iHTTP: efficient authentication of non-confidential HTTP traffic

  • Authors:
  • Jason Gionta;Peng Ning;Xiaolan Zhang

  • Affiliations:
  • North Carolina State University, Raleigh, NC;North Carolina State University, Raleigh, NC;IBM T.J. Watson Research Center, Hawthorne, NY

  • Venue:
  • ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
  • Year:
  • 2012

Abstract

HTTPS is the standard protocol for protecting information sent over the World Wide Web. However, HTTPS adds substantial overhead to servers, clients, and networks [1, 2]. As a result, website owners often pass on HTTPS and resort to only HTTP for hosting websites, leaving clients and servers vulnerable to attacks [3, 4]. Techniques have been proposed to only enable authentication and integrity of HTTP (response) data [2, 5–7]. However, they all suffer from vulnerabilities and poor performance. In this paper, we propose iHTTP, a new approach for enabling lightweight, efficient authentication and verification of HTTP (response) data. We adaptively handle different data encodings to allow for better performance without affecting user experience. We introduce a novel technique, Sliding-Timestamps, to allow iHTTP clients to authenticate the freshness of response data to prevent replay attacks and amortize signing costs. We also introduce Opportunistic Hash Verification to reduce client public key operations required to authenticate full web pages. We show in our experimental evaluation that iHTTP provides similar performance to HTTP, and higher throughput and lower maximum response time than HTTPS and HTTPi, the most recent HTTP authentication approach [7], for Client-Static data.