Defacement of Colluding Attack Using Blowfish Algorithm

- In web environment, browser extension extends its functionality by retrieving, presenting and traversing the information through web browser. Browser extensions run with ‘high’ privileges which consequences, vulnerable web browser extensions to steal user’s credentials and trap users into leaking sensitive information to unauthorized parties. One of the attack known as Colluding browser extension attack causes privacy leakage of share data in web browser through extensions. This paper, proposed Defacement of colluding Attack (DCA) mechanism to secure user credentials and confidential information over web browser extension. DCA mechanism encapsulate padding with blowfish algorithm to encrypt sensitive information before sharing it over common memory location. Finally the comparison evaluation of proposed mechanism is carried out with twofish, threefish, 3DES and DES on standard parameters such as encryption time, decryption time, key-length, throughput, attacks and level of security.

memory in an encrypted form and if one extension uses the object of another extension, then encrypted object will be communicated from one extension to another. So that encrypted object can't be recognized by vulnerable extension or an attacker.
The paper is organized as follows. In section 2, discussion of Blowfish algorithm is done. In section 3, survey of related work is summarized. In section 4, proposed work is described. In section 5, Experimental setup and results are shown. In section 6, conclusion of paper is carried out.
Browser extension needs an encryption which would be light-weighted, highly secure and public domain. So blowfish encryption algorithm is used to fulfill all the parameters.

II. BLOWFISH ALGORITHM
Blowfish is a 64-bit block cipher which uses symmetric key encryption algorithm of variable key-length ranging from 32-bits to 448-bits for providing security and protection of data [25], [26].
Blowfish algorithm is based on 16-iteration Feistel Network for encryption. It is suitable for applications where key remains same, like an automatic file encryptor or a communication link. This algorithm provides better encryption and decryption mechanism for user's data.
Feistel Network: Blowfish is a 16-round Feistel Cipher in which each and every round is made up of a key and data dependent substitution and a key dependent permutation. Feistel network is a general method of transforming any function (usually called an F-function) into a permutation [27], [30].
In Blowfish algorithm, F-function splits 32-bit input data into four 8-bit quarters and uses that quarters as an input to the S-boxes i.e. S-box 1, S-box 2, S-box 3 and S-box 4 respectively as shown in Figure 1. The output of first 2 boxes i.e. 'p' and 'q' is added and subsequently modulo 232 is taken which produces output i.e. X. Then X is XOR-ed with S-box 3 output i.e. 'r' and produces another output i.e. Y. Then Y is added with S-box 4 output i.e. 's' and subsequently modulo 232 is taken which produces final output of 32-bits i.e. Z as shown in equation (1) F (Z) = ((S1,p + S2,q mod 232) XOR S3,r) + S4,s mod 232 ……………………(1)

A. Credentials stealing attack
In this attack, attacker steals the user credentials or important information through vulnerable extensions or through some type of infected files or softwares which is discussed below.
Anil Saini et.al. [15], [24], extend the concept of colluding extension and present the concept of attacks through collusion among browser extensions in Firefox. The Author also provided a proof-of-concept in explaining how multiple extensions can collude with each other for negotiating the browser for data leakage. Finally, they have discussed some possible mitigation techniques to address the proposed colluding attack.
Sampsa Rauti et.al. [23], explains that the problem is raised by the powerful browser extensions and viable attack surface of internet applications. The Browser extension is not only the way to realize man-in-the-browser attack. Man-in-the-Browser is a Trojan horse that infects a web browser and has the ability to tamper the contents of web pages and transactions. This attack is a serious threat to online services. Techniques like Modifying payload, Modifying DOM tree, Modifying Ajax transmission mechanism, Modifying Ajax application functionality have flaws as well because these are implemented on the target site in javascript which can be overwritten by the attacker.

B. Storage Mechanism
In this mechanism, web storage area is discussed for different browsers which store different artifacts such as cookies, history, etc.
Abner Mendoza et.al. [1], presented a brief overview of the evolution of persistent storage mechanisms on websites and describe the new web storage features wrap with the new HTML5 specifications. The main contribution of this paper is to identify the means by which different browsers implement web storage, and to show that further information can be obtained from web storage artifacts that may not be present in other browser artifacts, such as Cookies and History. They designed and implemented a tool, BrowStEx, through which one can analyze web storage artifacts on Windows platform. It parses both SQLite files and XML files in web storage used by the five major web browsers.

