ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
A secure and private system for subscription-based remote services
Full text PdfPdf (242 KB)
Source ACM Transactions on Information and System Security (TISSEC) archive
Volume 6 ,  Issue 4  (November 2003) table of contents
Pages: 472 - 500  
Year of Publication: 2003
ISSN:1094-9224
Authors
Pino Persiano  Università di Salerno, Italy
Ivan Visconti  Università di Salerno, Italy
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 10,   Downloads (12 Months): 84,   Citation Count: 4
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/950191.950193
What is a DOI?

ABSTRACT

In this paper we study privacy issues regarding the use of the SSL/TLS protocol and X.509 certificates. Our main attention is placed on subscription-based remote services (e.g., subscription to newspapers and databases) where the service manager charges a flat fee for a period of time independent of the actual number of times the service is requested.We start by pointing out that restricting the access to such services by using X.509 certificates and the SSL/TLS protocol, while preserving the interests of the service managers, neglects the right to privacy of the users.We then propose the concept of a crypto certificate and the Secure and Private Socket Layer protocol (SPSL protocol, in short) and show how they can be used to preserve user privacy and, at the same time, protecting the interests of the service managers. The SPSL protocol only requires the user to have a standard X.509 certificate (with an RSA key) and does not require the user to get any special ad hoc certificate.Finally, we show the viability of the proposed solution by describing a system based on SPSL for secure and private access to subscription-based web services. Our implementation includes an SPSL proxy for a TLS-enabled web client and a module for the Apache web server along with administrative tools for the server side. The system has been developed starting from the implementation of an API for the SPSL protocol that we describe in the paper.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Apache 2002. The Apache web server project. http://www.apache.org.
 
2
Giuseppe Ateniese , Jan Camenisch , Marc Joye , Gene Tsudik, A Practical and Provably Secure Coalition-Resistant Group Signature Scheme, Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology, p.255-270, August 20-24, 2000
 
3
Giuseppe Ateniese , Gene Tsudik, Some Open Issues and New Directions in Group Signatures, Proceedings of the Third International Conference on Financial Cryptography, p.196-211, February 01, 1999
 
4
Stefan A. Brands, Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy, MIT Press, Cambridge, MA, 2000
 
5
Camenisch, J. L. 1997. Efficient and generalized group signatures. In Proceedings of Advances in Cryptology---Eurocrypt '97. Lecture Notes in Computer Science, vol. 1233. Springer Verlag, Berlin, 465--479.
6
David L. Chaum, Untraceable electronic mail, return addresses, and digital pseudonyms, Communications of the ACM, v.24 n.2, p.84-90, Feb. 1981  [doi>10.1145/358549.358563]
 
7
Chaum, D. 1983. Blind signatures for untraceable payments. In Advances in Cryptology: Proceedings of Crypto'82. D. Chaum, R. L. Rivest, and A. T. Sherman, Eds. Plenum Press, New York, 199--203.
8
David Chaum, Security without identification: transaction systems to make big brother obsolete, Communications of the ACM, v.28 n.10, p.1030-1044, Oct. 1985  [doi>10.1145/4372.4373]
 
9
Chaum, D. and van Heyst, E. 1991. Group signatures. In Proceedings of Advances in Cryptology (EUROCRYPT '91), D. W. Davies, Ed. LNCS, vol. 547. Springer, Berlin, 257--265.
10
Afredo De Santis , Giovanni Di Crescenzo , Giuseppe Persiano, Communication-efficient anonymous group identification, Proceedings of the 5th ACM conference on Computer and communications security, p.73-82, November 02-05, 1998, San Francisco, California, United States  [doi>10.1145/288090.288110]
 
11
De Santis, A., Di Crescenzo, G., Persiano, G., and Yung, M. 1994. On monotone formula closure of SZK. In Proceedings of 35th Annual Symposium on Foundations of Computer Science (Santa Fe, NM, Nov. 20--22, 1994), S. Goldwasser, Ed. IEEE Computer Society Press, Los Alamitos, CA, 454--465.
 
