Keys to the cloud: Formal analysis and concrete attacks on encrypted web storage

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 7796 LNCS, Issue , 2013, Pages 126-146

  Bansal, Chetan ^a   Bhargavan, Karthikeyan ^b   Delignat Lavaud, Antoine ^b   Maffeis, Sergio ^c  

^a BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE   (India)

^b INRIA ROCQUENCOURT   (France)

^c IMPERIAL COLLEGE LONDON   (United Kingdom)

Author keywords

Formal Methods; Protocol Verification; Web Security

Indexed keywords

AUTOMATED FORMAL ANALYSIS; CLIENT SIDES; CLOUD STORAGES; CONFERENCE MANAGEMENT SYSTEMS; E-VOTING; FORMAL ANALYSIS; PASSWORD MANAGERS; PROTOCOL VERIFICATION; PROVERIF; USER DATA; WEB APPLICATION; WEB SECURITY; WEB STORAGE;

CRYPTOGRAPHY; DIGITAL STORAGE; FORMAL METHODS; MANAGEMENT;

INTERNET PROTOCOLS;

EID: 84874442652     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-36830-1_7     Document Type: Conference Paper

References (24)

1. Browser security handbook, http://code.google.com/p/browsersec
2. How secure is Dropbox?, https://www.dropbox.com/help/27/en
3. Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. SIGPLAN Not. 36, 104-115 (2001)
4. Adida, B.: Helios: Web-based open-audit voting. In: USENIX Security Symposium, pp. 335-348 (2008)
5. Adida, B., Barth, A., Jackson, C.: Rootkits for JavaScript environments. In: Workshop on Offensive Technologies, WOOT (2009)
6. Akhawe, D., Barth, A., Lam, P.E., Mitchell, J., Song, D.: Towards a formal foundation of web security. In: CSF, pp. 290-304 (2010)
7. Arapinis, M., Bursuc, S., Ryan, M.: Privacy Supporting Cloud Computing: ConfiChair, a Case Study. In: Degano, P., Guttman, J.D. (eds.) POST 2012. LNCS, vol. 7215, pp. 89-108. Springer, Heidelberg (2012)
8. Bansal, C., Bhargavan, K., Maffeis, S.: Discovering concrete attacks on website authorization by formal analysis. In: CSF, pp. 247-262 (2012)
9. Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: CCS, pp. 75-88 (2008)
10. Belenko, A., Sklyarov, D.: "Secure Password Managers" and "Military-Grade Encryption" on Smartphones: Oh, Really? Technical report, Elcomsoft Ltd. (2012)
11. Bhargavan, K., Delignat-Lavaud, A.: Web-based attacks on host-proof encrypted storage. In: Workshop on Offensive Technologies, WOOT (2012)
12. Blanchet, B.: Automatic verification of correspondences for security protocols. Journal of Computer Security 17(4), 363-434 (2009)
13. Blanchet, B., Chaudhuri, A.: Automated formal analysis of a protocol for secure file sharing on untrusted storage. In: IEEE Symposium on Security & Privacy (2008)
14. Blanchet, B., Smyth, B.: ProVerif: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial, http://www.proverif.inria.fr/manual.pdf
15. Bohannon, A., Pierce, B.C.: Featherweight Firefox: Formalizing the core of a web browser. In: WebApps (2010)
16. Groß, T.R., Pfitzmann, B., Sadeghi, A.-R.: Browser Model for Security Analysis of Browser-Based Protocols. In: De Capitani di Vimercati, S., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 489-508. Springer, Heidelberg (2005)
17. Hammer-Lahav, E., Recordon, D., Hardt, D.: The OAuth 2.0 Authorization Protocol. IETF Internet Draft (2011)
18. Jackson, D.: Alloy: A Logical Modelling Language. In: Bert, D., Bowen, J.P., King, S., Waldén, M. (eds.) ZB 2003. LNCS, vol. 2651, p. 1. Springer, Heidelberg (2003)
19. Kamara, S., Lauter, K.: Cryptographic Cloud Storage. In: Sion, R., Curtmola, R., Dietrich, S., Kiayias, A., Miret, J.M., Sako, K., Sebé, F. (eds.) FC 2010 Workshops. LNCS, vol. 6054, pp. 136-149. Springer, Heidelberg (2010)
20. Kelsey, J., Schneier, B., Hall, C., Wagner, D.: Secure Applications of Low-Entropy Keys. In: Okamoto, E., Davida, G., Mambo, M. (eds.) ISW 1997. LNCS, vol. 1396, pp. 121-134. Springer, Heidelberg (1998)
21. Rescorla, E.: HTTP over TLS. Request for Comments 2818, IETF (2000)
22. Rydstedt, G., Bursztein, E., Boneh, D., Jackson, C.: Busting frame busting: a study of clickjacking vulnerabilities at popular sites. In: Web 2.0 S&P (2010)
23. Stearne, B., Barth, A. (eds.): Content Security Policy 1.0. W3C Working Draft (2012)
24. Yoshihama, S., Tateishi, T., Tabuchi, N., Matsumoto, T.: Information-Flow-Based Access Control for Web Browsers. IEICE Transactions E92-D(5), 836-850 (2009)