Top

Mobile Networks and Applications

Published in:

22-02-2020

ShadowFPE: New Encrypted Web Application Solution Based on Shadow DOM

Authors: Xiaojie Guo, Yanyu Huang, Jinhui Ye, Sijie Yin, Min Li, Zhaohui Li, Siu-Ming Yiu, Xiaochun Cheng

Published in: Mobile Networks and Applications | Issue 4/2021

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Most of users hesitate to use third-party web applications because of security and privacy concerns. An ideal solution would be to allow apps to work with encrypted data, so that users might be more willing to provide just the encrypted version of their sensitive data. ShadowCrypt, proposed in CCS 2014, is the first and so far only solution that can achieve this by leveraging the encapsulation provided by Shadow DOM V0, without the need for the users to trust neither server nor client codes of web applications. Unfortunately, researchers have shown that ShadowCrypt is vulnerable to several attacks. Note that ShadowCrypt is no longer compliant to the updated W3C standard since 2015. Furthermore, some attacks on ShadowCrypt have been proposed. Hence, currently there is no effective and secure solution to guarantee the privacy of users. In this paper, we present ShadowFPE, a novel format-preserving encryption that makes use of a robust property in Shadow DOM to obtain a feasible solution. Compared with ShadowCrypt, ShadowFPE does not destroy the data format and makes the data usable in most of cloud web applications. We confirmed the effectiveness and security of ShadowFPE through case studies on web applications. Our results show that ShadowFPE is practical since it has low computational overhead and requires minimal modification in existing applications.

previous article Research on Intelligent Detection of Command Level Stack Pollution for Binary Program Analysis

next article Convergence of 5G Technologies, Artificial Intelligence and Cybersecurity of Networked Societies for the Cities of Tomorrow

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

ATZelektronik

Die Fachzeitschrift ATZelektronik bietet für Entwickler und Entscheider in der Automobil- und Zulieferindustrie qualitativ hochwertige und fundierte Informationen aus dem gesamten Spektrum der Pkw- und Nutzfahrzeug-Elektronik.

Lassen Sie sich jetzt unverbindlich 2 kostenlose Ausgabe zusenden.

inform now

ATZelectronics worldwide

ATZlectronics worldwide is up-to-speed on new trends and developments in automotive electronics on a scientific level with a high depth of information.

Order your 30-days-trial for free and without any commitment.

inform now

Kamara S, Papamanthou C, Roeder T (2012) Dynamic searchable symmetric encryption. In: Proceedings of the 2012 ACM conference on computer and communications security (CCS). ACM, pp 965–976

Cheng R, Yan J, Guan C, Zhang F, Ren K (2015) Verifiable searchable symmetric encryption from indistinguishability obfuscation. In: Proceedings of the 2015 ACM conference on computer and communications security (CCS). ACM, pp 621–626

Popa RA, Redfield C, Zeldovich N, Balakrishnan H (2011) CryptDB: protecting confidentiality with encrypted query processing. In: Proceedings of the twenty-third ACM symposium on operating systems principles. ACM, pp 85–100

He W, Akhawe D, Akhawe S, Shi E, Song D (2014) Shadowcrypt: encrypted web applications for everyone. In: Proceedings of the 2014 ACM SIGSAC conference on computer and communications security (CCS). ACM, pp 1028–1039

John B, Phillip R (2002) Ciphers with arbitrary finite domains. Topics Cryptol–CT-RSA Springer 2271:114–130MathSciNetMATH

Spies T (2008) Feistel finite set encryption mode. NIST Proposed Encryption Mode

Morris B, Rogaway P, Stegers T (2009) How to encipher messages on a small domain. In: Advances in cryptology-CRYPTO 2009. Springer, pp 286–302

Liu Z, Jia C, Li J (2010) Format-Preserving encryption for datetime. In: 2010 IEEE International conference on intelligent computing and intelligent systems. IEEE, pp 201–205

Bellare M, Rogaway P, Spies T (2010) The FFX mode of operation for format-preserving encryption NIST submission

10.

Christodorescu M (2008) Private use of untrusted web servers via opportunistic encryption. W2SP 2008: Web 2.0 Security and Privacy

11.

Popa RA, Stark E, Valdez S, Helfer J, Zeldovich N, Balakrishnan H (2014) Securing web applications by blindfolding the server. In: Proceedings of the USENIX symposium of networked systems design and implementation (NDSI)

12.

Lastpass blog (2011) Cross site scripting vulnerability reported fixed. http://goo.gl/4MDNjU

13.

Cryptocat blog (2012) Xss vulnerability discovered and fixed. http://goo.gl/Nq7tVk

14.

Fung B, Wang K, Chen R, Yu PS (2010) Privacy-preserving data publishing: a survey of recent developments. ACM Comput Surv (CSUR) 42(4):14CrossRef

15.

Ruoti S, Zappala D, Seamons K (2015) MessageGuard: retrofitting the web with user-to-user encryption. arXiv:1510.08943

16.

Mihir B, Viet TH (2017) Identity-based format-preserving encryption. CCS

Title: ShadowFPE: New Encrypted Web Application Solution Based on Shadow DOM
Authors: Xiaojie Guo
Yanyu Huang
Jinhui Ye
Sijie Yin
Min Li
Zhaohui Li
Siu-Ming Yiu
Xiaochun Cheng
Publication date: 22-02-2020
Publisher: Springer US
Published in: Mobile Networks and Applications / Issue 4/2021
Print ISSN: 1383-469X
Electronic ISSN: 1572-8153
DOI: https://doi.org/10.1007/s11036-019-01509-y

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

ATZelektronik

ATZelectronics worldwide

Other articles of this Issue 4/2021

An Evolutionary-Based Black-Box Attack to Deep Neural Network Classifiers

An Efficient Bounded Model Checking Approach for Web Service Composition

Intrusion Detection System for IoT Heterogeneous Perceptual Network

Research on Intelligent Detection of Command Level Stack Pollution for Binary Program Analysis

Role-Based Access Control Model for Cloud Storage Using Identity-Based Cryptosystem

A Confidence-Guided Evaluation for Log Parsers Inner Quality