Pseudo-randomness Inside Web Browsers

With the increasing concerns over the security and privacy of Web based applications, many solutions based on strong cryptography have been proposed to protect client side Web applications against attacks such as phishing, pharming and even server side attacks. While strong cryptography is used, one critical building block in cryptosystem, the random number generator, is often neglected. Considering this situation, in this paper we design and implement a pseudo-random number generator only rely on ubiquitous Web browser abilities - JavaScript, HTML and AJAX. We also provide a mechanism called Pseudo-cookiefor JavaScript programs to access operating system services for retrieving random or entropy values without changing Web browser security policies. The security model, analysis and performance evaluation demonstrate that our method is secure and efficient.

[1]  Alfred Menezes,et al.  Guide to Elliptic Curve Cryptography , 2004, Springer Professional Computing.

[2]  Benny Pinkas,et al.  Analysis of the Linux random number generator , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[3]  Peter Gutmann,et al.  Software Generation of Practically Strong Random Numbers , 1998, USENIX Security Symposium.

[4]  Matthew Franklin,et al.  Advances in Cryptology – CRYPTO 2004 , 2004, Lecture Notes in Computer Science.

[5]  Ben Adida,et al.  Beamauth: two-factor web authentication with a bookmark , 2007, CCS '07.

[6]  Hugo Krawczyk,et al.  Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes , 2004, CRYPTO.

[7]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[8]  Elaine B. Barker Digital Signature Standard (DSS) [includes Change Notice 1 from 12/30/1996] | NIST , 1994 .

[9]  Burton S. Kaliski Advances in Cryptology - CRYPTO '97 , 1997 .

[10]  Benny Pinkas,et al.  Cryptanalysis of the windows random number generator , 2007, CCS '07.

[11]  Yuliang Zheng,et al.  Breaking real-world implementations of cryptosys-tems by manipulating their random number generation , 1997 .

[12]  Mihir Bellare,et al.  "Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DDS Case , 1997, CRYPTO.

[13]  Shai Halevi,et al.  A model and architecture for pseudo-random generation with applications to /dev/random , 2005, CCS '05.

[14]  Zhi Guan,et al.  WebIBC: Identity Based Cryptography for Client Side Security in Web Applications , 2008, 2008 The 28th International Conference on Distributed Computing Systems.

[15]  Peter Gutmann The design and verification of a cryptographic security architecture , 2000 .