Two months ago, while the Store module was in the release tracker, Brandon Haynes from the Core Team conducted a security review. Brandon is well aware of security risks, PCI compliance and CWE rules. His helpful advice has revealed some possible security holes. Thanks again, Brandon, for your hard work!
One of his recommendations concerned cookie encryption. Currently only the order ID and the cart ID are stored in a session cookie. This is not a real security breach, but it violates some CWE rules: an attacker can forge a cookie and try to access the cart content of someone else. The cart ID is a GUID generated by the .Net framework when a visitor adds the first product to his cart. Even if it is difficult to discover a valid cart ID, it is more secure to encrypt it. Concerning the order number, no one (except an Admin) can access orders from someone else; but exposing this value could be a limitation if a PCI security audit is conducted.
First I looked at the PortalSecurity class from the DotNetNuke.Security namespace; two methods allow you to manage encryption, Encrypt(string strKey, string strData) and Decrypt(string strKey, string strData). The main drawback of those methods is the encryption algorithm used. Many applications, including DotNetNuke, use the DES algorithm to encrypt sensitive data, while it is well known that this algorithm can be easily broken. This is not really a problem for most web sites, but again it could be a limitation in case of a PCI security audit.
The .Net framework provides several classes to cover encryption needs. They are of three kinds: hash, symmetric and asymmetric. The Store encryption helper class covers only symmetric algorithms. Given that the Store module requires strong encryption, I wrote a class to facilitate the use of these algorithms. Using an encryption algorithm is never really easy and requires a general understanding of how it works, because misusing such an algorithm may expose you to security holes while you expect to be protected by encryption.
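As an added illustration (this is not the Store module's SymmetricHelper, and the class name, method names and key parameters are hypothetical), here is what protecting the cart ID cookie looks like with a strong symmetric algorithm instead of DES: AES-CBC with a fresh random IV, plus an HMAC-SHA256 tag so that a forged or modified cookie is rejected before anything is decrypted. It assumes .NET 3.5 or later (Aes.Create and LINQ) and that encKey is 16, 24 or 32 bytes and macKey at least 32 bytes, both loaded from protected configuration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

public static class CartCookieProtector
{
    // Hypothetical helper, not the Store module's code. Keys are parameters so the class stays testable;
    // in a real site they come from protected configuration and are never hard-coded.
    public static string Protect(Guid cartId, byte[] encKey, byte[] macKey)
    {
        using (Aes aes = Aes.Create())                          // AES-CBC with PKCS7 padding by default
        {
            aes.Key = encKey;
            aes.GenerateIV();                                   // fresh random IV for every cookie issued
            byte[] plain = cartId.ToByteArray(), cipher;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            byte[] ivAndCipher = aes.IV.Concat(cipher).ToArray();
            using (HMACSHA256 hmac = new HMACSHA256(macKey))   // tag over IV + ciphertext (encrypt-then-MAC)
                return Convert.ToBase64String(ivAndCipher.Concat(hmac.ComputeHash(ivAndCipher)).ToArray());
        }
    }

    // Returns false for anything we did not issue: malformed, truncated, forged or tampered values.
    public static bool TryUnprotect(string cookieValue, byte[] encKey, byte[] macKey, out Guid cartId)
    {
        cartId = Guid.Empty;
        byte[] blob;
        try { blob = Convert.FromBase64String(cookieValue ?? ""); } catch (FormatException) { return false; }
        if (blob.Length < 16 + 32 + 32) return false;          // IV + padded GUID + HMAC-SHA256 tag
        byte[] ivAndCipher = blob.Take(blob.Length - 32).ToArray(), tag = blob.Skip(blob.Length - 32).ToArray();
        byte[] expected;
        using (HMACSHA256 hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(ivAndCipher);
        int diff = 0;                                           // constant-time comparison of the two tags
        for (int i = 0; i < 32; i++) diff |= expected[i] ^ tag[i];
        if (diff != 0) return false;                            // reject before any decryption takes place
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = ivAndCipher.Take(16).ToArray();
            using (ICryptoTransform dec = aes.CreateDecryptor())
                cartId = new Guid(dec.TransformFinalBlock(ivAndCipher, 16, ivAndCipher.Length - 16));
        }
        return true;
    }
}
```

The Base64 value can be written straight into the cookie; because the MAC is checked first, a visitor who edits or fabricates the cookie simply gets an empty cart rather than an exception or someone else's cart.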
In the next part we will see how symmetric algorithms work and what is required to use them. If you can't wait, download the class from the SVN repository at CodePlex. The SymmetricHelper class is full of comments, read them!
Gilles