Website Security
Security is an area that is critical to the success of commercial transactions on the Internet. This is a serious topic, and Gameday takes it seriously.
We have considered a wide range of potential areas of concern and deployed effective technologies to counter those who wish to attack or damage our systems. Through multiple layers of encryption and account verification, our Members can communicate with our software safely and without interruption.
Gameday has adopted the following security creed as the basis for system development and account activity management: "Never underestimate the amount of effort a hacker will expend to break our code and infiltrate our system." Although Gameday is confident in the security built into the design of our system, Gameday will continue to evaluate system security on an ongoing basis, since both Internet security technologies and, unfortunately, code-breaking and hacking techniques continue to advance.
Gameday is aware that attacks on our Web site are inevitable, and we use advanced technologies to prevent them from succeeding.
If more information is necessary to fully explain the safety of our system, feel free to e-mail us at support@GameDayCasino.com with specific questions.
Secure Sockets Layer (SSL)
The SSL protocol operates between the application layer and the transport (TCP/IP) layer. This placement allows SSL to encrypt the data stream itself, establishing a secure transmission channel for any Internet application, independent of the application protocol. SSL and S-HTTP are not, however, mutually exclusive: because they operate at different levels, the two protocols could be layered to encrypt the data twice.
In addition to a secure data pipe, SSL allows us to authenticate the identity of the Gameday server for each session, and of the Gameday member, using RSA's system of digital signatures. SSL also assigns an identifier to each secure session. This session ID, which is cached by both parties, allows a Gameday member and the Gameday server that previously established an SSL connection to re-establish a secure channel without repeating the entire handshake.
The Gameday SSL handshake has been designed to make its security services as transparent as possible to Gameday members. Typically, a Gameday member clicks a link or a button on a page that connects to the Gameday SSL-capable server. The Gameday SSL Web server accepts SSL connection requests on a different port (port 443 by default) than standard HTTP requests (port 80 by default). When the member's Web browser connects to this port, it initiates a handshake that establishes the SSL session. After the handshake finishes, communication between the Gameday SSL-enabled Web server and the member's browser is encrypted, and message integrity checks are performed, until the SSL session expires. The handshake needs to happen only once per session.
The following main events take place during the Gameday SSL handshake:
The Gameday member's Web browser and the Gameday server exchange X.509 certificates to prove their identity. This exchange may optionally include an entire certificate chain, up to some root certificate. Certificates are verified by checking their validity dates, verifying that each certificate bears the signature of a trusted certificate authority, and confirming that the name in the server's certificate matches the host the browser intended to reach.
The Gameday member's Web browser randomly produces a set of keys that will be used for encryption and for calculating MACs. The keys are encrypted using the server's public key and securely communicated to the server. Separate keys are used for member-to-server and server-to-member traffic, an encryption key and a MAC key in each direction, for a total of four keys.
A message encryption algorithm (for privacy) and a hash function (for integrity) are negotiated. In the Gameday SSL implementation, the member's browser presents a list of all the algorithms it supports, and the Gameday server selects the strongest cipher suite that both sides support. Gameday retains the ability to turn particular ciphers on and off.
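Worked example (added here; not code from the original page or from Gameday's system): the three certificate checks just listed, run against a throwaway private CA built with Go's standard library. The CA name, the hostnames www.gameday.example and login.gameday.example, and the four scenarios are constructed for the example. A browser performs the same checks; the host-name match is the one that stops a perfectly valid certificate for some other site from being presented as Gameday's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a certificate template; a CA gets the CertSign usage, a server
// certificate is bound to its DNS name and restricted to server authentication.
func newTemplate(serial int64, name string, notBefore, notAfter time.Time, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs template with parentKey; with parent == nil the certificate is self-signed.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a failure here is a mistake in the example itself
	}
	signer := key
	if parent == nil {
		parent = template
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyServerCert runs the checks the handshake description lists: the signature chains
// to a trusted root, the validity period covers now, and the certificate's name matches the
// host the member meant to reach. The result names the check that failed, if any.
func VerifyServerCert(leaf, trustedRoot *x509.Certificate, host string) string {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch err.(type) {
	case nil:
		return "accepted"
	case x509.CertificateInvalidError: // validity dates, basic constraints and similar
		return "rejected: " + err.Error()
	case x509.UnknownAuthorityError:
		return "rejected: not signed by a trusted CA"
	case x509.HostnameError:
		return "rejected: name does not match host"
	}
	return "rejected: " + err.Error()
}

// RunChecks builds a throwaway private CA plus a good, an expired and an impostor's
// self-signed server certificate, then verifies each the way a browser would.
func RunChecks() map[string]string {
	const host = "www.gameday.example" // constructed hostname for the example
	now, year := time.Now(), 365*24*time.Hour
	root, rootKey := issue(newTemplate(1, "Example Root CA", now.Add(-time.Hour), now.Add(10*year), true), nil, nil)
	good, _ := issue(newTemplate(2, host, now.Add(-time.Hour), now.Add(year), false), root, rootKey)
	expired, _ := issue(newTemplate(3, host, now.Add(-2*year), now.Add(-year), false), root, rootKey)
	rogue, _ := issue(newTemplate(4, host, now.Add(-time.Hour), now.Add(year), false), nil, nil)
	return map[string]string{
		"valid certificate, right host": VerifyServerCert(good, root, host),
		"valid certificate, wrong host": VerifyServerCert(good, root, "login.gameday.example"),
		"expired certificate":           VerifyServerCert(expired, root, host),
		"impostor's self-signed cert":   VerifyServerCert(rogue, root, host),
	}
}

func main() { fmt.Println(RunChecks()) }
```

Only the first scenario is accepted. The impostor's certificate carries the right host name and valid dates, and is rejected solely because its signature does not chain to the trusted root; the expired one is rejected before the chain is even built.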
SSL is an industry-standard protocol that uses public-key technology. SSL is widely used over the public Internet in the form of SSL-capable servers and clients from leading vendors including Microsoft, IBM, Spyglass, Netscape and Open Market. All applications used and supported by the Gameday Web site will incorporate SSL to provide advanced security. SSL provides three fundamental security services, each built on public-key techniques:
| Service | Underlying Technology | Protection Against |
| --- | --- | --- |
| Message privacy | Encryption | Eavesdroppers |
| Message integrity | Message authentication code | Vandals (tampering in transit) |
| Mutual authentication | X.509 certificates | Impostors |
Microsoft is pursuing an effort to create a single standard for the transfer of secure business and personal communications over telephone lines. A central issue is to create a method of authentication. Encryption and authentication go hand in hand in a secure Web environment: each plays a role in allowing users to pass information that is readable only by the intended receiver and in confirming the identity of the sender.
Authentication is a process by which the receiver of a message can be confident of the identity of the sender and/or the legitimacy of the message. Authentication protocols are based on public-key cryptosystems such as RSA. In public-key systems, digital signatures are used for authentication; they are the equivalent of handwritten signatures on printed documents. The signature is a unique piece of data asserting that a named person wrote or agreed to the document on which the signature appears. The recipient, as well as a third party, can verify that the document did indeed originate from the individual who signed it and that the document has not been altered since it was signed. A digital signature system therefore consists of two parts:
- A method of signing documents so that forgery is infeasible, and
- A method of verifying signatures.
Furthermore, secure digital signatures support non-repudiation: the signer of a document cannot later plausibly deny it by claiming it was forged, because only the holder of the private key could have produced the signature, and the certificate issued by a Certificate Authority (CA) binds that key to the signer's identity.
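An added example, not part of the original page and not Gameday's code: signing and verifying in Go with RSA-PSS over a SHA-256 digest. The page does not say which signature scheme Gameday uses, so RSA-PSS is a stand-in, and the transfer instruction is a constructed sample. The verifier uses nothing but the public key, which is why the recipient or any third party can check the signature, and why the signer cannot credibly deny it afterwards.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign produces the signer's signature over document. Only the holder of the
// private key can compute it, which is what makes later denial implausible.
func Sign(priv *rsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify needs only the public key, so the recipient and any third party
// can check the signature and confirm the document is unaltered.
func Verify(pub *rsa.PublicKey, document, sig []byte) bool {
	digest := sha256.Sum256(document)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Outcome records what a verifier concludes in each of three cases.
type Outcome struct {
	Genuine       bool // the original document with the member's signature
	Altered       bool // the amount changed after signing, same signature
	ForgedByOther bool // another party's signature passed off as the member's
}

// Demonstrate signs a constructed instruction and checks the three cases.
func Demonstrate() (Outcome, error) {
	member, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	document := []byte("transfer 100 credits from account 1234 to account 5678") // constructed sample
	sig, err := Sign(member, document)
	if err != nil {
		return Outcome{}, err
	}
	altered := []byte("transfer 900 credits from account 1234 to account 5678")
	forged, err := Sign(impostor, document)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		Genuine:       Verify(&member.PublicKey, document, sig),
		Altered:       Verify(&member.PublicKey, altered, sig),
		ForgedByOther: Verify(&member.PublicKey, document, forged),
	}, nil
}

func main() {
	o, err := Demonstrate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v altered=%v forged=%v\n", o.Genuine, o.Altered, o.ForgedByOther)
}
```

Only the genuine case verifies. Changing a single digit of the document, or substituting a signature made with anyone else's key, fails the check, which is the "forgery is infeasible" half of the system in practice.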
Transport Layer Security (TLS) was standardized by the IETF. The specification starts with Netscape's SSL version 3.0 and adds features from Microsoft's PCT version 2.0, based on feedback from cryptographers and implementers. It is intended to provide a simpler and more robust implementation than SSL or PCT, with added scalability, improved security, and the additional functionality needed for wider application of the specification.
As the TLS protocol is fully working and integrated into Microsoft's current Internet offering, Gameday will adopt these newer, more robust standards.
Both symmetric-key and public-key techniques are used in popular security protocols such as SSL: public-key algorithms solve the key-distribution problem, while symmetric-key algorithms, which are usually much faster, carry the bulk of the traffic.
- The Gameday member generates a random number (the session key) that will be used for encrypting the messages sent to Gameday.
- The member encrypts this random number (key) with Gameday's public key and sends it to Gameday.
- Gameday recovers the random number with its private key. Now Gameday can encrypt and decrypt messages with a secret shared only with that particular member.
- Once a session has been established between Gameday and the member, all information transferred between the member's Web browser and the Gameday server is encrypted and integrity-protected: an eavesdropper cannot read it, and any alteration in transit is detected.
This process is also fast, which is in the interest of the Gameday customer.
In real life, most secure protocols are considerably more complicated than this, but the four-step process above is a good illustration of the fundamentals. SSL is an excellent example of a security protocol that uses these techniques to safeguard communications.
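The four steps above as a working exchange in Go, added here and not code from Gameday or the original page. RSA-OAEP carries the session key and AES-GCM protects the records; the SSL cipher suites of the page's era are different, so these are modern stand-ins, and the bet message is a constructed sample. The last step also shows what "cannot be altered" means in practice: the alteration does go through on the wire, but the receiver detects it and rejects the record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Steps 1 and 2: the member draws a random session key and seals it with the
// server's public key (RSA-OAEP), so only the server's private key can recover it.
func MemberKeyTransport(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32) // 256-bit AES key
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// Step 3: the server unwraps the session key with its private key.
func ServerUnwrap(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
}

// Step 4: records are protected with the shared key using AES-GCM, which encrypts and
// authenticates in one pass. A fresh random nonce is prepended to every record.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails if even one bit of the record was changed in transit.
func Open(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short to hold a nonce")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Result reports what the server read and whether a modified record was caught.
type Result struct {
	ServerRead     string
	TamperDetected bool
}

// RunSession walks through the four steps, then plays an attacker who flips one
// bit of a record on the wire and shows that the server rejects it.
func RunSession() (Result, error) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	memberKey, wrapped, err := MemberKeyTransport(&serverKey.PublicKey)
	if err != nil {
		return Result{}, err
	}
	serverSessionKey, err := ServerUnwrap(serverKey, wrapped)
	if err != nil {
		return Result{}, err
	}
	record, err := Seal(memberKey, []byte("PLACE BET table=7 amount=25")) // constructed sample message
	if err != nil {
		return Result{}, err
	}
	plain, err := Open(serverSessionKey, record)
	if err != nil {
		return Result{}, err
	}
	tampered := append([]byte(nil), record...)
	tampered[len(tampered)-1] ^= 0x01 // one bit changed in transit
	_, tamperErr := Open(serverSessionKey, tampered)
	return Result{ServerRead: string(plain), TamperDetected: tamperErr != nil}, nil
}

func main() { fmt.Println(RunSession()) }
```

The slow public-key operation happens exactly once, to move the session key; everything after that is symmetric, which is the speed argument the page makes. Note that the server learns the key only because it holds the private half; an eavesdropper who captures the wrapped key gets nothing useful.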
Private-Key cryptography
Symmetric-key or private-key cryptography uses the same key to encrypt and decrypt messages, and its advantage is speed. This is a familiar real-world arrangement: we use the same key to lock and unlock our car doors, for example. The problem with symmetric-key cryptography is having the sender and receiver agree on the secret key without anyone else finding out. The traditional methods for doing this are the telephone or fax, mailing a floppy disk, or using a courier, but all of these are slow and error-prone. In addition, the number of keys grows much faster than the number of communicating parties, since every pair needs its own key.
A major disadvantage of private-key cryptography, therefore, is key management, since each pair of parties that wishes to communicate must share a unique key. For example, for Gameday to use private-key encrypted communication, each Gameday member would need a separate key to keep account data and transactions secure (using the same key with all Gameday members would allow each member to read other members' account information).
Public-Key cryptography
Public-key cryptography solves the key-distribution problem inherent in private-key cryptography described above. With public-key cryptography, each party gets a pair of keys, a public key and a private key. Each party's public key is published, while the private key is kept secret. For example, when a member wants to establish a secure connection to the Gameday Web site, the member encrypts the session key for that connection using Gameday's public key. When Gameday receives the message, it decrypts the session key using Gameday's private key. The member and Gameday no longer have to share secret information before secure communication is possible.
In other words, each key pair consists of two parts: an encryption half (the "public key") and a decryption half (the "private key", which unlocks data encrypted with the matching public key). This arrangement allows a more convenient key distribution method: members wishing to communicate with Gameday simply use Gameday's public key. Moreover, intruders cannot use an intercepted public key to decrypt data. The downside is that public-key cryptosystems are typically much slower than private-key ones.
Public-key cryptosystems are based on 'trapdoor' 'one-way' functions. A one-way function is a mathematical function that is significantly easier to compute in one direction (the forward direction) than in the inverse direction. One might, for example, compute the function in minutes but only be able to compute the inverse in months or years. A trapdoor one-way function is a one-way function whose inverse is easy to compute if you know a certain piece of information (the trapdoor), but difficult without it. The public key gives information about the particular instance of the function; the private key gives information about the trapdoor.
In almost all public-key systems, the larger the key, the greater the difference between the effort needed to compute the function in the forward direction and in the inverse direction. For a digital signature to remain secure for years, for example, it is necessary to use a trapdoor one-way function with inputs large enough that someone without the trapdoor would need many years to compute the inverse. Despite the improbability of breaking the Gameday algorithm, the Gameday cryptosystem has an additional layer of security which mandates that all digital keys expire after one year.
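Worked example (added here; not Gameday's code or anything from the original page) of the trapdoor one-way function behind RSA, in Go with math/big. The forward direction uses only the public key (n, e); the inverse uses the trapdoor d; and without d the attacker's route is to factor n. The code runs that attack by trial division against a toy 32-bit modulus built from the constructed primes 65519 and 65521, where it succeeds in a fraction of a second, and against a 2048-bit modulus from two random 1024-bit primes, where the same budget finds nothing. That gap, growing with key size, is the point of the paragraph above.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Forward is the easy direction of the RSA trapdoor function: c = m^e mod n.
// It needs only the public key (n, e).
func Forward(n, e, m *big.Int) *big.Int { return new(big.Int).Exp(m, e, n) }

// Inverse is easy too, but only with the trapdoor d: m = c^d mod n.
func Inverse(n, d, c *big.Int) *big.Int { return new(big.Int).Exp(c, d, n) }

// RecoverTrapdoor is the attacker's route: try to factor n by trial division
// within a budget of candidate divisors, then derive d from p and q.
func RecoverTrapdoor(n, e *big.Int, budget int) (*big.Int, error) {
	one := big.NewInt(1)
	p, rem := big.NewInt(2), new(big.Int)
	for i := 0; i < budget; i++ {
		if rem.Mod(n, p).Sign() == 0 {
			q := new(big.Int).Div(n, p)
			phi := new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
			if d := new(big.Int).ModInverse(e, phi); d != nil {
				return d, nil
			}
			return nil, errors.New("e has no inverse mod phi(n)")
		}
		p.Add(p, one)
	}
	return nil, errors.New("no factor found within budget: the trapdoor stays hidden")
}

// ToyModulus is a deliberately tiny 32-bit modulus from the twin primes 65519 and 65521
// (constructed for the example; never use keys anywhere near this size).
func ToyModulus() *big.Int {
	return new(big.Int).Mul(big.NewInt(65519), big.NewInt(65521))
}

// RealModulus builds a 2048-bit modulus from two random 1024-bit primes.
func RealModulus() (*big.Int, error) {
	p, err := rand.Prime(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	q, err := rand.Prime(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	return new(big.Int).Mul(p, q), nil
}

func main() {
	e, m, budget := big.NewInt(65537), big.NewInt(123456), 100000
	toy := ToyModulus()
	if d, err := RecoverTrapdoor(toy, e, budget); err == nil {
		fmt.Println("toy key: trapdoor recovered, inverse works:", Inverse(toy, d, Forward(toy, e, m)).Cmp(m) == 0)
	}
	big2048, err := RealModulus()
	if err != nil {
		panic(err)
	}
	_, err = RecoverTrapdoor(big2048, e, budget)
	fmt.Println("2048-bit key:", err)
}
```

Trial division is the crudest attack there is; real factoring algorithms do far better, but they still scale badly enough with the size of n that a 2048-bit modulus is out of reach, which is exactly what choosing a large key buys.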
Gameday uses certificate authentication services and digital IDs from Verisign, a leading provider of digital authentication services for electronic commerce and other forms of highly secure communications. A digital ID binds a person's or company's identity to a digital key which can be used to conduct secure communications or transactions. This binding is achieved through a careful assurance process conducted by a trusted third party, which also electronically signs the Digital ID so that parties accepting it in a transaction can trust its origin. The Digital ID can be attached to electronic transactions or communications as the critical authentication component. Verisign validates the authenticity of each certificate request, and this approval process helps protect Gameday members. On approval, Verisign digitally signs the request and returns the certificate to Gameday.
Copyright © 1998-2005 GameDay