WebTrust – A Comprehensive Authenticity and Integrity Framework for HTTP

  • Michael Backes
  • Rainer W. Gerling
  • Sebastian Gerling
  • Stefan Nürnberger
  • Dominique Schröder
  • Mark Simkin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8479)


HTTPS is the standard for confidential and integrity-protected communication on the Web. However, it authenticates the server, not its content. We present WebTrust, the first comprehensive authenticity and integrity framework that allows on-the-fly verification of static, dynamic, and real-time streamed Web content from untrusted servers. Our framework seamlessly integrates into HTTP and allows to validate streamed content progressively at arrival. Our performance results demonstrate both the practicality and efficiency of our approach.


HTTP Integrity Authenticity Verifiable Data Streaming 


  1. 1.
    Ateniese, G., de Medeiros, B.: On the Key Exposure Problem in Chameleon Hashes. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 165–179. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  2. 2.
    Bayardo, R.J., Sorensen, J.S.: Merkle tree authentication of HTTP responses. In: Proc. of the 14th International Conference on World Wide Web (WWW 2005), pp. 1182–1183. ACM (2005)Google Scholar
  3. 3.
    Bellare, M., Rogaway, P.: Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In: Proc. of the 1st ACM Conference on Computer and Communication Security (CCS 1993), pp. 62–73. ACM (1993)Google Scholar
  4. 4. The Legion of the Bouncy Castle (2013),
  5. 5.
    Catalano, D., Fiore, D., Gennaro, R.: Certificateless onion routing. In: Proc. of the 16th ACM Conference on Computer and Communication Security (CCS 2009), pp. 151–160. ACM (2009)Google Scholar
  6. 6.
    Choi, T., Gouda, M.G.: HTTPI: An HTTP with Integrity. In: Proc. of the 20th International Conference on Computer Communications and Networks (ICCCN 2011), pp. 1–6. IEEE Computer Society (2011)Google Scholar
  7. 7.
    The Chromium Projects (2014),
  8. 8.
    Devanbu, P., Gertz, M., Kwong, A., Martel, C., Nuckolls, G., Stubblebine, S.G.: Flexible Authentication Of XML documents. In: Proc. of the 8th ACM Conference on Computer and Communication Security (CCS 2001), pp. 136–145. ACM (2001)Google Scholar
  9. 9.
    Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., Berners-Lee, T.: RFC 2616 - Hypertext Transfer Protocol – HTTP/1.1 (1999),
  10. 10.
    Fox, A., Brewer, E.A.: Reducing WWW Latency and Bandwidth Requirements by Real-Time Distillation. In: Proc. of the 5th International Conference on World Wide Web (WWW 1996), pp. 1445–1456. Elsevier (1996)Google Scholar
  11. 11.
    Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., Stewart, L.: RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication (1999),
  12. 12.
    Gaspard, C., Goldberg, S., Itani, W., Bertino, E., Nita-Rotaru, C.: Sine: Cache-friendly integrity for the web. In: Proc. of the 5th IEEE Workshop on Secure Network Protocols (NPSec 2009), pp. 7–12. IEEE Computer Society (2009)Google Scholar
  13. 13.
    Gennaro, R., Rohatgi, P.: How to sign digital streams. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 180–197. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  14. 14.
    Gionta, J., Ning, P., Zhang, X.: iHTTP: Efficient Authentication of Non-confidential HTTP Traffic. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 381–399. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  15. 15.
    Hohenberger, S., Waters, B.: Realizing Hash-and-Sign Signatures under Standard Assumptions. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 333–350. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  16. 16.
    Katz, J., Lindell, Y.: Introduction to Modern Cryptography (Chapman & Hall/Crc Cryptography and Network Security Series). Chapman and Hall/CRC (2007)Google Scholar
