17,536 research outputs found
Secure Web Forms with Client-Side Signatures
Abstract. The World Wide Web is evolving from a platform for infor-mation access into a platform for interactive services. The interaction of the services is provided by forms. Some of these services, such as bank-ing and e-commerce, require secure, non-repudiable transactions. This paper presents a novel scheme for extending the current Web forms lan-guage, XForms, with secure client-side digital signatures, using the XML Signatures language. The requirements for the scheme are derived from representative use cases. A key requirement, also for legal validity of the signature, is the reconstruction of the signed form, when validat-ing the signature. All the resources, referenced by the form, including client-side default stylesheets, have to be included within the signature. Finally, this paper presents, as a proof of concept, an implementation of the scheme and a related use case. Both are included in an open-source XML browser, X-Smiles.
The Value of User-Visible Internet Cryptography
Cryptographic mechanisms are used in a wide range of applications, including
email clients, web browsers, document and asset management systems, where
typical users are not cryptography experts. A number of empirical studies have
demonstrated that explicit, user-visible cryptographic mechanisms are not
widely used by non-expert users, and as a result arguments have been made that
cryptographic mechanisms need to be better hidden or embedded in end-user
processes and tools. Other mechanisms, such as HTTPS, have cryptography
built-in and only become visible to the user when a dialogue appears due to a
(potential) problem. This paper surveys deployed and potential technologies in
use, examines the social and legal context of broad classes of users, and from
there, assesses the value and issues for those users
To Share or Not to Share in Client-Side Encrypted Clouds
With the advent of cloud computing, a number of cloud providers have arisen
to provide Storage-as-a-Service (SaaS) offerings to both regular consumers and
business organizations. SaaS (different than Software-as-a-Service in this
context) refers to an architectural model in which a cloud provider provides
digital storage on their own infrastructure. Three models exist amongst SaaS
providers for protecting the confidentiality data stored in the cloud: 1) no
encryption (data is stored in plain text), 2) server-side encryption (data is
encrypted once uploaded), and 3) client-side encryption (data is encrypted
prior to upload). This paper seeks to identify weaknesses in the third model,
as it claims to offer 100% user data confidentiality throughout all data
transactions (e.g., upload, download, sharing) through a combination of Network
Traffic Analysis, Source Code Decompilation, and Source Code Disassembly. The
weaknesses we uncovered primarily center around the fact that the cloud
providers we evaluated were each operating in a Certificate Authority capacity
to facilitate data sharing. In this capacity, they assume the role of both
certificate issuer and certificate authorizer as denoted in a Public-Key
Infrastructure (PKI) scheme - which gives them the ability to view user data
contradicting their claims of 100% data confidentiality. We have collated our
analysis and findings in this paper and explore some potential solutions to
address these weaknesses in these sharing methods. The solutions proposed are a
combination of best practices associated with the use of PKI and other
cryptographic primitives generally accepted for protecting the confidentiality
of shared information
A comprehensive meta-analysis of cryptographic security mechanisms for cloud computing
The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.The concept of cloud computing offers measurable computational or information resources as a service over the Internet. The major motivation behind the cloud setup is economic benefits, because it assures the reduction in expenditure for operational and infrastructural purposes. To transform it into a reality there are some impediments and hurdles which are required to be tackled, most profound of which are security, privacy and reliability issues. As the user data is revealed to the cloud, it departs the protection-sphere of the data owner. However, this brings partly new security and privacy concerns. This work focuses on these issues related to various cloud services and deployment models by spotlighting their major challenges. While the classical cryptography is an ancient discipline, modern cryptography, which has been mostly developed in the last few decades, is the subject of study which needs to be implemented so as to ensure strong security and privacy mechanisms in today’s real-world scenarios. The technological solutions, short and long term research goals of the cloud security will be described and addressed using various classical cryptographic mechanisms as well as modern ones. This work explores the new directions in cloud computing security, while highlighting the correct selection of these fundamental technologies from cryptographic point of view
XML Security in Certificate Management - XML Certificator
The trend of rapid growing use of XML format in data/document management system reveals that security measures should be urgently considered into next generation's data/document systems. This paper presents a new certificate management system developed on the basis of XML security mechanisms. The system is supported by the theories of XML security as well as Object oriented technology and database. Finally it has been successfully implemented in using C&#, SQL, XML signature and XML encryption. An implementation metrics is evidently presented
Validating a Web Service Security Abstraction by Typing
An XML web service is, to a first approximation, an RPC service in which
requests and responses are encoded in XML as SOAP envelopes, and transported
over HTTP. We consider the problem of authenticating requests and responses at
the SOAP-level, rather than relying on transport-level security. We propose a
security abstraction, inspired by earlier work on secure RPC, in which the
methods exported by a web service are annotated with one of three security
levels: none, authenticated, or both authenticated and encrypted. We model our
abstraction as an object calculus with primitives for defining and calling web
services. We describe the semantics of our object calculus by translating to a
lower-level language with primitives for message passing and cryptography. To
validate our semantics, we embed correspondence assertions that specify the
correct authentication of requests and responses. By appeal to the type theory
for cryptographic protocols of Gordon and Jeffrey's Cryptyc, we verify the
correspondence assertions simply by typing. Finally, we describe an
implementation of our semantics via custom SOAP headers.Comment: 44 pages. A preliminary version appears in the Proceedings of the
Workshop on XML Security 2002, pp. 18-29, November 200
3PAC: Enforcing Access Policies for Web Services
Web services fail to deliver on the promise of ubiquitous deployment and seamless interoperability due to the lack of a uniform, standards-based approach to all aspects of security. In particular, the enforcement of access policies in a service oriented architecture is not addressed adequately. We present a novel approach to the distribution and enforcement of credentials-based access policies for Web services (3PAC) which scales well and can be implemented in existing deployments
- …