Abstract
Protecting web application code and sensitive data has become one of the primary concerns in web services. In this paper, a symmetric cryptosystem combined with an identity-based public key cryptosystem is proposed to protect web application programs and sensitive data. The key generation center generates the private and public key pairs for the web server and the users, which are used for identity authentication and data integrity. When web application code and sensitive data are transmitted between the web server and the user's browser, a random session key is generated to encrypt them; a digital signature is then generated and attached to the encrypted program code and sensitive data. The security analysis shows that the proposed scheme ensures the confidentiality, integrity and authentication of web application code and sensitive data.
Acknowledgments
This work was supported by project of State Grid Shandong Electric Power Company (No.520627200001).
Copyright information
© 2021 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Ni, J., Liu, Z., Li, N., Zhang, C., Cui, B., Kong, H. (2021). Protecting Web Application Code and Sensitive Data with Symmetric and Identity-Based Cryptosystems. In: Zeng, J., Qin, P., Jing, W., Song, X., Lu, Z. (eds) Data Science. ICPCSEE 2021. Communications in Computer and Information Science, vol 1452. Springer, Singapore. https://doi.org/10.1007/978-981-16-5943-0_17
DOI: https://doi.org/10.1007/978-981-16-5943-0_17
Publisher Name: Springer, Singapore
Print ISBN: 978-981-16-5942-3
Online ISBN: 978-981-16-5943-0