Abstract
HTTPS is the standard for confidential and integrity-protected communication on the Web. However, it authenticates the server, not its content. We present WebTrust, the first comprehensive authenticity and integrity framework that allows on-the-fly verification of static, dynamic, and real-time streamed Web content from untrusted servers. Our framework integrates seamlessly into HTTP and allows streamed content to be validated progressively as it arrives. Our performance results demonstrate both the practicality and the efficiency of our approach.
Copyright information
© 2014 Springer International Publishing Switzerland
Backes, M., Gerling, R.W., Gerling, S., Nürnberger, S., Schröder, D., Simkin, M. (2014). WebTrust – A Comprehensive Authenticity and Integrity Framework for HTTP. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds) Applied Cryptography and Network Security. ACNS 2014. Lecture Notes in Computer Science, vol 8479. Springer, Cham. https://doi.org/10.1007/978-3-319-07536-5_24
DOI: https://doi.org/10.1007/978-3-319-07536-5_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07535-8
Online ISBN: 978-3-319-07536-5
eBook Packages: Computer Science, Computer Science (R0)