Volume 23, Issue 5


SecureWeb: Protecting Sensitive Information Through the Web Browser Extension with a Security Token

Shuang Liang, Yue Zhang, Bo Li, Xiaojie Guo, Chunfu Jia, Zheli Liu
College of Cyberspace Security, Nankai University, Tianjin 300350, China.
Information Security Evaluation Center of Civil Aviation, Civil Aviation University of China, Tianjin 300300, China.
Key Lab on High Trusted Information System in Hebei Province, Baoding 071002, China.

Abstract

The leakage of sensitive data occurs on a large scale and with increasingly serious impact. It may cause privacy disclosure or even property damage. Password leakage is one of the fundamental causes of information leakage, and its importance must be emphasized because users are likely to reuse the same passwords across different Web application accounts. Existing approaches use password managers and encrypted Web applications to protect passwords and other sensitive data; however, they may be compromised or lack accessibility. This paper presents SecureWeb, a secure, practical, and user-controllable framework for mitigating the leakage of sensitive data. SecureWeb protects users’ passwords and aims to provide a unified protection solution for diverse kinds of sensitive data. The efficiency of the developed schemes is demonstrated, and the results indicate that they have low overhead and are of practical use.

Keywords: password manager, data privacy, format-preserving encryption, Shadow Document Object Model (DOM)

Publication history

Received: 14 June 2017
Revised: 07 September 2017
Accepted: 10 September 2017
Published: 17 September 2018
Issue date: October 2018

Copyright

© The author(s) 2018

Acknowledgements

This work was supported by the National Key Basic Research Program of China (No. 2013CB834204), the National Natural Science Foundation of China (Nos. 61672300 and 61772291), the Natural Science Foundation of Tianjin, China (Nos. 16JCYBJC15500 and 17JCZDJC30500), and the Open Project Foundation of the Information Security Evaluation Center of Civil Aviation, Civil Aviation University of China (No. CAAC-ISECCA-201702).
