CN107666459B - Application cache checking method and device and computing equipment - Google Patents

Info

Publication number: CN107666459B
Authority: CN (China)
Prior art keywords: signature, manifest file, algorithm, application cache, network resource
Legal status: Active
Application number: CN201610599039.9A
Other languages: Chinese (zh)
Other versions: CN107666459A (en)
Inventor: 陈汝龙
Current Assignee: Alibaba China Co Ltd
Original Assignee: Alibaba China Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching

Abstract

The invention discloses an application cache checking method and device and computing equipment. A signature of the loaded network resource is calculated according to a predetermined algorithm, where the predetermined algorithm is specified in the manifest file of the application cache, and the calculated signature is verified against the signature of the corresponding file list entry in the manifest file. By simply extending the manifest file of the application cache and using signature verification, the invention determines the validity of loaded network resources, thereby simply and effectively improving the security of the application cache.

Description

Application cache checking method and device and computing equipment
Technical Field
The present invention relates generally to the field of application caching technologies, and in particular to a method and an apparatus for enhancing the security of an application cache by checking loaded network resources, and a computing device.
Background
After entering the era of mobile internet, people increasingly use mobile terminals to browse web pages. The terminal device location is no longer fixed but relies on wireless signal networking, thereby degrading network reliability. In order to improve network reliability, an application cache (AppCache) mechanism is introduced into the fifth edition of hypertext markup language (HTML5) for offline applications, so that the mobile terminal can access the web page even under the condition that the mobile terminal cannot be networked.
In the application caching mechanism, resources required to be cached locally at the mobile terminal are defined by a Manifest file (Manifest) in an HTML tag of a page. The client browser supporting the manifest file stores the specified resources locally at the client according to the rules in the manifest file, so that the cached offline file resources are accessed under the condition of no network connection, and the client browser is enabled to run normally.
Because the Hypertext Transfer Protocol (HTTP), the underlying protocol for web page data transfer, transmits data in plaintext, data may be hijacked and tampered with during transfer. The application caching mechanism described above doubles the risk of such traffic hijacking, because the tampered data is cached locally at the client and is used until the application cache data is updated, thereby seriously compromising data security and the user's offline experience.
In the prior art, the Hypertext Transfer Protocol Secure (HTTPS) may be used for data transmission to solve the traffic hijacking problem. HTTPS employs the Secure Sockets Layer (SSL) protocol, which relies on certificates to verify the identity of the server and encrypts communications between the browser and the server, thereby improving network security and data integrity.
However, the HTTPS protocol requires paying a Certificate Authority (CA) for a certificate, and the connection method and port used by HTTPS differ from those used by HTTP. As a result, although HTTPS improves network security and data integrity, a plurality of services need to be modified, which reduces efficiency, affects web performance, and increases cost. This increase in cost is uneconomical, especially when hijacking occurs in only a small proportion of cases.
Thus, there is a need for a method and apparatus that can simply and efficiently enhance application cache security.
Disclosure of Invention
It is an object of the present invention to verify the loaded network resources in a simple and efficient way, thereby improving the security of the application cache.
The applicant has noticed that in the prior art, the client cannot determine whether the loaded network resource is tampered with or is a valid resource. If the client is able to determine whether the resource is valid, then action may be taken accordingly, such as not caching the resource or reloading the resource over a secure channel.
Therefore, the application cache checking method and device provided by the invention simply extend the manifest file (Manifest) of the application cache to include a signature check part, so that signature verification can be used to verify the validity of the loaded network resources.
According to an aspect of the present invention, there is provided an application cache checking method, including the steps of: calculating a signature of the loaded network resource according to a predetermined algorithm, wherein the predetermined algorithm is specified in the manifest file of the application cache; and verifying the calculated signature with a signature of a corresponding file list in the manifest file.
By the method, whether the loaded network resource is tampered or not can be judged through signature verification, so that the safety of application cache is improved.
In one embodiment of the invention, the manifest file includes a signature check field specifying the predetermined algorithm; and wherein some or all of the list of files in the manifest file include a corresponding signature, the signature being calculated according to the predetermined algorithm.
By using the embodiment, the judgment of the client on the network resource validity can be realized by simply expanding the manifest file, so that the security of the application cache is simply and effectively improved.
In an embodiment of the present invention, the application cache checking method further includes the following steps: judging whether the loaded network resources belong to resources to be checked; and executing the network resource signature calculation step and the signature verification step under the condition that the loaded network resource is judged to belong to the resource to be verified.
In an embodiment of the present invention, the step of determining whether the loaded network resource belongs to a resource to be checked includes any one or more of the following steps: determining whether the manifest file is loaded through a secure channel; determining that at least a portion of a file list of the manifest file includes a corresponding signature; and determining whether the loaded network resource corresponds to a specified list of files in the manifest file.
In one embodiment of the invention, the secure channel is an HTTPS channel; and/or the list of specified files in the manifest file comprises any one or more of: CACHE, NETWORK and FALLBACK.
In an embodiment of the present invention, the application cache checking method further includes the following steps: in the event that the verification determines that the calculated signature of the loaded network resource is not consistent with the signature of the corresponding list of files in the manifest file, performing any one or more of the following operations for the loaded network resource: discarding the loaded network resource; reloading the network resource through a secure channel; and causing the manifest file to be modified to designate the network resource as a resource that is not allowed to be cached.
In one embodiment of the present invention, the operation of causing the manifest file to be modified to designate the network resource as a resource that is not allowed to be cached comprises: causing the network resource to be added to the NETWORK whitelist in the manifest file.
In one embodiment of the invention, the predetermined algorithm comprises any one of: Message Digest Algorithm 5 (MD5), Secure Hash Algorithm 1 (SHA-1), RACE Integrity Primitives Evaluation Message Digest (RIPEMD), or the fifth version of the Haval message digest algorithm (Haval MD5).
In another aspect of the present invention, an application cache checking method is provided, which includes the following steps: extending the manifest file of the application cache to include a signature check field, the signature check field containing information indicative of a signature check algorithm; and adding corresponding signatures to part or all of the file lists in the manifest file, wherein the signatures are calculated according to a signature verification algorithm indicated in the signature verification field.
By this method, the manifest file (Manifest) of the application cache can be simply extended to include a signature check part, thereby providing a basis for verifying the validity of the loaded network resources.
In an embodiment of the present invention, the adding the corresponding signature to part or all of the file list in the manifest file includes: adding a signature to any one or more of the CACHE, NETWORK, and FALLBACK portions of the manifest file.
In an embodiment of the present invention, the application cache checking method further includes the following steps: causing the manifest file to be sent over a secure channel. In one embodiment of the invention, the secure channel is an HTTPS channel.
In one embodiment of the invention, the signature verification algorithm comprises any one of: Message Digest Algorithm 5 (MD5), Secure Hash Algorithm 1 (SHA-1), RACE Integrity Primitives Evaluation Message Digest (RIPEMD), or the fifth version of the Haval message digest algorithm (Haval MD5).
In still another aspect of the present invention, an application cache checking apparatus is provided, including: a signature calculation unit configured to calculate a signature of the loaded network resource according to a predetermined algorithm specified in the manifest file of the application cache; and the signature verification unit is configured to verify the signature calculated by the signature calculation unit and the signature of the corresponding file list in the manifest file.
In one embodiment of the invention, the manifest file includes a signature check field specifying the predetermined algorithm; and wherein some or all of the list of files in the manifest file include a corresponding signature, the signature being calculated according to the predetermined algorithm.
In an embodiment of the present invention, the application cache checking apparatus further includes: and the checking judgment unit is configured to judge whether the loaded network resource belongs to the resource to be checked.
In one embodiment of the present invention, the checking and judging unit includes any one or more of the following: a first determination module configured to determine whether the manifest file is loaded through a secure channel; a second determination module configured to determine that at least a portion of a file list of the manifest file includes a corresponding signature; and a third determination module configured to determine whether the loaded network resource corresponds to a specified list of files in the manifest file.
In one embodiment of the invention, the secure channel is a Hypertext Transfer Protocol Secure (HTTPS) channel; and/or the list of specified files in the manifest file comprises any one or more of: CACHE, NETWORK and FALLBACK.
In an embodiment of the present invention, the application cache checking apparatus further includes: a verification failure processing unit configured to, in a case that the signature verification unit verifies that the calculated signature of the loaded network resource is not consistent with the signature of the corresponding file list in the manifest file, perform any one or more of the following operations for the loaded network resource: discarding the loaded network resource; reloading the network resource through a secure channel; and causing the manifest file to be modified to designate the network resource as a resource that is not allowed to be cached.
In one embodiment of the present invention, the operation of causing the manifest file to be modified to designate the network resource as a resource that is not allowed to be cached comprises: causing the network resource to be added to the NETWORK whitelist in the manifest file.
In one embodiment of the invention, the predetermined algorithm comprises any one of: Message Digest Algorithm 5 (MD5), Secure Hash Algorithm 1 (SHA-1), RACE Integrity Primitives Evaluation Message Digest (RIPEMD), or the fifth version of the Haval message digest algorithm (Haval MD5).
In still another aspect of the present invention, an application cache checking apparatus is provided, including: a manifest file extension unit configured to extend the manifest file of the application cache to include a signature check field containing information indicating a signature check algorithm; and a signature adding unit configured to add corresponding signatures to part or all of the file lists in the manifest file, wherein the signatures are calculated according to the signature verification algorithm indicated in the signature check field.
In one embodiment of the present invention, the signature adding unit is further configured to: adding a signature to any one or more of the CACHE, NETWORK, and FALLBACK portions of the manifest file.
In an embodiment of the present invention, the application cache checking apparatus further includes: a manifest file transmitting unit configured to cause the manifest file to be transmitted through a secure channel. In one embodiment of the invention, the secure channel is a Hypertext Transfer Protocol Secure (HTTPS) channel.
In one embodiment of the invention, the signature verification algorithm comprises any one of: Message Digest Algorithm 5 (MD5), Secure Hash Algorithm 1 (SHA-1), RACE Integrity Primitives Evaluation Message Digest (RIPEMD), or the fifth version of the Haval message digest algorithm (Haval MD5).
In yet another aspect of the present invention, there is provided a computing device comprising: a network interface that enables the computing device to communicate via one or more networks; a memory in which network resources loaded through the network interface are cached; and one or more processors coupled to the network interface and the memory, the one or more processors configured to: calculating a signature of the loaded network resource according to a predetermined algorithm, wherein the predetermined algorithm is specified in the manifest file of the application cache; and verifying the calculated signature with a signature of a corresponding file list in the manifest file.
In another aspect of the present invention, there is provided a computing device comprising: one or more processors configured to perform the following operations: extending the manifest file of the application cache to include a signature check field, the signature check field containing information indicative of a signature check algorithm; adding corresponding signatures to part or all of the file lists in the manifest file, wherein the signatures are calculated according to a signature verification algorithm indicated in the signature verification field; a memory connected to the one or more processors, the manifest file and files corresponding to a list of files in the manifest file being stored in the memory; and a network interface that enables the computing device to communicate the manifest files stored in the memory and files corresponding to a list of files in the manifest files via one or more networks.
According to the application cache checking method and device and the computing equipment, the validity of the loaded network resource is determined by simply extending the manifest file of the application cache and checking the signature, so that the security of the application cache is simply and effectively improved.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in greater detail exemplary embodiments thereof with reference to the attached drawings, in which like reference numerals generally represent like parts throughout.
FIG. 1 is a block diagram illustrating the architecture of client-side and server-side computing devices according to an embodiment of the present invention.
Fig. 2 is a flowchart illustrating a server-side application cache checking method according to an embodiment of the present invention.
Fig. 3 is a flow diagram illustrating a client-side application cache checking method according to an embodiment of the invention.
Fig. 4 is a functional block diagram illustrating a server-side application cache checking apparatus according to an embodiment of the present invention.
Fig. 5 is a functional block diagram illustrating a client-side application cache checking apparatus according to an embodiment of the present invention.
Fig. 6A and 6B illustrate file structures of an application cache manifest file according to the related art and an embodiment of the present invention, respectively.
Detailed Description
Preferred embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While the preferred embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As described above, in order to improve the security of the application cache, the present invention simply extends the file structure of the manifest file of the application cache on the web server side to support the resource digital signature, then calculates the signature of the loaded network resource according to the algorithm specified in the manifest file on the client side, and verifies the signature in the manifest file, so that the client can determine whether the resource has been tampered with, thereby taking corresponding measures.
In the existing application cache specification, as shown in the example of Fig. 6A, the manifest file (Manifest) mainly includes four parts: the first line "CACHE MANIFEST", CACHE, NETWORK, and FALLBACK. The latter three parts may appear in any order, and NETWORK and FALLBACK are optional.
The first line "CACHE MANIFEST" has a fixed format and must come first. It may be followed by comments beginning with #, and the second line is generally a comment carrying the Manifest version number. The CACHE part identifies which resources need to be cached, given as either relative or absolute file paths. The resources listed in the NETWORK part must be loaded directly from the network, bypassing the cache; that is, these resources are never cached locally at the client and are not available offline. The FALLBACK part specifies an alternate resource that the browser uses when the network resource is inaccessible.
The present invention extends the Manifest file structure of the application cache specification to support resource digital signatures. Specifically, a signature check field SIGNATURE is added to the original specification, and the signature check field contains information indicating a signature check algorithm. The signature verification algorithm of the present invention may include, but is not limited to: Message Digest Algorithm 5 (MD5), Secure Hash Algorithm 1 (SHA-1), RACE Integrity Primitives Evaluation Message Digest (RIPEMD), or the fifth version of the Haval message digest algorithm (Haval MD5). Then, the digital signature of the corresponding file is added after part or all of the entries in the file resource list of the Manifest, where the signature is calculated by the server over the actual content of the listed file, according to the signature verification algorithm indicated in the signature check field.
Fig. 6B illustrates an extended Manifest file structure according to an example of the present invention, where the SIGNATURE section indicates that the checking algorithm employed in this example is MD5. As shown in Fig. 6B, each of the files listed under CACHE, NETWORK and FALLBACK is followed by a corresponding signature calculated using the MD5 algorithm. These signatures are transmitted from the web server to the client as part of the manifest file.
An embodiment of the present invention will be specifically described below with reference to Figs. 1 to 5. Fig. 1 is a block diagram illustrating the structure of a server-side computing device 100 and a client-side computing device 100' according to an embodiment of the invention. The components of the server-side computing device 100 include, but are not limited to, a network interface 110, memory 120, and one or more processors 130. The processor 130 is coupled to the network interface 110 and the memory 120. Correspondingly, components of the client-side computing device 100' include, but are not limited to, the network interface 110', the memory 120', and the one or more processors 130'. The processor 130' is coupled to the network interface 110' and the memory 120'.
In one embodiment of the invention, the other components of the server-side computing device 100 and the client-side computing device 100' described above and not shown in fig. 1 may also each be connected to each other, for example by a bus. It should be understood that the block diagram of the computing device architecture shown in FIG. 1 is for purposes of example only and is not limiting upon the scope of the present invention. Those skilled in the art may add or replace other components as desired.
The server-side computing device 100 is typically a mobile or stationary server. The manifest file and file resources corresponding to the list of files in the manifest file are stored in memory 120. The memory 120 may include one or more of any type of storage device that stores content in the form of files or in other forms, including magnetic hard drives, solid state hard drives, semiconductor storage devices, flash memory, or any other computer readable writable storage medium capable of storing program instructions or digital information.
The network interface 110 enables the server-side computing device 100 to communicate manifest files and file resources in the memory 120 via one or more networks. Examples of such networks include a Local Area Network (LAN), a Wide Area Network (WAN), a Personal Area Network (PAN), or a combination of communication networks such as the internet. The network interface 110 may include one or more of any type of network interface, e.g., a Network Interface Card (NIC), wired or wireless, such as an IEEE 802.11 Wireless Local Area Network (WLAN) wireless interface, a worldwide interoperability for microwave access (Wi-MAX) interface, an ethernet interface, a Universal Serial Bus (USB) interface, a cellular network interface, a bluetooth interface, a Near Field Communication (NFC) interface, and so forth.
The server-side processor 130 may be configured to simply extend the file structure of the application-cached manifest file to support resource digital signatures. The process of the processor 130 extending the manifest file structure to add signature sections can be seen in fig. 2. FIG. 2 shows a flow diagram of a server-side application cache checking method 200 according to an embodiment of the invention.
Method 200 begins at step S210, as shown in fig. 2, where processor 130 expands the manifest file of the application cache to include a SIGNATURE check field SIGNATURE (as shown in fig. 6B) containing information indicative of a SIGNATURE check algorithm (e.g., MD5, as shown in fig. 6B).
Next, in step S220, the processor 130 calculates, according to the signature verification algorithm indicated in the signature check field, digital signatures for the file resources stored in the memory 120 that correspond to the file list in the manifest file. In this embodiment, one file resource corresponds to one digital signature. The processor 130 then adds the calculated signatures to the corresponding file entries in the manifest file, as shown in Fig. 6B.
It is noted that although in the example of fig. 6B digital signatures are calculated and added for all three parts of the file, CACHE, NETWORK and FALLBACK, in other embodiments signatures may be added for any one or two of the three parts, for example only for files listed in CACHE. For example, considering that the resources listed in NETWORK are not cached to the client, the hazard is limited for a short time even if the content is tampered with, so in order to save the computing cost, the signature may not be computed and added to the file in NETWORK.
In one embodiment, to ensure the security of the application cache and guarantee the feasibility of the signature check, the processor 130 preferably causes the manifest file with the added signature to be sent from the network interface 110 via a secure channel (step S230). Here, the so-called secure channel may be an HTTPS channel.
With the method 200 shown in Fig. 2, the present invention can provide a basis for verifying the validity of a loaded network resource by simply extending the manifest file (Manifest) of the application cache to include a signature check part.
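The server-side steps S210 and S220 as a runnable sketch; this is an added example, not code from the patent. The line layout (a `SIGNATURE:` section naming the algorithm, and a hex signature appended after each entry) is an assumption, since Fig. 6B is not reproduced on this page, and the function names and sample data are hypothetical.

```python
import hashlib

# Algorithms from the page's list that hashlib always provides.
# RIPEMD and HAVAL are left out: they are not guaranteed to be available.
HASHLIB_NAMES = {"MD5": "md5", "SHA-1": "sha1"}


def resource_signature(algorithm, content):
    """Step S220: digest of the resource's actual content, as lowercase hex."""
    return hashlib.new(HASHLIB_NAMES[algorithm], content).hexdigest()


def build_signed_manifest(version, algorithm, sections, resources,
                          sign_sections=("CACHE", "FALLBACK")):
    """Steps S210/S220: manifest text with a SIGNATURE field and entry signatures.

    sections  -- {"CACHE": [...], "NETWORK": [...], "FALLBACK": [...]}; each
                 entry is a manifest line such as "/js/app.js" or "/ /offline.html"
    resources -- {url: bytes}, standing in for the files held in memory 120
    """
    if algorithm not in HASHLIB_NAMES:
        raise ValueError(f"unsupported signature algorithm: {algorithm}")
    # Assumed layout: the SIGNATURE section follows the version comment.
    lines = ["CACHE MANIFEST", f"# {version}", "SIGNATURE:", algorithm]
    for name in ("CACHE", "NETWORK", "FALLBACK"):
        entries = sections.get(name)
        if not entries:
            continue  # NETWORK and FALLBACK are optional parts
        lines.append(f"{name}:")
        for entry in entries:
            # The signed resource is the last URL on the line: the file itself
            # for CACHE and NETWORK, the fallback page for FALLBACK.
            url = entry.split()[-1]
            # A wildcard names no single file, so it cannot carry a signature.
            if name in sign_sections and url != "*":
                if url not in resources:
                    raise KeyError(f"no content to sign for {url}")
                entry = f"{entry} {resource_signature(algorithm, resources[url])}"
            lines.append(entry)
    return "\n".join(lines) + "\n"


# Constructed sample site content (not from the patent).
SAMPLE_RESOURCES = {
    "/index.html": b"hello",
    "/js/app.js": b"console.log('app');",
    "/offline.html": b"<p>offline</p>",
}
SAMPLE_SECTIONS = {
    "CACHE": ["/index.html", "/js/app.js"],
    "NETWORK": ["*"],
    "FALLBACK": ["/ /offline.html"],
}

if __name__ == "__main__":
    print(build_signed_manifest("v1.0.0", "MD5", SAMPLE_SECTIONS, SAMPLE_RESOURCES))
```

Leaving NETWORK out of `sign_sections` mirrors the cost-saving option described for resources that are never cached.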
Returning again to FIG. 1, the client-side computing device 100' will be described in detail below. The client-side computing device 100' may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (e.g., tablet, personal digital assistant, laptop, notebook, netbook, etc.), a mobile phone (e.g., smartphone), a wearable computing device (e.g., smartwatch, smartglasses, etc.), or other type of mobile device, or a stationary computing device such as a desktop computer or PC.
The network interface 110' enables the client-side computing device 100' to communicate via one or more networks. Examples of such networks include a Local Area Network (LAN), a Wide Area Network (WAN), a Personal Area Network (PAN), or a combination of communication networks such as the internet. The network interface 110 may include one or more of any type of network interface, e.g., a Network Interface Card (NIC), wired or wireless, such as an IEEE 802.11 Wireless Local Area Network (WLAN) wireless interface, a worldwide interoperability for microwave access (Wi-MAX) interface, an ethernet interface, a Universal Serial Bus (USB) interface, a cellular network interface, a bluetooth interface, a Near Field Communication (NFC) interface, and so forth.
Network resources loaded through the network interface 110' may be cached in the memory 120'. The memory 120' may include one or more of any type of storage device that stores content in the form of files or in other forms, including magnetic hard drives, solid state hard drives, semiconductor storage devices, flash memory, or any other computer readable writable storage medium capable of storing program instructions or digital information.
The client-side processor 130' may be configured to perform signature verification on the loaded network resources, thereby achieving the purpose of enhancing application cache security. The process of signature verification by the processor 130' can be seen in fig. 3. Fig. 3 shows a flow diagram of a client-side application cache check method 300 according to an embodiment of the invention.
The method 300 may begin at step S320, as shown in Fig. 3. After the client-side computing device 100' acquires, via the network interface 110', the manifest file (Manifest) extended by the server-side processor 130 and the network resources, the client-side processor 130' calculates a signature of the loaded network resources according to a predetermined algorithm. The predetermined algorithm is specified by the manifest file, specifically by the signature check field SIGNATURE added to the manifest file by the server-side processor 130 (see Fig. 6B). As previously mentioned, the signature verification algorithm of the present invention may include, but is not limited to: Message Digest Algorithm 5 (MD5), Secure Hash Algorithm 1 (SHA-1), RACE Integrity Primitives Evaluation Message Digest (RIPEMD), or the fifth version of the Haval message digest algorithm (Haval MD5).
Next, in step S330, the processor 130' verifies the calculated signature of the loaded network resource with the signature of the corresponding file list in the manifest file. For example, the digital signature of the file entry corresponding to the network resource to be verified in the manifest file is read and compared with the signature calculated in step S320. If the check in step S330 is successful, it indicates that the loaded network resource is valid and can be cached locally at the client.
With the method 300 shown in fig. 3, the present invention enables a client to verify a loaded network resource in a simple and efficient manner, thereby improving the security of application caching.
In one embodiment, the method 300 preferably further includes a step S310 before performing the network resource signature calculation step S320 and the signature verification step S330, that is, determining whether the loaded network resource belongs to a resource to be verified. Only in case it is determined that the loaded network resource belongs to the resource that should be checked, steps S320 and S330 are performed. If the loaded network resource is determined not to belong to the resource to be checked, the method 300 ends.
Specifically, the step of determining whether the loaded network resource belongs to the resource to be checked may include any one or more of the following operations: determining whether the manifest file is loaded through a secure channel; determining that at least part of a file list of the manifest file includes a corresponding signature; and determining whether the loaded network resource corresponds to a specified list of files in the manifest file.
For example, if the manifest file is not loaded through an HTTPS secure channel, it means that the reliability of the manifest file itself is questionable, and the SIGNATURE extension field therein is not suitable as a verification basis for SIGNATURE verification, in which case, the SIGNATURE verification may be optionally not performed on the loaded network resource.
In one example, if a Manifest resource list is not followed by a signature, the resource may be defaulted to being valid without checking it. In yet another example, verification may be performed only on a partial file list in the manifest file. For example, signature verification may be performed only on resources of the CACHE and FALLBACK portions, and verification of the NETWORK portion is omitted even if its resources carry a signature, thereby saving the calculation cost and improving the operation performance. The list of files in the manifest file that specify that verification should be performed may include any one or more of CACHE, NETWORK, and FALLBACK.
In an embodiment of the present invention, preferably, the client-side application cache verification method 300 further includes a verification failure processing step S340. That is, if the check in step S330 determines that the calculated signature of the loaded network resource is not consistent with the signature of the corresponding file list in the manifest file, any one or more of the following operations may be performed on the loaded network resource: discarding the loaded network resource; reloading the network resource over a secure channel such as HTTPS; and causing the manifest file to be modified to designate the network resource as a resource that is not allowed to be cached. For example, the network resource may be added to the NETWORK whitelist, i.e., the resource is no longer cached, but rather a load is requested from the server each time a web page is accessed.
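The client-side flow of method 300 (steps S310 to S340), written out as an added example that is not code from the patent. The `SIGNATURE: <algorithm>` line, the trailing hex digest on each entry, the function names and the sample data are assumptions made for illustration, since fig. 6B is not reproduced here.

```python
import hashlib

# Assumed spellings of SIGNATURE field values, mapped to hashlib names.
ALGORITHMS = {"MD5": "md5", "SHA-1": "sha1"}
SECTIONS = ("CACHE", "NETWORK", "FALLBACK")


def parse_manifest(text):
    """Return (algorithm, {url: (section, signature or None)})."""
    algorithm, section, entries = None, "CACHE", {}
    for raw in text.splitlines()[1:]:            # line 1 is "CACHE MANIFEST"
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper().startswith("SIGNATURE:"):
            algorithm = line.split(":", 1)[1].strip().upper()
        elif line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
        else:
            tokens = line.split()
            # FALLBACK lines are "namespace fallback-url [signature]".
            url_at = 1 if section == "FALLBACK" else 0
            if len(tokens) <= url_at:
                continue                         # malformed entry, ignore
            has_sig = len(tokens) > url_at + 1
            signature = tokens[url_at + 1].lower() if has_sig else None
            entries[tokens[url_at]] = (section, signature)
    return algorithm, entries


def check_resource(manifest, over_https, url, body,
                   checked=("CACHE", "FALLBACK")):
    """Steps S310-S330: return 'skipped', 'valid' or 'failed'."""
    algorithm, entries = parse_manifest(manifest)
    section, expected = entries.get(url, (None, None))
    # S310: manifest not over HTTPS, no signature, or section not selected.
    if not over_https or expected is None or section not in checked:
        return "skipped"
    # Unknown algorithm: fail closed (this example's choice, not the patent's).
    if algorithm not in ALGORITHMS:
        return "failed"
    # S320: compute the digest named by the SIGNATURE field.
    actual = hashlib.new(ALGORITHMS[algorithm], body).hexdigest()
    # S330: compare with the digest recorded in the manifest entry.
    return "valid" if actual == expected else "failed"


def whitelist_in_network(manifest, url):
    """S340 option: list `url` only under NETWORK so it is never cached."""
    out, section, has_network = [], "CACHE", False
    for raw in manifest.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
        tokens = line.split()
        url_at = 1 if section == "FALLBACK" else 0
        if len(tokens) > url_at and tokens[url_at] == url:
            continue                             # drop every existing entry
        out.append(raw)
        if line == "NETWORK:" and not has_network:
            out.append(url)
            has_network = True
    if not has_network:
        out += ["NETWORK:", url]
    return "\n".join(out) + "\n"


APP_JS = b"console.log('hello');\n"              # constructed sample resource
MANIFEST = (                                     # constructed sample manifest
    "CACHE MANIFEST\n"
    "SIGNATURE: SHA-1\n"
    "CACHE:\n"
    f"/app.js {hashlib.sha1(APP_JS).hexdigest()}\n"
    "/logo.png\n"
    "NETWORK:\n"
    "/api\n"
)
```

Every `skipped` result means the resource is cached without verification, so the three S310 conditions are fail-open paths worth logging. The digests are unkeyed, so the check is only as trustworthy as the HTTPS delivery of the manifest that carries them.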
Fig. 4 and 5 show functional block diagrams of a server-side application cache checking apparatus 400 and a client-side application cache checking apparatus 500, respectively, according to an embodiment of the present invention. The functional blocks of the server-side application cache verifier 400 and the client-side application cache verifier 500 may be implemented by hardware, software, or a combination of hardware and software implementing the principles of the present invention, for example, by one or more processors 130 in the server-side computing device 100 and one or more processors 130' in the client-side computing device shown in fig. 1. It will be appreciated by those skilled in the art that the functional blocks depicted in fig. 4 and 5 may be combined or divided into sub-blocks to implement the principles of the invention described above. Thus, the description herein may support any possible combination, or division, or further definition of the functional modules described herein.
Referring to fig. 4, in order to extend a manifest file to implement signature verification, the server-side application cache verification apparatus 400 is configured to include a manifest file extension unit 410, a signature addition unit 420, and preferably a manifest file transmission unit 430. The manifest file extension unit 410 is configured to extend the manifest file cached by the application to include a signature check field containing information indicative of a signature check algorithm. As previously mentioned, the signature verification algorithm of the present invention may include, but is not limited to: the fifth version of the message digest algorithm (MD5), the secure hash algorithm (SHA-1), the RACE Integrity Primitives Evaluation Message Digest (RIPEMD), or the fifth version of the Haval message digest algorithm (Haval MD5).
The signature adding unit 420 is configured to add a corresponding signature to part or all of the list of files in the manifest file, the signature being calculated according to a signature verification algorithm indicated in the signature verification field. In one embodiment, the signature adding unit 420 is further configured to add a signature to any one or more of CACHE, NETWORK, and FALLBACK of the manifest file. The manifest file transmitting unit 430 is configured such that the manifest file is transmitted through a secure channel such as HTTPS.
Referring to fig. 5, in order to implement signature verification, the client-side application cache verification apparatus 500 is configured to include a signature calculation unit 520, a signature verification unit 530, and preferably a verification judgment unit 510 and a verification failure processing unit 540. The signature calculation unit 520 is configured to calculate a signature of the loaded network resource according to a predetermined algorithm, wherein the predetermined algorithm is specified in the manifest file of the application cache. The manifest file here includes a signature check field that specifies a predetermined algorithm. And, part or all of the file lists in the manifest file include corresponding signatures calculated according to a predetermined algorithm. The signature verification unit 530 is configured to verify the signature calculated by the signature calculation unit 520 with the signature of the corresponding file list in the manifest file.
In an embodiment of the present invention, the checking and determining unit 510 is configured to determine whether the loaded network resource belongs to a resource to be checked. Specifically, the verification judging unit 510 may include: a first determining module 511 configured to determine whether the manifest file is loaded through a secure channel; a second determining module 513 configured to determine that at least part of the file list of the manifest file includes a corresponding signature; and a third determination module 515 configured to determine whether the loaded network resource corresponds to a specified list of files in the manifest file.
For example, if the manifest file is not loaded through an HTTPS secure channel, the signature check may be selected not to be performed on the loaded network resource. In one example, if a Manifest resource list is not followed by a signature, the resource may be defaulted to being valid without checking it. In yet another example, verification may be performed only on a partial file list in the manifest file. For example, signature verification may be performed only on resources of the CACHE and FALLBACK portions, and verification of the NETWORK portion is omitted even if its resources carry a signature, thereby saving the calculation cost and improving the operation performance. The list of files in the manifest file that specify that verification should be performed may include any one or more of CACHE, NETWORK, and FALLBACK.
In one embodiment of the present invention, the verification failure processing unit 540 is configured to, in case the signature verification unit 530 verifies that the calculated signature of the loaded network resource is not consistent with the signature of the corresponding file list in the manifest file, perform any one or more of the following operations for the loaded network resource: discarding the loaded network resource; reloading the network resource through a secure channel; and causing the manifest file to be modified to designate the network resource as a resource that is not allowed to be cached. For example, the network resource may be added to the NETWORK whitelist, i.e., the resource is no longer cached, but rather a load is requested from the server each time a web page is accessed.
In summary, the application cache verification method, the application cache verification device and the computing device of the present invention simply extend the manifest file of the application cache to utilize signature verification to realize the judgment on the validity of the loaded network resource, thereby simply and effectively improving the security of the application cache.
Furthermore, the method according to the invention may also be implemented as a computer program comprising computer program code instructions for carrying out the above-mentioned steps defined in the above-mentioned method of the invention. Alternatively, the method according to the present invention may also be implemented as a computer program product comprising a computer readable medium having stored thereon a computer program for executing the above-mentioned functions defined in the above-mentioned method of the present invention. Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems and methods according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Having described embodiments of the present invention, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (24)

1. An application cache checking method comprises the following steps:
loading a manifest file cached by an application through a secure channel, the manifest file including a signature check field specifying a predetermined algorithm, and wherein a part or all of a list of files in the manifest file includes a corresponding signature;
calculating the signature of the loaded network resource according to the predetermined algorithm; and
checking the calculated signature with the signature of the corresponding file list in the manifest file.
2. The application cache checking method of claim 1, further comprising the steps of:
judging whether the loaded network resources belong to resources to be checked; and
executing the network resource signature calculation step and the signature verification step under the condition that the loaded network resource belongs to the resource to be verified.
3. The application cache checking method according to claim 2, wherein the step of determining whether the loaded network resource belongs to a resource to be checked comprises any one or more of the following:
determining that at least a portion of a file list of the manifest file includes a corresponding signature; and
determining whether the loaded network resource corresponds to a specified list of files in the manifest file.
4. The application cache checking method of claim 3, wherein,
the secure channel is a hypertext transfer security protocol (HTTPS) channel; and/or
the list of specified files in the manifest file includes any one or more of: CACHE, NETWORK and FALLBACK.
5. The application cache checking method according to any of claims 1 to 4, further comprising the steps of:
in the event that the verification determines that the calculated signature of the loaded network resource is not consistent with the signature of the corresponding list of files in the manifest file, performing any one or more of the following operations for the loaded network resource:
discarding the loaded network resource;
reloading the network resource through a secure channel; and
causing the manifest file to be modified to designate the network resource as a resource that is not allowed to be cached.
6. The application cache checking method of claim 5, wherein the operation of causing the manifest file to be modified to designate the network resource as a resource that is not allowed to be cached comprises:
causing the network resource to be added to a NETWORK white list in the manifest file.
7. The application cache checking method according to any of claims 1 to 4, wherein the predetermined algorithm comprises any of:
fifth version of message digest algorithm (MD5), secure hash algorithm (SHA-1), RACE Integrity Primitives Evaluation Message Digest (RIPEMD), or fifth version of the Haval message digest algorithm (Haval MD5).
8. An application cache checking method comprises the following steps:
extending the manifest file of the application cache to include a signature check field, the signature check field containing information indicative of a signature check algorithm;
adding corresponding signatures to part or all of the file lists in the manifest file, wherein the signatures are calculated according to a signature verification algorithm indicated in the signature verification field; and
sending the manifest file through a secure channel.
9. The application cache verification method of claim 8, wherein the adding of the corresponding signature to the partial or full list of files in the manifest file comprises:
adding a signature to any one or more of the CACHE, NETWORK, and FALLBACK portions of the manifest file.
10. The application cache checking method of claim 8, wherein,
the secure channel is a hypertext transfer security protocol, HTTPS, channel.
11. The application cache checking method according to claim 8 or 9, wherein the signature checking algorithm comprises any one of:
fifth version of message digest algorithm (MD5), secure hash algorithm (SHA-1), RACE Integrity Primitives Evaluation Message Digest (RIPEMD), or fifth version of the Haval message digest algorithm (Haval MD5).
12. An application cache checking apparatus, comprising:
a manifest file loading unit configured to load a manifest file cached by an application through a secure channel, the manifest file including a signature check field that specifies a predetermined algorithm, and wherein a part or all of a list of files in the manifest file includes a corresponding signature;
a signature calculation unit configured to calculate a signature of the loaded network resource according to the predetermined algorithm; and
a signature verification unit configured to verify the signature calculated by the signature calculation unit with the signature of the corresponding file list in the manifest file.
13. The application cache checking apparatus of claim 12, further comprising:
a checking judgment unit configured to judge whether the loaded network resource belongs to the resource to be checked.
14. The application cache checking device according to claim 13, wherein the checking and judging unit comprises any one or more of the following:
a second determination module configured to determine that at least a portion of a file list of the manifest file includes a corresponding signature; and
a third determination module configured to determine whether the loaded network resource corresponds to a specified list of files in the manifest file.
15. The application cache checking apparatus of claim 14,
the secure channel is a hypertext transfer security protocol (HTTPS) channel; and/or
the list of specified files in the manifest file includes any one or more of: CACHE, NETWORK and FALLBACK.
16. The application cache checking apparatus according to any one of claims 12 to 15, further comprising:
a verification failure processing unit configured to, in a case that the signature verification unit verifies that the calculated signature of the loaded network resource is not consistent with the signature of the corresponding file list in the manifest file, perform any one or more of the following operations for the loaded network resource:
discarding the loaded network resource;
reloading the network resource through a secure channel; and
causing the manifest file to be modified to designate the network resource as a resource that is not allowed to be cached.
17. The application cache checking apparatus of claim 16, wherein the operation of causing the manifest file to be modified to designate the network resource as a resource that is not allowed to be cached comprises:
causing the network resource to be added to a NETWORK white list in the manifest file.
18. The application cache checking apparatus of any of claims 12 to 15, wherein the predetermined algorithm comprises any of:
fifth version of message digest algorithm (MD5), secure hash algorithm (SHA-1), RACE Integrity Primitives Evaluation Message Digest (RIPEMD), or fifth version of the Haval message digest algorithm (Haval MD5).
19. An application cache checking apparatus, comprising:
a manifest file extension unit configured to extend the manifest file cached by the application to include a signature check field containing information indicating a signature check algorithm;
a signature adding unit configured to add corresponding signatures to part or all of the file lists in the manifest file, the signatures being calculated according to a signature verification algorithm indicated in the signature verification field; and
a manifest file transmitting unit configured to cause the manifest file to be transmitted through a secure channel.
20. The application cache checking device of claim 19, wherein the signature adding unit is further configured to: adding a signature to any one or more of the CACHE, NETWORK, and FALLBACK portions of the manifest file.
21. The application cache checking apparatus of claim 19,
the secure channel is a hypertext transfer security protocol, HTTPS, channel.
22. The application cache checking device of claim 19 or 20, wherein the signature checking algorithm comprises any one of:
fifth version of message digest algorithm (MD5), secure hash algorithm (SHA-1), RACE Integrity Primitives Evaluation Message Digest (RIPEMD), or fifth version of the Haval message digest algorithm (Haval MD5).
23. A computing device, comprising:
a network interface that enables the computing device to communicate via one or more networks;
a memory in which network resources loaded through the network interface are cached; and
one or more processors coupled with the network interface and the memory, the one or more processors configured to perform operations comprising:
loading a manifest file cached by an application through a secure channel, the manifest file including a signature check field specifying a predetermined algorithm, and wherein a part or all of a list of files in the manifest file includes a corresponding signature;
calculating the signature of the loaded network resource according to the predetermined algorithm; and
checking the calculated signature with the signature of the corresponding file list in the manifest file.
24. A computing device, comprising:
one or more processors configured to perform the following operations:
extending the manifest file of the application cache to include a signature check field, the signature check field containing information indicative of a signature check algorithm; and
adding corresponding signatures to part or all of the file lists in the manifest file, wherein the signatures are calculated according to a signature verification algorithm indicated in the signature verification field;
sending the manifest file through a secure channel;
a memory connected to the one or more processors, the manifest file and files corresponding to a list of files in the manifest file being stored in the memory; and
a network interface that enables the computing device to communicate the manifest files stored in the memory and files corresponding to a list of files in the manifest files via one or more networks.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610599039.9A CN107666459B (en) 2016-07-27 2016-07-27 Application cache checking method and device and computing equipment

Publications (2)

Publication Number Publication Date
CN107666459A CN107666459A (en) 2018-02-06
CN107666459B CN107666459B (en) 2020-10-16

Family

ID=61114965

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610599039.9A Active CN107666459B (en) 2016-07-27 2016-07-27 Application cache checking method and device and computing equipment

Country Status (1)

Country Link
CN (1) CN107666459B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110162488B (en) * 2018-11-15 2022-02-11 深圳乐信软件技术有限公司 Cache consistency checking method, device, server and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104106048A (en) * 2012-02-16 2014-10-15 微软公司 Using application cache to update resources of installed applications
CN105320687A (en) * 2014-07-29 2016-02-10 腾讯科技(北京)有限公司 Webpage display method and device
CN105373747A (en) * 2015-12-09 2016-03-02 上海斐讯数据通信技术有限公司 File generation method, file verification method and systems for preventing system from being tampered
CN105630981A (en) * 2015-12-25 2016-06-01 小米科技有限责任公司 Network resource loading and configuration method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9268797B2 (en) * 2012-12-21 2016-02-23 Zetta Inc. Systems and methods for on-line backup and disaster recovery

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200713

Address after: 310052 room 508, floor 5, building 4, No. 699, Wangshang Road, Changhe street, Binjiang District, Hangzhou City, Zhejiang Province

Applicant after: Alibaba (China) Co.,Ltd.

Address before: 510627 Guangdong city of Guangzhou province Whampoa Tianhe District Road No. 163 Xiping Yun Lu Yun Ping B radio square 14 storey tower

Applicant before: Guangzhou Dongjing Computer Technology Co.,Ltd.

GR01 Patent grant