
F3ildCrypt: End-to-End Protection of Sensitive Information in Web Services

  • Conference paper
Information Security (ISC 2009)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 5735)

Abstract

The frequency and severity of a number of recent intrusions involving data theft and leakages have shown that online users’ trust, voluntary or not, in the ability of third parties to protect their sensitive data is often unfounded. Data may be exposed anywhere along a corporation’s web pipeline, from the outward-facing web servers to the back-end databases. The problem is exacerbated in service-oriented architectures (SOAs) where data may also be exposed as they transit between SOAs. For example, credit card numbers may be leaked during transmission to or handling by transaction-clearing intermediaries.

We present F3ildCrypt, a system that provides end-to-end protection of data across a web pipeline and between SOAs. Sensitive data are protected from their origin (the user’s browser) to their legitimate final destination. To that end, F3ildCrypt exploits browser scripting to enable application- and merchant-aware handling of sensitive data. Such techniques have traditionally been considered a security risk; to our knowledge, this is one of the first uses of web scripting that enhances overall security. Our approach scales well in the number of public key operations required for web clients and does not reveal proprietary details of the logical enterprise network. We evaluate F3ildCrypt and show an additional cost of 40 to 150 ms when making sensitive transactions from the web browser, and a processing rate of 100 to 140 protected fields/second on the server. We believe such costs to be a reasonable tradeoff for increased sensitive-data confidentiality.



Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Burnside, M., Keromytis, A.D. (2009). F3ildCrypt: End-to-End Protection of Sensitive Information in Web Services. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds) Information Security. ISC 2009. Lecture Notes in Computer Science, vol 5735. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04474-8_38

  • DOI: https://doi.org/10.1007/978-3-642-04474-8_38

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04473-1

  • Online ISBN: 978-3-642-04474-8

  • eBook Packages: Computer Science, Computer Science (R0)
