CN113507479A - Gateway type encryption and decryption transparent SDK technology for WEB codes and data - Google Patents


Info

Publication number
CN113507479A
Authority
CN
China
Legal status
Granted
Application number
CN202110835180.5A
Other languages
Chinese (zh)
Other versions
CN113507479B (en)
Inventor
完新说
马正鲍
陈剑航
Current Assignee
Shanghai Yanshuo Information Technology Co ltd
Original Assignee
Shanghai Yanshuo Information Technology Co ltd

Classifications

    • H04L 63/0435 Network security: confidential data exchange among entities communicating through data packet networks, the data content being protected (e.g. by encrypting or encapsulating the payload) and the sending and receiving entities applying symmetric encryption, i.e. the same key used for encryption and decryption
    • H04L 12/66 Data switching networks: arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 63/08 Network security: authentication of entities
    • H04L 63/123 Network security: verification of received data contents, e.g. message integrity
    • H04L 67/02 Network services or applications: protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 67/56 Network services: provisioning of proxy services
    • H04L 69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]

Abstract

The invention discloses a gateway type encryption and decryption transparent SDK technology for WEB codes and data, belonging to the technical field of network security and encryption and decryption algorithms. A front-end browser sends a request to a WEB server; the WEB server processes the request and returns the code to a gateway reverse proxy; the gateway reverse proxy sends identity authentication information to the front-end browser for execution, and the browser verifies whether the identity of the gateway reverse proxy is legal; the front-end browser negotiates an encryption and decryption algorithm SDK, an encryption and decryption key and an encryption and decryption strength with the legal gateway reverse proxy; the gateway reverse proxy encrypts the code and calculates its integrity value, and the front-end browser decrypts the code and verifies its integrity; the front-end browser encrypts data, and the gateway reverse proxy decrypts it. The technology achieves several security effects for a WEB system in a transparent, imperceptible manner: it runs automatically without developers modifying server code and without users installing software or plug-ins on their computers.

