A Browser Fingerprint Authentication Scheme Based on the Browser Cache Side-Channel Technology

Abstract

Users encounter various threats, such as cross-site scripting attacks and session hijacking, when they perform login operations in the browser. These attacks pose significant risks to the integrity and confidentiality of personal data. The browser fingerprint, as an authentication technique, can effectively enhance user security. However, attackers can bypass browser fingerprint authentication through phishing attacks and other methods, leading to unauthorized logins. To address these issues, we propose a secure browser fingerprint authentication scheme that integrates the data of the browser cache side-channel into the traditional browser fingerprint. Consequently, it enhances the dynamics and non-determinism of the browser fingerprint and improves the anti-attack capabilities of the authentication process. Experimental results demonstrate that this scheme can effectively mitigate phishing attacks and man-in-the-middle attacks, achieving a 95.33% recognition rate for attackers and a 96.17% recall rate for authorized users.

1. Introduction

The advent of the Internet has fundamentally transformed the way we interact with information, communicate with others, and conduct business [1]. Central to this digital revolution is the browser, a software application that enables users to access and navigate the vast expanse of the World Wide Web [2]. Today, the technologies to enrich the user experience are evolving at an amazing pace [3]. Browsers have become indispensable tools for virtually every aspect of modern life, facilitating everything from online shopping and social networking to research and entertainment [4].

Browser authentication is crucial for maintaining data privacy, preventing identity theft, and enforcing secure access controls in the online environment. Most sites rely on relatively weak forms of authentication [5], and passwords are the default solution [6]. However, the widespread reliance on username-password-based authentication poses significant challenges [7,8]. As early as 2016, research indicated that over 3.3 billion credentials had been compromised through this approach alone. Meanwhile, phishing attacks significantly increase the risk of account hijacking [9]. While multi-factor authentication (MFA) [10,11] can enhance user security, the introduction of additional authentication factors increases the complexity and time cost of the user login process.

Browser fingerprint, as a stateless technique [12], harnesses user device data (e.g., browser type, operating system, installed plugins, etc.) collected by the browser to construct a distinct device identifier [13]. Browser fingerprinting for authentication is a way to put browser fingerprints in the service of benign purposes [14]. Unlike traditional username-password authentication methods, browser fingerprint authentication is considerably more resistant to cracking, thus enhancing user security, which is a promising additional web authentication factor [15].

However, current browser fingerprint authentication technology faces two significant challenges. First, the weak stability of browser fingerprints contradicts the need for a relatively stable credential for authentication. Since browser fingerprints directly reflect users’ devices and their environment, any modifications or updates to device parameters can easily alter the browser fingerprint [16]. Second, browser fingerprints are vulnerable to illegitimate theft by attackers through techniques such as cross-site scripting (XSS) and cross-site request forgery (CSRF). Additionally, they are susceptible to phishing attacks [17] and man-in-the-middle attacks [18]. Specifically, malicious websites can collect users’ fingerprints and use them to mimic their devices, therefore bypassing authentication mechanisms. Simultaneously, attackers can intercept users’ login information and tamper with users’ identities to achieve authentication. These vulnerabilities undermine the reliability and security of browser fingerprint authentication, necessitating further advancements to address these concerns and enhance the overall robustness of the authentication process.

To tackle these challenges, we propose a browser fingerprint authentication scheme based on browser cache side-channel technology [19]. First, we utilize Fast Fourier Transform (FFT) to map browser cache side-channel data into a unique browser fingerprint attribute. Since browser cache side-channel data are closely tied to the hardware information of user devices, this approach significantly improves stability compared to traditional browser fingerprint authentication methods. Furthermore, due to the diversity of hardware devices, attackers are unable to replicate user devices, therefore thwarting phishing attacks. Second, we introduce the concept of timestamps. By recording the time when fingerprint collection is completed and analyzing the duration of fingerprint collection, we can detect man-in-the-middle attacks. This dual-pronged approach aims to enhance the security and reliability of browser identity authentication, mitigating the vulnerabilities associated with traditional methods and bolstering overall protection against malicious activities in the online environment.

In summary, the main contributions of this paper are summarized below:

• We propose a more stable and secure browser fingerprint authentication scheme that integrates browser cache side-channel technology, therefore mitigating phishing attacks.
• We introduce the timestamp to identify man-in-the-middle (MITM) attacks by analyzing the duration of fingerprint collection.
• We test and analyze the uniqueness and stability of browser cache side-channel data across 11 different computer devices. Furthermore, the accuracy of the proposed authentication scheme is tested, with experimental results indicating a recall rate of 96.17% even in the presence of man-in-the-middle and phishing attacks.

The remaining sections of the paper are structured as follows. We review the state-of-the-art in Section 2, including browser cache side-channel technology and browser fingerprint authentication technology. Section 3 introduces the system model, the threat model, and the design goals of the proposed scheme, followed by its detailed design in Section 4. We analyze the security and privacy of the scheme regarding resistance against man-in-the-middle attacks and phishing attacks in Section 5. Section 6 conducts experiments to evaluate the uniqueness, stability, and accuracy of the scheme. Finally, we draw a conclusion in the Section 7.

2. Background and Related Work

In this section, we critically examine the current state-of-the-art literature on browser cache side-channel technology and browser fingerprint authentication. We also identify and discuss the limitations of existing methodologies.

2.1. Browser Cache Side-Channel Technology

The browser cache side-channel technology is a type of microarchitecture attack [20,21] in which sensitive information can be recovered by analyzing the physical phenomena of the device during operation [22]. Since the mid-1990s, side-channel technology has received increasing attention from researchers [23]. Among the different types of side-channel attacks, cache side-channel attacks can leak large amounts of information [24]. The Prime and Probe technique was initially proposed by Osvik et al. in 2006 [25], which, as shown in Figure 1, typically involves three main phases:

Figure 1. The General Flow of the Prime and Probe Technique.

• Prime Phase: the attacker fills the CPU cache with specific data carefully selected to impact the cache’s behavior in subsequent operations.
• Wait Phase: victims execute operations that may replace the data previously loaded by attackers in the cache.
• Probe Phase: the attacker performs memory access operations and observes the timing or latency of these operations. By carefully timing memory accesses, the attacker can infer information about the cache state and potentially recover sensitive data.

In 2020, Shusterman et al. explored the application of cache side-channel techniques in a networked environment [26]. Cronin et al. present a new GPU side-channel attack in 2021 by targeting different levels of caching in devices [27]. In 2022, Mojtaba et al. [19] proposed a cash occupancy attack through browser cache side-channel data based on the Prime and Probe technique. It exploits the variations in cache occupancy to infer sensitive information or monitor user behavior in computing systems. In this attack, adversaries analyze the occupancy patterns of cache memory to deduce details about the system’s operations or the data being processed.

2.2. Browser Fingerprint Authentication Technology

In 2009, Mayer conducted an investigation into the potential exploitation of browser environment variations by remote attackers for user identification purposes [2]. In this study [28], experiments were conducted to collect data on browsers, screen characteristics, and browser plugins. The findings, derived from a sample of 1328 users, demonstrated that 1278 users (96.23%) could be identified.

Andriamilanto et al. conducted extensive research on the browser fingerprint, rigorously assessing its necessity as a factor in browser identity authentication [28]. Their work has gradually raised awareness of the crucial role that browser fingerprints play in the authentication process. In 2013, Nikiforakis et al. launched an in-depth study on the variability of browser fingerprints [29].

However, issues such as weak uniqueness and stability have long constrained the development of browser fingerprint authentication. To address these challenges, Queiroz et al. recognized a device’s web browser fingerprint by studying the use of the Web Audio API [30]. Karami et al. introduced behavioral fingerprints in the authentication process in 2020 [31]. In 2022, ref. [32] conducted a comparative analysis of single-peak and multi-peak behavioral biometric features obtained from various activities such as typing, scrolling, drawing numbers, and screen tapping on smartphones. The introduction of behavioral fingerprints significantly raised the difficulty for attackers to simulate fingerprints, therefore enhancing the uniqueness of browser fingerprints and reducing the risk of credential theft. However, users’ behaviors may vary over time [33], influenced by factors such as emotions, health conditions, etc., leading to subsequent authentication failures.

In the same year, Andriamilanto et al. utilized machine-learning techniques to propose a dynamic fingerprint updating scheme, ensuring the uniqueness of fingerprints [34]. However, this scheme requires re-authentication of users every time fingerprint updating is conducted, which demands substantial data for training and incurs high maintenance costs.

As shown in Figure 2, Xu et al. [35] proposed a type of phishing attack on the process of browser fingerprint authentication in 2022. Initially, attackers extract fingerprinting code from susceptible websites and incorporate it into their phishing sites. Subsequently, it automatically replicates the fingerprinting process of target websites to ensure that collected fingerprints match the expected ones. Finally, various fingerprinting functions are included on the phishing page to gather fingerprints, enabling exploitation across multiple websites simultaneously.

Figure 2. The General Flow of the Phishing Attack.

In response to the aforementioned challenges and attacks, our scheme innovatively integrates cache side-channel data with browser fingerprints, which ensures stability and uniqueness and improves the ability to defend against phishing attacks.

3. Problem Statement

In this section, we illustrate the system model, the threat model, and the design goals of this scheme and describe the notation involved in the scheme, as shown in Table 1.

Table 1. The Explanation of Notations.

Notation	Explanation
X	A matrix with N rows and M columns.
$A_1,A_2$	Two matrixes representing the browser cache side-channel data collected during user registration.
B	A matrix, representing the browser cache side-channel data collected during the subsequent login process.
$\overline{X}$	A one-dimensional vector, where each element is the average of the sum of all elements in the corresponding column of the matrix X.
$\overline{X^{\prime }}$	A one-dimensional vector obtained by converting the elements of $\overline{X}$ into complex numbers and padding its length to the smallest power of 2.
$R_{X_1{X}_2}$	The correlation between $X_1$ and $X_2$.

3.1. System Models

The system model of this scheme is shown in Figure 3, which contains two main entities: the server and clients.

Figure 3. System Model.

Clients: Clients mainly refer to the user devices, which are mainly responsible for collecting the browser cache side-channel data and the timestamp of the data collection completion.

Server: The server authenticates clients based on received data. Initially, it converts browser cache side-channel data into browser fingerprints to perform identity authentication. Subsequently, it utilizes the timestamp to determine whether the data sent by the client has been maliciously altered, therefore preventing man-in-the-middle attacks. In this paper, we assume that the server is a trusted entity.

3.2. Threat Models

The browser fingerprint authentication process is threatened by two main types of attacks: phishing attacks and man-in-the-middle attacks.

3.2.1. Phishing Attacks

Phishing attacks trick users into divulging their browser fingerprint data to malicious attackers under the guise of a legitimate entity or service [36,37,38]. By designing an official-looking website with the capability of browser fingerprint collection, the attacker induces the victim to log in and perform authentication operations. In this way, the attacker illegally obtains the victim’s login credentials and realizes authentication.

3.2.2. Man-in-the-Middle Attack

A man-in-the-middle (MITM) attack is a type of cyberattack where a malicious attacker intercepts communication between two parties without their knowledge [39,40]. Attackers position themselves between the server and clients, allowing them to eavesdrop on the communication, manipulate the data being transmitted, and, in some cases, inject their own malicious content into the conversation.

3.3. Design Goals

We intend to design a secure browser fingerprint authentication scheme based on the browser cache side-channel technology, supporting uniqueness, stability, phishing attack resistance, and man-in-the-middle attack resistance.

• Uniqueness: A secure browser fingerprint authentication scheme demonstrates uniqueness if the cache side-channel data from different devices exhibit distinct characteristics from each other.
• Stability: A secure browser fingerprint authentication scheme holds stability if the cache side-channel data from one device remains highly consistent over time.
• Phishing attack resistance: A secure browser fingerprint authentication scheme exhibits resistance to phishing attacks if it can identify an attacker who fraudulently obtains users’ browser fingerprint data under the guise of a legitimate entity or service.
• Man-in-the-middle attack resistance: A secure browser fingerprint authentication scheme demonstrates resistance to man-in-the-middle attacks if it can detect an attacker who intercepts communication between two parties without their knowledge.

4. Scheme Design

Our scheme contains four steps: data collection, data processing, browser fingerprint generation, and timestamp analysis. Clients initially collect browser cache side-channel data and subsequently transmit it to the server. Upon receiving the data, the server conducts a Fast Fourier Transform (FFT), therefore mapping the data to a browser fingerprint and proceeding with authentication. Furthermore, based on the timestamp, the server assesses whether the data sent by the client has been maliciously altered to prevent man-in-the-middle attacks.

Next, we describe the scheme in detail according to these four steps.

4.1. Data Collection

We collect the browser cache side-channel data based on the Prime and Probe technique proposed by Mojtaba et al. [19]. The data are represented by a matrix X with N rows and M columns, as referenced in Equation (1). Each row in the matrix represents a set of time-domain eigenvalue sequences extracted by performing a browser cache side-channel operation, where N indicates the number of executions.

$$\begin{array}{c}\hfill \begin{array}{c}\hfill X=\left[\begin{array}{c}{x}_{11},x_{12},\dots ,x_{1M}\\ x_{21},x_{22},\dots ,x_{2M}\\ ⋮\\ x_{N1},x_{N2},\dots ,x_{NM}\end{array}\right]\end{array}\end{array}$$

(1)

For clarity and differentiation, data collected during user registration are denoted as matrices $A_1$ and $A_2$, where $A_1$ serves as the baseline value. Subsequently, data collected during logins is represented using matrix B.

4.2. Data Processing

Upon receiving the browser cache side-channel data B sent by the client during logins, the server processes it according to the procedure outlined in Figure 4. Initially, the server calculates the average values of each column of the array and transforms them into a non-periodic curve. Subsequently, all elements of the array are normalized and converted into complex numbers, with their length extended to the nearest power of two. The FFT algorithm is then applied to the array with the butterfly operation to reduce the overall computational effort. Finally, authentication is performed by calculating the correlation between two different sets of data using the Inverse FFT (IFFT) algorithm and the K-Nearest Neighbors (KNN) algorithm. The specific process is described as follows:

Figure 4. The process of cache side-channel data processing.

• Mean Computation
  We convert the cache side-channel data $A_1$, $A_2$, and B into one-dimensional vectors $\overline{A_1}$, $\overline{A_2}$, and $\overline{B}$ according to the following equation:

  $$\begin{array}{c}\hfill \begin{array}{c}\hfill \overline{X}=({\overline{x}}_1,{\overline{x}}_2,\dots ,{\overline{x}}_m,\dots ,{\overline{x}}_M),{\overline{x}}_m=\frac{1}{N}\sum _{n=1}^N{x}_{nm},m=1,2,\dots ,M\end{array}\end{array}$$

  (2)
• Complex Formulation
  Subsequently, we apply Equation (3) to convert the elements within the vectors $\overline{A_1}$, $\overline{A_2}$, and $\overline{B}$ into complex numbers, and pad their length to the smallest power of 2.

  $$\begin{array}{c}\hfill \begin{array}{c}\hfill \overline{X^{\prime }}=\left[(\overline{x_1}+0i),(\overline{x_2}+0i),\dots ,(\overline{x_m}+0i),\underset{2^{\lceil {log}_2\left(M\right)\rceil }-M\mathrm{times}}{\underbrace{(0+0i),\dots ,(0+0i)}}\right]\end{array}\end{array}$$

  (3)
• Fast Fourier Transform
  FFT is an efficient algorithm to execute the Discrete Fourier Transform (DFT). It is a mathematical operation that transforms data from the time domain into a representation in the frequency domain. It can effectively analyze the frequency domain features of the data and help identify the similarity between two sets of data. We apply the FFT algorithm, as shown in Algorithm 1, to convert the vector $\overline{X^{\prime }}$ to a vector F representing data in the frequency domain. Initially, the elements in the vector $\overline{X^{\prime }}$ are divided into two parts: elements with even indexes and elements with odd indexes. Subsequently, F is computed by recursively performing the Fourier transform based on these two parts. During this process, the butterfly operation is employed to reduce the overall computational effort by combining smaller Fourier transforms into larger ones through recursion.

  Algorithm 1 FFT

  1: Input: $\overline{X^{\prime }}$  2: Output: F  3: $l=\mathrm{length}\left(\overline{X^{\prime }}\right)$  4: if  $l==1$  then  5:      return $\overline{X^{\prime }}$  6: end if  7: ${\overline{X^{\prime }}}_{even}=\{FFT\left({\overline{x^{\prime }}}_{2k-1}\right)\},k=1,2,\cdots ,\frac{l}{2}$ ▹ elements of $\overline{X^{\prime }}$ with even indexes  8: ${\overline{X^{\prime }}}_{odd}=\{FFT\left({\overline{x^{\prime }}}_{2k}\right)\},k=1,2,\cdots ,\frac{l}{2}$    ▹ elements of $\overline{X^{\prime }}$ with odd indexes  9: for k from 1 to $l/2$ do             ▹ Perform the butterfly operation 10:     $W_l^k=e^{-(2\pi i/l)k}$                ▹ Calculate the rotation factor 11:     $f_k={\overline{x^{\prime }}}_{eve{n}_k}+W_l^k\ast {\overline{x^{\prime }}}_{od{d}_k}$ 12:     $f_{k+l/2}={\overline{x^{\prime }}}_{eve{n}_k}-W_l^k\ast {\overline{x^{\prime }}}_{od{d}_k}$ 13: end for 14: return  $F=\{f_1,f_2,\cdots f_l\}$

• Correlation analysis
  According to Equation (4), we utilize the convolution theorem in the frequency domain to compute the correlation $R_{A_1{A}_2}$ between data $A_1$ and $A_2$, and $R_{A_{1}B}$ between data $A_1$ and B, respectively. FFT*() denotes the covariance result after the Fast Fourier Transform, and IFFT() denotes the Inverse Fast Fourier Transform.

  $$\begin{array}{c}\hfill \begin{array}{c}\hfill R_{X_1{X}_2}=Max\left\{\mathrm{IFFT}(\mathrm{FFT}{\left(\overline{X_1^{\prime }}\right)}_j·{\mathrm{FFT}}^{\ast }{\left(\overline{X_2^{\prime }}\right)}_j)\right\}\end{array}\end{array}$$

  (4)
  The IFFT algorithm is the inverse operation of the Fast Fourier Transform. As shown in Algorithm 2, it transforms the product of browser cache side-channel data $X_1$ and $X_2$ in the frequency domain (denoted by $F_1=\{f_{1,1},f_{1,2},\cdots f_{1,l}\}$ and $F_2=\{f_{2,1},f_{2,2},\cdots f_{2,l}\}$, respectively) to a vector R representing a list of correlations between $X_1$ and $X_2$. The process begins by determining the length of the arrays. Each element of $F_1$ is then multiplied by the conjugate of the corresponding element in $F_2$, with the results stored in a temporary array $r_{tem}$. This temporary array is subsequently conjugated and transformed using the FFT algorithm. The resulting array, $F_3$, is again conjugated, and both its real and imaginary parts are normalized by dividing by the array length. The final result, R, represents the correlations between the original data sets in the time domain.

  Algorithm 2 IFFT

  1: Input: $F_1,F_2$  2: Output: R  3: $l=\mathrm{length}\left(F_1\right)=\mathrm{length}\left(F_2\right)$  4: for j from 1 to l do   ▹ Multiply each element of $F_1$ by the conjugate  5:               of the corresponding element $F_2$  6:     $f_{2,j}=conj\left(f_{2,j}\right)$               ▹ Conjugate operation  7:     $r_{tem,j}=f_{1,j}\ast f_{2,j}$  8: end for  9: for j from 1 to l do 10:     $r_{tem,j}=conj\left(r_{tem,j}\right)$ 11: end for 12: $F_3=FFT(R_{tem}=\{r_{tem,1},r_{tem,2},\cdots ,r_{tem,l}\})=\{f_{3,1},f_{3,2},\cdots f_{3,l}\}$ 13: for j from 1 to l do 14:     $r_j=conj\left(f_{3,j}\right)$ 15:     $r_{j,real}=r_{j,real}/l$                 ▹ the real part of $r_j$ 16:     $r_{j,imag}=r_{j,imag}/l$              ▹ the imaginary part of $r_j$ 17: end for 18: return  $R=\{r_1,r_2,\cdots ,r_l\}$

4.3. Browser Fingerprint Generation

We apply the browser fingerprint generation (BFG) algorithm based on Manhattan distance and the KNN algorithm to transform data correlation into browser fingerprints for authentication. The KNN algorithm, as shown in Algorithm 3, is a distance-based machine-learning classification method that predicts the category of a new value based on the categories of the k nearest data points. Its theoretical maturity and lack of an extensive training process make it well-suited for enhancing real-time fingerprint identification. We collect n sets of baseline value data $(A_{1,1},A_{1,2},\cdots A_{1,n})$ for each user during the registration phase, where $n=\lfloor K/2\rfloor +1$ and K is the number of nearest neighbors applied in the KNN algorithm. We use the symbol D to denote the correlation generated in the registration phase by all users. For m users, $D=\left\{R_{A_{1,j}{A}_2}^i\right\}$, where $i\in [1,m]$ and $j\in [1,n]$. The Manhattan distance $d_q$ between the correlation $R_{A_{1}B}$ and $R_{A_{1,j}{A}_2}^i$ is calculated according to Equation (5) when a user logs in.

$$\begin{array}{c}\hfill \begin{array}{c}\hfill d_j^i=\parallel R_{A_{1}B}-R_{A_{1,j}{A}_2}^i\parallel ,i\in [1,m],j\in [1,n]\end{array}\end{array}$$

(5)

The results are sorted in ascending order, and the first K Manhattan distances are selected as the nearest neighbors. Subsequently, the user’s identity of data B denoted by $U_B$ is determined based on the principle of majority voting.

Algorithm 3 BFG

1: Input: $R_{A_{1,j}B},D,K,C_{up}$  2: Output: $U_B$  3: $d=\left[\right]$                   ▹ Create a list  4: for i from 1 to m do  5:     for j from 1 to n do  6:         $d_j^i=\parallel R_{A_{1}B}-R_{A_{1,j}{A}_2}^i\parallel$  7:         $d.append\left(d_j^i\right)$  8:     end for  9: end for 10: $d=sort\left(d\right)$             ▹ In ascending order 11: for k from 0 to $K-1$ do 12:     Parse $d\left[k\right]$ as $\parallel R_{A_{1}B}-R_{A_{1,j}{A}_2}^i\parallel$ 13:     $vot{e}_{U_i}++$  ▹ Vote count for $U_i$ is incremented by one 14: end for 15: Set $vot{e}_{U_B}=max\{vot{e}_{U_1},vot{e}_{U_2},\cdots vot{e}_{U_m}\}$ 16: return  $U_B$

4.4. Timestamp Analysis

However, in the above process, an attacker can launch man-in-the-middle attacks to indirectly bypass the authentication mechanism. Malware in the middle of communication can monitor and alter confidential information [41]. To prevent this attack, we introduce the concept of timestamp. Specifically, we assume that the server notifies a client at time $T_{send}$ and subsequently receives data from the client at time $T_{receive}$. Upon completing the browser cache side-channel data collection, the client records the time as $T_{end}$ and transmits both the data and the timestamp to the server. We assume that the network remains stable for a brief period. In this scenario, the duration of data collection $t_{collect}$ can be expressed as Equation (6).

$$\begin{array}{c}\hfill \begin{array}{c}\hfill t_{collect}=(T_{receive}-T_{send})-(T_{receive}-T_{end})\ast 2\end{array}\end{array}$$

(6)

We set a threshold $\Delta t$. When $t_{collect}\le \Delta t$, it is inferred that no man-in-the-middle attack has occurred. Conversely, if $t_{collect}>\Delta t$, it is deduced that a man-in-the-middle attack has transpired. Even in the presence of network delays, as illustrated in Figure 5, the duration for data collection remains consistent, expressed as $t_{collect}^{\prime }=(T_{receive}^{\prime }-T_{send})-(T_{receive}^{\prime }-T_{end}^{\prime })\times 2=t_{collect}$, where $T^{\prime }end$ and $T^{\prime }receive$ denote the completion time of data collection and the time of receiving data in the delayed environment, respectively. Through this analysis, we ascertain that our scheme remains unaffected by network delays.

Figure 5. Comparison of Authentication Duration in a Normal Environment and Delay Environment.

5. Security and Privacy Analysis

This section analyzes how this scheme can successfully protect user privacy and resist both man-in-the-middle attacks and phishing attacks.

5.1. Security Analysis

5.1.1. Resistance to Man-in-the-Middle Attacks

This scheme can resist man-in-the-middle attacks against IP redirection and timestamp modification.

• IP redirection
  The attacker attempts to achieve unauthorized login by altering the IP address upon receiving data from victims. In this case, the duration of fingerprint collection is represented as $T_{collect}^{″}=(T_{receive}^{″}-T_{send})-(T_{receive}^{″}-T_{end}^{″})\ast 2$, where $T_{receive}^{″}$ denotes the time of receiving data when encountering man-in-the-middle attacks. As shown in Figure 6, the process by which attackers alter IP addresses extends the duration of fingerprint collection, ultimately falling outside the normal range.
  

  Figure 6. Comparison of Authentication Duration between Normal Login and IP Redirection.
• Timestamp Modification
  Additionally, the attacker may attempt to manipulate the completion time of the browser cache side-channel data collection ($T_{end}$) to ensure that the overall duration of data collection appears normal. As shown in Figure 7, according to Equation (7), executing this attack requires the attacker to simultaneously know the start time of data collection ($T_{start}$), $T_{send}$, and $T_{receive}$. However, $T_{send}$ and $T_{receive}$ are collected only on the server side, which is a trusted entity. Additionally, $T_{start}$ is not collected during the entire communication process. Therefore, this scheme effectively mitigates man-in-the-middle attacks involving timestamp modification.

  $$\begin{array}{c}\hfill \begin{array}{c}\hfill T_{end}^{″}=T_{end}+(T_{receive}-T_{send}-T_{collect})/2-(T_{start}-T_{send})\end{array}\end{array}$$

  (7)
  

  Figure 7. Timeline when Timestamp Modification.

In summary, this scheme can effectively resist man-in-the-middle attacks.

5.1.2. Resistance to Phishing Attacks

Browser cache side-channel data are tightly bound to users’ devices. For device fingerprinting [42], even if these data are obtained illicitly by an attacker through phishing attacks, it is challenging for the attacker to simulate it on their device without access to detailed parameters of the victim’s device. Moreover, the diversity of devices further decreases the likelihood of collision. Consequently, our scheme effectively resists phishing attacks.

5.2. Privacy Analysis

On one hand, the browser cache side-channel data are a mapping of hardware devices and external resources. Without knowledge of the external resources, an attacker cannot infer the hardware device parameters through the browser cache side-channel data. On the other hand, hardware device parameters do not contain the personal identity information of the user. Even if an attacker illegally obtains hardware device parameters, it is impossible to obtain any information related to the user’s identity. Therefore, the browser cache side-channel data do not pose a threat to user privacy.

6. Evaluation

In this section, we first analyze the computation complexity of algorithms proposed in Section 4. Subsequently, we verify the uniqueness and stability of the browser cache side-channel data. Finally, we test the accuracy of our browser fingerprint authentication scheme.

6.1. Computation Overhead

We analyze the computation complexity of three algorithms, FFT, IFFT, and BFG, as shown in Table 2:

Table 2. Algorithmic Computation Complexity.

Algorithm	Computation Complexity
FFT	$O(l·logl)$
IFFT	$O(l·logl)$
BFG	$O(mn·log(mn\left)\right)$

l: the length of inputs. m: the number of users. n: the number of baseline values.

The FFT and IFFT algorithms both exhibit a complexity of $O(l·logl)$, where l represents the length of the input. These two algorithms are independent of the number of users, making them highly suitable for a wide range of applications. The BFG algorithm, with a complexity of $O(mn·log(mn\left)\right)$, where m and n denote the number of users and baseline values, respectively, scales sub-exponentially with the number of users. It is relatively more computationally intensive. However, for moderate problem sizes, this overhead remains manageable. To improve scalability, we can further enhance the computation efficiency by employing optimization strategies such as multi-threading, multiple servers, or high-performance server configurations.

6.2. Uniqueness Test

We initially tested uniqueness by comparing the correlation of browser cache side-channel data from 11 different devices. The configurations of these devices are detailed in Table 3.

Table 3. Device Configuration.

Equipment Number	Device Type	Operating System Type	CPU Model	RAM Model
Device 1	Desktop computer	Windows10	Intel Core i3-10100	8 GB
Device 2	Desktop computer	Windows10	Intel Core i3-10105T	8 GB
Device 3	Desktop computer	Windows10	Intel Core i5-10400	32 GB
Device 4	Notebook computer	Windows11	Intel Core i5-9300HF	16 GB
Device 5	Notebook computer	Windows11	Intel Core i7-8550U	16 GB
Device 6	Desktop computer	Windows10	Intel Core i7	24 GB
Device 7	Notebook computer	Windows10	Intel Core i7	32 GB
Device 8	Notebook computer	Windows10	Intel Core i7-12700H	16 GB
Device 9	Notebook computer	Windows10	Intel Core i9	16 GB
Device 10	Notebook computer	Windows10	Intel Core i9-12900H	32 GB
Device 11	Notebook computer	Windows10	Intel Core i9-13900HX	32 GB

All devices’ browsers execute the registration operation with the same baseline value. Subsequently, each device performs 300 login operations to collect browser cache side-channel data, followed by correlation calculations with the baseline value. As depicted in Figure 8, it is evident that browser cache side-channel data from different devices exhibit high uniqueness after FFT operations and correlation calculations.

Figure 8. Browser Cache Side-channel Data Correlation Results from Different Devices.

6.3. Stability Test

We test the stability of browser cache side-channel data by comparing its correlation across time. Our scheme is implemented on a desktop running the Windows 10 operating system, equipped with an Intel Core i7 CPU and 32 GB of RAM.

We perform login operations every three months, collecting 50 sets of browser cache side-channel data each time. Subsequently, we calculate their correlation with the baseline value. As illustrated in Figure 9, the correlation results of the browser cache side-channel data from the same device remain highly similar after two months, indicating a high degree of stability of the browser cache side-channel data.

Figure 9. Browser Cache Side-channel Data Correlation Results of Different Time.

6.4. Accuracy Test

We evaluate the accuracy of our browser fingerprint authentication using the following metrics:

• Recall Rate ($REC$): The proportion of legitimate users judged to be legitimate users.
• False Acceptance Rate ($FAR$): The proportion of illegal users judged to be legitimate users.
• False Rejection Rate ($FRR$): The proportion of legitimate users judged to be illegitimate users.

These metrics are calculated based on the following equations:

$$REC=TP/(TP+FN)$$

(8)

$$FAR=FP/(FP+TN)$$

(9)

$$FRR=FN/(TP+FN)$$

(10)

Among them, true positive ($TP$) denotes the number of legitimate users judged to be legitimate users, false negative ($FN$) denotes the number of legitimate users judged to be illegal users, false positive ($FP$) denotes the number of illegal users judged to be legitimate users, and true negative ($TN$) denotes the number of illegal users judged to be illegal users.

We designate 15 groups of devices, with configurations selected from Table 3, to act as attackers and victims, respectively. In this setup, attackers attempt to obtain the victim’s account, password, and other information through phishing attacks, simulating the victim’s login. This experiment collects 300 pieces of browser cache side-channel data to generate browser fingerprints. The fingerprints provided by the attacker and the victim are mixed before being sent to the server for verification.

We first test the effect of different values of K on the $REC$. As presented in Figure 10, $REC$ is highly sensitive to noise when $K=2$ because only 1 nearest neighbor is considered, resulting in lower accuracy. The highest $REC$, at 96.17%, is achieved when $K=3$. The $REC$ shows a gradual decrease as the value of K increases beyond 3.

Figure 10. The Effect of Different K Values on Recall Rate.

Then, we test the effect of different values of K on the $FAR$. As shown in Figure 11, the lowest FAR, at 0, is achieved when $K=2$. The $FAR$ increases when $K\le 6$, and becomes stable when $K>6$.

Figure 11. The Effect of Different K Values on False Acceptance Rate.

Finally, we test the effect of different values of K on the $FRR$. As shown in Figure 12, the $FRR$ reaches its minimum at 3.83% when $K=3$. Beyond this point, the $FRR$ exhibits an upward trend as the value of K continues to increase.

