CN106529317B - Web application encipher-decipher method based on Shadow DOM - Google Patents

Publication number: CN106529317B
Authority: CN (China)
Prior art keywords: data, format, crypt, sensitive data, fpe
Legal status: Active
Application number: CN201611032064.5A
Other languages: Chinese (zh)
Other versions: CN106529317A (en)
Inventor: 李进, 刘哲理
Current Assignee: Guangzhou University
Original Assignee: Guangzhou University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263 Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention discloses a Web application encryption and decryption method based on Shadow DOM, comprising the following steps: (1) the web developer or maintainer marks sensitive data; (2) the user installs the ShadowFPE extension in the browser and sets a key; (3) the ShadowFPE browser extension identifies the sensitive data and performs encryption and decryption in a secure isolated environment. The invention aims to encrypt Web applications to protect user privacy, so that the user's sensitive data resists theft by client-side application code, eavesdropping during network transmission, and leakage at the server, without breaking the important functions of the application.

Description

Web application encipher-decipher method based on Shadow DOM
Technical field
The invention relates to the field of data privacy protection research, and in particular to a Web application encryption and decryption method based on Shadow DOM.
Background
With the rapid development of the Internet, leakage of user privacy is becoming increasingly serious. A user's private data may be stolen from the server-side database, may be leaked in transit, and is equally at risk of leakage in the code of the client application. Letting users control the encryption of their own private data avoids these threats. However, the change in ciphertext format caused by traditional encryption algorithms not only interferes with the application's front-end validation but also violates the storage requirements of database fields. How to protect user privacy without breaking the application's database storage and main functions is therefore an urgent problem.
Summary of the invention
The main object of the invention is to overcome the shortcomings and deficiencies of the prior art by providing a Web application encryption and decryption method based on Shadow DOM that protects users' private data without breaking the application's database storage or its main functions.
To achieve the above object, the invention adopts the following technical solution:
The Web application encryption and decryption method based on Shadow DOM of the invention comprises the following steps:
(1) the web developer or maintainer marks sensitive data;
(2) the user installs the ShadowFPE extension in the browser and sets a key;
(3) the ShadowFPE browser extension identifies the sensitive data and performs encryption and decryption in a secure isolated environment.
As a preferred technical solution, in step (1), sensitive data is marked as follows:
(1.1) the custom tag <myshadowspan> is added to sensitive data that needs to be rendered;
(1.2) the custom attribute data-crypt is added to elements involving sensitive data to mark the data format. The attribute value can be one of the set {"AES", "FPE", "INT", "STRING", "IDNUMBER", "EMAIL"}; "AES", "FPE", "INT", "STRING", "IDNUMBER" and "EMAIL" respectively denote AES encryption, FPE with no format specified, FPE with integer format, FPE with string format, FPE with ID card number format, and FPE with email format.
As a preferred technical solution, in step (3), the ShadowFPE browser extension identifies sensitive data as follows:
(3.1.1) traverse the <myshadowspan> tags and data-crypt attributes present in the application DOM;
(3.1.2) treat text input elements that carry a data-crypt attribute, such as input elements, textarea elements and [contentEditable], as sensitive data to be encrypted, with the data format specified by the value of data-crypt;
(3.1.3) treat the text inside a <myshadowspan> tag as sensitive data ciphertext to be decrypted, with the data format specified by the value of data-crypt.
As a preferred technical solution, in step (3.1.2), the format of an element to be encrypted is determined from the value of the attribute on that element:
A. If the data-crypt value is AES, the field is considered format-insensitive and is encrypted with the AES encryption algorithm;
B. If the data-crypt value is one of {"INT", "string", "IDNUMBER", "EMAIL"}, the field is considered format-sensitive and is processed with the corresponding specific format of the FPE algorithm;
C. If the data-crypt value is "FPE", the field is format-sensitive but the data format is not stated explicitly. ShadowFPE then identifies the data format automatically: it traverses all attributes of the element and returns as soon as it finds a keyword.
As a preferred technical solution, in step (3.1.2), the ciphertext to be decrypted is identified in one of two ways:
D. by reading the data-crypt attribute;
E. by identifying the ciphertext through regular-expression matching.
As a preferred technical solution, in step (3), encryption and decryption are performed in the secure isolated environment as follows:
(3.2.1) when the user's sensitive data is collected, an element is generated in the shadow DOM that takes the place of the application code in interacting with the user's sensitive data; the user's keystroke events are monitored, the sensitive data entered by the user is encrypted, and the ciphertext is written back to the original application;
(3.2.2) when sensitive data is presented to the user, the ciphertext is decrypted, and the plaintext is encapsulated in the shadow DOM and presented to the user.
Basic concepts of data encryption relevant to the invention:
(1) AES: in cryptography, the Advanced Encryption Standard (AES) is a block cipher standard adopted by the United States federal government. It replaces the original DES, has been analyzed by many parties and is widely used around the world. After a five-year selection process, the Advanced Encryption Standard was published by the National Institute of Standards and Technology (NIST) as FIPS PUB 197 on November 26, 2001, and became an effective standard on May 26, 2002. By 2006, the Advanced Encryption Standard had become one of the most popular algorithms in symmetric-key encryption.
(2) FPE: in cryptography, format-preserving encryption (FPE) is a completely new cryptographic technique that encrypts plaintext of a specific format into ciphertext of the same format, i.e. the length and type of the ciphertext are identical to those of the plaintext.
(3) Shadow DOM: Shadow DOM is a new HTML specification proposed by the W3C that allows developers to encapsulate their own HTML tags, CSS styles and JavaScript code.
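Added example, not code from the patent: a small Feistel-based format-preserving cipher that illustrates definition (2) on an email address, keeping the length and character class of the local part and leaving the domain unchanged. The construction (HMAC-SHA256 round function, 10 rounds, a-z0-9 alphabet, domain used as tweak) and the key are assumptions chosen for illustration; it is not NIST FF1 and not the algorithm ShadowFPE uses.

```javascript
const { createHmac } = require('crypto');

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';
const RADIX = BigInt(ALPHABET.length);
const ROUNDS = 10; // even, so both halves end up with their original lengths

// Numeral string <-> integer in base RADIX.
function toNumber(s) {
  let n = 0n;
  for (const ch of s) n = n * RADIX + BigInt(ALPHABET.indexOf(ch));
  return n;
}
function toNumerals(n, len) {
  let s = '';
  for (let i = 0; i < len; i++) { s = ALPHABET[Number(n % RADIX)] + s; n /= RADIX; }
  return s;
}

// Keyed round function: HMAC-SHA256 over tweak, round index, total length and
// the other half, reduced into the value range of an outLen-character half.
function roundValue(key, tweak, round, len, half, outLen) {
  const mac = createHmac('sha256', key).update(`${tweak}|${round}|${len}|${half}`).digest('hex');
  return BigInt('0x' + mac) % (RADIX ** BigInt(outLen));
}

// Alternating Feistel network over the numeral string. Each round maps
// (a, b) to (b, a + F(b) mod RADIX^|a|); decryption undoes the rounds in reverse.
function feistel(key, tweak, text, decrypt) {
  const n = text.length, u = Math.floor(n / 2), v = n - u;
  let a = text.slice(0, u), b = text.slice(u);
  for (let step = 0; step < ROUNDS; step++) {
    const i = decrypt ? ROUNDS - 1 - step : step;
    const m = i % 2 === 0 ? u : v;
    const mod = RADIX ** BigInt(m);
    if (!decrypt) {
      const c = (toNumber(a) + roundValue(key, tweak, i, n, b, m)) % mod;
      a = b; b = toNumerals(c, m);
    } else {
      const c = (toNumber(b) - roundValue(key, tweak, i, n, a, m) + mod) % mod;
      b = a; a = toNumerals(c, m);
    }
  }
  return a + b;
}

// Only the local part is encrypted; the domain stays in clear and acts as tweak.
// Local parts outside [a-z0-9] or shorter than 2 characters are rejected here.
function transformEmail(key, email, decrypt) {
  const at = email.lastIndexOf('@');
  const local = email.slice(0, at), domain = email.slice(at + 1);
  if (at < 2 || !domain || [...local].some(ch => !ALPHABET.includes(ch))) {
    throw new Error('unsupported email shape for this sketch');
  }
  return feistel(key, domain, local, decrypt) + '@' + domain;
}
const encryptEmail = (key, email) => transformEmail(key, email, false);
const decryptEmail = (key, email) => transformEmail(key, email, true);

// Constructed key and the page's sample plaintext.
const DEMO_KEY = 'constructed-demo-key';
console.log(encryptEmail(DEMO_KEY, 'nankai@gmail.com')); // six [a-z0-9] characters + @gmail.com
```

The cipher is deterministic, so equal plaintexts under the same key and domain give equal ciphertexts, and short local parts have a small value space.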
Compared with the prior art, the invention has the following advantages and beneficial effects:
1. The invention lets the user control sensitive data, avoiding leakage of user privacy by client-side application code, during transmission and at the server.
2. The invention uses a format-preserving encryption algorithm so that the ciphertext format does not change, and therefore does not break the application's front-end validation or the field formats of database storage.
3. The developer or maintainer of the application can choose the sensitive fields and add the marks themselves, which avoids the impact encryption would otherwise have on application functions.
Brief description of the drawings
Fig. 1 is a flow chart of the method of the invention;
Fig. 2 is a schematic diagram of input isolation in the invention;
Fig. 3 is a schematic diagram of output isolation in the invention.
Detailed description of the embodiments
The invention is described in further detail below with reference to the embodiment and the accompanying drawings, but the embodiments of the invention are not limited thereto.
Embodiment
User sensitive data includes name, phone number, ID card number, email, address and so on; the invention is described in detail using email as the example.
As shown in Fig. 1, the Web application encryption and decryption method based on Shadow DOM of this embodiment is implemented as follows:
1. The web developer or maintainer marks sensitive data;
1.1 When the application needs to collect the user's sensitive information, the data-crypt attribute should be added to the elements involving sensitive data. For example, data-crypt is added to <input type="text" name="email"/> to indicate that the email field needs to be encrypted, and the corresponding format is chosen as the value of data-crypt.
The element can be changed to <input type="text" name="email" data-crypt="FPE"/> or <input type="text" name="email" data-crypt="email"/>. The difference between the two is whether the data format is stated explicitly; for fields whose data format is not stated explicitly, ShadowFPE identifies it automatically.
1.2 When the application needs to present sensitive information to the user, the ciphertext of the sensitive field should be marked with <myshadowspan>, and its data format marked with data-crypt.
For example, if huxtdg@gmail.com is the ciphertext of nankai@gmail.com, it can be marked as <myshadowspan data-crypt="FPE">huxtdg@gmail.com</myshadowspan> or <myshadowspan data-crypt="email">huxtdg@gmail.com</myshadowspan>. The difference between the two is whether the specific data format of the format-preserving encryption is stated; for fields whose data format is not stated explicitly, ShadowFPE identifies it automatically.
2. Identification scheme;
2.1 Identifying input to be encrypted. ShadowFPE traverses each node in the application DOM and, for text input elements (for example input, textarea, [contentEditable]), traverses their attributes. A text input element that has a data-crypt attribute is treated as an element to be encrypted.
The format of an element to be encrypted is determined from the value of the attribute on that element: (1) if the data-crypt value is AES, the field is considered format-insensitive and is encrypted with the AES encryption algorithm; (2) if the data-crypt value is one of {"INT", "string", "IDNUMBER", "EMAIL"}, the field is considered format-sensitive and is processed with the corresponding specific format of the FPE algorithm; (3) if the data-crypt value is "FPE", the field is format-sensitive but the data format is not stated explicitly. ShadowFPE then identifies the data format automatically: it traverses all attributes of the element and returns as soon as it finds a keyword.
The pseudocode of this process is shown below:
2.2 Identifying input to be decrypted. ShadowFPE traverses each node in the application DOM and identifies <myshadowspan> tags; the text inside a <myshadowspan> tag is output to be decrypted.
The ciphertext format is identified in one of two ways: (1) by reading the data-crypt attribute, in which case the procedure is the same as above; (2) by identifying the ciphertext through regular-expression matching and judging its format. ShadowFPE provides an automatic identification algorithm with a certain accuracy, represented in the following code by the function IdentifyDecFormat.
The pseudocode of this process is shown below:
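Added example, not the patent's pseudocode (which is not reproduced on this page): one way to implement the identification rules of sections 2.1 and 2.2 in JavaScript. Elements are modelled as plain {tag, attrs, text} objects so the logic runs outside a browser; the keyword table, the regular expressions, the STRING fallback, the rejection of unknown values and all function names are assumptions.

```javascript
// Sample nodes constructed for this example, reusing the page's email values.
const SAMPLE_NODES = [
  { tag: 'input', attrs: { type: 'text', name: 'email', 'data-crypt': 'FPE' }, text: '' },
  { tag: 'input', attrs: { type: 'text', name: 'nickname' }, text: '' },
  { tag: 'textarea', attrs: { name: 'note', 'data-crypt': 'AES' }, text: '' },
  { tag: 'myshadowspan', attrs: { 'data-crypt': 'email' }, text: 'huxtdg@gmail.com' },
  { tag: 'myshadowspan', attrs: {}, text: '11010519491231002X' },
];

const EXPLICIT = new Set(['AES', 'INT', 'STRING', 'IDNUMBER', 'EMAIL']);

// Assumed keyword table for data-crypt="FPE" on input elements.
const KEYWORDS = [
  ['EMAIL', /e-?mail/i],
  ['IDNUMBER', /id[-_ ]?(card|number)/i],
  ['INT', /\b(number|tel|phone|age)\b/i],
];

// Assumed shapes for recognising a ciphertext's format. FPE keeps the format,
// so the ciphertext still matches. Order matters: an 18-digit ID number would
// also satisfy the INT pattern. AES ciphertext is not recognised this way.
const SHAPES = [
  ['EMAIL', /^[^\s@]+@[^\s@]+\.[^\s@]+$/],
  ['IDNUMBER', /^\d{17}[\dXx]$/],
  ['INT', /^[+-]?\d+$/],
];

function guessFormatFromText(text) {
  const t = text.trim();
  for (const [format, re] of SHAPES) if (re.test(t)) return format;
  return 'STRING';
}

// Formats are tried in table order, so the result does not depend on the
// order in which the element's attributes happen to be listed.
function guessFormatFromAttributes(attrs) {
  for (const [format, re] of KEYWORDS) {
    for (const [name, value] of Object.entries(attrs)) {
      if (name !== 'data-crypt' && re.test(String(value))) return format;
    }
  }
  return 'STRING'; // assumption: the page does not say what happens without a keyword
}

// Returns null for unmarked elements, the explicit format (the page writes
// both "email" and "EMAIL", so case is ignored), or the result of `auto` for "FPE".
function resolveFormat(el, auto) {
  const raw = el.attrs['data-crypt'];
  if (raw === undefined) return null;
  const value = String(raw).trim().toUpperCase();
  if (EXPLICIT.has(value)) return value;
  if (value === 'FPE') return auto(el);
  // Fail closed: a marked field with an unknown value must not pass as plaintext.
  throw new Error(`unknown data-crypt value: ${raw}`);
}

function isTextInput(el) {
  return el.tag === 'input' || el.tag === 'textarea' || 'contenteditable' in el.attrs;
}

function classify(nodes) {
  const toEncrypt = [], toDecrypt = [];
  for (const el of nodes) {
    if (el.tag === 'myshadowspan') {
      const byText = e => guessFormatFromText(e.text);
      toDecrypt.push({ el, format: resolveFormat(el, byText) ?? byText(el) });
    } else if (isTextInput(el)) {
      const format = resolveFormat(el, e => guessFormatFromAttributes(e.attrs));
      if (format) toEncrypt.push({ el, format });
    }
  }
  return { toEncrypt, toDecrypt };
}
```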
3. Generate the secure isolated environment and perform encryption and decryption
A secure input and output environment is generated by using shadow DOM to isolate it from the application DOM. ShadowFPE has two operations: input isolation and output isolation.
3.1 Input isolation. A text input element in the isolated shadow DOM obtains the user's input; the appropriate encryption algorithm in the algorithm library is called with the identification module's result as its parameter to encrypt the plaintext, and the ciphertext is updated into the application.
According to the identification result, the elements involving sensitive data are processed. Taking an input element as an example, a new node myspan is inserted before it to serve as the shadow host on which the shadow tree is mounted, and a new input element is generated in the shadow tree. The original input element in the application is then hidden by adding the value "display:none" to its "style" attribute.
The input element in the shadow tree is monitored; on each keystroke event, ShadowFPE encrypts the user's input in the corresponding format and then updates the ciphertext into the application's original input element.
This process is shown in Fig. 2; its core code is as follows:
3.2 Output isolation. For the ciphertext and format identified by the identification module, the appropriate decryption algorithm in the algorithm library is called to decrypt the ciphertext, and the plaintext is presented to the user in the isolated shadow DOM.
According to the identification result, the corresponding decryption algorithm in the algorithm library is called and the ciphertext is decrypted according to the corresponding format. A shadow tree is then generated with the ciphertext marker tag <myshadowspan> as the shadow host, and the plaintext of the sensitive data is placed in the shadow tree.
This process is shown in Fig. 3; its core code is as follows:
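Added example, not the patent's core code (which is not reproduced on this page): a sketch of the input and output isolation steps of sections 3.1 and 3.2. It assumes encrypt and decrypt callbacks supplied by the caller, uses a closed shadow root, and uses a span as shadow host because attachShadow() accepts only certain built-in elements and hyphenated custom element names; the function names are hypothetical.

```javascript
// `doc` is the page's document when called from the extension's content script.

// Input isolation (3.1): the application's own input is hidden and only ever
// receives ciphertext; the user types into a replacement inside the shadow tree.
function isolateInput(doc, original, format, encrypt) {
  const host = doc.createElement('span');
  original.parentNode.insertBefore(host, original);   // host sits before the original
  const root = host.attachShadow({ mode: 'closed' }); // closed: host.shadowRoot is null
  const proxy = doc.createElement('input');
  proxy.type = 'text';
  root.appendChild(proxy);
  original.style.display = 'none';
  // 'input' fires on every edit, including paste, not only on key presses.
  proxy.addEventListener('input', () => {
    original.value = proxy.value ? encrypt(proxy.value, format) : '';
  });
  return host;
}

// Output isolation (3.2): the ciphertext element stays in the application DOM
// but is hidden; the plaintext exists only inside the shadow tree.
function isolateOutput(doc, marked, format, decrypt) {
  const host = doc.createElement('span');
  const root = host.attachShadow({ mode: 'closed' });
  // textContent, not innerHTML: decrypted data is never parsed as markup.
  root.textContent = decrypt(marked.textContent, format);
  marked.style.display = 'none';
  marked.parentNode.insertBefore(host, marked);
  return host;
}
```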
In this embodiment, sensitive fields are marked in the application code by the application developer or maintainer. After the user installs the browser extension of the invention and sets a key in the client browser, the data in the application that involves the user's sensitive information is encapsulated in a secure shadow DOM isolated from the application DOM, and format-preserving encryption and decryption are applied to it.
The above embodiment is a preferred embodiment of the invention, but the embodiments of the invention are not limited by it. Any other change, modification, substitution, combination or simplification made without departing from the spirit and principle of the invention is an equivalent replacement and falls within the scope of protection of the invention.

Claims (5)

1. A Web application encryption and decryption method based on Shadow DOM, characterized by comprising the following steps:
(1) the web developer or maintainer marks sensitive data;
in step (1), sensitive data is marked as follows:
(1.1) when sensitive information needs to be presented to the user, the custom tag <myshadowspan> is added to the sensitive data that needs to be rendered;
(1.2) when the user's sensitive information needs to be collected, the custom attribute data-crypt is added to the elements involving sensitive data to mark the data format; the attribute value is one of the set {"AES", "FPE", "INT", "STRING", "IDNUMBER", "EMAIL"}, where "FPE", "INT", "STRING", "IDNUMBER" and "EMAIL" respectively denote FPE with no format specified, FPE with integer format, FPE with string format, FPE with ID card number format, and FPE with email format;
(2) the user installs the ShadowFPE extension in the browser and sets a key for the ShadowFPE extension;
(3) the ShadowFPE browser extension identifies the sensitive data and performs encryption and decryption in a secure isolated environment.
2. The Web application encryption and decryption method based on Shadow DOM according to claim 1, characterized in that, in step (3), the ShadowFPE browser extension identifies sensitive data as follows:
(3.1.1) traverse the <myshadowspan> tags and data-crypt attributes present in the application DOM;
(3.1.2) treat text input elements that carry a data-crypt attribute, including input elements, textarea elements or [contentEditable], as sensitive data to be encrypted, with the data format specified by the value of data-crypt;
(3.1.3) treat the text inside a <myshadowspan> tag as sensitive data ciphertext to be decrypted, with the data format specified by the value of data-crypt.
3. The Web application encryption and decryption method based on Shadow DOM according to claim 2, characterized in that, in step (3.1.2), the format of an element to be encrypted is determined from the value of the attribute on that element:
A. If the data-crypt value is AES, the AES encryption algorithm is used for encryption;
B. If the data-crypt value is one of {"INT", "STRING", "IDNUMBER", "EMAIL"}, the data is considered format-sensitive and is processed with the corresponding specific format of the FPE algorithm;
C. If the data-crypt value is "FPE", the data is format-sensitive but the data format is not stated explicitly. ShadowFPE then identifies the data format automatically: it traverses all attributes of the element and returns as soon as it finds a keyword.
4. The Web application encryption and decryption method based on Shadow DOM according to claim 2, characterized in that, in step (3.1.3), the sensitive data ciphertext to be decrypted is identified in one of two ways:
D. by reading the data-crypt attribute;
E. by identifying the ciphertext through regular-expression matching.
5. The Web application encryption and decryption method based on Shadow DOM according to claim 1, characterized in that, in step (3), encryption and decryption are performed in the secure isolated environment as follows:
(3.2.1) when the user's sensitive data is collected, an element is generated in the shadow DOM that takes the place of the application code in interacting with the user's sensitive data; the user's keystroke events are monitored, the sensitive data entered by the user is encrypted, and the ciphertext is written back to the original application;
(3.2.2) when sensitive data is presented to the user, the ciphertext is decrypted, and the plaintext is encapsulated in the shadow DOM and presented to the user.
Priority Applications (1)

Application Number    Priority Date    Filing Date    Title
CN201611032064.5A    2016-11-22    2016-11-22    Web application encipher-decipher method based on Shadow DOM

Publications (2)

Publication Number    Publication Date
CN106529317A    2017-03-22
CN106529317B    2019-11-12