C. Protection of Browser Extensions
In this mechanism, the basic focus is on the protection of extensions through different techniques and different tools is used to track the flow of objects from source to sink.
Anton et.al. [5], presents a runtime protection mechanism which is based on code randomization technique and apply static analysis technique to protect browser extensions from javascript attacks. The protection is applied during runtime by separating malicious code from the randomization extension code. The protection mechanism is evaluated on the set of vulnerable and non-vulnerable firefox extensions. Their results indicated that the approach would be a viable extension. Their approach is able to reduce false positives and attain maximum compatibility with existing extensions.
SABRE [11] tracks the flow of JavaScript objects from sensitive sources to sinks inside the Mozilla Firefox browser by employing a dynamic taint analysis technique. White listing is used to separate benign extension flows from malicious ones. However, the whitelist approach essentially delegates the responsibility of deciding the maliciousness of an extension to a user. Similarly, a dynamic taint analysis based approach detects vulnerable extensions. This approach attempts to prevent unprivileged data from being compiled into privileged bytecode. It also identifies and prevents privileged caller functions from accidentally calling unprivileged code.

D. Performance related to Encryption Algorithm
In this section, comparison of different encryption algorithms is analyzed on the basis of different parameters such as block size, key-length, number of rounds, execution time, etc.
A.Ramesh et.al. [25], analyzed the performance of AES, DES and Blowfish encryption algorithms. Their performances were compared by varying block size, key size and number of round of the encryption input file. The performances are analyzed by computing certain performance parameters such as memory required, execution time and throughput. The result shows blowfish algorithm consumes less memory usage, execution time and produces more throughputs. Blowfish performed approximately 4 times faster than AES and 2 times faster than DES. AES showed poor performance results compared to other algorithms, since it required more power for processing.
A.E. Diaa et.al. [26], evaluated the common encryption algorithms such as DES, 3ES, AES, RC2, Blowfish, and RC6. There were some basic parameters of performance such as battery power consumption, encryption or decryption speed compared. The results showed that blowfish had better performance than other algorithms when changing packet size. 3DES still had low performance compared to DES algorithms. RC2 showed the poorest performance among all.
So on the basis of the related work, main concern is on the communication of object from one extension to another without user's permission which is also known as Colluding Browser Extension attack. So in this paper, algorithm is applied on data which restricts the attacker to read or detect the user's information or credentials.

IV. PROPOSED WORK
For restricting the communication of object from one extension to another, a mechanism is needed for data by which attacker cannot be able to identify the user's credential or personal information. So this paper proposed Defacement of Colluding Attack (DCA) algorithm which is implemented on message bits by sending preprocessed data as an input of Blowfish Algorithm. In proposed algorithm, data is in the form of bits and on that bits, logarithmic function is applied to minimize the value of data. Then those logarithmic values are compared with each other and among them the bigger value is selected for message bits and padding of extra bits is applied on smaller value. Then proposed algorithm adds both the values i.e. bigger one and smaller one with padded bits with each other and apply Blowfish encryption algorithm on it. After this process, output is generated in the form of ciphertext. So for decrypting the ciphertext, Blowfish decryption algorithm is applied and message bits are generated as an output of it containing padded bits with it. For removing the padded bits, divide the output of decryption algorithm into two equal halves and compare the bits one by one with padded symbol i.e. ' '. When bit is equal to ' ' then discard that bit and when bit is not equal to ' ' then from that bit to the last bit it is going to be called complete message bits.

A. Defacement of Colluding Attack (DCA) Encryption Algorithm
DCA encryption algorithm is applied, to pre-process the data before going in the input of Blowfish Algorithm. This encryption algorithm is having two phases as shown in Figure 2. Phase-I is for padding and Phase-II is for encryption.

1) Padding:
In this phase, firstly take a card number which is equal to X-bits and Pin number which is equal to Y-bits as shown in Figure 2, Then apply logarithmic function on X and Y bits because logarithms are a convenient way to express large numbers. So, we take new variable M and N to represent the value of X and Y after taking log. Therefore, Now the value of M & N is compared with each other to find the bigger value from the among two values i.e.

 Case 1: If M is greater than equal to N (M >= N)
If card bits (M) is greater than pin bits (N) then take the exponential of M for message bits i.e.

………………………………………… (1)
and add padding bits with 2 N . Here we are using ' ' symbol for padding extra bits. For calculating padding value (P), we have to calculate the value of M-N. Then we take the exponential of the difference value which will be taken as padding bits, therefore P is equal to Now multiply equation (6)

2) Encryption:
Blowfish is a 64-bit block cipher encryption algorithm which can be used as a replacement of DES algorithm. It uses a variable key-length ranging from 32 bits to 448 bits having 16 rounds with input of 64-bit data [27]. This data is further divided into two equal halves as shown in Figure 3, and then apply following algorithm steps on it.  Blowfish uses a large number of subkeys that can be precomputed before any data encryption or decryption. Blowfish consists of an array also called as P-array which comprises of 18 sub-keys [28]. This prevents attackers from figuring out how the sub-keys were generated, and then gaining access to all the other known keys. Blowfish is solid against attacks because of the complexity of the subkey generation process. Generation of subkeys took longer time but in case of security, it is time well spent. For each key, the encryption routine runs for 522 times [29]. i.
The P-array consists of 18 subkeys which is of 32-bit: ii.