12
Dierks, T. and Allen, C. 1999. RFC 2246: The TLS protocol version 1.
 
13
Olivier Dubuisson , Philippe Fouquart, ASN.1: communication between heterogeneous systems, Morgan Kaufmann Publishers Inc., San Francisco, CA, 2001
 
14
Eastlake, D. and Jones, P. 2001. US secure hash algorithm 1. RFC 3174.
 
15
U. Feige , A. Fiat , A. Shamir, Zero-knowledge proofs of identity, Journal of Cryptology, v.1 n.2, p.77-94, Aug. 1988  [doi>10.1007/BF02351717]
16
U. Feige , A. Shamir, Witness indistinguishable and witness hiding protocols, Proceedings of the twenty-second annual ACM symposium on Theory of computing, p.416-426, May 13-17, 1990, Baltimore, Maryland, United States  [doi>10.1145/100216.100272]
 
17
Freier, A. O., Karlton, P., and Kocher, P. C. 1996. The SSL protocol---version 3.0.
 
18
S. Goldwasser , S. Micali , C. Rackoff, The knowledge complexity of interactive proof systems, SIAM Journal on Computing, v.18 n.1, p.186-208, Feb. 1989  [doi>10.1137/0218012]
 
19
Ceki Gulcu , Gene Tsudik, Mixing Email with Babel, Proceedings of the 1996 Symposium on Network and Distributed System Security (SNDSS '96), p.2, February 22-23, 1996
 
20
Housley, R., Polk, W., Ford, W., and Solo, D. 2002. Internet X509 public key infrastructure: Certificate and certificate revocation List (CRL) profile. Network Working Group, RFC 3280.
 
21
ModSSL. The ModSSL home page. http://www.modssl.org.
 
22
Moz2I 2000. The Moz2I home page. http://www.security.unisa.it/spsl/moz2i.html.
 
23
OpenSSL. The OpenSSL home page. http://www.openssl.org.
24
Pino Persiano , Ivan Visconti, User privacy issues regarding certificates and the TLS protocol: the design and implementation of the SPSL protocol, Proceedings of the 7th ACM conference on Computer and communications security, p.53-62, November 01-04, 2000, Athens, Greece  [doi>10.1145/352600.352609]
 
25
Reed, M. G., Syverson, P. F., and Goldschlag, D. M. 1998. Anonymous connections and onion routing. IEEE Journal on Special Areas in Communications 16, 4 (May), 482--494.
26
Michael K. Reiter , Aviel D. Rubin, Crowds: anonymity for Web transactions, ACM Transactions on Information and System Security (TISSEC), v.1 n.1, p.66-92, Nov. 1998  [doi>10.1145/290163.290168]
 
27
Ronald L. Rivest , Adi Shamir , Yael Tauman, How to Leak a Secret, Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, p.552-565, December 09-13, 2001
 
28
Rivest, R. L. 1992. RFC 1321: The MD5 message-digest Algorithm.
 
29
Stuart Schechter , Todd Parnell , Alexander Hartemink, Anonymous Authentication of Membership in Dynamic Groups, Proceedings of the Third International Conference on Financial Cryptography, p.184-195, February 01, 1999
 
30
SPSL. The SPSL home page. http://www.security.unisa.it/spsl.
31
Stuart G. Stubblebine , Paul F. Syverson , David M. Goldschlag, Unlinkable serial transactions: protocols and applications, ACM Transactions on Information and System Security (TISSEC), v.2 n.4, p.354-389, Nov. 1999  [doi>10.1145/330382.330384]
 
32
W3C. 1999. Resource description framework (RDF) model and syntax speficitation. REC-rdf-syntax-19990222.

CITED BY  4
Marina Blanton , Mikhail J. Atallah, Provable bounds for portable and flexible privacy-preserving access, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden
Marina Blanton , Mikhail Atallah, Succinct representation of flexible and privacy-preserving access rights, The VLDB Journal — The International Journal on Very Large Data Bases, v.15 n.4, p.334-354, November 2006
Marina Blanton, Online subscriptions with anonymous access, Proceedings of the 2008 ACM symposium on Information, computer and communications security, March 18-20, 2008, Tokyo, Japan
Christian Stingl , Daniel Slamanig, Privacy-enhancing methods for e-health applications: how to prevent statistical analyses and attacks, International Journal of Business Intelligence and Data Mining, v.3 n.3, p.236-254, December 2008

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.2 Network Protocols
          Subjects: Applications (SMTP, FTP, etc.)

  K. Computing Milieux
  K.4 COMPUTERS AND SOCIETY
      K.4.1 Public Policy Issues
          Subjects: Privacy
      K.4.4 Electronic Commerce
          Subjects: Security
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)
          Subjects: Unauthorized access (e.g., hacking, phreaking); Authentication


General Terms:
Security


Keywords:
Access control, anonymity, cryptographic algorithms and protocols, privacy, world-wide web

Collaborative Colleagues:
Pino Persiano: colleagues
Ivan Visconti: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player