Technical Articles

Currently, a large number of users have not yet realized the importance of email security. In fact, most email users believe that their emails contain no secrets, so they pay no attention to email security. Unfortunately, some of them misunderstand the meaning of the word “secret”. Information that users consider useless may give malicious people an opportunity to do harm. Users can only prevent their private information from being leaked by enhancing email security.
Solutions for enhancing Gmail security
As we have mentioned before, email security is extremely important in today’s era. Gmail is one of the most popular email services, so Gmail security also deserves users’ attention. Below we offer some solutions, including email encryption and digital signatures, to help users enhance Gmail security.

1. Question: if all of the users’ mailboxes are Gmail or Google Apps and they are using IMAP, is SSL encryption (one kind of email encryption) already built into these mailboxes?
Solution: if users access Gmail or Google Apps via the web page, the connection is encrypted by default. If users access Gmail or Google Apps through email client software, the mailboxes are also encrypted by default as long as they are using IMAP or SMTP. However, if POP is adopted in users’ Gmail account, there will be no email encryption.

2. Question: is an SSH Tunnel or a SOCKS Proxy (two different forms of email encryption) available to enhance Gmail security in this situation?
Solution: of course, an SSH Tunnel or a SOCKS Proxy will be helpful. In fact, SSL relies on Public Key Infrastructure, which has a fatal flaw: it considers all Certificate Authorities (CAs) safe by default. Therefore, users had better encrypt their mailboxes with an SSH Tunnel or a SOCKS Proxy if they want to enhance email security.

3. Question: is a digital signature necessary once users know about SSL, SSH Tunnel and SOCKS Proxy?
Solution: of course, it is necessary, since SSL, SSH Tunnel, SOCKS Proxy and digital signatures solve problems at different levels. SSL, SSH Tunnel and SOCKS Proxy only help users connect to the Gmail server safely in order to send and receive emails; they cannot ensure the safety of the communication between recipients and senders. For example, if a user’s email has not been encrypted or carries no digital signature when it is sent through Gmail to a 163 mailbox user, eavesdropping and forgery are likely to occur.

4. Question: if users’ Wi-Fi uses WPA or WPA2, is it necessary to use a VPN from the perspective of encryption?
Solution: certainly, the answer is yes. WPA or WPA2 can only guarantee a secure connection between the computer and the router. To secure the connection between the router and the ISP, and between the ISP and the network, users may as well adopt a VPN.

We believe users can improve their email security by paying attention to the aspects above.

Steadily improving Web crawler technologies bring website operators more and more profit, but Web security issues come along with them. The reason is explained in the following text. To begin with, we give a brief introduction to the term.

A briefing to Web crawler
Widely used on the Internet, a Web crawler (also called a Web spider or Web robot) is a program or script that automatically fetches information on the Internet. With it, a search engine can access, organize and administer information such as files, images, audio and video presented on a website. It then supplies the fetched information in response to users' queries.

Web Security Issues Brought by Web Crawler
Because a crawler's main mode of operation is to fetch high-value information, bandwidth consumption and the processing workload of the Web server increase correspondingly while it runs. Moreover, some webmasters of small websites see an obvious increase in network traffic while a crawler is fetching website information. Malicious users may use certain flaws to carry out DoS attacks. What's worse, sensitive information fetched by a crawler is likely to bring the webmaster unexpected losses.

Solutions to Eliminating Threats
Taking the possible menaces brought by Web crawlers into consideration, many website managers may want to restrict access to information. As a matter of fact, it is advisable to treat such programs or scripts according to actual needs. For websites where confidential and sensitive data are stored, website managers can strictly restrict access. The following are detailed solutions for hardening Web security.

1. Set robots.txt file
Setting a robots.txt file is the simplest way to block Web crawlers. Robots.txt is the first file checked by a search engine, and it tells the crawler which server files will be checked. For instance, "Disallow: /" means that no paths are allowed to be checked. Unfortunately, not all crawlers conform to this rule, so setting a robots.txt file is far from enough to impede crawlers.

2. Set User Agent identification and restrictions
To restrict crawlers that do not abide by robots.txt rules, website managers should first identify and separate the network traffic brought by crawlers from the network traffic brought by ordinary users. For general crawlers, the User Agent field in HTTP requests identifies the operating system, CPU, browser version, browser rendering engine and browser language in use. However, the User Agent field of a browser is different from that of a Web crawler. That is why website managers can filter out unwanted crawlers by the User Agent field.

3. Identify and restrict crawlers according to behavioral traits
To deal with Web crawlers that disguise themselves as browsers in the User Agent field, website managers can identify them on the basis of behavioral traits. Crawlers visit websites at regular intervals, while real users visit casually.
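
Steps 2 and 3 above can be combined into one pass over the access log: check the User Agent first, then look at how regular each client's request timing is. The following Python sketch is an added example, not code from the original article; the log lines are constructed, and the function name, the User Agent pattern and the thresholds (`min_requests`, `max_cv`) are assumptions chosen for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# Constructed sample: (client IP, User-Agent, request times in seconds after 10:00:00)
CLIENTS = [
    ("198.51.100.7", "ExampleBot/1.0 (+http://bot.example/about)", [0, 90]),
    ("203.0.113.9", BROWSER_UA, [0, 5, 10, 15, 20]),      # browser UA, fixed 5 s cadence
    ("192.0.2.44", BROWSER_UA, [3, 41, 130, 135, 450]),   # browser UA, irregular visits
]
SAMPLE_LOG = [
    f'{ip} - - [10/Mar/2024:10:{s // 60:02d}:{s % 60:02d} +0000] '
    f'"GET /page{i} HTTP/1.1" 200 512 "-" "{ua}"'
    for ip, ua, times in CLIENTS for i, s in enumerate(times)
]

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d+ \S+ "[^"]*" "([^"]*)"')
BOT_UA_RE = re.compile(r"bot|crawler|spider", re.IGNORECASE)  # assumed pattern

def classify_clients(lines, min_requests=5, max_cv=0.2):
    """Return {ip: label}: User-Agent check first, then timing regularity."""
    seen = defaultdict(lambda: {"ua": "", "times": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing their fields
        ip, ts, ua = m.groups()
        seen[ip]["ua"] = ua
        seen[ip]["times"].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    labels = {}
    for ip, info in seen.items():
        if BOT_UA_RE.search(info["ua"]):
            labels[ip] = "declared-crawler"   # step 2: identifies itself in the UA
            continue
        times = sorted(info["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Step 3: a low coefficient of variation means machine-like, regular gaps.
        if len(times) >= min_requests and statistics.mean(gaps) > 0:
            if statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv:
                labels[ip] = "suspected-crawler"
                continue
        labels[ip] = "likely-human"
    return labels

if __name__ == "__main__":
    for ip, label in classify_clients(SAMPLE_LOG).items():
        print(ip, label)
```

A client with too few requests is never flagged on timing alone, which keeps a short human visit from being misclassified.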

For many years, network information security has been an important research direction in the data communication field. In fact, data is very likely to be stolen or damaged during network transmission because of the insecurity of the TCP/IP protocol. In this situation, information encryption becomes an effective method of ensuring communication security. Now, we will talk about the cipher system, which makes information encryption possible.

Introduction to cipher system
A cipher system is a system that is able to completely solve the problems related to communication security, including confidentiality, data integrity, authentication, identification, controllability and non-repudiation. In practice, a cipher system carries out the algorithms of encryption and decryption. In general, both the encryption process and the decryption process of data are controlled by the cipher system and the password. The security of the cipher system relies on that of the password. In modern cryptography, people always pursue the encryption algorithm’s integrity, instead of its confidentiality.

Classification of cipher system
At present, two cipher systems are widely used to ensure communication security: the private-key cryptosystem and the public-key cryptosystem.

  • Private-key cryptosystem: the private-key cryptosystem is also called the single-key cryptosystem or symmetric cryptosystem because its encryption key and decryption key are the same. Both parties involved in the communication must agree on a key through a safe channel in order to ensure communication security. Therefore, in a private-key cryptosystem, protecting the encryption key is as important as protecting the decryption key. The security of the encryption key and decryption key has a direct impact on the whole system. DES and IDEA are two typical encryption algorithms of the private-key cryptosystem.

  • Public-key cryptosystem: another name for the public-key cryptosystem is the asymmetric cryptosystem. In this system, the encryption key (Ke) and the decryption key (Kd) are different. Therefore, the openness of the encryption key has no bearing on the security of the decryption key. RSA and Elliptic Curve are two common public-key cryptosystems.

When communicating through a public-key cryptosystem, users are required to save a lot of public keys (similar to an address book). This is a big burden for users. At present, a Key Distribution Center (KDC) is recognized as an effective solution for managing and distributing public keys. Users only need to save their own private key and the public key of the Key Distribution Center during communication. In this way, users can obtain the public keys of other users through the Key Distribution Center.

In practice, the public-key cryptosystem is always used in combination with the private-key cryptosystem. The public-key system is responsible for sending the encryption keys, while the private-key (symmetric) system is responsible for sending the encrypted information. However, no matter what kind of cipher system (private-key cryptosystem, public-key cryptosystem or a combination of them) users have adopted, it is necessary for them to store their keys safely.

Although the cipher system is widely used to protect data during communication, it has two obvious defects. The first is that the passwords users rely on to protect keys are difficult to remember. The second is that the passwords are likely to be deciphered easily by hackers through a variety of methods. As a result, a safer method, combining automatic fingerprint authentication with the cipher system, is needed to improve the situation.

Automatic fingerprint authentication technology
Biometric authentication means that identity authentication is carried out by making use of biological characteristics, such as voice, fingerprint, iris and signature. With the development of computer technology and the continuous improvement of various algorithms, automatic fingerprint authentication technology has become an accurate, fast and efficient authentication method that is widely used in many fields.

Based on the theory of pattern recognition, automatic fingerprint authentication technology confirms identity from a fingerprint by using computer and image processing technology. The reason automatic fingerprint authentication technology can be used to confirm identity is that every fingerprint is unique and will not change over a lifetime. Recently, with the continuous development of image processing, pattern recognition and computer science, the performance of automatic fingerprint authentication systems has been enhanced greatly. Besides, the application fields of automatic fingerprint authentication systems have been extended from the original legal and public security fields to the financial and information security fields. A fingerprint authentication system can be used as a method of confirming computer users; it can be used as an information security technology for accessing network resources; it can also be used in the ATM cards and credit cards of banks.

In general, a fingerprint authentication system takes two steps to confirm a user’s fingerprint. Firstly, the system retrieves the corresponding pattern fingerprint features from the fingerprint database according to the information provided by the user, such as name and username. Secondly, the system matches the fingerprint input by the user against the pattern fingerprint to determine whether the two fingerprints are from the same finger, and so confirms the user’s identity.

Advantages of fingerprint authentication
Compared with conventional password authentication, fingerprint authentication has incomparable advantages. For hackers, a password is easy to decipher. However, the uniqueness of the fingerprint combination makes it almost impossible to decipher. In this way, users’ keys can be stored safely in the key distribution center. Apart from that, users can employ several fingerprints to perform multi-layer encryption of the RSA private key in order to achieve a higher level of safety.

In the fingerprint authentication process, the gray-scale fingerprint image input at the client is transmitted over the network to the key distribution center after the feature points have been extracted. This not only reduces the burden of network transmission, but also improves the speed of fingerprint authentication. We can imagine that automatic fingerprint authentication technology will be used more and more widely in the near future.