Enhancing the Session Security of Zen Cart based on HMAC-SHA256

  • Lin, Lihui (College of Mathematics and Computer Science, Fuzhou University) ;
  • Chen, Kaizhi (College of Mathematics and Computer Science, Fuzhou University) ;
  • Zhong, Shangping (College of Mathematics and Computer Science, Fuzhou University)
  • Received : 2016.08.16
  • Accepted : 2016.11.26
  • Published : 2017.01.31

Abstract

Zen Cart is an open-source online store management system that is used worldwide because of its stability and security. Today, Zen Cart's session security mechanism consists mainly of verifying the user agent and checking the client IP address. However, user-agent verification provides only weak security, and IP address checking can degrade the user's experience. This paper, building on the session-protection idea proposed by Ben Adida, uses the HTML5 sessionStorage property to hold the shared key used with HMAC-SHA256. The client computes an HMAC-SHA256 value over the request path, the current timestamp, and the request parameters, and submits the result to the web server with each request. The web server then recomputes the HMAC-SHA256 value and validates the request by comparing it with the submitted value. In this way, the open-source Zen Cart system is reinforced. Owing to the security and integrity properties of the HMAC-SHA256 algorithm, the mechanism can effectively protect session security. Analysis and experimental results show that it protects the session security of Zen Cart without affecting the original performance.

References

  1. Adida, Ben, "SessionLock: securing web sessions against eavesdropping," in Proc. of the 17th International Conference on World Wide Web, pp. 517-524, April 21-25, 2008.
  2. Adida, Ben, "BeamAuth: two-factor web authentication with a bookmark," in Proc. of the 14th ACM Conference on Computer and Communications Security, pp. 48-57, 2007.
  3. Dacosta, I., Chakradeo, S., Ahamad, M. and Traynor, P., "One-time cookies: preventing session hijacking attacks with stateless authentication tokens," ACM Transactions on Internet Technology, vol. 12, no. 1, pp. 336-345, June 2012.
  4. Dietz, M., Czeskis, A., Balfanz, D. and Wallach, D. S., "Origin-bound certificates: a fresh approach to strong client authentication for the web," in Proc. of the 21st USENIX Security Symposium (USENIX Security 12), pp. 317-331, August 8-10, 2012.
  5. Juels, A., Jakobsson, M. and Jagatic, T. N., "Cache cookies for browser authentication," in Proc. of the 2006 IEEE Symposium on Security and Privacy (S&P'06), pp. 301-305, May 21-24, 2006.
  6. Unger, T., Mulazzani, M., Frühwirt, D., Huber, M., Schrittwieser, S. and Weippl, E., "SHPF: Enhancing HTTP(S) session security with browser fingerprinting," in Proc. of the 2013 Eighth International Conference on Availability, Reliability and Security (ARES), pp. 255-261, Sept 2-6, 2013.
  7. Krawczyk, H., Bellare, M. and Canetti, R., "HMAC: Keyed-hashing for message authentication," February 1997.
  8. Ende93, AlexChao, "Window.sessionStorage," last modified on Oct 27, 2015.
  9. Johns, M., Lekies, S., Braun, B. and Flesch, B., "BetterAuth: web authentication revisited," in Proc. of the 28th Annual Computer Security Applications Conference, pp. 169-178, December 3-7, 2012.
  10. Hallam-Baker, P., "HTTP Integrity Header," 2012.
  11. De Ryck, P., Desmet, L., Piessens, F. and Joosen, W., "SecSess: keeping your session tucked away in your browser," in Proc. of the ACM Symposium on Applied Computing, pp. 2171-2176, April 13-17, 2015.
  12. Wikipedia, "Zen Cart," last modified on August 18, 2016.
  13. CVE Details, "Zen-cart: Vulnerability Statistics."
  14. Wichers, D., "OWASP Top 10," OWASP Foundation, 2013.
  15. Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A. and Stewart, L., "HTTP authentication: Basic and digest access authentication," RFC 2617, 1999.
  16. Gebotys, C. H., White, B. A. and Mateos, E., "Preaveraging and carry propagate approaches to side-channel analysis of HMAC-SHA256," ACM Transactions on Embedded Computing Systems (TECS), vol. 15, no. 1, pp. 1-19, 2016.
  17. Berners-Lee, T., Fielding, R. and Masinter, L., "Uniform Resource Identifiers (URI): Generic Syntax," Staff.kmutt.ac.th, vol. 4, no. 3, pp. 84-87, 2005.
  18. Wei, K. J., Lee, J. S. and Chen, S. J., "Enhancing the Security of Credit Card Transaction based on Visual DSC," KSII Transactions on Internet and Information Systems, vol. 9, no. 3, pp. 1231-1245, 2016. https://doi.org/10.3837/tiis.2015.03.022
  19. Wei Guo, "Security analysis and construction of chaotic Hash function," Southwest Jiaotong University, China, 2011.
  20. HE Run-min and MA Jun, "Analysis safety of SHA-256 algorithm," Electronic Design Engineering, vol. 22, no. 3, pp. 31-33, 2014.
  21. Saini, V., Duan, Q. and Paruchuri, V., "Threat modeling using attack trees," Journal of Computing Sciences in Colleges, vol. 23, no. 4, pp. 124-131, 2008.
  22. Ismail, Reem Jafar, "A Secure Session Management Based on Threat Modeling," Iraqi Journal of Science, vol. 54, no. 4 (5), pp. 1176-1182, 2013.