Securely outsourcing cookies to the cloud via private information retrieval

Many smartphone applications are web based and rely on cookies to maintain the state of a web session. Cookies, however, are a security liability: they may contain sensitive information, and an attacker who obtains a cookie can easily impersonate the legitimate user. In this paper, we propose and implement a system that securely outsources browser cookies to the cloud and protects user privacy with Private Information Retrieval (PIR), so that the cloud server serving the cookie database does not learn which cookie a client retrieves. Experimental evaluation using traces collected from operational cellular and WiFi networks demonstrates that the system achieves satisfactory performance for most real-life web browsing scenarios: the average latency is within 1.0 to 1.2 seconds (well within users' tolerance) even when retrieving tens of cookies over an LTE or WiFi network, and the amount of generated traffic is significantly lower than that of downloading the entire cookie database.
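The abstract does not say which PIR construction the system uses, so the following is an added illustration rather than the paper's own code: a toy two-server information-theoretic PIR (the XOR scheme of Chor, Goldreich, Kushilevitz and Sudan) run over a constructed cookie jar. The client first encrypts each cookie under a device-held key (an assumed design choice; the keystream is HMAC-SHA256 in counter mode, standing in for a real AEAD), pads it to a fixed record length so record sizes leak nothing, and replicates the records to two servers. To fetch cookie i it sends one uniformly random bit vector to the first server and the same vector with bit i flipped to the second; each server XORs the records its vector selects, and the client XORs the two answers. The privacy guarantee holds only if the two servers do not collude, and `traffic_bytes` shows why the exchange is far cheaper than downloading the whole store. All names, the sample jar and the 64-byte record size are assumptions for this example.

```python
"""Added example: two-server XOR PIR over an outsourced, client-encrypted cookie store."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

RECORD_LEN = 64  # assumed fixed record size; every stored cookie is padded to this


def keystream(key: bytes, index: int, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, index || counter) blocks (illustrative,
    not authenticated; a production system would use an AEAD such as AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = index.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(key: bytes, index: int, cookie: str) -> bytes:
    """Length-prefix, zero-pad to RECORD_LEN, then XOR with the per-record keystream."""
    data = cookie.encode()
    if len(data) > RECORD_LEN - 2:
        raise ValueError("cookie too long for the fixed record size")
    padded = len(data).to_bytes(2, "big") + data
    padded += b"\x00" * (RECORD_LEN - len(padded))
    return bytes(a ^ b for a, b in zip(padded, keystream(key, index, RECORD_LEN)))


def decrypt_record(key: bytes, index: int, record: bytes) -> str:
    padded = bytes(a ^ b for a, b in zip(record, keystream(key, index, RECORD_LEN)))
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n].decode()


def build_store(key: bytes, jar: Dict[str, str]) -> Tuple[List[str], List[bytes]]:
    """Client side: the sorted domain list is the client's local index; only the
    encrypted, fixed-size records are uploaded (identically) to both servers."""
    domains = sorted(jar)
    records = [encrypt_record(key, i, jar[d]) for i, d in enumerate(domains)]
    return domains, records


def make_queries(n: int, i: int) -> Tuple[List[int], List[int]]:
    """q1 is uniformly random; q2 differs from q1 only at position i. Each server
    alone sees a uniformly random vector and learns nothing about i."""
    q1 = [secrets.randbelow(2) for _ in range(n)]
    q2 = list(q1)
    q2[i] ^= 1
    return q1, q2


def server_answer(records: List[bytes], q: List[int]) -> bytes:
    """Server side: XOR every record whose query bit is set."""
    acc = bytearray(RECORD_LEN)
    for rec, bit in zip(records, q):
        if bit:
            for k in range(RECORD_LEN):
                acc[k] ^= rec[k]
    return bytes(acc)


def pir_fetch(server1: List[bytes], server2: List[bytes], i: int) -> bytes:
    """Client side: all selected records except record i cancel in the XOR of the answers."""
    q1, q2 = make_queries(len(server1), i)
    a1 = server_answer(server1, q1)
    a2 = server_answer(server2, q2)
    return bytes(x ^ y for x, y in zip(a1, a2))


def fetch_cookie(key: bytes, domains: List[str], server1: List[bytes],
                 server2: List[bytes], domain: str) -> str:
    i = domains.index(domain)
    return decrypt_record(key, i, pir_fetch(server1, server2, i))


def traffic_bytes(n: int, servers: int = 2) -> Tuple[int, int]:
    """(bytes on the wire for one PIR fetch, bytes to download the whole store)."""
    query_up = (n + 7) // 8          # one bit per record, packed
    pir = servers * (query_up + RECORD_LEN)
    return pir, n * RECORD_LEN


# Constructed sample data for the demonstration (not from the paper).
DEVICE_KEY = bytes(range(32))
SAMPLE_JAR = {
    "example.com": "session=abc123; Secure; HttpOnly",
    "shop.example": "cart=7;",
    "news.example": "pref=dark",
}

if __name__ == "__main__":
    domains, records = build_store(DEVICE_KEY, SAMPLE_JAR)
    srv1, srv2 = records, list(records)   # two non-colluding replicas
    print(fetch_cookie(DEVICE_KEY, domains, srv1, srv2, "shop.example"))
    print(traffic_bytes(100))
```

With 100 records of 64 bytes, one fetch costs 154 bytes across both servers versus 6400 bytes to pull the entire store; the saving grows with the number of cookies, which is the trade the abstract reports against full-database download. A single-server computational PIR scheme removes the non-collusion assumption at the price of heavier server-side computation.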