 Generating subkeys
Subkeys which is used in P-array can be generated by using following steps [28]: i. Firstly the P-array is initialized followed by four S-boxes with a fixed string that contains hexadecimal digits of pi. ii.
XOR P 1 with the key's first 32-bits, XOR P 2 with its second 32-bits, and so on upto P 14 . This process or cycle repeated until the entire P-array has been XOR-ed with key bits. iii.
Encrypt all-zero string with the blowfish algorithm, by using the subkeys described in steps (i) and (ii). iv.
Replace P 1 and P 2 with the output of step (iii). v.
Encrypt the output of step (iii) by using the blowfish algorithm with the modified subkeys. vi.
Replace P 3 and P 4 with the output of step (v). vii.
Continue the process, replace all entries of the P-array, followed by all four S-boxes, with the output of the continuously changing the blowfish algorithm.

B. Defacement of Colluding Attack (DCA) Decryption Algorithm
DCA decryption algorithm is used for de-padding the message bits after decrypting the ciphertext by using Blowfish Algorithm. This decryption algorithm is having two phases as shown in Figure 5. Phase-I is for decryption and Phase-II is for de-padding.

1) Decryption
For Blowfish cipher, encryption algorithm is so well intended, that the decryption algorithm is same as the encryption algorithm step by step in the same order [27], only the sub-keys are applied in the reverse order as shown in Figure 4.

 Algorithm
Input is of 64-bit ciphertext, C. Divide C into two equal halves i.e. 32-bits each: C L & C R . Then, for i = 1 to 16: C L = C L XOR K 16 C R = F(C L ) XOR C R Swap C L and C R After the sixteenth round, swap C L and C R again to undo the last swap. Then, C R = C R XOR K 2 and C L = C L XOR K 1 .
Finally, recombine C L and C R to get the data element.

2) De-Padding
After applying algorithm, the output is obtained in the form of message or data element i.e. Card number & Pin number in combined form. So divide that message into two equal halves.
Suppose message is having a range from 0 to R which is divide into two halves i.e. first one is from 0 to Q-1 & second one is from Q to R as shown in Figure 5.
Now compare both halves of message bits one by one with ' ' symbol because at the time of padding we pad the extra bits with' ' symbol.
So, compare each message bit and separate padding bits from the message as shown in Figure 5, and extract the Card no. and Pin number from it. So comparison of bits is done by using basic algorithm i.e.

i=0; While (Mi == ) { Separate the bit from whole message bits because this is padding bit i++; } From this bit to the last bit there is a message bits without padding bits
So by using this, there is an extraction of valuable bits i.e. Card number & Pin number from the complete message bits.

V. EXPERIMENTAL SETUP AND RESULT ANALYSIS
For experiment purpose, a computer present in Network Security Lab of MANIT, Bhopal is used with Intel Core(TM) i7-3770 CPU @ 3.40 GHZ CPU with 2GB RAM.
Implementation of DCA algorithm is done by using Blowfish algorithm in python language using Linux Operating System. In the experiment, encryption and decryption is carried out on 1000 different datasets i.e. card numbers and pin numbers. For making the bits of pin number equal to card number, padding of extra bits is required and which is done by using ' ' symbol and then encryption and decryption time is calculated.
Here 10 datasets of encryption time is shown in Table I   According to results shown in Figure 6, DCA with Blowfish algorithm is having less encryption and decryption time as compared to other techniques. So DCA with blowfish algorithm will make data more secure as compare to others with minimum encryption and decryption time. Beside encryption and decryption time other parameters like key-length, rounds, block-size, attacks found and level of security are also important factors to compare the algorithms. In table III, comparison of algorithms is done on different parameters for different algorithms like DCA, Twofish, Threefish, 3DES and DES. For any efficient encryption algorithm it is required to have variable key-length which takes exponential time to crack the encryption. In proposed DCA algorithm, key-length is ranging from 32-448 bits whereas in twofish, threefish, 3DES and DES is having static key-length and it is very easy to crack them.

Comparison between Encryption and Decryption Time
Average Decryption Time (ms) Average Encryption Time (ms)