Description

Gateway type encryption and decryption transparent SDK technology for WEB codes and data
Technical Field
The invention belongs to the technical field of IT information network security and encryption and decryption algorithms, and in particular relates to a gateway type encryption and decryption transparent SDK technology for WEB codes and data.
Background
Existing computer encryption and decryption technology has a broad field of application; in particular, combining symmetric and asymmetric encryption and decryption can achieve a number of security and confidentiality effects, such as data confidentiality, data integrity verification and server identity verification.
In the field of WEB application systems, however, the code of a WEB system, such as its HTML and JavaScript, can hardly be encrypted and decrypted transparently. Once the code of the WEB application layer is released, the open design of the browser means that everything the browser sees, whether through its built-in debugging tools or by other means, is essentially plaintext: HTML code, JavaScript code and a great deal of service data are readable in the clear, and the browser provides no encryption and decryption facility to protect the HTML and JavaScript code of the application layer. Although HTTPS is widely used, HTTPS encrypts at the fourth layer of the network and the communication link; it does not encrypt the seventh-layer (application layer) data and code, so the seventh-layer data obtained at a seven-layer WEB proxy, at a CDN cache, or by an illegal third party is still in the clear. Unencrypted code carries great potential safety hazards, such as security incidents in which plaintext information is leaked, code information is tampered with, or WEB information is forged. The same phenomenon causes similar security problems on the mobile WEB H5 side, the public account side, the mini program side, the service account side and the like.
As shown in fig. 1, if the HTML code is not encrypted, automatic attack software (e.g. awvs, appscan, news, bug, etc.) can easily obtain and analyze the plaintext code and so learn more about the WEB system behind it, such as the link addresses of the website and sensitive content in the code. If the JavaScript code is not encrypted, a lawless person can analyze the JavaScript code logic, bypass it to enter the service system, and even tamper with the code logic in order to intrude into the WEB system. Besides exposing all business logic, unencrypted code cannot protect its own copyright information, and third-party developers can freely copy all of the code for their own use. Likewise, sensitive data such as the login account and password and interactive service data are not encrypted: many WEB systems perform no encryption and decryption at all during development, so when a computer is infected or subjected to a phishing attack this information may be monitored or leaked by a third party, and once plaintext account and password data leak the consequences are easy to imagine.
As shown in fig. 2, the seventh-layer (application layer) links of the OSI model lie between A and B and between C and D, and the code there is almost all plaintext. At present the encryption and decryption technologies used to obtain an encryption and decryption effect in a WEB application system mainly take the following forms:
the encryption and decryption technology is used in an end-to-end proxy communication mode, which only achieves a transparent encryption and decryption effect at the fourth layer (network layer) of the OSI model;
a transparent encryption and decryption effect on the WEB system's disk files is achieved by code injection or by loading a driver;
a transparent encryption and decryption effect at the fourth layer (network layer) of the OSI model and in the HTTPS transmission link is achieved by using the encryption and decryption support built into the browser;
research and development personnel call the corresponding encryption and decryption interfaces to encrypt and decrypt part of the service data when developing the WEB application system;
most of these technologies require the user side to install software or a plug-in, or an encryption side and a decryption side to be deployed, or the developer to call a third-party encryption and decryption interface during development. These modes mostly address the fourth layer (network layer) of the OSI model or partial encryption and decryption of service communication data. The HTML and JavaScript code of a WEB application system is almost never encrypted or decrypted; that is, the seventh-layer (application layer) code of the OSI model is not encrypted or protected. Encryption and decryption of WEB service data is achieved only by developers actively calling an interface, which is a non-transparent technique. A gateway type encryption and decryption transparent SDK technology for WEB codes and data is therefore provided.
Disclosure of Invention
The invention aims to provide a gateway type encryption and decryption transparent SDK technology for WEB codes and data, so as to solve the problems described in the background.
In order to achieve the purpose, the invention adopts the following technical scheme: a gateway type encryption and decryption transparent SDK technology aiming at WEB codes and data comprises the following steps:
