Keys to the Cloud: Formal Analysis and Concrete Attacks on Encrypted Web Storage
- Chetan Bansal ,
- Karthikeyan Bhargavan ,
- Antoine Delignat-Lavaud ,
- Sergio Maffeis
2nd Conference on Principles of Security and Trust (POST 2013) |
Published by Springer-Verlag Berlin Heidelberg
To protect sensitive user data against server-side attacks, a number of security-conscious web applications have turned to client-side encryption, where only encrypted user data is ever stored in the cloud. We formally investigate the security of a number of such applications, including password managers, cloud storage providers, an e-voting website and a conference management system. We find that their security relies on both their use of cryptography and the way it combines with common web security mechanisms as implemented in the browser. We model these applications using the WebSpi web security library for ProVerif, we discuss novel attacks found by automated formal analysis, and we propose robust countermeasures.