iHTTP: Efficient Authentication of Non-confidential HTTP Traffic

HTTPS is the standard protocol for protecting information sent over the World Wide Web. However, HTTPS adds substantial overhead to servers, clients, and networks [1, 2]. As a result, website owners often pass on HTTPS and resort to plain HTTP for hosting websites, leaving clients and servers vulnerable to attacks [3, 4]. Techniques have been proposed to enable only authentication and integrity of HTTP (response) data [2, 5-7]. However, they all suffer from vulnerabilities and poor performance. In this paper, we propose iHTTP, a new approach for enabling lightweight, efficient authentication and verification of HTTP (response) data. We adaptively handle different data encodings to allow for better performance without affecting user experience. We introduce a novel technique, Sliding-Timestamps, to allow iHTTP clients to authenticate the freshness of response data, preventing replay attacks and amortizing signing costs. We also introduce Opportunistic Hash Verification to reduce the number of client public-key operations required to authenticate full web pages. Our experimental evaluation shows that iHTTP provides performance similar to HTTP, and higher throughput and lower maximum response time than HTTPS and HTTPi, the most recent HTTP authentication approach [7], for Client-Static data.
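The abstract names two ideas that a practitioner will want to see concretely: one signature whose cost is amortized over a whole page, with a timestamp that lets the client reject replayed responses, and per-resource checks that need only a hash comparison rather than a public-key operation. The following Go program is an added illustration of that general pattern; it is not iHTTP's protocol, wire format or code, and the manifest layout, the Ed25519 choice, the freshness window and the sample page are all assumptions made here for the example. The server signs a manifest of SHA-256 digests plus a timestamp once; the client verifies that signature once, rejects manifests outside its freshness window, and then checks every fetched resource by hash only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Manifest is the one object the server signs per page: a timestamp for
// freshness and a SHA-256 digest of every resource on the page.
// Assumed layout for this example, not iHTTP's format.
type Manifest struct {
	Timestamp int64             // Unix seconds when the manifest was produced
	Hashes    map[string]string // resource path -> hex SHA-256 of its body
}

// canonical renders the manifest deterministically (sorted paths, one
// "path hash" pair per line) so signer and verifier hash identical bytes.
func canonical(m Manifest) []byte {
	paths := make([]string, 0, len(m.Hashes))
	for p := range m.Hashes {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	fmt.Fprintf(&b, "ts=%d\n", m.Timestamp)
	for _, p := range paths {
		fmt.Fprintf(&b, "%s %s\n", p, m.Hashes[p])
	}
	return []byte(b.String())
}

func digest(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// SignPage is the server side: a single Ed25519 signature covers every
// resource, so signing cost does not grow with the number of resources.
func SignPage(priv ed25519.PrivateKey, resources map[string][]byte, now time.Time) (Manifest, []byte) {
	m := Manifest{Timestamp: now.Unix(), Hashes: make(map[string]string, len(resources))}
	for path, body := range resources {
		m.Hashes[path] = digest(body)
	}
	return m, ed25519.Sign(priv, canonical(m))
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrStale        = errors.New("manifest outside freshness window (possible replay)")
	ErrUnlisted     = errors.New("resource not covered by manifest")
	ErrTampered     = errors.New("resource body does not match manifest digest")
)

// VerifyManifest is the client's one public-key operation per page. It also
// rejects manifests older than maxAge (a replayed capture) or further in the
// future than skew (a forged timestamp); skew tolerates ordinary clock drift.
func VerifyManifest(pub ed25519.PublicKey, m Manifest, sig []byte, now time.Time, maxAge, skew time.Duration) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return ErrBadSignature
	}
	ts := time.Unix(m.Timestamp, 0)
	if now.Sub(ts) > maxAge || ts.Sub(now) > skew {
		return ErrStale
	}
	return nil
}

// VerifyResource checks one fetched body against the already-verified
// manifest with a hash comparison only: no further public-key work.
func VerifyResource(m Manifest, path string, body []byte) error {
	want, ok := m.Hashes[path]
	if !ok {
		return ErrUnlisted
	}
	if digest(body) != want {
		return ErrTampered
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample page of two resources served over plain HTTP.
	page := map[string][]byte{
		"/index.html": []byte("<html><body>hello</body></html>"),
		"/app.js":     []byte("console.log('hi')"),
	}
	now := time.Now()
	m, sig := SignPage(priv, page, now)
	fmt.Println("manifest:", VerifyManifest(pub, m, sig, now, 5*time.Minute, 30*time.Second))
	fmt.Println("app.js:", VerifyResource(m, "/app.js", page["/app.js"]))
	fmt.Println("modified body:", VerifyResource(m, "/app.js", []byte("console.log('changed')")))
	fmt.Println("replayed an hour later:", VerifyManifest(pub, m, sig, now.Add(time.Hour), 5*time.Minute, 30*time.Second))
}
```

The design point is that the expensive operation (signature verification) happens once per page and is bound to a timestamp, while integrity of each resource reduces to a digest comparison; the freshness window is what stops an on-path party from replaying an old, validly signed manifest together with the old resource bodies.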

[1] Dan S. Wallach et al. Performance analysis of TLS Web servers, 2006, TOCS.

[2] Alfred Menezes et al. Handbook of Applied Cryptography, 2018.

[3] Tadayoshi Kohno et al. Detecting In-Flight Page Changes with Web Tripwires, 2008, NSDI.

[4] Christopher T. Lesniewski-Laas. SSL splitting and barnraising: cooperative caching with authenticity guarantees, 2003.

[5] Ran Canetti et al. Efficient authentication and signing of multicast streams over lossy channels, 2000, Proceedings of the 2000 IEEE Symposium on Security and Privacy (S&P 2000).

[6] Elaine B. Barker et al. SP 800-131A. Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, 2011.

[7] Eric Rescorla et al. HTTP Over TLS, 2000, RFC.

[8] Elisa Bertino et al. SINE: Cache-friendly integrity for the web, 2009, 2009 5th IEEE Workshop on Secure Network Protocols.

[9] Jianying Zhou et al. Information and Communications Security, 2013, Lecture Notes in Computer Science.

[10] Helen J. Wang et al. Practical end-to-end web content integrity, 2012, WWW.

[11] Julien Freudiger et al. Integrity of the Web Content: The Case of Online Advertising, 2010, CollSec.

[12] Mohamed G. Gouda et al. HTTPI: An HTTP with Integrity, 2011, 2011 Proceedings of the 20th International Conference on Computer Communications and Networks (ICCCN).

[13] Helen J. Wang et al. HTTPi for Practical End-to-End Web Content Integrity, 2011.

[14] Markus Jakobsson et al. Drive-By Pharming, 2007, ICICS.

[15] Elaine B. Barker et al. Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, 2011.

[16] Dan Pei et al. Network-aware forward caching, 2009, WWW '09.

[17] Jari Arkko et al. Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA) Version-2, 2005, RFC.