s1, the front-end browser sends an HTTP request to the opposite end from the seventh layer through the fourth layer of the OSI model; the gateway reverse proxy Server role receives the HTTP request, its Client role sends the corresponding request information to the WEB Server, and the WEB Server processes the request and issues HTML and JavaScript plaintext code;
s2, after receiving the plaintext code, the gateway reverse proxy sends authentication information to the front-end browser for execution; the authentication information comprises a Hash ciphertext of a random character string encrypted with a private key, the random character string itself, the encryption and decryption SDK and the server public key, and the front-end browser verifies from the received information whether the identity of the gateway reverse proxy is legal;
s3, the front-end browser and the legal gateway reverse proxy negotiate an encryption and decryption algorithm SDK, a symmetric encryption and decryption key and an encryption and decryption strength;
s4, the gateway reverse proxy encrypts the code and calculates its integrity value according to the negotiated algorithm;
s5, the front-end browser decrypts the code with the decryption SDK and verifies its integrity;
s6, the front-end browser encrypts data according to the negotiated algorithm and the symmetric key;
s7, the gateway reverse proxy decrypts the data.
Further, S1 specifically includes: the front-end browser receives a target domain name entered by the user, then sends an HTTP request and keeps a long connection; the request is received by the gateway reverse proxy Server role, the gateway reverse proxy sends the corresponding request information through its Client role, and the target WEB Server receives and processes the request and then returns HTML and JavaScript code to the browser end.
Further, S2 specifically includes: the WEB Server source station finishes processing the request sent by the Client and sends the data to the Client role of the gateway reverse proxy; the gateway reverse proxy Server role generates a random character string, computes its Hash, and encrypts the Hash with the private key to obtain a Hash ciphertext; the Server role sends the Hash ciphertext, the random character string, the encryption and decryption SDK and the public key as a whole to the front-end browser; the front-end browser takes the random character string and computes its Hash plaintext with the encryption and decryption SDK, decrypts the received Hash ciphertext with the public key to obtain the other Hash plaintext, and determines whether the two Hash plaintexts are equal; if they are equal, the Server identity is confirmed to be legal and the public key can subsequently be used safely.
Further, S3 specifically includes: the browser generates a symmetric key with the encryption and decryption SDK, encrypts the symmetric key with the legal public key and sends it to the Server role of the gateway reverse proxy; the Server role receives the ciphertext and decrypts it with the private key to obtain the symmetric key, thereby determining the encryption and decryption mode, or the symmetric encryption and decryption algorithm and its strength.
Further, S4 specifically includes: the gateway reverse proxy Server role first computes the Hash of the plaintext code and encrypts that Hash with the private key, then encrypts the plaintext code with the symmetric key under the determined encryption and decryption mode and strength to form the ciphertext code, and sends the ciphertext code, the encrypted Hash, the symmetric encryption and decryption SDK and its strength as a whole to the front-end browser.
Further, S5 specifically includes: the front-end browser receives the ciphertext code, the encrypted Hash, the symmetric encryption and decryption SDK and its strength information; it automatically decrypts the ciphertext code with the encryption and decryption SDK and the symmetric key, computes the Hash of the resulting plaintext code, and compares the two Hash values for integrity verification; if they are equal, the code is determined to have integrity. The specific execution flow is described in the following two steps.
Further, if the two Hash values in S5 are equal, the decrypted code has integrity, the decryption result can be used, and the browser parses the complete HTML plaintext code and executes the complete JavaScript plaintext code.
Further, if the two Hash values in S5 are not equal, the decrypted code has no integrity, and the browser neither parses the incomplete HTML code nor executes the incomplete JavaScript plaintext code, but displays an error prompt.
Further, S6 specifically includes: the browser encrypts data with the encryption and decryption SDK and the symmetric key and sends the encrypted data to the gateway reverse proxy Server role, where the data includes the login account, the login password, the Cookie, service interaction data and the like, so that the data is now confidential. The gateway reverse proxy Server role decrypts the ciphertext data with the encryption and decryption SDK and the symmetric key to obtain the plaintext data (account, password, Cookie, service interaction data and the like) and hands it to the Client role, which sends it on to the WEB Server source station.
Further, S7 specifically includes: the WEB Server source station receives the plaintext data, including the account, password, Cookie and service interaction data, performs its logic processing and returns result data; the gateway reverse proxy Client role receives the result data and hands it to the Server role, the Server role encrypts it with the symmetric key and returns the ciphertext to the front-end browser, and the front-end browser decrypts it with the decryption SDK and the symmetric key to obtain the plaintext, which it hands to the subsequent flow for normal operation.
Compared with the prior art, the invention has the beneficial effects that:
the application relates to a gateway type encryption and decryption transparent SDK technology for WEB codes and data, which can achieve several security effects for a WEB system, such as preventing information leakage, information tampering and information forgery, and authenticating identities. It works transparently and imperceptibly: it runs automatically without developers modifying server code and without users installing software or plug-ins on their computers;
the invention targets the seventh layer of the OSI model, for which the browser provides no encryption and decryption functions, so the technology of the invention is realized by issuing encryption and decryption SDKs. The system comprises several transparent SDKs, such as an encryption SDK, a decryption SDK, an integrity verification SDK and an identity verification SDK, which used in combination can resolve many security problems of current WEB systems and so raise, as far as possible, the threshold for lawless persons to analyze or attack a WEB system. If the HTML code is encrypted, automatic attack software is prevented from obtaining and analyzing the plaintext code and from going on to obtain the entire WEB site directory and related information. Obfuscating and encrypting the JavaScript code protects the code's implementation logic, its copyright information and the like. After the data is encrypted, a man-in-the-middle is prevented from tampering with service data; moreover, at a third party such as a CDN node or a Cache point all readable plaintext becomes unreadable ciphertext, so the third party can neither leak it illegally nor tamper with it maliciously;
the technology only requires a gateway type reverse proxy product to be deployed between the user's browser and the WEB server: the user's computer installs no software or browser plug-in, developers do no integration work, the WEB Server source station makes no code changes, and all encryption and decryption operations are completed automatically by the system and the browser, which is the gateway type transparent encryption and decryption SDK effect.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention.
FIG. 1 is a flow chart of a conventional WEB server;
FIG. 2 is a schematic diagram of prior art OSI application layer (layer seven) code;
FIG. 3 is a flow chart of the present invention;
FIG. 4 is a schematic diagram of the present invention after encryption;
FIG. 5 is a schematic diagram of the present invention before encryption of the WEB code;
FIG. 6 is a schematic diagram of the present invention before encryption of WEB data;
FIG. 7.1 is a schematic diagram of the invention after the WEB code is encrypted (the encryption strength is low);
FIG. 7.2 is a schematic diagram of the invention after the WEB code is encrypted (the encryption strength is high);
FIG. 8 is a schematic diagram of the present invention after encrypting the WEB data;
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only some embodiments of the present invention, not all embodiments.
In the description of the present invention, it is to be understood that the terms "upper", "lower", "front", "rear", "left", "right", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, are only for convenience in describing the present invention and simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation, be constructed in a specific orientation, and be operated, and thus, should not be construed as limiting the present invention.
Referring to fig. 3 to 8, the technical solution proposed by the present invention, a gateway type encryption and decryption transparent SDK technology for WEB codes and data, comprises the following steps:
Step 1, processing flow front-end browser - gateway reverse proxy - WEB Server source station: after the target domain name is entered in the address bar of the user's browser, the seventh layer of the browser's OSI model sends an HTTP request to the gateway reverse proxy through the fourth layer; the HTTP request is received by the gateway reverse proxy Server role, which keeps the HTTP long-connection session state, while the gateway reverse proxy uses its Client role to establish an HTTP connection with the target WEB Server and send the corresponding request information; the WEB Server source station, on receiving the request and data sent by the Client, processes the front-end browser's request;
Step 2, processing flow WEB Server source station - gateway reverse proxy - front-end browser: the WEB Server source station processes the request sent by the Client and sends the data to the Client role of the gateway reverse proxy; the Server role generates a random character string and computes its Hash, then encrypts the Hash with the private key to obtain a Hash ciphertext; the Server role sends the Hash ciphertext, the random character string, the encryption and decryption SDK and the public key to the front-end browser as a whole; the front-end browser computes the Hash of the random character string with the SDK, decrypts the received Hash ciphertext with the public key to obtain the other Hash plaintext, and judges whether the two Hash plaintexts are equal; if they are, the Server identity is confirmed to be legal and the public key can be used safely;
