iHTTP: Efficient Authentication of Non-confidential HTTP Traffic

  • Jason Gionta
  • Peng Ning
  • Xiaolan Zhang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7341)

Abstract

HTTPS is the standard protocol for protecting information sent over the World Wide Web. However, HTTPS adds substantial overhead to servers, clients, and networks [1, 2]. As a result, website owners often pass on HTTPS and resort to only HTTP for hosting websites, leaving clients and servers vulnerable to attacks [3, 4]. Techniques have been proposed to only enable authentication and integrity of HTTP (response) data [2, 5–7]. However, they all suffer from vulnerabilities and poor performance. In this paper, we propose iHTTP, a new approach for enabling lightweight, efficient authentication and verification of HTTP (response) data. We adaptively handle different data encodings to allow for better performance without affecting user experience. We introduce a novel technique, Sliding-Timestamps, to allow iHTTP clients to authenticate the freshness of response data to prevent replay attacks and amortize signing costs. We also introduce Opportunistic Hash Verification to reduce client public key operations required to authenticate full web pages. We show in our experimental evaluation that iHTTP provides similar performance to HTTP, and higher throughput and lower maximum response time than HTTPS and HTTPi, the most recent HTTP authentication approach [7], for Client-Static data.

Keywords

Client Request; Hash Chain; Hash Operation; Cache Directive; Message Body

References

  1. Coarfa, C., Druschel, P., Wallach, D.S.: Performance analysis of TLS web servers. ACM Trans. Comput. Syst. 24, 39–69 (2006)
  2. Gaspard, C., Goldberg, S., Itani, W., Bertino, E., Nita-Rotaru, C.: SINE: cache-friendly integrity for the web. In: 5th IEEE Workshop on Secure Network Protocols, pp. 7–12 (2009)
  3. Vratonjic, N., Freudiger, J., Hubaux, J.P.: Integrity of the web content: the case of online advertising. In: Proceedings of the 2010 International Conference on Collaborative Methods for Security and Privacy, CollSec 2010. USENIX Association, Berkeley (2010)
  4. Stamm, S., Ramzan, Z., Jakobsson, M.: Drive-By Pharming. In: Qing, S., Imai, H., Wang, G. (eds.) ICICS 2007. LNCS, vol. 4861, pp. 495–506. Springer, Heidelberg (2007)
  5. Lesniewski-Laas, C.: SSL splitting and barnraising: Cooperative caching with authenticity guarantees. Master's thesis, Massachusetts Institute of Technology (2003)
  6. Choi, T., Gouda, M.: HTTPi: an HTTP with integrity. In: Proceedings of the 20th International Conference on Computer Communications and Networks (2011)
  7. Singh, K., Wang, H., Moshchuk, A., Jackson, C., Lee, W.: Practical end-to-end web content integrity. In: Proceedings of the 21st International World Wide Web Conference, WWW 2012 (2012)
  8. Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., Berners-Lee, T.: RFC 2616, Hypertext Transfer Protocol – HTTP/1.1 (1999)
  9. Rescorla, E.: HTTP over TLS. Internet RFC 2818 (2000)
  10. Rescorla, E., Schiffman, A.: The Secure Hypertext Transfer Protocol – S-HTTP (1999)
  11. Torvinen, V., Arkko, J., Naeslund, M.: Hypertext Transfer Protocol (HTTP) digest authentication using authentication and key agreement version-2. Internet RFC 4169 (2005)
  12. Erman, J., Gerber, A., Hajiaghayi, M.T., Pei, D., Spatscheck, O.: Network-aware forward caching. In: Proceedings of the 18th International Conference on World Wide Web, WWW 2009, pp. 291–300. ACM, New York (2009)
  13. Reis, C., Gribble, S.D., Kohno, T., Weaver, N.C.: Detecting in-flight page changes with web tripwires. In: Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2008, pp. 31–44. USENIX Association, Berkeley (2008)
  14. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography, 1st edn. CRC Press, Inc., Boca Raton (1996)
  15. Perrig, A., Canetti, R., Tygar, J., Song, D.: Efficient authentication and signing of multicast streams over lossy channels. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 56–73 (2000)
  16. Barker, E., Roginsky, A.: Transitions: Recommendation for transitioning the use of cryptographic algorithms and key lengths. SP 800-131A, U.S. DoC/National Institute of Standards and Technology (2011)

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Jason Gionta (1)
  • Peng Ning (1)
  • Xiaolan Zhang (2)
  1. North Carolina State University, Raleigh, USA
  2. IBM T.J. Watson Research Center, Hawthorne, USA