CN106529317B - Web application encipher-decipher method based on Shadow DOM - Google Patents
Abstract
The invention discloses a Web application encryption and decryption method based on Shadow DOM, comprising the following steps: (1) the web developer or maintainer marks the sensitive data; (2) the user installs the ShadowFPE extension in the browser and sets a key; (3) the ShadowFPE browser extension identifies the sensitive data and performs encryption and decryption in a secure, isolated environment. The invention aims to encrypt Web applications in order to protect user privacy, so that the user's sensitive data resists theft by client-side application code, snooping during network transmission and leakage at the server, without breaking the main functions of the application.
Description
Technical field
The present invention relates to the field of data privacy protection, and in particular to a Web application encryption and decryption method based on Shadow DOM.
Background
With the rapid development of the Internet, leakage of user privacy is becoming increasingly serious. A user's private data may not only be stolen from the server-side database; it may also leak in transit, and it faces the same risk of leakage in the code of the client application. Letting users control the encryption of their own private data avoids these threats. However, the change in ciphertext format introduced by traditional encryption algorithms not only interferes with the application's front-end validation but also violates the storage requirements of database fields. Protecting user privacy without breaking the application's database storage and main functions is therefore an urgent problem to be solved.
Summary of the invention
The primary object of the present invention is to overcome the shortcomings and deficiencies of the prior art and to provide a Web application encryption and decryption method based on Shadow DOM that protects the user's private data without breaking the storage of the application database or the main functions of the application.
To achieve the above object, the invention adopts the following technical solution:
The Web application encryption and decryption method based on Shadow DOM comprises the following steps:
(1) the web developer or maintainer marks the sensitive data;
(2) the user installs the ShadowFPE extension in the browser and sets a key;
(3) the ShadowFPE browser extension identifies the sensitive data and performs encryption and decryption in a secure, isolated environment.
As a preferred technical solution, in step (1), the sensitive data is marked as follows:
(1.1) the custom tag <myshadowspan> is added around sensitive data that needs to be rendered;
(1.2) the custom attribute data-crypt is added to elements that involve sensitive data in order to mark the data format. The attribute value may be one of the set {"AES", "FPE", "INT", "STRING", "IDNUMBER", "EMAIL"}, whose members denote, respectively, AES encryption, FPE with an unspecified format, FPE with integer format, FPE with string format, FPE with ID-card format and FPE with e-mail format.
As a preferred technical solution, in step (3), the ShadowFPE browser extension identifies sensitive data as follows:
(3.1.1) it traverses the <myshadowspan> tags and data-crypt attributes present in the application DOM;
(3.1.2) it treats text input elements that carry a data-crypt attribute, such as input elements, textarea elements and [contentEditable] elements, as sensitive data to be encrypted, with the data format specified by the value of data-crypt;
(3.1.3) it treats the text inside a <myshadowspan> tag as sensitive ciphertext to be decrypted, with the data format specified by the value of data-crypt.
As a preferred technical solution, in step (3.1.2), the format of an element to be encrypted is identified from the value of the attribute on that element:
A. If the data-crypt value is AES, the field is considered format-insensitive and is encrypted with the AES encryption algorithm;
B. If the data-crypt value is one of {"INT", "string", "IDNUMBER", "EMAIL"}, the field is considered format-sensitive and is processed with the corresponding specific format of the FPE algorithm;
C. If the data-crypt value is "FPE", the field is format-sensitive but its data format is not given explicitly. In this case ShadowFPE identifies the data format automatically: it traverses all attributes of the element and returns as soon as it finds a keyword.
As a preferred technical solution, in step (3.1.2), the ciphertext to be decrypted is identified in one of two ways:
D. by inspecting the data-crypt attribute;
E. by matching the ciphertext against regular expressions.
As a preferred technical solution, in step (3), encryption and decryption are performed in the secure, isolated environment as follows:
(3.2.1) when the user's sensitive data is collected, an element is generated in the shadow DOM that replaces the application code's element for interacting with the user's sensitive data; the user's keystroke events are monitored, the sensitive data entered by the user is encrypted, and the ciphertext is written back to the original application;
(3.2.2) when sensitive data is presented to the user, the ciphertext is decrypted, and the plaintext is encapsulated in the shadow DOM and presented to the user.
Basic concepts of data encryption used by the present invention:
(1) AES: in cryptography, the Advanced Encryption Standard (AES) is a block cipher standard adopted by the US federal government. It replaces the original DES, has been analyzed by many parties and is widely used around the world. After a five-year selection process, the Advanced Encryption Standard was published by the National Institute of Standards and Technology (NIST) as FIPS PUB 197 on November 26, 2001, and became an effective standard on May 26, 2002. By 2006, the Advanced Encryption Standard had become one of the most popular algorithms in symmetric-key encryption.
(2) FPE: in cryptography, Format Preserving Encryption (FPE) is a completely new cryptographic technique that encrypts plaintext of a specific format into ciphertext of the same format, i.e. the length and type of the ciphertext are identical to those of the plaintext.
(3) Shadow DOM: Shadow DOM is a new HTML specification proposed by the W3C that allows developers to encapsulate their own HTML tags, CSS styles and JavaScript code.
Compared with the prior art, the invention has the following advantages and beneficial effects:
1. The invention gives the user control over sensitive data and avoids leakage of user privacy by client-side application code, during transmission and at the server.
2. The invention uses a format-preserving encryption algorithm so that the ciphertext format does not change, which leaves the application's front-end validation and the field format of the database storage intact.
3. The developer or maintainer of the application can choose the sensitive fields and add the marks, which avoids any impact of encryption on application functions.
Brief description of the drawings
Fig. 1 is a flow chart of the method of the invention;
Fig. 2 is a schematic diagram of input isolation according to the invention;
Fig. 3 is a schematic diagram of output isolation according to the invention.
Detailed description
The present invention is described in further detail below with reference to the embodiment and the accompanying drawings, but embodiments of the present invention are not limited thereto.
Embodiment
The user's sensitive data includes name, telephone number, ID-card number, e-mail address, postal address and so on; the e-mail address is used as the example in the detailed description below.
As shown in Fig. 1, the Web application encryption and decryption method based on Shadow DOM of this embodiment is implemented as follows:
1. The web developer or maintainer marks the sensitive data.
1.1. When the application needs to collect sensitive user information, the data-crypt attribute should be added to the elements that involve sensitive data. For example, data-crypt is added to <input type="text" name="email"/> to indicate that the e-mail field needs to be encrypted, and the corresponding format is assigned as the value of data-crypt.
The element can be changed to <input type="text" name="email" data-crypt="FPE"/> or <input type="text" name="email" data-crypt="email"/>. The difference between the two is whether the data format is stated explicitly; for a field whose data format is not stated explicitly, ShadowFPE identifies it automatically.
1.2. When the application needs to present sensitive information to the user, the ciphertext of the sensitive field should be marked with <myshadowspan>, and its data format marked with data-crypt.
For example, if huxtdg@gmail.com is the ciphertext of nankai@gmail.com, it can be marked as <myshadowspan data-crypt="FPE">huxtdg@gmail.com</myshadowspan> or <myshadowspan data-crypt="email">huxtdg@gmail.com</myshadowspan>. The difference between the two is whether the specific data format of the format-preserving encryption is stated; for a field whose data format is not stated explicitly, ShadowFPE identifies it automatically.
2. Identification scheme.
2.1. Identifying the input to be encrypted. ShadowFPE traverses every node in the application DOM and, for each text input element (for example input, textarea, [contentEditable]), traverses its attributes. A text input element that has a data-crypt attribute is treated as an element to be encrypted.
The format of an element to be encrypted is identified from the value of the attribute on that element: (1) if the data-crypt value is AES, the field is considered format-insensitive and is encrypted with the AES encryption algorithm; (2) if the data-crypt value is one of {"INT", "string", "IDNUMBER", "EMAIL"}, the field is considered format-sensitive and is processed with the corresponding specific format of the FPE algorithm; (3) if the data-crypt value is "FPE", the field is format-sensitive but its data format is not given explicitly. In this case ShadowFPE identifies the data format automatically: it traverses all attributes of the element and returns as soon as it finds a keyword.
The pseudocode of this process is shown below:
2.2. Identifying the input to be decrypted. ShadowFPE traverses every node in the application DOM and identifies the <myshadowspan> tags; the text inside a <myshadowspan> tag is output to be decrypted.
The ciphertext format is identified in one of two ways: (1) by inspecting the data-crypt attribute, in which case the scheme is the same as above; (2) by matching the ciphertext against regular expressions to determine its format. ShadowFPE provides an automatic identification algorithm with a certain degree of accuracy, represented in the following code by the function IdentifyDecFormat.
The pseudocode of this process is shown below:
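The identification rules of steps 2.1 and 2.2, written out as an added JavaScript example; this is not the patent's pseudocode. Apart from data-crypt, myshadowspan and IdentifyDecFormat, every name is hypothetical, and the keyword list, the regular expressions, the "STRING" fallback and the error on an unknown marker are assumptions the page does not specify.

```javascript
// Added illustration, not the patent's pseudocode. An element is modelled as
// { tag, attrs, text }; in a content script these come from el.localName,
// el.attributes and el.textContent.
const FPE_FORMATS = ["INT", "STRING", "IDNUMBER", "EMAIL"];

// Assumed keyword hints for data-crypt="FPE" (the page does not list them).
const ATTRIBUTE_KEYWORDS = [
  ["EMAIL", /e-?mail/i],
  ["IDNUMBER", /id[-_]?(card|number|no)\b/i],
  ["INT", /\b(age|quantity|amount)\b/i],
];

// Assumed ciphertext patterns. FPE keeps the plaintext's format, so the
// ciphertext itself reveals it. Order matters: an 18-digit integer is taken
// for an ID number, one reason this path has only limited accuracy.
const CIPHERTEXT_PATTERNS = [
  ["EMAIL", /^[^@\s]+@[^@\s]+\.[^@\s]+$/],
  ["IDNUMBER", /^\d{17}[\dXx]$/],
  ["INT", /^-?\d+$/],
];

function isTextInput(el) {
  return el.tag === "input" || el.tag === "textarea" || "contenteditable" in el.attrs;
}

// Way (2) of step 2.2: classify a ciphertext by regular expression.
function IdentifyDecFormat(ciphertext) {
  const text = ciphertext.trim();
  const hit = CIPHERTEXT_PATTERNS.find(([, re]) => re.test(text));
  return hit ? hit[0] : "STRING"; // assumed fallback
}

// Case (3) of step 2.1: scan the element's other attributes for a keyword.
function detectFromAttributes(el) {
  for (const [name, value] of Object.entries(el.attrs)) {
    if (name === "data-crypt") continue;
    const hit = ATTRIBUTE_KEYWORDS.find(([, re]) => re.test(`${name} ${value}`));
    if (hit) return hit[0];
  }
  return "STRING"; // assumed fallback when no keyword is found
}

// Cases (1) to (3) of step 2.1, shared by both directions.
function resolveMarker(el, autoDetect) {
  const raw = el.attrs["data-crypt"];
  // The page writes values in both cases ("EMAIL", "email"), so normalise.
  const value = raw.trim().toUpperCase();
  if (value === "AES") return { algorithm: "AES", format: null };
  if (FPE_FORMATS.includes(value)) return { algorithm: "FPE", format: value };
  if (value === "FPE") return { algorithm: "FPE", format: autoDetect(el) };
  // A mistyped marker must not silently leave the field in plaintext.
  throw new Error(`unknown data-crypt value: ${raw}`);
}

// Step 2.1: text input elements carrying data-crypt are to be encrypted.
function identifyEncFormat(el) {
  if (!isTextInput(el) || !("data-crypt" in el.attrs)) return null;
  return resolveMarker(el, detectFromAttributes);
}

// Step 2.2: text inside <myshadowspan> is ciphertext to be decrypted.
// AES ciphertext has to be marked explicitly; the regex path only knows FPE formats.
function identifyDecTarget(el) {
  if (el.tag !== "myshadowspan") return null;
  if ("data-crypt" in el.attrs) return resolveMarker(el, (e) => IdentifyDecFormat(e.text));
  return { algorithm: "FPE", format: IdentifyDecFormat(el.text) };
}
```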
3. Generating the secure, isolated environment and performing encryption and decryption.
A secure input and output environment is generated by using the shadow DOM to isolate it from the application DOM. ShadowFPE has two operations, input isolation and output isolation.
3.1. Input isolation. A text input element inside the isolated shadow DOM obtains the user's input; the appropriate encryption algorithm in the algorithm library is called with the identification module's result as its parameter, the plaintext is encrypted, and the ciphertext is written back to the application.
The elements involving sensitive data are processed according to the identification result. Taking an input element as an example, a new node myspan is inserted before it to serve as the shadow host on which the shadow tree is mounted, and a new input element is generated in the shadow tree. The original input element in the application is then hidden by adding the value "display:none" to its "style" attribute.
The input element in the shadow tree is monitored; on each keystroke event of the user, ShadowFPE encrypts the user's input in the corresponding format and then writes the ciphertext back to the application's original input element.
This process is shown in Fig. 2, and its core code is as follows:
3.2. Output isolation. For the ciphertext and format identified by the identification module, the appropriate decryption algorithm in the algorithm library is called, the ciphertext is decrypted, and the plaintext is presented to the user inside the isolated shadow DOM.
According to the identification result, the corresponding decryption algorithm in the algorithm library is called and the ciphertext is decrypted in the corresponding format. The ciphertext marker tag <myshadowspan> is then used as the shadow host to generate a shadow tree, and the plaintext of the sensitive data is placed in the shadow tree.
This process is shown in Fig. 3, and its core code is as follows:
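Input isolation (3.1) and output isolation (3.2) with the current attachShadow() API, as an added example; this is not the patent's core code. The `doc` parameter and the `encrypt`/`decrypt` callbacks are hypothetical stand-ins for the page's document and for the extension's algorithm library, and the use of a plain span as host is an assumption made because attachShadow() rejects element names such as myspan and myshadowspan that are neither supported built-ins nor hyphenated custom element names.

```javascript
// Added illustration, not the patent's core code. encrypt/decrypt are
// hypothetical callbacks supplied by the extension's algorithm library.

// Step 3.1, input isolation: the user types into an input that lives in a
// shadow tree; only ciphertext is written to the application's own field.
function isolateInput(doc, original, encrypt) {
  // The description names the host "myspan"; a plain span is used here because
  // attachShadow() accepts only certain built-in elements and custom element
  // names that contain a hyphen.
  const host = doc.createElement("span");
  original.parentNode.insertBefore(host, original);
  // Closed mode: host.shadowRoot is null, so the tree is reachable only
  // through the reference held in this function.
  const root = host.attachShadow({ mode: "closed" });
  const shadowInput = doc.createElement("input");
  shadowInput.type = "text";
  root.appendChild(shadowInput);
  // Hide the application's field; it keeps its name and place in the form.
  original.style.display = "none";
  // "input" fires on every keystroke and also on paste or autofill.
  shadowInput.addEventListener("input", () => {
    original.value = encrypt(shadowInput.value);
  });
  return shadowInput;
}

// Step 3.2, output isolation: the plaintext exists only inside a shadow tree.
function isolateOutput(doc, marker, decrypt) {
  const ciphertext = marker.textContent.trim();
  // <myshadowspan> has no hyphen, so it cannot host a shadow root itself;
  // a span placed inside it can.
  const host = doc.createElement("span");
  // Light-DOM children of a shadow host are not rendered unless slotted, so
  // the ciphertext stays readable to the application but is not displayed.
  host.textContent = ciphertext;
  const root = host.attachShadow({ mode: "closed" });
  // textContent, never innerHTML: decrypted data must not be parsed as markup.
  root.textContent = decrypt(ciphertext);
  marker.textContent = "";
  marker.appendChild(host);
  return root;
}
```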
In this embodiment, the application developer or maintainer marks the sensitive fields in the application code. After the user installs the browser extension of the invention in the client browser and sets a key, the data in the application that involves the user's sensitive information is encapsulated in a secure shadow DOM isolated from the application DOM, and is processed with format-preserving encryption and decryption.
The above embodiment is a preferred embodiment of the present invention, but embodiments of the present invention are not limited by it. Any other change, modification, substitution, combination or simplification made without departing from the spirit and principles of the present invention is an equivalent replacement and falls within the scope of protection of the present invention.
Claims (5)
1. A Web application encryption and decryption method based on Shadow DOM, characterized by comprising the following steps:
(1) the web developer or maintainer marks the sensitive data;
in step (1), the sensitive data is marked as follows:
(1.1) when sensitive information needs to be presented to the user, the custom tag <myshadowspan> is added to the sensitive data that needs to be rendered;
(1.2) when sensitive user information needs to be collected, the custom attribute data-crypt is added to the elements that involve sensitive data in order to mark the data format, the attribute value being one of the set {"AES", "FPE", "INT", "STRING", "IDNUMBER", "EMAIL"}, where "FPE", "INT", "STRING", "IDNUMBER" and "EMAIL" denote, respectively, FPE with an unspecified format, FPE with integer format, FPE with string format, FPE with ID-card format and FPE with e-mail format;
(2) the user installs the ShadowFPE extension in the browser and sets a key for the ShadowFPE extension;
(3) the ShadowFPE browser extension identifies the sensitive data and performs encryption and decryption in a secure, isolated environment.
2. The Web application encryption and decryption method based on Shadow DOM according to claim 1, characterized in that, in step (3), the ShadowFPE browser extension identifies sensitive data as follows:
(3.1.1) it traverses the <myshadowspan> tags and data-crypt attributes present in the application DOM;
(3.1.2) it treats text input elements that carry a data-crypt attribute, including input elements, textarea elements or [contentEditable], as sensitive data to be encrypted, with the data format specified by the value of data-crypt;
(3.1.3) it treats the text inside a <myshadowspan> tag as sensitive ciphertext to be decrypted, with the data format specified by the value of data-crypt.
3. The Web application encryption and decryption method based on Shadow DOM according to claim 2, characterized in that, in step (3.1.2), the format of an element to be encrypted is identified from the value of the attribute on that element:
A. if the data-crypt value is AES, the AES encryption algorithm is used for encryption;
B. if the data-crypt value is one of {"INT", "STRING", "IDNUMBER", "EMAIL"}, the data is considered format-sensitive and is processed with the corresponding specific format of the FPE algorithm;
C. if the data-crypt value is "FPE", the data is format-sensitive but its data format is not given explicitly; in this case ShadowFPE identifies the data format automatically: it traverses all attributes of the element and returns as soon as it finds a keyword.
4. The Web application encryption and decryption method based on Shadow DOM according to claim 2, characterized in that, in step (3.1.3), the sensitive ciphertext to be decrypted is identified in one of two ways:
D. by inspecting the data-crypt attribute;
E. by matching the ciphertext against regular expressions.
5. The Web application encryption and decryption method based on Shadow DOM according to claim 1, characterized in that, in step (3), encryption and decryption are performed in the secure, isolated environment as follows:
(3.2.1) when the user's sensitive data is collected, an element is generated in the shadow DOM that replaces the application code's element for interacting with the user's sensitive data; the user's keystroke events are monitored, the sensitive data entered by the user is encrypted, and the ciphertext is written back to the original application;
(3.2.2) when sensitive data is presented to the user, the ciphertext is decrypted, and the plaintext is encapsulated in the shadow DOM and presented to the user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611032064.5A CN106529317B (en) | 2016-11-22 | 2016-11-22 | Web application encipher-decipher method based on Shadow DOM |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106529317A (en) | 2017-03-22 |
CN106529317B (en) | 2019-11-12 |