RWA: Resilient Web Apps Through Client-Side Processing, Database, and Web Cryptography
Master Project by Jebreel Alamari
Introduction: Cyber Resilience
• Cyber resilience: "the ability of a system or domain to withstand attacks or failures, and in such events, to reestablish itself quickly." (Nigel Inkster, Director of Transactional Threats and Political Risk at the International Institute of Strategic Studies)
• Ways to have better cyber resilience:
  • Update software/hardware
  • Backup and redundancy
  • Security
Resilient Web App / Jebreel Alamari
Introduction: Research Scope
• In my research I will concentrate on web applications as part of the cyber world.
• Why web applications? Why not native applications?
  • Easy to distribute
  • Easy to update
  • Easy to maintain
  • Platform/device independent
Introduction: Web App
Offline Web Applications
• Developing offline applications could solve part of the problem by not requiring Internet access, but it has some limitations:
  • Retaining data for a long period of time
  • Security
  • Browser dependency
• How to deal with these limitations?
Proposed Design
• We can develop online/offline web applications.
• Since modern browsers have become operating-system-like software, we can utilize them. Some browser abilities:
  • Executes code
  • Creates and manages databases
  • Supports persistent storage
  • Performs cryptography
• Is it possible to develop resilient web applications using the client side?
Project Description
• One solution we could offer people with a bad connection is to develop web applications that can handle a slow connection.
• My work can be divided into the following tasks:
  • Database management at server and client side
  • Performing cryptographic operations at client side
  • Switching from online to offline mode seamlessly and vice versa
  • Client-side/server-side synchronization
Synchronization on Demand
• Data synchronization will be performed in online mode.
• In offline mode, the app uses the database within the browser.
• Online detection mechanism.
• Purpose of synchronization:
  • Backup
  • Increase availability
  • Data sharing among browsers (they do not share local storage)
Security: IndexedDB is scoped by the same-origin policy (SOP). Is it enough?
• Encrypt data before storing it in the database
• Decrypt data using the user's secret/private key
• Client-side/server-side authentication
• Key generation and management
• Hashing
Why Web Crypto API?
• Implemented in browser native code.
• Hides cryptographic operations from JavaScript code.
• Has methods to wrap/unwrap keys using a browser-specific key-wrapping key.
• Performance.
• Lightweight web applications.
Related Work
• PouchDB: JavaScript library for database management in the browser and data synchronization. This library requires a Node.js web server and CouchDB.
• xStorage: Extended local storage.
• Kepler: Chrome extension.
Challenges
• Browser compatibility:
  • API support
  • API implementation
  • Studied browsers are Google Chrome, Firefox, Safari, and IE.
• JavaScript asynchronous nature:
  • Single-threaded language
  • Non-blocking I/O
Tools Used to Develop RWA
• Browser developer console: debugging JavaScript code and APIs.
• Sublime Text 2: auto-completion, text highlighting, and project management.
• JavaScript libraries (optional), such as:
  • AngularJS: supports the MVC pattern.
  • jQuery: DOM manipulation JavaScript library.
  • Q.js: handles callbacks with promises, for cleaner code.
Deliverable
• Master project report documenting the design and implementation of the resilient web applications and their performance evaluation.
• Two working resilient web applications that can handle a bad Internet connection and be secure.
References
• Doc.ic.ac.uk, 'The CIA principle', 2014. [Online]. Available: http://www.doc.ic.ac.uk/~ajs300/security/CIA.htm. [Accessed: 06-Oct-2014].
• W. West and S. Monisha Pulimood, 'Analysis of privacy and security in HTML5 web storage', J. Comput. Sci. Coll., vol. 27, no. 3, pp. 80-87, January 2012.
• W3.org, 'Indexed Database API', 2015. [Online]. Available: http://www.w3.org/TR/IndexedDB/. [Accessed: 28-Jan-2015].
• W3.org, 'Web Cryptography API', 2014. [Online]. Available: http://www.w3.org/TR/WebCryptoAPI/. [Accessed: 23-Nov-2014].
• M. Jemel and A. Serhrouchni, 'Content protection and secure synchronization of HTML5 local storage data', Consumer Communications and Networking Conference (CCNC), 2014 IEEE 11th, pp. 539-540, 2014.
• Polycrypt.net, 'PolyCrypt: A WebCrypto Polyfill', 2015. [Online]. Available: http://polycrypt.net/. [Accessed: 16-Oct-2014].
• Code.google.com, 'crypto-js - JavaScript implementations of standard and secure cryptographic algorithms - Google Project Hosting', 2014. [Online]. Available: https://code.google.com/p/crypto-js/. [Accessed: 17-Nov-2014].
• C. Reis, A. Barth and C. Pizano, 'Browser Security: Lessons from Google Chrome', Queue, vol. 7, no. 5, p. 3, 2009.
• Pouchdb.com, 'PouchDB, the JavaScript Database that Syncs!', 2014. [Online]. Available: http://pouchdb.com. [Accessed: 28-Jan-2015].
• Nodejs.org, 'Node.js', 2015. [Online]. Available: http://nodejs.org/. [Accessed: 28-Jan-2015].
• S. Naseem and F. Majeed, 'Extending HTML5 local storage to save more data; efficiently and in more structured way', Eighth International Conference on Digital Information Management (ICDIM 2013), 2013.
• T. Wahlberg, P. Paakkola, C. Wieser, M. Laakso and J. Roning, 'Kepler -- Raising Browser Security Awareness', 2013 IEEE Sixth International Conference on Software Testing, Verification and Validation Workshops, 2013.
• C. Bansal, K. Bhargavan, A. Delignat-Lavaud and S. Maffeis, 'Keys to the Cloud: Formal Analysis and Concrete Attacks on Encrypted Web Storage', Principles of Security and Trust, pp. 126-146, 2013.