  17. 17.
    Krawczyk, H., Rabin, T.: Chameleon Signatures. In: Proc. of the 7th Annual Network and Distributed System Security Symposium (NDSS 2000). The Internet Society (2000)Google Scholar
  18. 18.
    Lesniewski-Laas, C., Kaashoek, M.F.: SSL Splitting: Securely Serving Data from Untrusted Caches. In: Proc. of the 12th Usenix Security Symposium, pp. 187–199. Usenix Association (2003)Google Scholar
  19. 19.
    Lesniewski-Laas, C., Kaashoek, M.F.: SSL splitting: Securely serving data from untrusted caches. Computer Networks 48(5), 763–779 (2005)CrossRefGoogle Scholar
  20. 20.
    Lin, C.Y., Chang, S.F.: Generating robust digital signature for image/video authentication. In: Proc. of the 1st Workshop on Multimedia and Security at ACM Multimedia 1998, vol. 98, pp. 94–108. ACM (1998)Google Scholar
  21. 21.
    Merkle, R.C.: Method of Providing Digital Signatures (US Patent: US4309569A) (1979)Google Scholar
  22. 22.
    Miller, V.S.: Use of Elliptic Curves in Cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)Google Scholar
  23. 23.
    Moyer, T., Butler, K.R.B., Schiffman, J., McDaniel, P., Jaeger, T.: Scalable Web Content Attestation. IEEE Transactions on Computers 61(5), 686–699 (2012)CrossRefMathSciNetGoogle Scholar
  24. 24.
    NIST: Recommendation for Key Management. Special Publication 800-57 Part 1 Rev. 3 (2012)Google Scholar
  25. 25.
    OpenSSL. (2014),
  26. 26.
    Oracle: Java Cryptography Architecture – Oracle Providers Documentation (2013),
  27. 27.
    Pannetrat, A., Molva, R.: Efficient Multicast Packet Authentication. In: Proc. of the 10th Annual Network and Distributed System Security Symposium (NDSS 2003). The Internet Society (2003)Google Scholar
  28. 28.
    Perrig, A., Canetti, R., Tygar, D., Song, D.: Efficient authentication and signing of multicast streams over lossy channels. In: Proc. of the 2000 IEEE Symposium on Security and Privacy (Oakland 2000), pp. 56–73. IEEE Computer Society (2000)Google Scholar
  29. 29.
    Ray, I., Kim, E.: Collective Signature for Efficient Authentication of XML Documents. In: Deswarte, Y., Cuppens, F., Jajodia, S., Wang, L. (eds.) Security and Protection in Information Processing Systems. IFIP, vol. 147, pp. 411–424. Springer, Boston (2004)CrossRefGoogle Scholar
  30. 30.
    Reis, C., Gribble, S.D., Kohno, T., Weaver, N.C.: Detecting In-Flight Page Changes with Web Tripwires. In: Proc. of the 5th Usenix Symposium on Networked Systems Design and Implementation (NSDI 2008), pp. 31–44. Usenix Association (2008)Google Scholar
  31. 31.
    Rescorla, E.: RFC 2818 - HTTP Over TLS (2000),
  32. 32.
    Rescorla, E., Schiffman, A.: RFC 2660 - The Secure HyperText Transfer Protocol (1999),
  33. 33.
    Rivest, R.L., Shamir, A., Adleman, L.M.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM (CACM) 21(2), 120–126 (1978)CrossRefzbMATHMathSciNetGoogle Scholar
  34. 34.
    Schröder, D., Schröder, H.: Verifiable data streaming. In: Proc. of the 19th ACM Conference on Computer and Communication Security (CCS 2012), pp. 953–964. ACM (2012)Google Scholar
  35. 35.
    Shamir, A., Tauman, Y.: Improved Online/Offline Signature Schemes. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 355–367. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  36. 36.
  37. 37.
    Singh, K., Wang, H.J., Moshchuk, A., Jackson, C., Lee, W.: Practical End-to-End Web Content Integrity. In: Proc. of the 21st International Conference on World Wide Web (WWW 2012), pp. 659–668. ACM (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Michael Backes
    • 1
  • Rainer W. Gerling
    • 2
  • Sebastian Gerling
    • 1
  • Stefan Nürnberger
    • 1
  • Dominique Schröder
    • 1
  • Mark Simkin
    • 1
  1. 1.CISPASaarland UniversityGermany
  2. 2.University of Applied Sciences MunichGermany

Personalised recommendations