Abstract

Summary: Securing user identities against data breaches on a web server is one of the major concerns for users of web applications. Similarly, protecting user access patterns from unauthorized access should be taken seriously, because the potential threats such attacks pose are huge. However, these security measures should not be adopted at the expense of user experience and convenience. Yet any extra overhead introduced into a distributed system in the form of security measures results in a significant decline in performance. The goal of a secure framework for a distributed system such as a web application should be a reasonable trade-off between security and user experience. Thus, in this work, we present a framework that secures user identity and keeps users' online activities anonymous while ensuring the scalability of the system. Our framework is designed in a scalable form that can work with other distributed architectures that provide security to user data and identities. To ensure all these measures, our proposal includes the implementation of forward secrecy using the Diffie-Hellman key exchange protocol, where the server cannot remember a user's history after a session ends. In addition, we present our own mechanism to hide logical data sharing strategies to protect users against selective DoS attacks. Moreover, we implemented a modified version of the Bloom filter to safeguard user access patterns in a compromised server. Our proposed implementation of the Bloom filter also ensures that the scalability of the distributed system is preserved, even with a little infrequent overhead in the server caused by the security measures proposed in this work. Finally, we implemented different modules of our framework using both the WebSocket and long polling transport protocols and recorded the time required to perform various tasks. The WebSocket protocol took less time to perform each task than the long polling protocol, which is convincing enough to suggest that WebSocket performs better than long polling in the given scenarios.

Copyright © 2016 John Wiley & Sons, Ltd.
