http://dx.doi.org/10.7472/jksii.2016.17.3.55

A Study on Data Security of Web Local Storage

Kim, Ji-soo (CIST (Center for Information Security Technologies), Korea Univ. Anam Campus)
Moon, Jong-sub (CIST (Center for Information Security Technologies), Korea Univ. Anam Campus)
Publication Information
Journal of Internet Computing and Services, v.17, no.3, 2016, pp. 55-66
Abstract
HTML5 local storage is a form of Web Storage that is persisted on the local computer as files. Because the contents are stored as plaintext, they can easily be read and modified. Moreover, because the browser distinguishes the local storage of each domain by file name, a malicious attacker can abuse a victim's local storage files by renaming them. In this paper, we propose a scheme that maintains the integrity and confidentiality of local storage with respect to its source domain and source device. The key idea is that the client encrypts the data held in local storage with a cipher key that is managed by the web server. When the client requests the cipher key, the web server authenticates whether the client is the legitimate source of that local storage. Finally, experiments with the proposed method show that it can detect abnormal access to local storage.
Keywords
Local Storage; Integrity; Confidentiality; Encrypt; Hash;
Citations & Related Records
Times Cited By KSCI: 1