Internet Security
1 POP3
What is POP3?
Post Office Protocol Version 3 (POP3) is the most commonly used protocol between
email clients and servers. A POP3 server stores a client’s email messages until the
client fetches them. POP3 users usually view messages in “offline” mode: from time
to time, the email client downloads messages to the local computer and disconnects
upon completion. Hence, email messages are only temporarily stored on the server.
When a message is downloaded, it is removed from the server automatically. In
“online” mode, the client stays connected to the server while the user is checking
email, and messages are read directly from the server. Popular email clients
supporting POP3 include Outlook, Outlook Express, Internet Explorer, Netscape
Messenger or Communicator, Eudora, Pegasus, NuPOP, Z-Mail and UNIX mail.
2 Cookies
What are cookies?
You may have seen some “customize the site” settings online. Every time you visit the
site again, you see a welcome message with your name on it. This may give you the
impression that the site is well managed. The technology behind the scenes is
“cookies”.
You can set your preferences when you first go to any of those “customizable” sites.
After you finish the settings, the server stores your preferences on your computer.
The Web site uses this piece of information, called a cookie, to recognize your next
visit and display your preferences accordingly.
Most browsers are set to accept cookies, but you can override the setting as you
need. In Internet Explorer 6, you can set up your preference according to the steps
below:
1. On the Internet Explorer Tools menu, click Internet Options (Figure 2.1).
Set up according to the explanation below:
From the description above, you may have already noticed that the use of cookies is
related to privacy and security. Actually, through cookies, all Web sites can obtain
certain information from your computer and use the information for promotion. If you
find ads popping up on your computer, you might have accepted some lousy cookies,
which subsequently installed some spyware.
Figure 2.1
3 Data Encryption
Methods of data encryption
Without encryption, sending information and email over the Internet is like sending
postcards: everybody can read the message without your permission. To make
things more secure, we encrypt the data before sending it; when the encrypted data
is received, the recipient decrypts it. During transfer, the message is transformed
into meaningless codes. Unless you can decode the message, you are not able to
read it.
How, then, do encryption and decryption work? During World War II, the telegram
was the main communication channel. Telegrams were classified as encrypted
telegrams and public telegrams. A public telegram uses a set of public rules to encode
the message into radio signals for sending; the recipient then uses the same rules to
decode it. An encrypted telegram instead uses a set of private rules to perform the
same process. Although the radio signal can be received by anyone, only the
designated recipient can restore the message. The restoration process thus became
an anti-spy mission. It is said that Japan did not use any telecommunication during
the Pearl Harbor attack. This was to avoid messages being intercepted by the
Americans, and it succeeded. However, the Japanese general was killed since the
Americans were able to decode their messages over radio.
Transferring information over the Internet without encryption is like using a public
telegram. However, we can still use an “encrypted telegram”: we can encrypt the data
using our own rule set and send the rule set to the recipient via a secure channel.
Data is more secure this way. This method of encryption is called Single/Symmetrical
Key Encryption.
That leads to another problem: what about sending information to over ten thousand
recipients? Maintaining the rule sets is clearly inefficient and time-consuming. In
addition, how do we perform the key exchange? If the key is captured during transfer
over the Internet, messages sent thereafter are not secure.
Based on Single Key Encryption technology, people developed another, more agile
encryption method called Double/Asymmetrical Key Encryption. With Asymmetrical
Key Encryption, everyone uses the same public key to encrypt messages, while the
recipient uses a different private key to decipher them. The unique relation between
the private key and the public key is best described below:
• I made a unique key and a public key. Then I hang the public key outside the
  house.
• A can is provided by the post office for transferring information. There is no lock
  on the can. If a friend wants to send me a message, he has to duplicate the key
  outside my house and use it to lock the can.
• Once the can is locked, only the private key I own can open it. Unless someone
  is an expert in “unlocking”, nobody can read the information inside the can.
This way, the sender and recipient do not have to exchange keys: everyone can
publish a public key on the network for others to download. People can then use
the public key to encrypt any message and send it to me. As the private key owner, I
can decode the message once it is received. With this method, keeping the private
key from being stolen is the most important task.
Application of encryption
As described above, you may have discovered the convenience and flexibility of
Asymmetrical Key Encryption, but it has a limitation: Asymmetrical Key Encryption
uses more computation power, i.e. it is not as efficient as Symmetrical Key
Encryption.
People are smart in using technologies: when you have to send a batch of
messages, use asymmetrical key encryption; when not in a large batch, use
symmetrical key encryption. This resolves the convenience and efficiency dilemma.
Nowadays, many servers / Web applications use a “hybrid” solution:
• When the client connects to the server, it downloads the public key.
• The client generates the session key using a stochastic method.
• The client encrypts the session key with the public key and sends it back to the
  server.
• Finally, the server uses the session key to encrypt data and starts the transfer.
The case above is only a simplified case demonstrating the fundamental concepts;
the actual operation is much more complicated.
Digital Signature
We can use a Digital Signature on the Internet as an identity. A Digital Signature is a
unique value: encryption is done using the user’s private key, and authentication is
done through the public key. We can then confirm the authenticity of the private key;
otherwise, the private key is deprecated. In other words, a digital signature is either
authentic or unreliable.
Encryption and Digital Signature
Traditional signatures on paper are clearly not applicable on the Internet. Readers
who have bought things online may not have used a digital signature in those
transactions. Online shopping today is still very insecure: without a signature or
phone verification, the bank still allows the transaction requested by the online shop.
If digital signatures were enforced, their “almost cannot be duplicated” nature could
secure online shopping: while you are shopping online with your credit card and
digital signature, the shop uses your credentials to request authorization from the
bank, and the bank grants the transaction only if there is no verification problem. This
prevents the credit card from being used by a third party and prevents bogus
transactions. The worst thing is that the public lacks a sense of network security, and
the bank, as the authority, ignores the risks and only looks for profits.
How to be “verified” online
To protect visitors, most Web sites nowadays use SSL (Secure Sockets Layer)
technology, developed by Netscape, to encrypt data. The technology works between
the application and transport layers in the OSI model and is thus not bound to any
particular protocol. To provide SSL service, support from both the server and the
browser is needed. SSL digital certificates are now issued by an American company
called VeriSign (http://www.verisign.com). To deploy SSL on a server, you must
register with VeriSign. You can also acquire a personal digital ID from the same
company. Other than VeriSign, you can apply for a personal ID from any authorized
organization, such as Thawte (http://www.thawte.com/html/RETAIL/index.html).
If you buy online, SSL ensures that your credit card information is not available to any
party other than the shop. If it is used together with a digital identity, more accurate
verification can be performed, and the transaction is therefore more secure.
We have learnt how to use encryption to protect our information over the Internet.
However, if our computer is hacked into and the passwords or keys are stolen, all our
effort will be in vain.
How do we secure the connection, then? We can eliminate unwanted connections.
The technology used to solve this problem is called a Firewall and will be covered in
later sections.
4 Public Key Infrastructure (PKI)
Public Key Infrastructure Technology
Public Key Infrastructure (PKI) is a widely accepted IT security framework based on
'Public Key Cryptography'. The Government has laid a solid foundation for
deployment of PKI through the enactment of the Electronic Transactions Ordinance
and the establishment of a public Certification Authority (CA) through the Hong Kong
Post.
Main Security Functions
PKI provides a management framework for enabling public key cryptography
deployment. Public key cryptography processes data with a pair of keys, which are
two distinct but corresponding computer codes. Encryption is done with one of the
key-pair and decryption is only possible with the use of the other key in the same pair.
One of the keys in the pair is kept by the owner as a personal secret and therefore
called 'private key'. The other key is publicly available, and hence called 'public key'.
Encryption is the means of PKI to ensure confidentiality. For instance, privacy of a
message sent via email can be protected by encrypting it with the use of the
recipient's public key. Since only the recipient's private key can decrypt the encrypted
message, one can ensure that nobody other than the intended recipient can read the
message.
For example,
1. John uses Mary's public key to encrypt the email and sends it to Mary.
2. Upon receiving the email, Mary decrypts the email with her own private key.
Digital signature is the means to ensure integrity, authenticity, and non-repudiation. A
digital signature is derived by applying a mathematical function to compute the
message digest of an electronic message or document, and then encrypting the
result of the computation with the use of the signer's private key. Recipient can verify
the digital signature with the use of the sender's public key.
For example,
1. John stamps his digital signature to the email by using his private key and then
sends the email to Mary.
2. Upon receiving the email, Mary verifies the digital signature in the email with John's
public key.
Taking email as an example, if a digitally signed email has not been tampered with
during the course of transmission (integrity), the digital signature will be valid as
verified by the recipient. Since the sender is the only person who has access to the
corresponding private key, once digital signature is verified valid, the recipient can be
certain that the email is indeed from the sender (authenticity); and the sender cannot
deny having signed the email (non-repudiation).
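The John-and-Mary exchange above, combined with the “hybrid” session-key scheme from the Data Encryption section, as an added Python example that is not part of the original page. To stay within the standard library it assumes toy primitives: textbook RSA built from fixed Mersenne primes and a SHA-256 keystream stand in for a real padded public-key scheme and a real symmetric cipher, and all function names and the sample email are constructed.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent

def make_keypair(p_exp, q_exp):
    """Toy RSA key pair from two Mersenne primes 2**k - 1 (constructed, insecure)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))    # private exponent
    return (n, E), (n, d)                # (public key, private key)

def keystream_xor(key, data):
    """Symmetric stand-in: XOR data with SHA-256(key || block offset)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def hybrid_encrypt(recipient_public, message):
    n, e = recipient_public
    session_key = secrets.token_bytes(16)                     # random session key
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)   # key under the public key
    return wrapped, keystream_xor(session_key, message)       # data under the session key

def hybrid_decrypt(recipient_private, wrapped, ciphertext):
    n, d = recipient_private
    session_key = pow(wrapped, d, n).to_bytes(16, "big")      # only the private key unwraps
    return keystream_xor(session_key, ciphertext)

def digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(signer_private, message):
    n, d = signer_private
    return pow(digest_int(message), d, n)    # message digest processed with the private key

def verify(signer_public, message, signature):
    n, e = signer_public
    return pow(signature, e, n) == digest_int(message)

def demo():
    mary_pub, mary_priv = make_keypair(521, 607)
    john_pub, john_priv = make_keypair(1279, 2203)
    email = b"Mary, the certificate request was sent to the CA today. John"  # constructed
    signature = sign(john_priv, email)                 # John signs with his private key
    wrapped, ciphertext = hybrid_encrypt(mary_pub, email)
    received = hybrid_decrypt(mary_priv, wrapped, ciphertext)
    tampered = received.replace(b"today", b"never")
    return (received == email,                         # Mary recovers the email
            verify(john_pub, received, signature),     # integrity and authenticity hold
            verify(john_pub, tampered, signature),     # altered text is rejected
            verify(mary_pub, received, signature))     # wrong public key is rejected

if __name__ == "__main__":
    print(demo())
```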
Certification Authorities and Digital Certificates
The effective operation of PKI very much depends on the support of CAs. The main
role of a CA is to act as a trusted third party to verify the identity of digital certificate
subscribers.
The subscriber can generate the public/private key pair through an application, for
example, a browser running on a workstation. The browser then automatically sends
the public key, together with a certificate request, to the CA server. The CA server
then creates and digitally signs the subscriber's certificate, subject to the positive
verification of the subscriber's identity, and sends one copy of the certificate to a
Directory Server and another copy to the subscriber. Upon receiving the certificate
copy, the subscriber can export it together with the generated keys to a token, such
as floppy diskette or smart card, for portability among PKI-enabled applications on
various platforms.
The Hong Kong Post is the first public recognized CA under the Electronic
Transactions Ordinance ("ETO") (Cap. 553), from whom any organization and
member of the public can buy digital certificates in Hong Kong. It has issued different
types of digital certificates such as e-Certs, Bank-Certs and Mobile e-Certs. There are
also other recognized CAs under the Electronic Transactions Ordinance such as the
Digi-Sign Certification Services Limited and the HiTRUST.COM (HK) Incorporated
Limited.
5 Two-Factor Authentication
What is two-factor authentication?
Two-Factor Authentication combines PKI with another authentication method into one
single process to increase security. This authentication method makes use of a
smart card. It can be used in different areas, including network authentication, system
authentication and entrance authentication. To use this method properly, we have to
understand how it works and its potential security problems. We are going to cover
these two topics in this section.
How does it work?
Public Key Infrastructure was introduced in the last section, so readers should know
a little about this technology. The “other authentication method” mentioned above can
be one of the following:
• Password: Every user has a password and a smart card. Upon every encryption,
  the user must present both “keys”. Because of its cost and scope of application,
  it is commonly adopted.
• Fingerprint / pupil: The user has to present the smart card and a fingerprint/pupil
  during authentication. Since the machine for authenticating a fingerprint/pupil
  requires very high accuracy, it costs much. As a result, this solution is only used
  in extreme security systems.
Security concern
There is no bullet-proof security solution in the world. To minimize the security risk,
we have to know the holes in each security system and take suitable measures. As
Two-Factor Authentication uses a smart card and another existing authentication
method, leakage of either of the two credentials can cause a certain level of security
risk. Most Two-Factor Authentication methods use a password as the other
authentication method, so leakage of the password leads to a security concern. You
may be familiar with the risks of password leakage; we sum up the points here for
your reference:
• Do not tell anyone your password.
• Use different passwords in different systems.
• Do not write your password down; even if you have written it down, do not carry
  it with you.
In addition to securing your password, you have to take care of the smart card as
well. Despite the advances in smart card technology and security, we cannot ignore
the jeopardy caused by data loss.
The private key in the smart card is actually some encrypted data stored in the card.
If the smart card is taken or duplicated, whoever holds it could get your information if
they also have your password. This is analogous to the loss of a credit card or debit
card. To avoid your card being stolen, do not lend your card to others.
Daily example: Smart ID
In Hong Kong, a cosmopolitan city, the government has announced the schedule of
Smart ID renewal. I believe that you have heard about the e-cert in the smart card.
This e-cert can serve as the public key in Two-Factor Authentication. When you use
your Smart ID for an online transaction, you must also enter your password; without
either of them, the process will fail. If you already have the Smart ID, you can go to
ESDLife (http://www.esdlife.com/) to try out Two-Factor Authentication.
6 Firewall
What is a firewall?
“Firewall” originates from a term in building construction, in which the word means
“structure used as a barrier to prevent the spread of fire”. A firewall in networking
guards your system from hazardous and insecure connections. There are two
common types of firewall: filter and proxy. If not specified, firewall refers to a filter.
From the perspective of security, a proxy is more secure than a filter: it only allows
selected connections and blocks everything else. It also shields the internal network
so that the internal network is transparent to the external network. In addition, a proxy
can be used to share a modem/ADSL connection by setting all internal computers to
use the Internet-connected computer as the proxy server. This could save you a lot
on the ISP bill.
The proxy firewall mainly acts as an agent. Proxies can be classified as application
proxies and SOCKS proxies. Proxy refers to an application proxy if not specified.
Firewall set-up
Following the operation described above, we can set rules to protect important
machines and only allow certain machines to access them. In other words, we can
block external hackers. However, some advanced hackers can break through the
firewall by attacking any of its security holes. For example, they may use a Denial of
Service (DoS) method to get past the “deny list”, or change their IP address from
time to time to get around it. Some advanced firewall programs can detect common
hacker practices. Once hacking activity is detected, the firewall alerts the network
administrator and traces back the attack or cuts off the connection.
Using different systems to set up layers of firewalls can build a stronger shield.
Hackers can pass through all the firewalls only if they are familiar with the different
firewall systems. When the second firewall is behind the first firewall, detecting the
second firewall is much harder. With multi-layer firewalls, the set-up is more
complicated. If the rules are too strict, they may block some network programs or
decrease network efficiency.
Designing a well-rounded rule set can be a challenging task. Testing for security
holes is time-consuming but essential. For a high-traffic network, pre-deployment
testing is especially important: you cannot reset the firewall rules after tons of
complaints.
When setting up a firewall, using a DMZ (Demilitarized Zone) can save you a lot of
trouble:
We can set firewall rules to allow direct access to servers in the DMZ through specific
protocols, such as DNS, WWW, FTP, and MAIL. The internal network, without going
through the firewall, can also access these services. Other services are blocked from
external access. The internal network, on the other hand, can access any external
resources through the proxy. We can also use the rsync protocol to synchronize data
from the DMZ. Generally, we do not put servers with important data in the DMZ. Mail
is first sent to the DMZ and later retrieved by an internal machine. In this case, even if
the DMZ is cracked, the loss is still minimized.
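One way to turn the DMZ policy above into a default-deny rule set and test it before deployment, as an added Python example that is not from the original page. The zone addresses, the proxy port 3128, the retrieval of mail over POP3 and the outbound rule for DMZ hosts are assumptions made for illustration.

```python
import ipaddress

# Constructed address plan (assumption): private and documentation ranges only.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
PUBLIC = {21, 25, 53, 80}               # FTP, MAIL, DNS, WWW: the protocols named above
POP3, RSYNC, PROXY = 110, 873, 3128     # standard POP3/rsync ports; proxy port assumed

# Rules say who may OPEN a connection (replies are assumed to be tracked
# statefully). First match wins; traffic matching no rule is denied.
RULES = [
    ("external", "dmz", PUBLIC, "allow"),
    ("internal", "dmz", PUBLIC | {POP3, RSYNC, PROXY}, "allow"),
    ("dmz", "external", {25, 53, 80, 443}, "allow"),  # assumed: proxy and mail relay sit in the DMZ
]

def zone_of(addr):
    """Map an address to its zone; anything unlisted is external."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

def decide(src, dst, port):
    pair = (zone_of(src), zone_of(dst))
    for rule_src, rule_dst, ports, action in RULES:
        if pair == (rule_src, rule_dst) and port in ports:
            return action
    return "deny"

# Pre-deployment cases: (description, source, destination, port, intended result)
CASES = [
    ("outsider reaches DMZ web server", "203.0.113.7", "192.0.2.80", 80, "allow"),
    ("outsider delivers mail to DMZ", "203.0.113.7", "192.0.2.25", 25, "allow"),
    ("outsider probes other DMZ port", "203.0.113.7", "192.0.2.80", 22, "deny"),
    ("outsider reaches internal host", "203.0.113.7", "10.1.2.3", 80, "deny"),
    ("cracked DMZ host reaches internal", "192.0.2.80", "10.1.2.3", 445, "deny"),
    ("internal host retrieves mail", "10.1.2.3", "192.0.2.25", 110, "allow"),
    ("internal host syncs data by rsync", "10.1.2.3", "192.0.2.80", 873, "allow"),
    ("internal host uses the proxy", "10.1.2.3", "192.0.2.10", 3128, "allow"),
    ("internal host bypasses the proxy", "10.1.2.3", "203.0.113.7", 80, "deny"),
]

def audit(cases=CASES):
    """Return (description, actual) for every case the rule set gets wrong."""
    results = [(c[0], decide(c[1], c[2], c[3]), c[4]) for c in cases]
    return [(name, got) for name, got, want in results if got != want]

if __name__ == "__main__":
    print(audit() or "rule set matches the intended policy")
```

An empty result from `audit()` means the rule set matches the intended policy; an over-permissive or over-strict rule shows up as a named failing case before any user is affected.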