Keys to the cloud: formal analysis and concrete attacks on encrypted web storage

Authors:
Chetan Bansal;Karthikeyan Bhargavan;Antoine Delignat-Lavaud;Sergio Maffeis
Affiliations:
BITS Pilani-Goa, India;INRIA Paris-Rocquencourt, France;INRIA Paris-Rocquencourt, France;Imperial College London, UK
Venue:
POST'13 Proceedings of the Second international conference on Principles of Security and Trust
Year:
2013

Citing 15
Cited 1

Mobile values, new names, and secure communication

POPL '01 Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Secure Applications of Low-Entropy Keys

ISW '97 Proceedings of the First International Workshop on Information Security
Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Robust defenses for cross-site request forgery

Proceedings of the 15th ACM conference on Computer and communications security
Helios: web-based open-audit voting

SS'08 Proceedings of the 17th conference on Security symposium
Automatic verification of correspondences for security protocols

Journal of Computer Security
Alloy: a logical modelling language

ZB'03 Proceedings of the 3rd international conference on Formal specification and development in Z and B
Towards a Formal Foundation of Web Security

CSF '10 Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium
Rootkits for JavaScript environments

WOOT'09 Proceedings of the 3rd USENIX conference on Offensive technologies
Featherweight Firefox: formalizing the core of a web browser

WebApps'10 Proceedings of the 2010 USENIX conference on Web application development
Cryptographic cloud storage

FC'10 Proceedings of the 14th international conference on Financial cryptograpy and data security
Browser model for security analysis of browser-based protocols

ESORICS'05 Proceedings of the 10th European conference on Research in Computer Security
Privacy supporting cloud computing: confichair, a case study

POST'12 Proceedings of the First international conference on Principles of Security and Trust
Discovering Concrete Attacks on Website Authorization by Formal Analysis

CSF '12 Proceedings of the 2012 IEEE 25th Computer Security Foundations Symposium
Web-based attacks on host-proof encrypted storage

WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies

Language-based defenses against untrusted browser origins

SEC'13 Proceedings of the 22nd USENIX conference on Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

To protect sensitive user data against server-side attacks, a number of security-conscious web applications have turned to client-side encryption, where only encrypted user data is ever stored in the cloud. We formally investigate the security of a number of such applications, including password managers, cloud storage providers, an e-voting website and a conference management system. We find that their security relies on both their use of cryptography and the way it combines with common web security mechanisms as implemented in the browser. We model these applications using the WebSpi web security library for ProVerif, we discuss novel attacks found by automated formal analysis, and we propose robust countermeasures.