
- The VIPsports member generates a random number (key) that will be used for actually encrypting the message being sent to VIPsports.
- The member encrypts the random number (key) with VIPsports’ public key.
- VIPsports decrypts the random number with its private key. Now VIPsports can encrypt and decrypt messages with a secret shared only with that particular member.
- Once a secure session has been established between VIPsports and the VIPsports member, ALL information transferred between the member’s Web browser and the VIPsports server is encrypted and secure and cannot be ‘listened to’, intercepted, or altered.

In reality, most security protocols are much more complicated than this, but the four-step process above is illustrative of security fundamentals. SSL is an excellent example of a security protocol that uses these techniques to safeguard communications.
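The four-step process above, carried through end to end as an added example. This is illustrative code written for this page, not VIPsports’ software or any SSL implementation: it assumes a toy RSA key pair built from two small Mersenne primes in place of the server’s real key, an HMAC-SHA256 counter-mode keystream in place of a negotiated cipher, and a fixed nonce and constructed message for reproducibility. It also shows the two handshake details from the earlier list, four separate keys (one encryption and one MAC key per direction) and the integrity check that rejects an altered record.

```python
import hashlib
import hmac
import secrets

# Toy RSA key pair standing in for the VIPsports server key (assumption for this
# example). Two Mersenne primes give a ~92-bit modulus so the arithmetic stays
# visible; a real server key is 2048 bits or more and uses OAEP padding.
SERVER_P, SERVER_Q, SERVER_E = (1 << 31) - 1, (1 << 61) - 1, 65537
SECRET_LEN = 10   # bytes; must encode to an integer smaller than the toy modulus
NONCE_LEN = 12
DIRECTIONS = ("member->server enc", "member->server mac",
              "server->member enc", "server->member mac")

def make_server_keypair(p=SERVER_P, q=SERVER_Q, e=SERVER_E):
    """Returns ((n, e), (n, d)); d is the private exponent only the server knows."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def wrap_session_secret(server_pub, secret):
    """Step 2: the member encrypts its random secret with the server's public key."""
    n, e = server_pub
    m = int.from_bytes(secret, "big")
    if m >= n:
        raise ValueError("secret too large for this toy modulus")
    return pow(m, e, n)

def unwrap_session_secret(server_priv, wrapped):
    """Step 3: the server recovers the secret with its private key."""
    n, d = server_priv
    return pow(wrapped, d, n).to_bytes(SECRET_LEN, "big")

def derive_direction_keys(secret):
    """Four keys from one secret: separate encryption and MAC keys per direction."""
    return {label: hmac.new(secret, label.encode(), hashlib.sha256).digest()
            for label in DIRECTIONS}

def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a toy stream cipher (not a standard cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def seal(enc_key, mac_key, nonce, plaintext):
    """Step 4 (sending): encrypt, then append a MAC over nonce and ciphertext."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_record(enc_key, mac_key, record):
    """Step 4 (receiving): check the MAC first; return None if the record was altered."""
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

def run_session(secret=None, message=b"wager: 10 on team A"):
    """Walks the four steps and returns what each side observed."""
    server_pub, server_priv = make_server_keypair()
    secret = secret or secrets.token_bytes(SECRET_LEN)            # step 1
    wrapped = wrap_session_secret(server_pub, secret)             # step 2
    server_secret = unwrap_session_secret(server_priv, wrapped)   # step 3
    member_keys = derive_direction_keys(secret)
    server_keys = derive_direction_keys(server_secret)
    record = seal(member_keys["member->server enc"], member_keys["member->server mac"],
                  bytes(NONCE_LEN), message)                      # fixed nonce: demo only
    tampered = bytearray(record)
    tampered[NONCE_LEN] ^= 0x01                                   # one ciphertext bit flipped in transit
    recv = lambda rec: open_record(server_keys["member->server enc"],
                                   server_keys["member->server mac"], rec)
    return {"secrets_match": server_secret == secret,
            "received": recv(record),
            "tampered_received": recv(bytes(tampered))}

if __name__ == "__main__":
    print(run_session())
```

The member-direction record cannot be opened with the server-direction keys, which is the point of keeping four keys: a message replayed back at its sender fails the MAC check rather than being accepted.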
Private-Key cryptography 
Symmetric-key or private-key cryptography uses the same key to encrypt and decrypt messages, and its advantage is speed. This is a familiar real-world phenomenon: we use the same key to unlock and lock our car doors, for instance. The problem with symmetric-key cryptography is having the sender and receiver agree on a secret key without anyone else finding out. The current methods for achieving this are using telephone or fax machines, mailing a floppy disk, or using a courier, but all of these are cumbersome, slow and error-prone techniques. In addition, the number of keys tends to be much larger than the number of nodes; that is, people may have multiple keys they use for different purposes.
A major disadvantage of private key cryptography, however, is key management, since each pair of individuals who wish to communicate must have a unique shared key. For example, for VIPsports to use private key encrypted communication, each VIPsports member would need a separate private key to keep account data and transactions secure (using the same private key with all of VIPsports’ members would allow each member to access other members’ account information).
Public-Key cryptography 
Public-key cryptography was invented to solve the problem inherent in private key cryptography described above. With public-key cryptography, each person gets a pair of keys, a public key and a private key. Each person’s public key is published, while the private key is kept secret. For example, when a member wishes to establish a secure connection to the VIPsports Web site, the member encrypts the connection using VIPsports’ public key. When VIPsports receives the message, VIPsports decrypts it using the VIPsports private key. The member and VIPsports no longer have to share secret information before secure communication is possible.
In other words, each key actually consists of two parts: an encryption half (the "public key") and a decryption half (the "private key," which unlocks data encrypted with the matching public key). This fail-safe system allows a more convenient key distribution method: members wishing to communicate with VIPsports can use the VIPsports public key. Moreover, intruders cannot use an intercepted public key to decrypt files. The downside is that public key cryptosystems are typically slower than private ones.
Public-key cryptosystems are based on trapdoor one-way functions. A one-way function is a mathematical function that is significantly easier to perform in one direction (the forward direction) than in the inverse direction. One might, for example, compute the function in minutes but only be able to compute the inverse in months or years. A trapdoor one-way function is a one-way function where the inverse direction is easy if you know a certain piece of information (the trapdoor), but is difficult otherwise. The public key gives information about the particular instance of the function; the private key gives information about the trapdoor. Whoever knows the trapdoor can perform the function easily in both directions, but anyone not knowing the trapdoor can perform the function only in the forward direction. The forward direction is used for encryption and signature verification; the inverse direction is used for decryption and signature generation.
In almost all public-key systems, the larger the key, the greater the difference between the efforts necessary to compute the function in the forward and inverse directions. For a digital signature to be secure for years, for example, it is necessary to use a trapdoor one-way function with inputs great enough that someone without the trapdoor would need many years to compute the inverse function. Despite the improbability of breaking the VIPsports algorithm, the VIPsports cryptosystem has an additional layer of security which mandates that all digital keys expire after one year.
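The two preceding paragraphs, made concrete with the RSA function as an added example (this is illustrative code for this page, not VIPsports’ cryptosystem). It assumes textbook RSA on deliberately tiny moduli: the forward direction is one modular exponentiation with the public key, the inverse direction is the same operation with the private exponent, and the trapdoor is the factorisation of the modulus. Without the trapdoor the only route shown is to recover the factors by trial division, and counting the candidates tried as the modulus grows shows the widening gap between the two directions that the text describes. The prime pairs are constructed for the demonstration.

```python
E = 65537   # public exponent used throughout (assumption: same as common practice)

def forward(x, public_key):
    """Forward direction: cheap for anyone holding (n, e).
    This is the operation used for encryption and signature verification."""
    n, e = public_key
    return pow(x, e, n)

def inverse_with_trapdoor(y, n, p, q, e=E):
    """Inverse direction with the trapdoor (the factors p and q): derive d, then one
    exponentiation. This is the operation used for decryption and signing."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(y, d, n)

def factor_by_trial_division(n):
    """Inverse direction without the trapdoor: recover the factors by brute force.
    Returns (p, q, candidates_tried). Feasible here only because n is tiny."""
    tries, f = 0, 3
    while f * f <= n:
        tries += 1
        if n % f == 0:
            return f, n // f, tries
        f += 2
    return None, None, tries

def inverse_without_trapdoor(y, n, e=E):
    """Rebuild the trapdoor by factoring, then invert. The cost is the factoring."""
    p, q, _ = factor_by_trial_division(n)
    return inverse_with_trapdoor(y, n, p, q, e)

def effort_by_key_size(prime_pairs):
    """For each (p, q): modulus size in bits and the trial divisions an attacker
    without the trapdoor needs. Returns a list of (bits, candidates_tried)."""
    return [((p * q).bit_length(), factor_by_trial_division(p * q)[2])
            for p, q in prime_pairs]

if __name__ == "__main__":
    p, q = 10007, 10009                      # constructed toy primes
    n = p * q
    y = forward(12345, (n, E))
    print("forward:", y)
    print("inverse with trapdoor:", inverse_with_trapdoor(y, n, p, q))
    print("inverse without trapdoor:", inverse_without_trapdoor(y, n))
    for bits, tries in effort_by_key_size([(101, 103), (1009, 1013), (10007, 10009)]):
        print(f"{bits}-bit modulus: {tries} trial divisions")
```

The forward direction costs the same handful of multiplications at every size in the table, while the attacker’s work roughly doubles with every two extra bits of modulus; real keys are thousands of bits, which is why the text can speak of inverse computations taking years.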
   
VIPsports utilizes certificate authentication services and Digital IDs from Verisign, the leading provider of digital authentication services and products for electronic commerce and other forms of secure communications.
A Digital ID binds a person's or company's identity to a digital key which can be used to conduct secure communications or transactions. This binding is accomplished through a strict assurance process conducted by a trusted third party which also electronically signs the Digital ID so that parties accepting it in a transaction have confidence in its origin. The Digital ID can then be attached to electronic transactions and communications as the critical authentication component.
Verisign will verify the authenticity of each certificate request (making sure requesters are who they claim to be). The approval process helps protect VIPsports Members, VIPsports, and Verisign. Upon approval, Verisign digitally signs the request and returns the unique digitally signed certificate to VIPsports.