Internet Security

1 POP3

What is POP3?

Post Office Protocol Version 3 (POP3) is the most commonly used protocol between email clients and servers. A POP3 server stores a client’s email messages until the client fetches them. POP3 users usually use “offline” mode to view messages: from time to time, the email client downloads messages to the local computer and disconnects upon completion. Hence, email messages are only temporarily stored on the server. When a message is downloaded, it is removed from the server automatically. In “online” mode, the client stays connected to the server while the user is checking email, and email messages are read directly from the server. Popular email clients supporting POP3 include: Outlook, Outlook Express, Internet Explorer, Netscape Messenger or Communicator, Eudora, Pegasus, NuPOP, Z-Mail and UNIX mail.

2 Cookies

What are cookies?

You may have seen some “customize the site” settings online. Every time you visit the site again, you will see a welcome message with your name on it. This may give you the impression that the site is well managed. The technology behind the scenes is “cookies”.

You can set your preference when you first go to any of those “customizable” sites. After you finish the setting, the server will store your preference to your computer. That Web site will use the piece of information, named cookie, to recognize your next visit and display your preference accordingly.

Most browsers are set to accept cookies, but you can override the setting as you need. In Internet Explorer 6, you can set up your preference according to the steps below:

  1. On the Internet Explorer Tools menu, click Internet Options (Figure 2.1).

Set up according to the explanation below:

According to the description above, you may have already found that the use of cookies is related to privacy and security. Actually, through cookies, all Web sites can obtain certain information from your computer, and use the information for promotion. If you find ads popping up on your computer, you might have accepted some lousy cookies, which subsequently installed some spyware.

Figure 2.1

3 Data Encryption

Methods of data encryption

Without encryption, sending information and email over the Internet is like sending postcards: everybody could read the message without your permission. To make things more secure, we encrypt the data before sending; when the encrypted data is received, the recipient then decrypts it. During transfer, the message is transformed into meaningless codes. Unless you can decode the message, you are not able to read it.

Then how do encryption and decryption work? During World War II, the telegram was the main communication channel. Telegrams were classified as encrypted telegrams and public telegrams. A public telegram uses a set of public rules to encode the telegram into radio signals for sending; the recipient then uses the same rules to decode the telegram. An encrypted telegram, instead, uses a set of private rules to perform the same process. Although the radio signal could be received by anyone, only the designated recipient could restore the message. The restoration process then became an anti-spy mission. It is said that Japan did not use any telecommunication during the Pearl Harbor attack. This was to avoid data being intercepted by the Americans, and it succeeded. However, the Japanese general was killed since the Americans were able to decode their messages over radio.

Transferring information over the Internet without encryption is like using a public telegram. However, we can still use an “encrypted telegram”: we can encrypt the data using our own rule set and send the rule set to the recipient via a secured channel. Data is more secure this way. This method of encryption is called Single/Symmetrical Key Encryption.

That leads to another problem: how about sending information to over ten thousand recipients? Maintaining the rule sets is clearly inefficient and time-consuming. In addition, how do we perform the key exchange? If the key is acquired by someone else during transfer over the Internet, messages sent thereafter are not secure.

Based on the Single Key Encryption technology, people developed another, more agile encryption method, called Double/Asymmetrical Key Encryption. In Asymmetrical Key Encryption, everyone uses the same public key to encrypt the message, while the recipient uses a different private key to decipher it. The unique relation between the private key and the public key is best described below:

I made a unique key (the private key) and a public key. Then I hung the public key outside the house.

A can is provided by the post office for transferring information. There is no lock on the can. If a friend wants to send me a message, he has to duplicate the key outside my house and use it to lock the can.

Once the can is locked, only the private key I own can open it. Unless you are an expert at picking locks, no one else can read the information inside the can.

This way, the sender and recipient do not have to exchange a key: the public key can be published on the network for anyone to download. People can then use the public key to encrypt any message and send it to me. As the private key owner, I can decode the message once received. With this method, keeping the private key from being stolen is the most important task.

Application of encryption

As mentioned above, you may have discovered the convenience and flexibility of Asymmetrical Key Encryption, but it has limitations: Asymmetrical Key Encryption uses more computation power; i.e. it is not as efficient as Symmetrical Key Encryption in terms of computation power.

People are intelligent in using technologies: when you have to send a batch of messages, use asymmetrical key encryption; when not in a large batch, use symmetrical key encryption. This resolves the convenience and efficiency dilemma. Nowadays, many servers / Web applications use a “hybrid” solution:

1. When the client connects to the server, it downloads the public key.
2. The client generates the session key using a stochastic method.
3. The client encrypts the session key with the public key and sends it back to the server.
4. Finally, the server uses the session key to encrypt data and starts the transfer.

The case above is only a simplified case demonstrating the fundamental concepts; the actual operation is much more complicated.
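The four steps above can be traced in code. This is an added example, not part of the original text: it assumes textbook RSA with a small constructed key and a SHA-256 keystream as a stand-in for a real symmetric cipher, and all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed textbook-RSA key built from two Mersenne primes. Illustration only:
# no padding and a trivially factorable modulus, so never use it for real data.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
SERVER_PUBLIC = (P * Q, E)                       # step 1: what the client downloads
SERVER_PRIVATE = pow(E, -1, (P - 1) * (Q - 1))   # never leaves the server

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter-mode keystream), a stand-in for AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def client_make_session_key(public):
    """Steps 2-3: random session key, encrypted under the server's public key."""
    n, e = public
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return session_key, wrapped

def server_recover_session_key(wrapped: int) -> bytes:
    """Server side of step 3: only the private key can unwrap the session key."""
    n, _ = SERVER_PUBLIC
    return pow(wrapped, SERVER_PRIVATE, n).to_bytes(16, "big")

def run_handshake(payload: bytes):
    client_key, wrapped = client_make_session_key(SERVER_PUBLIC)
    server_key = server_recover_session_key(wrapped)
    nonce = secrets.token_bytes(12)                       # fresh per message
    ciphertext = stream_xor(server_key, nonce, payload)   # step 4: server encrypts
    received = stream_xor(client_key, nonce, ciphertext)  # client decrypts
    # An eavesdropper sees only the public key, `wrapped`, the nonce and ciphertext.
    return wrapped, ciphertext, received

if __name__ == "__main__":
    wrapped, ct, pt = run_handshake(b"order 1001: 2 books (constructed sample)")
    print(hex(wrapped)[:18], ct.hex()[:18], pt)
```

The slow public-key operation runs once, on 16 bytes; everything after that uses the fast symmetric cipher, which is the efficiency trade-off described above.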

Digital Signature

We can use a Digital Signature on the Internet as an identity. A Digital Signature is a unique value: it is produced by encrypting with the user’s private key and authenticated with the public key. We can then confirm the authenticity of the private key; otherwise, the private key is rejected. In other words, a digital signature is either authentic or unreliable.


Encryption and Digital Signature

Traditional signatures on paper are clearly not applicable on the Internet. Readers who have tried to buy things online may not have used a digital signature in the transactions. Online shopping today is still very insecure: without signature and phone verification, the bank still allows the transaction as requested by the online shop. If digital signatures were enforced, their “almost cannot be duplicated” nature could secure online shopping: while you are shopping online with your credit card and digital signature, the shop uses your credentials to request authorization from the bank, and the bank only grants the transaction if there is no verification problem. This prevents the credit card from being used by a third party and prevents bogus transactions. The worst thing is that the public lacks a sense of network security and the bank, as the authority, ignores the risks and only looks for profits.

How to be “verified” online

To protect visitors, most Web sites nowadays use SSL (Secure Sockets Layer) technology, developed by Netscape, to encrypt data. The technology works between the application and transport layers in the OSI model and is thus not bound to any particular protocol. To provide SSL service, both server and browser support are needed. SSL digital certificates are now issued by an American company called VeriSign. To deploy SSL on a server, you must register with VeriSign.

You can also acquire a personal digital ID from the above company. Other than VeriSign, you can apply for a personal ID from any of the authorized organizations, like Thawte.

If you buy online, SSL ensures that your credit card information is not available to any party other than the shop. If used with a digital identity, more accurate verification can be performed and the transaction is hence more secure.

We have learnt how to use encryption to protect our information over the Internet. However, if our computer is hacked into, and the password or keys are stolen, all our effort will be in vain.

How to secure the connection then? We could eliminate unwanted connections. The technology used to solve the problem is called Firewall and will be covered in later sections.

4 Public Key Infrastructure (PKI)

Public Key Infrastructure Technology

Public Key Infrastructure (PKI) is a widely accepted IT security framework based on 'Public Key Cryptography'. The Government has laid a solid foundation for deployment of PKI through the enactment of the Electronic Transactions Ordinance and the establishment of a public Certification Authority (CA) through the Hong Kong Post.

Main Security Functions

PKI provides a management framework for enabling public key cryptography deployment. Public key cryptography processes data with a pair of keys, which are two distinct but corresponding computer codes. Encryption is done with one of the key-pair and decryption is only possible with the use of the other key in the same pair.

One of the keys in the pair is kept by the owner as a personal secret and therefore called 'private key'. The other key is publicly available, and hence called 'public key'.

Encryption is the means of PKI to ensure confidentiality. For instance, privacy of a message sent via email can be protected by encrypting it with the use of the recipient's public key. Since only the recipient's private key can decrypt the encrypted message, one can ensure that nobody other than the intended recipient can read the message.

For example,

1. John uses Mary's public key to encrypt the email and sends it to Mary.
2. Upon receiving the email, Mary decrypts the email with her own private key.

A digital signature is the means to ensure integrity, authenticity, and non-repudiation. A digital signature is derived by applying a mathematical function to compute the message digest of an electronic message or document, and then encrypting the result of the computation with the signer's private key. The recipient can verify the digital signature with the sender's public key.

For example,

1. John stamps his digital signature to the email by using his private key and then sends the email to Mary.
2. Upon receiving the email, Mary verifies the digital signature in the email with John's public key.

Taking email as an example, if a digitally signed email has not been tampered with during the course of transmission (integrity), the digital signature will be valid as verified by the recipient. Since the sender is the only person who has access to the corresponding private key, once the digital signature is verified as valid, the recipient can be certain that the email is indeed from the sender (authenticity); and the sender cannot deny having signed the email (non-repudiation).
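The John and Mary exchange can be checked in code: a valid signature, a tampered email, and a signature made with someone else's private key. This is an added example, not part of the original text; it assumes textbook RSA over constructed toy keys, reduces the SHA-256 digest modulo the small modulus, and "Mallory" and all function names are hypothetical.

```python
import hashlib

def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes. Illustration only (no padding)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

# Constructed keys built from Mersenne primes; real keys use large random primes.
JOHN_PUB, JOHN_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

def digest_int(message: bytes, n: int) -> int:
    """Message digest as an integer, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private) -> int:
    """Signer: encrypt the message digest with the private key."""
    n, d = private
    return pow(digest_int(message, n), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """Recipient: recover the digest with the public key and compare."""
    n, e = public
    return pow(signature, e, n) == digest_int(message, n)

EMAIL = b"Mary, please pay invoice 17 (constructed sample). John"

def check_email():
    signature = sign(EMAIL, JOHN_PRIV)                    # John signs
    genuine = verify(EMAIL, signature, JOHN_PUB)          # Mary verifies
    tampered = verify(EMAIL.replace(b"17", b"71"), signature, JOHN_PUB)
    forged = verify(EMAIL, sign(EMAIL, MALLORY_PRIV), JOHN_PUB)
    return genuine, tampered, forged

if __name__ == "__main__":
    print(check_email())
```

Only the first check passes: a changed email fails integrity, and a signature made with any other private key fails authenticity against John's public key.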

Certification Authorities and Digital Certificates

The effective operation of PKI very much depends on the support of the CA. The main role of a CA is to act as a trusted third party that verifies the identity of digital certificate subscribers.

The subscriber can generate the public/private key pair through an application, for example, a browser running on a workstation. The browser then automatically sends the public key, together with a certificate request, to the CA server. The CA server then creates and digitally signs the subscriber's certificate subject to the positive verification of the subscriber's identity; and sends one copy of the certificate to a Directory Server, while another copy to the subscriber. Upon receiving the certificate copy, the subscriber can export it together with the generated keys to a token, such as floppy diskette or smart card, for portability among PKI-enabled applications on various platforms.

The Hong Kong Post is the first public recognized CA under the Electronic Transactions Ordinance ("ETO") (Cap. 553), from whom any organization and member of the public can buy digital certificates in Hong Kong. It has issued different types of digital certificates such as e-Certs, Bank-Certs and Mobile e-Certs. There are also other recognized CAs under the Electronic Transactions Ordinance such as the Digi-Sign Certification Services Limited and the HiTRUST.COM (HK) Incorporated Limited.

5 Two-Factor Authentication

What is two-factor authentication?

Two-Factor Authentication combines PKI with another authentication method into one single process to increase security. This authentication method makes use of a smart card. It can be used in different areas, including network authentication, system authentication and entrance authentication. To use this method adequately, we have to understand how it works and the potential security problems. We are going to cover these two topics in this section.

How does it work?

Public Key Infrastructure was introduced in the last section, so readers should already know a bit about this technology. The “another authentication method” mentioned above can be one of the following:

Password: Every user has a password and a smart card. Upon every encryption, the user must present both “keys”. Because of cost concerns and scope of application, it is commonly adopted.

Fingerprint / pupil: The user has to present their smart card and fingerprint/pupil during authentication. Since the machine for authenticating a fingerprint/pupil requires very high accuracy, it is expensive. As a result, this solution is only used in extreme security systems.

Security concern

There isn’t any bullet-proof security solution in the world. To minimize the security risk, we have to know the holes in each security system, and take suitable measures. As Two-Factor Authentication uses a smart card and another existing authentication method, leakage of either of the two credentials could cause a certain level of security risk. Most Two-Factor Authentication methods use a password as the other authentication method, so leakage of the password leads to a security concern. You may be familiar with the risks of password leakage; we sum up the points here for your reference:

Do not tell anyone your password.

Use different passwords in different systems.

Do not write your password down; even if you have written it down, do not carry it with you.

In addition to securing your password, you have to take care of the smart card as well. Despite the advances of technology and security in smart cards, we cannot ignore the jeopardy caused by data loss.

The private key in the smart card is actually some encrypted data stored in the card. If the smart card is taken or duplicated, whoever holds it could get your information if they also have your password. This is analogous to the loss of a credit card or debit card. To avoid your card being stolen, do not lend your card to others.

Daily example: Smart ID

As a cosmopolitan city, Hong Kong has had its government announce the schedule of Smart ID renewal. I believe that you have heard about the e-cert in the smart card. This e-cert could serve as the public key in Two-Factor Authentication. When you use your Smart ID for an online transaction, you must enter your password; without either of them, the process will fail. If you already have the Smart ID, you can go to ESDLife to try out Two-Factor Authentication.

6 Firewall

What is a firewall?

“Firewall” originates from a term in building construction, in which the word means “structure used as a barrier to prevent the spread of fire”. A firewall in networking guards your system from hazardous and insecure connections. There are two common types of firewall: filter and proxy. If not specified, firewall refers to filter.

From the perspective of security, a proxy is more secure than a filter: it only allows selected connections and blocks all other things. It also shields the internal network so that the internal network is transparent to the external network. In addition, a proxy can be used to share a modem/ADSL connection by setting all internal computers to use the Internet-connected computer as the proxy server. It could save you a lot on the ISP bill. The proxy firewall mainly acts as an agent. Proxies can be classified as application proxies and SOCKS proxies. Proxy refers to application proxy if not specified.