Step 3, processing flow front-end browser - gateway reverse proxy: after the browser receives the issued information, its encryption and decryption SDK dynamically generates a symmetric key, encrypts it with the legal public key and sends it to the Server role of the gateway reverse proxy. This scheme mainly describes the form in which the Server issues a public key; the form in which the Server issues a certificate is not described in detail, and if the certificate issued by the Server is to be verified, the verification is completed by the certificate legality SDK;
Steps 1 to 3 mainly complete the sending of the request, the verification of the gateway's identity, and the negotiation of the algorithm or key and the encryption strength.
Step 4, processing flow gateway reverse proxy - front-end browser: after receiving the ciphertext, the gateway reverse proxy Server role decrypts it with the private key to obtain the symmetric key and determines the encryption and decryption mode, or the symmetric encryption and decryption algorithm and its strength. The Server role first computes the Hash of the plaintext code and encrypts it with the private key, encrypts the plaintext code into ciphertext code with the symmetric key under the determined mode and strength, and sends the ciphertext code, the encrypted Hash, the symmetric encryption and decryption SDK and its strength to the front-end browser as a whole;
Step 5, front-end browser processing: the browser receives the ciphertext code and the encrypted Hash sent by the Server role; at this point the encrypted code is confidential. It automatically decrypts the ciphertext code with the encryption and decryption SDK and the symmetric key and computes the Hash of the plaintext code, decrypts the received ciphertext Hash with the public key to obtain the plaintext Hash, and compares the two Hash values. If they are equal, the decrypted code has integrity and the browser parses and displays the HTML plaintext code and calls and executes the JavaScript plaintext code as normal. If they are not equal, the decrypted code has no integrity and the browser displays the prompt: "current display content is different from the source station, please operate cautiously";
Steps 4 and 5 complete the encryption and decryption of the WEB code, the comparison of the Hash values after decryption, and the integrity check.
Step 6, processing flow front-end browser - gateway reverse proxy - WEB Server source station: the browser encrypts data with the encryption and decryption SDK and the symmetric key and sends it to the gateway reverse proxy Server role; the data includes the login account and password, the Cookie, service interaction data and the like, and is now confidential. The gateway reverse proxy Server role decrypts the ciphertext data with the encryption and decryption SDK and the symmetric key to obtain the plaintext data, which includes the account, password, Cookie, service interaction data and the like;
Step 7, processing flow WEB Server source station - gateway reverse proxy - front-end browser: the WEB Server source station receives the plaintext data, including the account, password, Cookie, service interaction data and the like, performs its logic processing and returns result data. The gateway reverse proxy Client role receives the data and hands it to the Server role; the Server role encrypts it with the symmetric key and returns the ciphertext to the front-end browser, and the front-end browser decrypts it with the decryption SDK and the symmetric key to obtain the plaintext, which it hands to the subsequent flow for normal operation;
Steps 6 and 7 complete the encryption and decryption of WEB data, including but not limited to the login account, login password, Cookie and service interaction data.
In this embodiment, the Client role and the Server role are the two roles that the gateway reverse proxy plays as a broker.
It is noted that the present embodiment describes one-way authentication (like one-way HTTPS), i.e. the client authenticating the server. The principle by which the server authenticates the client (like two-way HTTPS) is similar and is therefore not described in detail. If the Server needs to verify the identity of the user side, the user side imports its certificate and sends the certificate information and its public key to the gateway reverse proxy Server role; the Server role verifies through the user's public key whether the certificate is legal, and if so uses that public key to encrypt the symmetric encryption and decryption algorithm and strength adopted by the encryption and decryption SDK and issues them as a whole to the user's browser, which completes the negotiation of the symmetric encryption and decryption algorithm and its difficulty.
The above description covers only the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto; any equivalent alternatives or modifications that a person skilled in the art could make according to the technical solution and inventive concept of the present invention should be considered to fall within the technical scope of the present invention.

Claims (10)

1. A gateway type encryption and decryption transparent SDK technology aiming at WEB codes and data is characterized by comprising the following steps:
s1, the front-end browser sends an HTTP request to the opposite end from the seventh layer through the fourth layer of the OSI model; the gateway reverse proxy Server role receives the HTTP request, the Client role sends the corresponding request to the WEB Server, and the WEB Server processes the HTTP request and issues HTML and JavaScript plaintext code;
s2, the gateway reverse proxy receives the plaintext code and, before sending it to the browser, completes the following process: authentication information is sent to the front-end browser for execution, the authentication information comprising a Hash ciphertext of a random character string encrypted with a private key, the random character string itself, the encryption and decryption SDK and the server public key, and the front-end browser verifies from the received information whether the identity of the gateway reverse proxy is legal;
s3, the front-end browser and the legal gateway reverse proxy negotiate an encryption and decryption algorithm SDK, a symmetric encryption and decryption key and encryption and decryption strength;
s4, the gateway reverse proxy encrypts the code and carries out integrity calculation according to the negotiated algorithm;
s5, the front-end browser decrypts the code by using the decryption SDK and verifies the integrity;
s6, the front-end browser encrypts data according to the negotiated algorithm and the symmetric key;
s7, the gateway reverse proxy decrypts the data.
2. The gateway-type encryption and decryption transparent SDK technology for WEB codes and data according to claim 1, wherein: s1 specifically includes: the front-end browser receives a target domain name input by a user, then sends an HTTP request and keeps long connection, the request is received by a gateway reverse proxy Server role, the gateway reverse proxy sends corresponding request information by a Client role, and the request information is received by a target WEB Server, processed and then sent to the browser end.
3. The gateway-type encryption and decryption transparent SDK technology for WEB codes and data according to claim 1, wherein: the specific steps in S2 are that the WEB Server source station processes the request sent by the Client and sends the data to the Client role of the gateway reverse proxy, the gateway reverse proxy Server role generates a random character string and obtains the Hash information of the random character string, the Hash information is encrypted by a private key to obtain a Hash ciphertext, the Server role sends the Hash ciphertext, the random character string, the encryption and decryption SDK and the public key information as a whole to the front-end browser, the front-end browser obtains the random character string and obtains the Hash plaintext thereof by the encryption and decryption SDK, the received Hash ciphertext is decrypted by the public key to obtain the Hash plaintext, whether the two Hash plaintexts are equal is judged, the identity of the Server can be confirmed to be legal by equal, and the public key can be safely used subsequently.
4. The gateway-type encryption and decryption transparent SDK technology for WEB codes and data according to claim 1, wherein: in the specific step of S3, the browser generates a symmetric key using the encryption and decryption SDK, encrypts the symmetric key with a valid public key, and sends the encrypted symmetric key to the Server role of the gateway reverse proxy, and the Server role receives the ciphertext and decrypts the ciphertext with a private key to obtain the symmetric key, and determines the encryption and decryption mode or the symmetric encryption and decryption algorithm and the strength thereof.
5. The gateway-type encryption and decryption transparent SDK technology for WEB codes and data according to claim 1, wherein: s4 is concrete that the gateway reverse proxy Server role first obtains the Hash of the plaintext code, encrypts the Hash with the private key, encrypts the plaintext code with the symmetric key and the determined encryption and decryption mode and intensity thereof to form a ciphertext code, and sends the ciphertext code, the encrypted Hash, the symmetric encryption and decryption SDK and the intensity thereof to the front-end browser as a whole.
6. The gateway-type encryption and decryption transparent SDK technology for WEB codes and data according to claim 1, wherein: s5 is that the front-end browser receives the cipher text code, the encrypted Hash, the symmetric encryption and decryption SDK and the strength information, compares the two Hash values, carries out integrity verification, the front-end browser can automatically finish decryption operation on the cipher text code by using the encryption and decryption SDK and the symmetric key, obtains the Hash of the plain text code, compares the two Hash values, if equal, the code is determined to have integrity, and the specific execution flow is described in 7 and 8.
7. The gateway-type encryption and decryption transparent SDK technology for WEB codes and data according to claim 6, wherein: and S5, the two Hash values are equal, namely the decrypted code has integrity, decryption operation can be carried out, and the browser analyzes the complete HTML plaintext code and executes the complete JavaScript plaintext code.
8. The gateway-type encryption and decryption transparent SDK technology for WEB codes and data according to claim 6, wherein: and (4) the two Hash values in the S5 are not equal, namely the decrypted code has no integrity, the browser does not analyze the incomplete HTML code any more, does not execute the incomplete JavaScript plain text code, and carries out error reminding.
9. The gateway-type encryption and decryption transparent SDK technology for WEB codes and data according to claim 1, wherein: the specific step in S6 is that the browser encrypts data using the encryption/decryption SDK and the symmetric key and sends the encrypted data to the gateway reverse proxy Server role, where the data includes a logged-in account, a password, a Cookie, service interaction data, and the like, and at this time, the encrypted data has confidentiality. The gateway reverse proxy Server role decrypts the ciphertext data by using the encryption and decryption SDK and the symmetric key to obtain plaintext data, wherein the plaintext data comprises an account number, a password, Cookie, service interaction data and the like, the Server role sends the plaintext data to the Client role, and the Client role sends the plaintext data to the WEB Server source station.
10. The gateway-type encryption and decryption transparent SDK technology for WEB codes and data according to claim 9, wherein: the concrete steps in S7 are that the WEB Server source station receives plaintext data, which includes account and password, Cookie, service interaction data and the like, and performs logic processing, and returns result data, the gateway reverse proxy Client role receives data and delivers the data to the Server role, the Server role encrypts the data by using a symmetric key and returns a ciphertext to the front-end browser, and the front-end browser decrypts the data by using a decryption SDK and the symmetric key to obtain plaintext and delivers the plaintext to subsequent processes for normal operation.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110835180.5A CN113507479B (en) 2021-07-23 2021-07-23 Gateway type encryption and decryption transparent SDK method for WEB codes and data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110835180.5A CN113507479B (en) 2021-07-23 2021-07-23 Gateway type encryption and decryption transparent SDK method for WEB codes and data

