Journal of Internet Computing and Services (인터넷정보학회논문지)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지
DOI QR코드

DOI QR Code

A Study on Data Security of Web Local Storage

웹 로컬스토리지 데이터 보안을 위한 연구

  • Kim, Ji-soo (CIST (Center for Information Security Technologies), Korea Univ. Anam Campus) ;
  • Moon, Jong-sub (CIST (Center for Information Security Technologies), Korea Univ. Anam Campus)
  • Received : 2016.03.07
  • Accepted : 2016.04.11
  • Published : 2016.06.30
Download PDF
⟨ Previous Next ⟩

Abstract

A local storage of HTML5 is a Web Storage, which is stored permanently on a local computer in the form of files. The contents of the storage can be easily accessed and modified because it is stored as plaintext. Moreover, because the internet browser classifies the local storages of each domain using file names, the malicious attacker can abuse victim's local storage files by changing file names. In the paper, we propose a scheme to maintain the integrity and the confidentiality of the local storage's source domain and source device. The key idea is that the client encrypts the data stored in the local storage with cipher key, which is managed by the web server. On the step of requesting the cipher key, the web server authenticates whether the client is legal source of local storage or not. Finally, we showed that our method can detect an abnormal access to the local storage through experiments according to the proposed method.

HTML5의 로컬스토리지는 HTML5에서 지원하는 웹 스토리지로, 디바이스에 파일 형태로 저장되어 온 오프라인 모두에서 호환 가능하고 영구 보관이 가능하다는 특징을 가진다. 그러나 로컬스토리지는 데이터를 평문상태로 저장하기 때문에, 파일에 대한 접근 및 수정이 가능하다. 또한 각 도메인에 대한 로컬스토리지를 파일명을 통해 분류하기 때문에, 파일명이 변조되거나 다른 디바이스로 유출되면 로컬스토리지 파일의 재사용이 가능하다는 문제점이 존재한다. 본 논문에서는 로컬스토리지 파일이 생성된 도메인 및 디바이스에 대한 무결성, 기밀성 보장을 위한 방법을 제안한다. 로컬스토리지에 저장되는 데이터를 암 복호화하여 보관하는 방법으로, 암호키는 서버에 보관되며 암호키를 요청하는 단계에서 로컬스토리지를 생성한 디바이스 및 도메인에 대한 인증이 이루어진다. 이를 통해 로컬스토리지의 도메인 및 디바이스간의 기밀성과 무결성을 보장한다. 최종적으로, 제안 방법에 따른 실험을 진행하여 본 논문에서 설명하는 로컬스토리지에 대한 비정상적인 접근에 대해 탐지하는 것을 보였다.

Keywords

References

  1. W3C, "HTML 5.1" September 2015. http://www.w3.org/TR/html51/
  2. W3C, "Web Storage (Second Edition)" June 2015, http://www.w3.org/TR/webstorage/
  3. W3C, "HTTP Specifications and Drafts" March 2002, http://www.w3.org/Protocols/Specs.html
  4. OWASP, "Cross-site Scripting(XSS)" April 2014, https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
  5. J.S. Park, R. Sandhu, "Secure cookies on the Web." IEEE internet computing 4.4 (2000): 36. http://dx.doi.org/10.1109/4236.865085
  6. M. Ter Louw, K.T. Ganesh, V. N. Venkatakrishnan, "AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements." USENIX Security Symposium. 2010. http://static.usenix.org/event/sec10/tech/full_papers/TerLouw.pdf
  7. J.P. Yang, K.H. Rhee, "The design and implementation of improved secure cookies based on certificate." Progress in Cryptology-INDOCRYPT 2002. Springer Berlin Heidelberg, 2002. 314-325. http://dx.doi.org/10.1007/3-540-36231-2_25
  8. H. Wu, W. Chen, Z. Ren, "Securing cookies with a MAC address encrypted key ring." Networks Security Wireless Communications and Trusted Computing (NSWCTC), 2010 Second International Conference on. Vol. 2. IEEE, 2010. http://dx.doi.org/10.1109/nswctc.2010.151
  9. M. Jemel, Mayssa, A. Serhrouchni, "Security assurance of local data stored by HTML5 web application." Information Assurance and Security (IAS), 2014 10th International Conference on. IEEE, 2014. http://dx.doi.org/10.1109/isias.2014.7064619
  10. R. Zhao, C. Yue, "All your browser-saved passwords could belong to us: A security analysis and a cloud-based new design." in Proceedings of the Third ACM Conference on Data and Application Security and Privacy, ser. CODASPY,13. ACM, 2013, pp. 333-340. http://dx.doi.org/10.1145/2435349.2435397
  11. H.W. Myeong, J.H. Paik, D.H. Lee, "Study on implementation of Secure HTML5 Local Storage" Journal of Korean Socieity for Internet Information, 2012, 4: 83-93. http://dx.doi.org/10.7472/jksii.2012.13.4.83
  12. J Ruderman, "The Same Origin Policy" August 2001. http://www-archive.mozilla.org/projects/security/components/same-origin.html
  13. W3C, "Same Origin Policy" January 2010. http://www.w3.org/Security/wiki/Same_Origin_Policy
  14. MDN, "Same-origin policy" July 2015. https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
  15. OWASP, "Top 10 2013-A10-Unvalidated Redirects and Forwards" June 2013. https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
  16. J. Mott, "crypto-js" https://code.google.com/p/crypto-js/
  17. J. Daemen, V. Rijmen,"The design of Rijndael: AES-the advanced encryption standard" Springer Science & Business Media, 2013.
  18. P. Gauravaram, et al. "Grostl-a SHA-3 candidate." Submission to NIST, 2008. http://drops.dagstuhl.de/opus/volltexte/2009/1955/
  19. A.B. MySQL, "MySQL." (2001).
  20. J. Jong, "math.js" http://mathjs.org/index.html/
  21. T. Wu, "JSEncrypt" http://travistidwell.com/jsencrypt/
  22. M. Bellare, P. Rogaway, "The exact security of digital signatures-How to sign with RSA and Rabin." Advances in Cryptology-Eurocrypt'96. Springer Berlin Heidelberg, 1996. http://dx.doi.org/10.1007/3-540-68339-9_34