Skip to main content
Springer Nature Link
Log in

On the Security of a Popular Web Submission and Review Software (WSaR) for Cryptology Conferences

  • Conference paper
Information Security Applications (WISA 2007)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4867))

Included in the following conference series:

Abstract

Most, if not all, conferences use an online system to handle paper submissions and reviews. Introduction of these systems has significantly facilitated the administration, submission and review process compared to traditional paper-based ones. However, it is crucial that these systems have strong resistance against Web attacks as they involve confidential data and privacy. Some submissions could be leading edge breakthroughs that authors do not wish to leak out and be subtly plagiarized. Also, security of the employed system will attract more submissions to conferences that use it and gives confidence of the quality that the conferences uphold. In this paper, we analyze the security of the Web-Submission-and-Review (WSaR) software - latest version 0.53 beta at the time of writing; developed by Shai Halevi from IBM Research. WSaR is currently in use by top cryptology and security-related conferences including Eurocrypt 2007 & 2008, Crypto 2007, and Asiacrypt 2007, annually sponsored by the International Association for Cryptologic Research (IACR). We present detailed analysis on WSaR’s security features. In particular, we first discuss the desirable security features that are designed into WSaR and what attacks these features defend against. Then, we discuss how some untreated security issues may lead to problems, and we show how to enhance WSaR security features to take these issues into consideration. Our results are the first known careful analysis of WSaR, or any type of online submission system for that matter.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. AICT Security - Empty your Cache. Available online at https://www.ualberta.ca/AICT/Security/BrowserCache.html#private

  2. Archer, T.: Are Hash Codes Unique? Available online at http://blogs.msdn.com/tomarcher/archive/2006/05/10/594204.aspx

  3. Bellare, M., Rogaway, P.: Entity Authentication and Key Distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)

    Google Scholar 

  4. CIBC - Clear Your Browser’s Cache. Available online at http://www.cibc.com/ca/legal/clear-browsers-cache.html

  5. Conklin, W.A., White, G.B., Cothren, C., Williams, D., Davis, R.L.: Principles of Computer Security: Security+ TM and Beyond. McGraw-Hill, New York (2005)

    Google Scholar 

  6. EasyChair Conference System. Available online at http://www.easychair.org/

  7. Foster, J.C.: Defense Tactics for SQL Injection Attacks. Available online at http://searchappsecurity.techtarget.com/tip/0,289483,sid92_gci1219912,00.html

  8. Fyre, C.: One Simple Rule to Make your Web Apps more Secure (2006), Available online at http://searchappsecurity.techtarget.com/qna/0,289202,sid92_gci1225425,00.html

  9. Google Mail. Available online at http://gmail.google.com

  10. Halevi, S.: Web Submission and Review Software. Available online at http://theory.csail.mit.edu/~shaih/websubrev

  11. IACR Conferences. Available online at http://www.iacr.org/conferences/

  12. McClure, S., Shah, S., Shah, S.: Web Hacking: Attacks and Defense. Addison-Wesley, Reading (2003)

    Google Scholar 

  13. Microsoft Corporation. Microsoft’s Conference Management Toolkit. Available online at http://msrcmt.research.microsoft.com/cmt/

  14. Password Cracking: Information from Answers.com (2006), Available online at http://www.answers.com/topic/password-cracking

  15. Peikari, C., Chuvakin, A.: Security Warrior. O’Reilly (2004)

    Google Scholar 

  16. Phan, R.C.-W., Goi, B.-M.: Flaw in IEEE Trans on Consumer Electronics Online Submission System. In: Dawson, E., Vaudenay, S. (eds.) Mycrypt 2005. LNCS, vol. 3715, Springer, Heidelberg (2005)

    Google Scholar 

  17. Phan, R.C.-W., Ling, H.-C.: On the Insecurity of the Microsoft Research Conference Management Tool (MSRCMT) System. In: CITA 2005. Proceedings of International Conference on IT in Asia, pp. 75–79 (2005) Also presented at the rump session of Asiacrypt 2004, Jeju Island, Korea

    Google Scholar 

  18. PHP Manual. Full version available online at http://www.php.net/manual/en/

  19. Regular Expressions (2006),Available online at http://searchappsecurity.techtarget.com/sDefinition/0,290660,sid92_gci517740,00.html

  20. ScholarOne, Inc. Manuscript Central: About Manuscript Central. Available online at http://www.scholarone.com/products_manuscriptcentral_aboutMC.shtml

  21. Security Information Clearing Browser Cache and History. Available online at http://www.hlasset.com/files/Clearing_Cache_History.pdf

  22. SoftConf.com - Software for Conferences. Available online at http://www.softconf.com/index.html

  23. SourceForge.net: Web Submission and Review Software. Available online at http://sourceforge.net/projects/websubrev

  24. What is SQL Injection? (2006), Available online at http://searchappsecurity.techtarget.com/sDefinition/0,290660,sid92_gci1003024,00.html

  25. The Ten Most Critical Web Application Security Vulnerabilities (2004) Available online at http://osdn.dl.sourceforge.net/sourceforge/owasp/OWASPTopTen2004.pdf

  26. Ware, M.: Online Submission and Peer-Review System (2005) Available online at www.zen34802.zen.co.uk/Learned_Publishing_offprint.pdf

Download references

Author information

Authors and Affiliations

  1. School of Electrical & Electronics Engineering & Computer Science, Kyungpook National University, Sankyuk-dong, Buk-gu, Daegu, 702-701, Korea

    Swee-Won Lo

  2. Laboratoire de sécurité et de cryptographie (LASEC), Ecole Polytechnique Fédérale de Lausanne (EPFL), CH-1015 Lausanne, Switzerland

    Raphael C. -W. Phan

  3. Centre for Cryptography and Information Security (CCIS), Faculty of Engineering, Multimedia University, 63100, Cyberjaya, Malaysia

    Bok-Min Goi

Authors
  1. Swee-Won Lo
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Raphael C. -W. Phan
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Bok-Min Goi
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Industrial Engineering, KAIST, 373-1, Guseong-dong, Yuseong-gu, 305-701, Daejeon, Korea

    Sehun Kim

  2. RSA Labs, EMC Corp. and Department of Computer Science, Columbia University,, USA

    Moti Yung

  3. Div. Computer Information of Software, Hanshin University, 411, Yangsan-dong, 447-791, Osan, Gyunggi, South Korea

    Hyung-Woo Lee

Rights and permissions

Reprints and permissions

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Lo, SW., Phan, R.C.W., Goi, BM. (2007). On the Security of a Popular Web Submission and Review Software (WSaR) for Cryptology Conferences. In: Kim, S., Yung, M., Lee, HW. (eds) Information Security Applications. WISA 2007. Lecture Notes in Computer Science, vol 4867. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77535-5_18

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-77535-5_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-77534-8

  • Online ISBN: 978-3-540-77535-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics