CN106529317A - Web application encryption and decryption method based on Shadow DOM - Google Patents

Info

Publication number: CN106529317A
Authority: CN (China)
Legal status: Granted
Application number: CN201611032064.5A
Other languages: Chinese (zh)
Other versions: CN106529317B (en)
Inventors: 李进, 刘哲理
Current Assignee: Guangzhou University
Original Assignee: Guangzhou University
Application filed by: Guangzhou University
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263 Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention discloses a Web application encryption and decryption method based on Shadow DOM. The method comprises the following steps: (1) the web developer or maintainer marks the sensitive data; (2) the user installs the ShadowFPE extension in the browser and sets a key; and (3) the ShadowFPE browser extension identifies the sensitive data and performs encryption and decryption in a secure, isolated environment. The method encrypts data in the Web application to protect user privacy, so that the user's sensitive data is protected against theft by client-side application code, eavesdropping during network transmission and leakage at the server side, without breaking the application's main functions.

Description

Web application encryption and decryption method based on Shadow DOM
Technical field
The present invention relates to the field of data privacy protection, and more particularly to a Web application encryption and decryption method based on Shadow DOM.
Background
As the Internet develops rapidly, the leakage of user privacy is becoming increasingly serious. A user's private data may not only be stolen from the server-side database; it may also leak in transit, and it faces the same danger in the code of the client application. Letting users control the encryption of their own private data avoids these threats. However, the change in ciphertext format introduced by a traditional encryption algorithm not only interferes with the application's front-end validation but also breaks the storage requirements of database fields. How to protect user privacy without breaking the application's database storage and main functions is therefore a problem in urgent need of a solution.
Summary of the invention
The main object of the present invention is to overcome the shortcomings and deficiencies of the prior art by providing a Web application encryption and decryption method based on Shadow DOM that protects users' private data without breaking the application's database storage or its main functions.
To achieve the above object, the present invention adopts the following technical solution:
The Web application encryption and decryption method based on Shadow DOM of the present invention comprises the following steps:
(1) the web developer or maintainer marks the sensitive data;
(2) the user installs the ShadowFPE extension in the browser and sets a key;
(3) the ShadowFPE browser extension identifies the sensitive data and performs encryption and decryption in a secure, isolated environment.
As a preferred technical solution, in step (1) the sensitive data is marked as follows:
(1.1) sensitive data that is to be rendered is wrapped in the custom tag <myshadowspan>;
(1.2) the custom attribute data-crypt is added to tags that involve sensitive data to identify the data format. The attribute value can be one of the set {"AES", "FPE", "INT", "STRING", "IDNUMBER", "EMAIL"}, whose members denote, respectively, AES encryption, FPE with no format specified, FPE with integer format, FPE with string format, FPE with identity-card format, and FPE with email format.
As a preferred technical solution, in step (3) the ShadowFPE browser extension identifies sensitive data as follows:
(3.1.1) traverse the application DOM for <myshadowspan> tags and data-crypt attributes;
(3.1.2) a text input element with a data-crypt attribute, such as an input element, a textarea element or a [contentEditable] element, is treated as sensitive data to be encrypted; its data format is specified by the value of data-crypt;
(3.1.3) the text inside a <myshadowspan> tag is treated as sensitive ciphertext to be decrypted; its data format is specified by the value of data-crypt.
As a preferred technical solution, in step (3.1.2) the format of an element to be encrypted is determined by the value of the attribute on that element:
A. if the value of data-crypt is AES, the field is considered format-insensitive and is encrypted with the AES encryption algorithm;
B. if the value of data-crypt is one of {"INT", "string", "IDNUMBER", "EMAIL"}, the field is considered format-sensitive and is processed with the corresponding specific format of the FPE algorithm;
C. if the value of data-crypt is "FPE", the field is format-sensitive but no data format is given explicitly. ShadowFPE then identifies the data format automatically: it traverses all attributes of the element and returns when it finds a keyword.
As a preferred technical solution, in step (3.1.2) the ciphertext to be decrypted is identified in one of two ways:
D. by examining the data-crypt attribute;
E. by matching the ciphertext against regular expressions.
As a preferred technical solution, in step (3) encryption and decryption are performed in the secure, isolated environment as follows:
(3.2.1) when collecting the user's sensitive data, an element is generated in the shadow DOM to replace the application's own element for interacting with the user's sensitive data; the user's keystroke events are monitored, the sensitive data entered by the user is encrypted, and the ciphertext is written back to the original application;
(3.2.2) when presenting sensitive data to the user, the ciphertext is decrypted and the plaintext is encapsulated in the shadow DOM and presented to the user.
Basic concepts of data encryption relevant to the present invention:
(1) AES: in cryptography, the Advanced Encryption Standard (AES) is a block cipher standard adopted by the U.S. federal government. It replaces the original DES, has been analyzed by many parties and is used worldwide. After a five-year selection process, the Advanced Encryption Standard was published by the National Institute of Standards and Technology (NIST) as FIPS PUB 197 on November 26, 2001, and became an effective standard on May 26, 2002. By 2006, the Advanced Encryption Standard had become one of the most popular algorithms in symmetric-key encryption.
(2) FPE: in cryptography, Format-Preserving Encryption (FPE) is a new cryptographic technique that encrypts plaintext of a specific format into ciphertext of the same format, that is, the ciphertext has the same length and type as the plaintext.
(3) Shadow DOM: Shadow DOM is a new HTML specification proposed by the W3C that allows developers to encapsulate their own HTML tags, CSS styles and JavaScript code.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
1. The present invention gives users control over their sensitive data and avoids leakage of user privacy in client application code, in transit and at the server.
2. The present invention uses a format-preserving encryption algorithm, so the ciphertext format does not change and neither the application's front-end validation nor the field formats of database storage are broken.
3. The application's developers or maintainers can choose the sensitive fields themselves and add the tags, which avoids any impact of encryption on application functionality.
Brief description of the drawings
Fig. 1 is a flowchart of the method of the present invention;
Fig. 2 is a schematic diagram of input isolation in the present invention;
Fig. 3 is a schematic diagram of output isolation in the present invention.
Detailed description
The present invention is described in further detail below with reference to an embodiment and the accompanying drawings, but embodiments of the present invention are not limited thereto.
Embodiment
A user's sensitive data includes name, telephone number, identity card number, email address, postal address and so on; the present invention is described in detail using email as the example.
As shown in Fig. 1, the Web application encryption and decryption method based on Shadow DOM of this embodiment is implemented as follows:
1. The web developer or maintainer marks the sensitive data;
1.1. When the application needs to collect sensitive user information, the data-crypt attribute should be added to the elements that involve sensitive data. For example, data-crypt is added to <input type="text" name="email"/> to indicate that the email field needs to be encrypted, and the value assigned to data-crypt selects the corresponding format.
It can be changed to <input type="text" name="email" data-crypt="FPE"/> or <input type="text" name="email" data-crypt="email"/>. The difference between the two is whether the data format is stated explicitly; for a field whose data format is not stated explicitly, ShadowFPE identifies it automatically.
1.2. When the application needs to present sensitive information to the user, the ciphertext of the sensitive field should be marked with <myshadowspan>, and its data format identified with data-crypt.
For example, if huxtdg@gmail.com is the ciphertext of nankai@gmail.com after encryption, it can be marked as <myshadowspan data-crypt="FPE">huxtdg@gmail.com</myshadowspan> or <myshadowspan data-crypt="email">huxtdg@gmail.com</myshadowspan>. The difference between the two is whether the concrete data format for format-preserving encryption is specified; for a field whose data format is not stated explicitly, ShadowFPE identifies it automatically.
2. Identification scheme;
2.1. Identifying input to be encrypted. ShadowFPE traverses every node in the application DOM and, for text input elements (for example input, textarea, [contentEditable]), traverses their attributes. A text input element that has a data-crypt attribute is treated as an element to be encrypted.
The format of an element to be encrypted is determined by the value of the attribute on that element: (1) if the value of data-crypt is AES, the field is considered format-insensitive and is encrypted with the AES encryption algorithm; (2) if the value of data-crypt is one of {"INT", "string", "IDNUMBER", "EMAIL"}, the field is considered format-sensitive and is processed with the corresponding specific format of the FPE algorithm; (3) if the value of data-crypt is "FPE", the field is format-sensitive but no data format is given explicitly. ShadowFPE then identifies the data format automatically: it traverses all attributes of the element and returns when it finds a keyword.
The pseudocode for this process is as follows:
2.2. Identifying input to be decrypted. ShadowFPE traverses every node in the application DOM and recognizes <myshadowspan> tags; the text inside a <myshadowspan> tag is output to be decrypted.
The ciphertext format is identified in one of two ways: (1) by examining the data-crypt attribute, in which case the procedure is the same as above; (2) by matching the ciphertext against regular expressions to determine its format. ShadowFPE provides an automatic identification algorithm with a certain degree of accuracy, represented by the function IdentifyDecFormat in the following code.
The pseudocode for this process is as follows:
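The pseudocode itself is not present on this page. As an added example (not the patent's code), the following JavaScript implements the two identification steps of section 2 on plain { tag, attrs, text } objects. The keyword table, the regular expressions, the "STRING" fallback and the rejection of unknown data-crypt values are assumptions; identifyDecFormat follows the page's IdentifyDecFormat in camelCase.

```javascript
// Added example: ShadowFPE-style format identification (not the patent's code).
// Elements are plain { tag, attrs, text } objects so the logic also runs outside a browser;
// in an extension they would be built from el.tagName, el.attributes and el.textContent.

const EXPLICIT_FPE_FORMATS = new Set(["INT", "STRING", "IDNUMBER", "EMAIL"]);

// Assumption: keyword table for the data-crypt="FPE" path (the page does not list keywords).
const ATTR_KEYWORDS = [
  [/e-?mail/i, "EMAIL"],
  [/id[-_ ]?(number|card)/i, "IDNUMBER"],
  [/\b(int|integer|age)\b/i, "INT"],
];

// Assumption: ciphertext patterns for the regex path. FPE keeps the plaintext's shape,
// so ciphertext is matched like plaintext. IDNUMBER (18 characters) must be tried before
// INT, otherwise an all-digit ID number would be classified as a plain integer.
const CIPHERTEXT_PATTERNS = [
  [/^[^@\s]+@[^@\s]+\.[^@\s]+$/, "EMAIL"],
  [/^\d{17}[\dXx]$/, "IDNUMBER"],
  [/^[+-]?\d+$/, "INT"],
];

// The page writes both "EMAIL" and "email", so marks are compared case-insensitively.
const normalise = (v) => String(v).trim().toUpperCase();

function isTextInput(el) {
  const tag = el.tag.toLowerCase();
  return tag === "input" || tag === "textarea" || "contenteditable" in el.attrs;
}

// Shared by both paths: explicit marks win, "FPE" defers to the auto-detector.
function resolve(mark, autoDetect) {
  if (mark === "AES") return { algorithm: "AES", format: null };
  if (EXPLICIT_FPE_FORMATS.has(mark)) return { algorithm: "FPE", format: mark };
  if (mark === "FPE") return { algorithm: "FPE", format: autoDetect() };
  // Fail closed: a field marked sensitive with an unknown value must not pass silently.
  throw new RangeError(`unknown data-crypt value: ${mark}`);
}

// Step 2.1: a text input carrying data-crypt is an element to be encrypted.
function identifyEncFormat(el) {
  if (!isTextInput(el) || !("data-crypt" in el.attrs)) return null;
  return resolve(normalise(el.attrs["data-crypt"]), () => {
    for (const [name, value] of Object.entries(el.attrs)) {
      if (name === "data-crypt") continue;
      for (const [re, format] of ATTR_KEYWORDS) {
        if (re.test(name) || re.test(String(value))) return format;
      }
    }
    return "STRING"; // assumed fallback when no keyword is found
  });
}

// Step 2.2: text inside <myshadowspan> is ciphertext; use data-crypt if present,
// otherwise (or for "FPE") fall back to regex matching on the ciphertext itself.
function identifyDecFormat(el) {
  if (el.tag.toLowerCase() !== "myshadowspan") return null;
  const mark = normalise(el.attrs["data-crypt"] ?? "FPE");
  return resolve(mark, () => {
    const text = el.text.trim();
    for (const [re, format] of CIPHERTEXT_PATTERNS) {
      if (re.test(text)) return format;
    }
    return "STRING"; // assumed fallback
  });
}
```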
3. Generating the secure isolated environment and performing encryption and decryption
Shadow DOM is used to isolate the application DOM and create a secure input and output environment. ShadowFPE has two isolation operations: input isolation and output isolation.
3.1. Input isolation. A text input element in the isolated shadow DOM receives the user's input; the appropriate encryption algorithm in the algorithm library is called with the identification module's result as its parameter to encrypt the plaintext, and the ciphertext is written back to the application.
Elements that involve sensitive data are processed according to the identification result. Taking an input element as an example, a new node myspan is inserted before it as the shadow host on which the shadow tree is mounted, and a new input element is generated in the shadow tree. The original input element in the application is then hidden by adding a "style" attribute with the value "display:none".
The input element in the shadow tree is monitored; on each keystroke event, ShadowFPE encrypts the user's input in the corresponding format and then writes the ciphertext to the application's original input element.
This process is shown in Fig. 2; its core code is as follows:
3.2. Output isolation. For the ciphertext and format identified by the identification module, the appropriate decryption algorithm in the algorithm library is called to decrypt the ciphertext, and the plaintext is presented to the user in the isolated shadow DOM.
According to the identification result, the corresponding decryption algorithm in the algorithm library is called and the ciphertext is decrypted according to the corresponding format. A shadow tree is then generated with the ciphertext's marker tag <myshadowspan> as the shadow host, and the plaintext of the sensitive data is placed in the shadow tree.
This process is shown in Fig. 3; its core code is as follows:
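The core code is not present on this page. As an added example (not the patent's code), the following JavaScript implements input and output isolation with the current attachShadow API, which accepts only certain built-in elements and hyphenated custom element names as hosts, so a span is used as the host instead of myspan or <myshadowspan> itself. The encrypt and decrypt callbacks, the function names and the fail-closed error handling are assumptions.

```javascript
// Added example: input and output isolation with closed shadow roots (not the patent's code).
// Assumptions: `doc` is the page's document; `encrypt` and `decrypt` are caller-supplied
// (format, text) => text callbacks standing in for the extension's algorithm library.

// attachShadow() only accepts certain built-in elements and hyphenated custom element
// names, so a plain <span> is used as the shadow host.
function makeHost(doc) {
  const host = doc.createElement("span");
  // "closed": host.shadowRoot is null, so application scripts cannot walk into the tree.
  const root = host.attachShadow({ mode: "closed" });
  return { host, root };
}

// Step 3.1: the user types into a proxy inside the shadow tree; the application's
// own (hidden) input only ever receives ciphertext.
function isolateInput(doc, original, format, encrypt) {
  const { host, root } = makeHost(doc);
  const proxy = doc.createElement("input");
  proxy.type = "text";
  root.appendChild(proxy);
  original.parentNode.insertBefore(host, original);
  original.style.display = "none"; // stays in the form, so submit still sends it

  // "input" fires on every keystroke and also on paste or autofill.
  proxy.addEventListener("input", () => {
    try {
      original.value = proxy.value === "" ? "" : encrypt(format, proxy.value);
    } catch (err) {
      // Partial input may not fit the format yet (e.g. "nan" is no email address).
      // Fail closed: never let plaintext reach the application's element.
      original.value = "";
    }
  });
  return proxy;
}

// Step 3.2: plaintext exists only inside the closed shadow tree; the light DOM
// (what application scripts read via textContent) keeps the ciphertext.
function isolateOutput(doc, marked, format, decrypt) {
  const ciphertext = marked.textContent;
  const { host, root } = makeHost(doc);
  let shown;
  try {
    shown = decrypt(format, ciphertext);
  } catch (err) {
    shown = ciphertext; // wrong key or malformed ciphertext: show what was stored
  }
  root.appendChild(doc.createTextNode(shown));
  host.textContent = ciphertext; // light-DOM child, not rendered once a shadow root exists
  marked.textContent = "";
  marked.appendChild(host);
  return host;
}
```

In an extension content script these would be called as isolateInput(document, el, format, encrypt) and isolateOutput(document, el, format, decrypt) for each element returned by the identification step.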
In this embodiment, the application's developers or maintainers mark the sensitive fields in the application code. After the user installs the browser extension of the present invention in the client browser and sets a key, data in the application that involves sensitive user information is encapsulated in a secure shadow DOM isolated from the application DOM, where format-preserving encryption and decryption are performed.
The above embodiment is a preferred embodiment of the present invention, but embodiments of the present invention are not limited by it. Any other change, modification, substitution, combination or simplification made without departing from the spirit and principle of the present invention is an equivalent replacement and is included within the scope of protection of the present invention.

Claims (6)

1. A Web application encryption and decryption method based on Shadow DOM, characterized by comprising the following steps:
(1) the web developer or maintainer marks the sensitive data;
(2) the user installs the ShadowFPE extension in the browser and sets a key;
(3) the ShadowFPE browser extension identifies the sensitive data and performs encryption and decryption in a secure, isolated environment.
2. The Web application encryption and decryption method based on Shadow DOM according to claim 1, characterized in that in step (1) the sensitive data is marked as follows:
(1.1) sensitive data that is to be rendered is wrapped in the custom tag <myshadowspan>;
(1.2) the custom attribute data-crypt is added to tags that involve sensitive data to identify the data format. The attribute value can be one of the set {"AES", "FPE", "INT", "STRING", "IDNUMBER", "EMAIL"}, whose members denote, respectively, AES encryption, FPE with no format specified, FPE with integer format, FPE with string format, FPE with identity-card format, and FPE with email format.
3. The Web application encryption and decryption method based on Shadow DOM according to claim 2, characterized in that in step (3) the ShadowFPE browser extension identifies sensitive data as follows:
(3.1.1) traverse the application DOM for <myshadowspan> tags and data-crypt attributes;
(3.1.2) a text input element with a data-crypt attribute, such as an input element, a textarea element or a [contentEditable] element, is treated as sensitive data to be encrypted; its data format is specified by the value of data-crypt;
(3.1.3) the text inside a <myshadowspan> tag is treated as sensitive ciphertext to be decrypted; its data format is specified by the value of data-crypt.
4. The Web application encryption and decryption method based on Shadow DOM according to claim 3, characterized in that in step (3.1.2) the format of an element to be encrypted is determined by the value of the attribute on that element:
A. if the value of data-crypt is AES, the field is considered format-insensitive and is encrypted with the AES encryption algorithm;
B. if the value of data-crypt is one of {"INT", "string", "IDNUMBER", "EMAIL"}, the field is considered format-sensitive and is processed with the corresponding specific format of the FPE algorithm;
C. if the value of data-crypt is "FPE", the field is format-sensitive but no data format is given explicitly. ShadowFPE then identifies the data format automatically: it traverses all attributes of the element and returns when it finds a keyword.
5. The Web application encryption and decryption method based on Shadow DOM according to claim 3, characterized in that in step (3.1.2) the ciphertext to be decrypted is identified in one of two ways:
D. by examining the data-crypt attribute;
E. by matching the ciphertext against regular expressions.
6. The Web application encryption and decryption method based on Shadow DOM according to claim 1, characterized in that in step (3) encryption and decryption are performed in the secure, isolated environment as follows:
(3.2.1) when collecting the user's sensitive data, an element is generated in the shadow DOM to replace the application's own element for interacting with the user's sensitive data; the user's keystroke events are monitored, the sensitive data entered by the user is encrypted, and the ciphertext is written back to the original application;
(3.2.2) when presenting sensitive data to the user, the ciphertext is decrypted and the plaintext is encapsulated in the shadow DOM and presented to the user.
Application CN201611032064.5A: priority date 2016-11-22, filing date 2016-11-22, title "Web application encryption and decryption method based on Shadow DOM", status Active, granted as CN106529317B (en)


Publications (2)

Publication Number    Publication Date
CN106529317A (en)     2017-03-22
CN106529317B (en)     2019-11-12
