CN106529317A - Web application encryption and decryption method based on Shadow DOM - Google Patents
- Publication number: CN106529317A
- Authority: CN (China)
- Prior art keywords: data, crypt, fpe, sensitive data, sensitive
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
- G06F21/6263—Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention discloses a Web application encryption and decryption method based on Shadow DOM. The method comprises the following steps: (1) a web developer or maintainer marks the sensitive data; (2) the user installs the ShadowFPE extension in the browser and sets a key; and (3) the ShadowFPE browser extension identifies the sensitive data and performs encryption and decryption in a securely isolated environment. The method encrypts Web application data to protect user privacy, so that the user's sensitive data is protected against theft by client-side application code, eavesdropping during network transmission, and leakage on the server side, without breaking the main functions of the application.
Description
Technical field
The present invention relates to the research field of data privacy protection, and more particularly to a Web application encryption and decryption method based on Shadow DOM.
Background
As the Internet develops rapidly, the problem of user privacy leakage is becoming increasingly serious. A user's private data may not only be stolen from the server-side database but may also leak during transmission, and it faces the same danger of leaking in the code of the client application. Letting users control the encryption of their own private data avoids the above threats. However, the change in ciphertext format introduced by a traditional encryption algorithm not only interferes with the application's front-end validation but also breaks the storage requirements of database fields. How to protect user privacy without breaking the application's database storage and main functions is therefore a problem in urgent need of a solution.
Summary of the invention
The main object of the present invention is to overcome the shortcomings and deficiencies of the prior art by providing a Web application encryption and decryption method based on Shadow DOM that protects users' private data without breaking the storage of the application database or the main functions of the application.
To achieve the above object, the present invention adopts the following technical solution:
The Web application encryption and decryption method based on Shadow DOM of the present invention comprises the following steps:
(1) a web developer or maintainer marks the sensitive data;
(2) the user installs the ShadowFPE extension in the browser and sets a key;
(3) the ShadowFPE browser extension identifies the sensitive data and performs encryption and decryption in a securely isolated environment.
As a preferred technical solution, in step (1), the method for marking sensitive data is:
(1.1) add the custom tag <myshadowspan> around the sensitive data that needs to be rendered;
(1.2) add the custom attribute data-crypt to the tags that involve sensitive data to mark the data format. The attribute value can be one of the set {"AES", "FPE", "INT", "STRING", "IDNUMBER", "EMAIL"}, where "AES", "FPE", "INT", "STRING", "IDNUMBER" and "EMAIL" denote, respectively, AES encryption, FPE with an unspecified format, FPE in integer format, FPE in string format, FPE in identity-card format, and FPE in email format.
As a preferred technical solution, in step (3), the method by which the ShadowFPE browser extension identifies sensitive data is:
(3.1.1) traverse the application DOM for <myshadowspan> tags and data-crypt attributes;
(3.1.2) treat text input elements that carry a data-crypt attribute, such as input elements, textarea elements and [contentEditable] elements, as sensitive data to be encrypted, whose data format is specified by the value of data-crypt;
(3.1.3) treat the text inside a <myshadowspan> tag as sensitive-data ciphertext to be decrypted, whose data format is specified by the value of data-crypt.
As a preferred technical solution, in step (3.1.2), identifying the format of an element to be encrypted depends on the value of the attribute in the element:
A. if the data-crypt value is AES, the field is considered format-insensitive and is encrypted with the AES encryption algorithm;
B. if the data-crypt value is one of {"INT", "string", "IDNUMBER", "EMAIL"}, the field is considered format-sensitive and is processed with the corresponding specific format of the FPE algorithm;
C. if the data-crypt value is "FPE", that is, the field is format-sensitive but the data format is not explicitly given, ShadowFPE identifies the data format automatically: it traverses all attributes of the element and returns when it finds a keyword.
As a preferred technical solution, in step (3.1.2), there are two ways to identify the ciphertext to be decrypted:
D. by examining the data-crypt attribute;
E. by identifying the ciphertext through regular-expression matching.
As a preferred technical solution, in step (3), the method for performing encryption and decryption in a securely isolated environment is:
(3.2.1) when collecting the user's sensitive data, generate in the shadow DOM an element that, in place of the application code, interacts with the user's sensitive data, listen for the user's keystroke events, encrypt the sensitive data the user enters, and update the ciphertext to the original application;
(3.2.2) when presenting sensitive data to the user, decrypt the ciphertext and present the plaintext to the user encapsulated in the shadow DOM.
The basic concepts related to data encryption used in the present invention are:
(1) AES: In cryptography, the Advanced Encryption Standard (AES) is a block cipher standard adopted by the U.S. federal government. The standard replaces the original DES, has been analyzed by many parties, and is widely used around the world. After a five-year selection process, the Advanced Encryption Standard was published by the National Institute of Standards and Technology (NIST) as FIPS PUB 197 on November 26, 2001, and became an effective standard on May 26, 2002. By 2006, the Advanced Encryption Standard had become one of the most popular algorithms in symmetric-key encryption.
(2) FPE: In cryptography, format-preserving encryption (FPE) is a new cryptographic technique that encrypts plaintext of a specific format into ciphertext of the same format, that is, the ciphertext has the same length and type as the plaintext.
(3) Shadow DOM: Shadow DOM is a new HTML specification proposed by the W3C that allows developers to encapsulate their own HTML tags, CSS styles and JavaScript code.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
1. The present invention lets users control their sensitive data, avoiding leakage of user privacy in client application code, during transmission, and on the server side.
2. The present invention uses a format-preserving encryption algorithm, so the ciphertext format does not change and the application's front-end validation and the field formats of database storage are not broken.
3. The developer or maintainer of the application can select the sensitive fields and add the tags themselves, avoiding the impact of encryption on application functions.
Description of the drawings
Fig. 1 is the method flow chart of the present invention;
Fig. 2 is a schematic diagram of the input isolation of the present invention;
Fig. 3 is a schematic diagram of the output isolation of the present invention.
Specific embodiment
The present invention is described in further detail below with reference to an embodiment and the accompanying drawings, but embodiments of the present invention are not limited thereto.
Embodiment
A user's sensitive data includes name, telephone number, identity card number, email, address and so on; the present invention is described in detail using email as the example.
As shown in Fig. 1, the Web application encryption and decryption method based on Shadow DOM of this embodiment is implemented as follows:
1. A web developer or maintainer marks the sensitive data.
1.1. When the application needs to collect sensitive user information, the data-crypt attribute should be added to the elements that involve sensitive data. For example, add data-crypt to <input type="text" name="email"/> to indicate that the email field needs to be encrypted, and assign data-crypt the corresponding format.
The element can be changed to <input type="text" name="email" data-crypt="FPE"/> or <input type="text" name="email" data-crypt="email"/>. The difference between the two is whether the data format is stated explicitly; for a field whose data format is not stated explicitly, ShadowFPE identifies it automatically.
1.2. When the application needs to present sensitive information to the user, the ciphertext of the sensitive field should be marked with <myshadowspan>, with the data format marked by data-crypt.
For example, if huxtdg@gmail.com is the ciphertext of nankai@gmail.com after encryption, it can be marked as <myshadowspan data-crypt="FPE">huxtdg@gmail.com</myshadowspan> or <myshadowspan data-crypt="email">huxtdg@gmail.com</myshadowspan>. The difference between the two is whether the specific data format of the format-preserving encryption is specified; for a field whose data format is not stated explicitly, ShadowFPE identifies it automatically.
2. Identification scheme.
2.1. Identify the input to be encrypted. ShadowFPE traverses every node in the application DOM and, for text input elements (for example input, textarea, [contentEditable]), traverses their attributes. A text input element that has a data-crypt attribute is treated as an element to be encrypted.
Identifying the format of an element to be encrypted depends on the value of the attribute in the element: (1) if the data-crypt value is AES, the field is considered format-insensitive and is encrypted with the AES encryption algorithm; (2) if the data-crypt value is one of {"INT", "string", "IDNUMBER", "EMAIL"}, the field is considered format-sensitive and is processed with the corresponding specific format of the FPE algorithm; (3) if the data-crypt value is "FPE", that is, the field is format-sensitive but the data format is not explicitly given, ShadowFPE identifies the data format automatically: it traverses all attributes of the element and returns when it finds a keyword.
The pseudocode of this process is as follows:
2.2. Identify the input to be decrypted. ShadowFPE traverses every node in the application DOM and identifies <myshadowspan> tags; the text inside a <myshadowspan> tag is the output to be decrypted.
There are two ways to identify the ciphertext format: (1) by examining the data-crypt attribute, which is the same as the scheme above; (2) by identifying the ciphertext through regular-expression matching to determine its format. ShadowFPE provides an automatic identification algorithm with a certain accuracy, represented by the function IdentifyDecFormat in the code below.
The pseudocode of this process is as follows:
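The patent's pseudocode for steps 2.1 and 2.2 is not reproduced on this page. The following is an added example, not the patent's code, of one way to implement the identification step over element-like objects. The keyword table, the ciphertext regexes, the "STRING" fallback, the case-insensitive handling of data-crypt values and the "reject" result are assumptions; identifyDecFormat only borrows the name of the IdentifyDecFormat function mentioned above.

```javascript
// Added example, not the patent's pseudocode. The keyword table, ciphertext
// shapes, "STRING" fallback and "reject" result are assumptions.
const FPE_FORMATS = new Set(["INT", "STRING", "IDNUMBER", "EMAIL"]);
// Assumed keywords looked for in attribute values when data-crypt="FPE".
const ATTRIBUTE_KEYWORDS = [
  ["EMAIL", /e-?mail/i],
  ["IDNUMBER", /id[-_ ]?(card|number)/i],
  ["INT", /number|phone/i],
];
// Assumed shapes for recognising a format-preserved ciphertext by regex.
// Order matters: an 18-character ID number would also match INT.
const CIPHERTEXT_SHAPES = [
  ["EMAIL", /^[^\s@]+@[^\s@]+\.[^\s@]+$/],
  ["IDNUMBER", /^\d{17}[\dXx]$/],
  ["INT", /^\d+$/],
];

// Accepts real DOM elements or plain objects with an `attributes` array.
const attrList = (el) => Array.from(el.attributes || []);
function getAttr(el, name) {
  const hit = attrList(el).find((a) => a.name.toLowerCase() === name);
  return hit ? hit.value : null;
}

function isTextInput(el) {
  const tag = el.tagName.toLowerCase();
  if (tag === "input" || tag === "textarea") return true;
  const editable = getAttr(el, "contenteditable");
  return editable !== null && editable.toLowerCase() !== "false";
}

// First table entry whose regex passes `test`, else the "STRING" fallback.
const firstMatch = (table, test) =>
  (table.find(([, re]) => test(re)) || ["STRING"])[0];

// Step 2.1 (3): search the attribute values and return on the first keyword.
function identifyEncFormat(el) {
  const values = attrList(el)
    .filter((a) => a.name.toLowerCase() !== "data-crypt")
    .map((a) => a.value);
  return firstMatch(ATTRIBUTE_KEYWORDS, (re) => values.some((v) => re.test(v)));
}

// Step 2.2 (2): regex matching on the ciphertext itself.
const identifyDecFormat = (text) =>
  firstMatch(CIPHERTEXT_SHAPES, (re) => re.test(text.trim()));

// Map a data-crypt value to algorithm + format; `auto` resolves plain "FPE".
function resolve(value, auto) {
  const v = value.trim().toUpperCase(); // the page writes "EMAIL" and "email"
  if (v === "AES") return { algorithm: "AES", format: null };
  if (v === "FPE") return { algorithm: "FPE", format: auto() };
  if (FPE_FORMATS.has(v)) return { algorithm: "FPE", format: v };
  return null; // unknown marker
}

function classify(el) {
  const marker = getAttr(el, "data-crypt");
  let action, spec;
  if (el.tagName.toLowerCase() === "myshadowspan") {
    action = "decrypt"; // a missing marker falls back to regex identification
    spec = resolve(marker || "FPE", () => identifyDecFormat(el.textContent));
  } else if (marker !== null && isTextInput(el)) {
    action = "encrypt";
    spec = resolve(marker, () => identifyEncFormat(el));
  } else {
    return null; // not marked as sensitive
  }
  // Fail closed: an unknown marker is rejected, never passed through as-is.
  return spec ? { action, ...spec } : { action: "reject", algorithm: null, format: null };
}

// Constructed sample nodes standing in for a traversed application DOM.
const attrs = (o) => Object.entries(o).map(([name, value]) => ({ name, value }));
const SAMPLE_NODES = [
  { tagName: "INPUT", attributes: attrs({ type: "text", name: "email", "data-crypt": "FPE" }) },
  { tagName: "TEXTAREA", attributes: attrs({ name: "idnumber", "data-crypt": "string" }) },
  { tagName: "INPUT", attributes: attrs({ name: "note", "data-crypt": "AES" }) },
  { tagName: "INPUT", attributes: attrs({ name: "email" }) },
  { tagName: "INPUT", attributes: attrs({ name: "x", "data-crypt": "ROT13" }) },
  { tagName: "MYSHADOWSPAN", attributes: attrs({ "data-crypt": "FPE" }), textContent: "huxtdg@gmail.com" },
];
const scan = (nodes) => nodes.map(classify);
console.log(scan(SAMPLE_NODES));
```

An explicit format always wins over automatic identification, which is why the second sample node resolves to STRING even though its name attribute contains an ID-number keyword.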
3. Generate the securely isolated environment and perform encryption and decryption.
Shadow DOM is used to isolate the application DOM and create a secure input and output environment. ShadowFPE has two operations: input isolation and output isolation.
3.1. Input isolation. A text input element in the isolated shadow DOM obtains the user's input; the identification module's result is used as the parameter to call the appropriate encryption algorithm in the algorithm library, the plaintext is encrypted, and the ciphertext is updated to the application.
According to the identification result, the elements that involve sensitive data are processed. Taking an input element as the example, a new node myspan is inserted before it as the shadow host on which the shadow tree is mounted, and a new input element is generated in the shadow tree. The original input element in the application is then hidden by adding a "style" attribute with the value "display:none".
The input element in the shadow tree is monitored; on each keystroke event from the user, ShadowFPE encrypts the user's input in the corresponding format and then updates the ciphertext to the application's original input element.
This process is shown in Fig. 2, and its core code is as follows:
3.2. Output isolation. For the ciphertext and format identified by the identification module, the appropriate decryption algorithm in the algorithm library is called to decrypt the ciphertext, and the plaintext is presented to the user in the isolated shadow DOM.
According to the identification result, the corresponding decryption algorithm in the algorithm library is called and the ciphertext is decrypted according to the corresponding format. A shadow tree is then generated with the ciphertext's marker tag <myshadowspan> as the shadow host, and the plaintext of the sensitive data is placed in the shadow tree.
This process is shown in Fig. 3, and its core code is as follows:
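The patent's core code for steps 3.1 and 3.2 is not reproduced on this page. The following is an added example, not the patent's code, of both isolation steps using the standard attachShadow() API. The encrypt and decrypt callbacks, the closed shadow-root mode, the span host elements and the key-event handling are assumptions of this example.

```javascript
// Added example, not the patent's core code. `encrypt` and `decrypt` are
// hypothetical callbacks standing in for ShadowFPE's algorithm library.
const KEY_EVENTS = ["keydown", "keypress", "keyup"];

// Step 3.1, input isolation: returns the host and the input the user types into.
function isolateInput(original, encrypt) {
  const doc = original.ownerDocument;
  // The patent names the host node "myspan"; attachShadow() only accepts valid
  // custom element names and a fixed set of built-ins, so a span is used here.
  const host = doc.createElement("span");
  original.parentNode.insertBefore(host, original);
  // Assumption: a closed root, so host.shadowRoot is null for page scripts.
  const root = host.attachShadow({ mode: "closed" });
  const shadowInput = doc.createElement("input");
  shadowInput.type = "text";
  root.appendChild(shadowInput);
  original.setAttribute("style", "display:none"); // hide the application's input

  // Keyboard events are composed and would otherwise bubble out of the shadow
  // tree to listeners registered by the page.
  for (const type of KEY_EVENTS) {
    shadowInput.addEventListener(type, (e) => e.stopPropagation());
  }
  // "input" fires on every keystroke (and on paste); only ciphertext is copied
  // to the application's element.
  shadowInput.addEventListener("input", (e) => {
    e.stopPropagation();
    original.value = encrypt(shadowInput.value);
    // Re-announce the change so the application's own validation still runs.
    original.dispatchEvent(new Event("input", { bubbles: true }));
  });
  return { host, shadowInput };
}

// Step 3.2, output isolation: returns the shadow root holding the plaintext.
function isolateOutput(marker, decrypt) {
  const doc = marker.ownerDocument;
  const ciphertext = marker.textContent;
  // <myshadowspan> has no hyphen, so it cannot host a shadow root itself; a
  // span placed inside it is the host. Its light-DOM text (the ciphertext)
  // stays in the application DOM but is not rendered.
  const host = doc.createElement("span");
  host.textContent = ciphertext;
  marker.textContent = "";
  marker.appendChild(host);
  const root = host.attachShadow({ mode: "closed" });
  root.textContent = decrypt(ciphertext.trim());
  return root;
}
```

Because format-preserving ciphertext has the same shape as the plaintext, the re-dispatched input event lets the application's existing front-end validation run against the ciphertext unchanged.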
In this embodiment, the application developer or maintainer marks the sensitive fields in the application code. After the user installs the browser extension of the present invention in the client browser and sets a key, the data in the application that involves sensitive user information is encapsulated in a secure shadow DOM isolated from the application DOM, and format-preserving encryption and decryption are applied to it.
The above embodiment is a preferred embodiment of the present invention, but embodiments of the present invention are not limited by it. Any other change, modification, substitution, combination or simplification made without departing from the spirit and principle of the present invention is an equivalent replacement and falls within the protection scope of the present invention.
Claims (6)
1. A Web application encryption and decryption method based on Shadow DOM, characterized by comprising the following steps:
(1) a web developer or maintainer marks the sensitive data;
(2) the user installs the ShadowFPE extension in the browser and sets a key;
(3) the ShadowFPE browser extension identifies the sensitive data and performs encryption and decryption in a securely isolated environment.
2. The Web application encryption and decryption method based on Shadow DOM according to claim 1, characterized in that, in step (1), the method for marking sensitive data is:
(1.1) add the custom tag <myshadowspan> around the sensitive data that needs to be rendered;
(1.2) add the custom attribute data-crypt to the tags that involve sensitive data to mark the data format. The attribute value can be one of the set {"AES", "FPE", "INT", "STRING", "IDNUMBER", "EMAIL"}, where "AES", "FPE", "INT", "STRING", "IDNUMBER" and "EMAIL" denote, respectively, AES encryption, FPE with an unspecified format, FPE in integer format, FPE in string format, FPE in identity-card format, and FPE in email format.
3. The Web application encryption and decryption method based on Shadow DOM according to claim 2, characterized in that, in step (3), the method by which the ShadowFPE browser extension identifies sensitive data is:
(3.1.1) traverse the application DOM for <myshadowspan> tags and data-crypt attributes;
(3.1.2) treat text input elements that carry a data-crypt attribute, such as input elements, textarea elements and [contentEditable] elements, as sensitive data to be encrypted, whose data format is specified by the value of data-crypt;
(3.1.3) treat the text inside a <myshadowspan> tag as sensitive-data ciphertext to be decrypted, whose data format is specified by the value of data-crypt.
4. The Web application encryption and decryption method based on Shadow DOM according to claim 3, characterized in that, in step (3.1.2), identifying the format of an element to be encrypted depends on the value of the attribute in the element:
A. if the data-crypt value is AES, the field is considered format-insensitive and is encrypted with the AES encryption algorithm;
B. if the data-crypt value is one of {"INT", "string", "IDNUMBER", "EMAIL"}, the field is considered format-sensitive and is processed with the corresponding specific format of the FPE algorithm;
C. if the data-crypt value is "FPE", that is, the field is format-sensitive but the data format is not explicitly given, ShadowFPE identifies the data format automatically: it traverses all attributes of the element and returns when it finds a keyword.
5. The Web application encryption and decryption method based on Shadow DOM according to claim 3, characterized in that, in step (3.1.2), there are two ways to identify the ciphertext to be decrypted:
D. by examining the data-crypt attribute;
E. by identifying the ciphertext through regular-expression matching.
6. The Web application encryption and decryption method based on Shadow DOM according to claim 1, characterized in that, in step (3), the method for performing encryption and decryption in a securely isolated environment is:
(3.2.1) when collecting the user's sensitive data, generate in the shadow DOM an element that, in place of the application code, interacts with the user's sensitive data, listen for the user's keystroke events, encrypt the sensitive data the user enters, and update the ciphertext to the original application;
(3.2.2) when presenting sensitive data to the user, decrypt the ciphertext and present the plaintext to the user encapsulated in the shadow DOM.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611032064.5A CN106529317B (en) | 2016-11-22 | 2016-11-22 | Web application encryption and decryption method based on Shadow DOM |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106529317A | 2017-03-22 |
CN106529317B | 2019-11-12 |
Family
ID=58356116
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611032064.5A Active CN106529317B (en) | Web application encryption and decryption method based on Shadow DOM | 2016-11-22 | 2016-11-22 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106529317B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108540501A (en) * | 2018-07-18 | 2018-09-14 | 郑州云海信息技术有限公司 | A kind of method and apparatus of asymmetric cryptosystem |
CN108900468A (en) * | 2018-05-31 | 2018-11-27 | 中融万博网络科技有限公司 | A kind of method of secure storage and transmitting user service data |
CN111563269A (en) * | 2020-03-18 | 2020-08-21 | 宁波送变电建设有限公司永耀科技分公司 | Sensitive data security protection method and system based on shadow system |
CN112868212A (en) * | 2018-09-12 | 2021-05-28 | 思杰系统有限公司 | System and method for improved remote display protocol for HTML applications |
CN114726596A (en) * | 2022-03-25 | 2022-07-08 | 北京沃东天骏信息技术有限公司 | Sensitive data processing method and device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1829975A (en) * | 2003-04-16 | 2006-09-06 | 佐伊奥斯股份有限公司 | Method and system for providing a customized network |
CN101779436A (en) * | 2007-08-15 | 2010-07-14 | 国际商业机器公司 | Tracking the origins of data and controlling data transmission |
US20110264787A1 (en) * | 2010-04-21 | 2011-10-27 | Microsoft Corporation | Capturing web-based scenarios |
CN103959302A (en) * | 2011-06-01 | 2014-07-30 | 安全第一公司 | Systems and methods for secure distributed storage |
CN104254858A (en) * | 2011-10-31 | 2014-12-31 | 国际商业机器公司 | Protecting sensitive data in a transmission |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108900468A (en) * | 2018-05-31 | 2018-11-27 | 中融万博网络科技有限公司 | A kind of method of secure storage and transmitting user service data |
CN108540501A (en) * | 2018-07-18 | 2018-09-14 | 郑州云海信息技术有限公司 | A kind of method and apparatus of asymmetric cryptosystem |
CN108540501B (en) * | 2018-07-18 | 2021-07-27 | 郑州云海信息技术有限公司 | Asymmetric encryption method and device |
CN112868212A (en) * | 2018-09-12 | 2021-05-28 | 思杰系统有限公司 | System and method for improved remote display protocol for HTML applications |
CN111563269A (en) * | 2020-03-18 | 2020-08-21 | 宁波送变电建设有限公司永耀科技分公司 | Sensitive data security protection method and system based on shadow system |
CN111563269B (en) * | 2020-03-18 | 2023-08-29 | 宁波送变电建设有限公司永耀科技分公司 | Sensitive data security protection method and system based on shadow system |
CN114726596A (en) * | 2022-03-25 | 2022-07-08 | 北京沃东天骏信息技术有限公司 | Sensitive data processing method and device |
Also Published As
Publication number | Publication date |
---|---|
CN106529317B (en) | 2019-11-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||