Figure 12. The Effect of Different K Values on False Rejection Rate.

The verification results for $K=2$ and $K=3$ are summarized in Table 4. In summary, the values of $REC$ and $FRR$ are optimized at 96.17% and 3.83%, respectively, when K = 3, with $FAR$ at 4.67%. When $K=2$, $FAR$ reaches its minimum at 0%, while $REC$ and $FRR$ are 91.58% and 8.42%, respectively. These values demonstrate that our scheme exhibits strong resistance to phishing attacks [35].

Table 4. The Accuracy of Our Browser Fingerprint Authentication Scheme when K = 2 and K = 3.

Group Number	Attacker	Victim	K = 2			K = 3
			$\mathit{REC}$/%	$\mathit{FAR}$/%	$\mathit{FRR}$/%	$\mathit{REC}$/%	$\mathit{FAR}$/%	$\mathit{FRR}$/%
1	Device 7	Device 4	99.67	0	0.33	99.67	0.33	0.33
2	Device 2	Device 3	85	0	15	97.31	12.31	2.69
3	Device 1	Device 2	100	0	0	100	0	0
4	Device 11	Device 4	86.69	0	13.31	92.45	4.68	7.55
5	Device 8	Device 10	90.68	0	9.32	95.34	5.4	4.66
6	Device 2	Device 8	98.67	0	1.33	99	0.33	1
7	Device 4	Device 7	99	0	1	99.67	0.72	0.33
8	Device 11	Device 7	61.67	0	38.33	84.67	24	15.33
9	Device 9	Device 1	98.67	0	1.33	98.67	0.33	1.33
10	Device 9	Device 4	98.67	0	1.33	98.67	0	1.33
11	Device 7	Device 5	100	0	0	100	0.33	0
12	Device 2	Device 10	100	0	0	100	0	0
13	Device 2	Device 5	71.91	0	28.09	85.58	12.59	14.42
14	Device 11	Device 5	96.4	0	3.6	98.56	2	1.44
15	Device 10	Device 9	86.67	0	13.33	93	7	7
Average value			91.58	0	8.42	96.17	4.67	3.83

The (Cross-)Browser Fingerprinting scheme [43] achieved authentication by extracting and combining stable features of the operating system and hardware across different browsers on the same device to create unique user fingerprints, yielding a $REC$ of 90.84% and a $FRR$ of 9.16%. As shown in Table 5, our scheme significantly improves the $REC$ compared to this method. Additionally, the FP-Inspector scheme [44] realized authentication by combining static and dynamic analysis of illegal behaviors through a machine-learning approach. It detects browser fingerprinting through machine-learning classifiers that extract features from script contents and execution traces. This scheme has a $FAR$ of 6.2%, which is higher than that of our scheme.

Table 5. Performance Comparison.

Metrics	Our Scheme (K = 2)	Our Scheme (K = 3)	(Cross-)Browser Fingerprinting [43]	FP-Inspector [44]
$REC$	91.58%	96.17%	90.84%	-
$FAR$	0%	4.67%	-	6.2%
$FRR$	8.42%	3.83%	9.16%	-

7. Conclusions

We proposed a browser fingerprint authentication scheme in this paper, which integrates browser cache side-channel technology. It offers a promising solution to enhance user security during online authentication processes. By leveraging the stability and uniqueness of browser cache side-channel data, this scheme effectively mitigates phishing attacks and man-in-the-middle attacks, achieving high recognition and recall rates for both attackers and authorized users. The experimental results demonstrate the scheme’s ability to resist malicious activities and maintain a high level of authentication accuracy even in the presence of sophisticated attacks. Overall, this innovative approach contributes to strengthening browser identity authentication, addressing the limitations of traditional methods, and bolstering overall protection in the online environment.

This scheme relies on the assumption that the server is fully trusted and secure, making it vulnerable to attacks targeting the server in reality. If an attacker gains control of the server, authentication anomalies and potential breaches could occur. Additionally, this scheme, like many security solutions, faces significant challenges in defending against zero-day attacks. These sophisticated attacks exploit previously unknown vulnerabilities, making detection and mitigation difficult with existing measures. To enhance security, we could deploy a Trusted Execution Environment (TEE) within the server in future work. A TEE can provide a secure, isolated area to perform sensitive operations, protecting the server from external attacks. Moreover, future work could incorporate machine-learning models for anomaly detection to improve the scheme’s ability to identify zero-day attacks. These models can analyze patterns in browser cache side-channel data and user behavior to detect deviations that might indicate an exploit. Additionally, regular security audits and penetration testing should be conducted to identify and address potential vulnerabilities proactively. Combining these strategies can significantly fortify the scheme against zero-day attacks, enhancing overall system resilience.