Advertisement

Pseudo-randomness Inside Web Browsers

  • Zhi Guan
  • Long Zhang
  • Zhong Chen
  • Xianghao Nan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5308)

Abstract

With the increasing concerns over the security and privacy of Web based applications, many solutions based on strong cryptography have been proposed to protect client side Web applications against attacks such as phishing, pharming and even server side attacks. While strong cryptography is used, one critical building block in cryptosystem, the random number generator, is often neglected. Considering this situation, in this paper we design and implement a pseudo-random number generator only rely on ubiquitous Web browser abilities - JavaScript, HTML and AJAX. We also provide a mechanism called Pseudo-cookie for JavaScript programs to access operating system services for retrieving random or entropy values without changing Web browser security policies. The security model, analysis and performance evaluation demonstrate that our method is secure and efficient.

Keywords

Elliptic Curve Block Cipher Symmetric Encryption Elliptic Curve Digital Signature Algorithm True Random Number Generator 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Adida, B.: Beamauth: two-factor web authentication with a bookmark. In: CCS 2007: Proceedings of the 14th ACM conference on Computer and communications security, pp. 48–57. ACM, New York (2007)Google Scholar
  2. 2.
    Guan, Z., Cao, Z., Zhao, X., Chen, R., Chen, Z., Nan, X.: WebIBC: Identity Based Cryptography for the Client Side Security of Web Based Applications. In: Proceedings of ICDCS (2008)Google Scholar
  3. 3.
    Barulli, M., Solaroli, G.C.: Clipperz: the free and anonymous online password manager (2007)Google Scholar
  4. 4.
    Menezes, A., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)CrossRefzbMATHGoogle Scholar
  5. 5.
    Debian Security Advisory: DSA-1571-1 openssl – predictable random number generator (2008), http://www.debian.org/security/2008/dsa-1571
  6. 6.
    Wenz, C.: JavaScript und AJAX. Galileo Computing (2007)Google Scholar
  7. 7.
    ECMA: Standard ECMA-262, ECMAScript Language Specification 3rd (1999), http://www.ecma-international.org/publications/standards/Ecma-262.htm
  8. 8.
    Gutmann, P.: The design and verification of a cryptographic security architecture. submitted thesis (2000), http://www.cs.auckland.ac.nz/pgut001/pubs/thesis.html
  9. 9.
    Gutmann, P.: Software generation of practically strong random numbers. In: Proceeding of 7th USENIS Security Symposium (1998)Google Scholar
  10. 10.
    Barak, B., Halevi, S.: A model and architecture for pseudo-random generation with applications to /dev/random. In: Atluri, V., Meadows, C., Juels, A. (eds.) ACM Conference on Computer and Communications Security, pp. 203–212. ACM, New York (2005)Google Scholar
  11. 11.
    Dorrendorf, L., Gutterman, Z., Pinkas, B.: Cryptanalysis of the windows random number generator. In: Ning, P., di Vimercati, S.D.C., Syverson, P.F. (eds.) ACM Conference on Computer and Communications Security, pp. 476–485. ACM, New York (2007)Google Scholar
  12. 12.
    Gutterman, Z., Pinkas, B., Reinman, T.: Analysis of the linux random number generator. In: S&P, pp. 371–385. IEEE Computer Society, Los Alamitos (2006)Google Scholar
  13. 13.
    Hankerson, D., Menezes, A., Vanstone, S.: Guide to elliptic curve cryptography. Springer, Heidelberg (2004)zbMATHGoogle Scholar
  14. 14.
    Zheng, Y., Matsumoto, T.: Breaking Real-World Implementations of Cryptosystems by Manipulating their Random Number Generation. In: Proceedings of the 1997 Symposium on Cryptography and Informations Security (1997)Google Scholar
  15. 15.
    Bellare, M., Goldwasser, S., Micciancio, D.: Pseudo-random number generation within cryptographic algorithms: The dds case. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 277–291. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  16. 16.
    Mozilla.org: Signed Scripts in Mozilla (2007), http://www.mozilla.org/projects/security/components/signed-scripts.html
  17. 17.
    W3C: W3C Recommendation on XML-Signature Syntax and Processing (2002), http://www.w3.org/TR/xmldsig-core/
  18. 18.
    RSA Laboratary: PKCS5: Password-Based Cryptography Standard version 2.0 (1999), ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-5v2/pkcs-5v2-0a1.pdf
  19. 19.
    RSA Laboratary: PKCS7: Cryptographic Message Syntax Standard version 1.6 (1997), ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-7/pkcs-7v16.pdf
  20. 20.
    Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness extraction and key derivation using the cbc, cascade and hmac modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  21. 21.
    FIPS 186: Digital Signature Standard. FIPS Publication 186, U.S. Department of Commerce/NIST, National Technical Information Service, Springfield, Virginia (1994)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Zhi Guan
    • 1
  • Long Zhang
    • 1
  • Zhong Chen
    • 1
  • Xianghao Nan
    • 1
  1. 1.Institute of Software, School of EECS, Peking University., Key Lab of High Confidence Software Technologies (Peking Univ.), Ministry of EducationChina

Personalised recommendations