Publications (2)

Publication Number Publication Date
CN113507479A true CN113507479A (en) 2021-10-15
CN113507479B CN113507479B (en) 2022-11-08

Family

ID=78014289

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110835180.5A Active CN113507479B (en) 2021-07-23 2021-07-23 Gateway type encryption and decryption transparent SDK method for WEB codes and data

Country Status (1)

Country Link
CN (1) CN113507479B (en)

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020178353A1 (en) * 2001-04-11 2002-11-28 Graham Randall James Secure messaging using self-decrypting documents
US20060136724A1 (en) * 2004-12-02 2006-06-22 Yoshiteru Takeshima Relay method of encryption communication, gateway server, and program and program memory medium of encryption communication
CN103139185A (en) * 2011-12-02 2013-06-05 中科信息安全共性技术国家工程研究中心有限公司 Method of achieving safe reverse proxy service
CN103763308A (en) * 2013-12-31 2014-04-30 北京明朝万达科技有限公司 Method and device for having access to webpage safely and downloading data through intelligent terminal
CN104217173A (en) * 2014-08-27 2014-12-17 武汉理工大学 Method of encrypting data and files for browser
CN104243475A (en) * 2014-09-18 2014-12-24 东软集团股份有限公司 Method and system for dynamic mixing based on WEB reverse proxy
CN104506517A (en) * 2014-12-22 2015-04-08 中软信息系统工程有限公司 Encryption transmission method for MIPS (Million Instructions Per Second) platform on basis of HTTP (Hyper Text Transfer Protocol)
CN106789476A (en) * 2016-12-29 2017-05-31 Tcl集团股份有限公司 A kind of gateway communication method and system
CN107209830A (en) * 2014-11-13 2017-09-26 克丽夫有限公司 Method for recognizing and resisting network attack
CN107302541A (en) * 2017-07-31 2017-10-27 成都蓝码科技发展有限公司 A kind of data encryption and transmission method based on http protocol
CN109962784A (en) * 2019-03-22 2019-07-02 西安电子科技大学 A kind of data encrypting and deciphering and restoration methods based on the more certificates of digital envelope
CN111159684A (en) * 2019-12-31 2020-05-15 郑州信大捷安信息技术股份有限公司 Safety protection system and method based on browser
CN111884986A (en) * 2019-12-13 2020-11-03 马上消费金融股份有限公司 Data encryption processing method and device
CN112613037A (en) * 2020-12-29 2021-04-06 北京永新视博数字电视技术有限公司 Code checking method and device
CN113010856A (en) * 2021-03-02 2021-06-22 北京顶象技术有限公司 Dynamic asymmetric encryption and decryption JavaScript code obfuscation method and system


Also Published As

Publication number Publication date
CN113507479B (en) 2022-11-08


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant