DOI: 10.1145/3052973.3052982
research-article

SECRET: On the Feasibility of a Secure, Efficient, and Collaborative Real-Time Web Editor

Published: 02 April 2017

ABSTRACT

Real-time editing tools like Google Docs, Microsoft Office Online, or Etherpad have changed the way of collaboration. Many of these tools are based on Operational Transforms (OT), which guarantee that the views of different clients onto a document remain consistent over time. Usually, documents and operations are exposed to the server in plaintext -- and thus to administrators, governments, and potentially cyber criminals. Therefore, it is highly desirable to work collaboratively on encrypted documents. Previous implementations do not unleash the full potential of this idea: They either require large storage, network, and computation overhead, are not real-time collaborative, or do not take the structure of the document into account. The latter simplifies the approach since only OT algorithms for byte sequences are required, but the resulting ciphertexts are almost four times the size of the corresponding plaintexts.

We present SECRET, the first secure, efficient, and collaborative real-time editor. In contrast to all previous works, SECRET is the first tool that (1.) allows the encryption of whole documents or arbitrary sub-parts thereof, (2.) uses a novel combination of tree-based OT with a structure preserving encryption, and (3.) requires only a modern browser without any extra software installation or browser extension.

We evaluate our implementation and show that its encryption overhead is three times smaller in comparison to all previous approaches. SECRET can even be used by multiple users in a low-bandwidth scenario. The source code of SECRET is published on GitHub as an open-source project: https://github.com/RUB-NDS/SECRET/

Published in

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
April 2017
952 pages
ISBN: 9781450349444
DOI: 10.1145/3052973

Copyright © 2017 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

ASIA CCS '17 paper acceptance rate: 67 of 359 submissions, 19%. Overall acceptance rate: 418 of 2,322 submissions, 18%.
