CN113010856A - Dynamic asymmetric encryption and decryption JavaScript code obfuscation method and system - Google Patents

Dynamic asymmetric encryption and decryption JavaScript code obfuscation method and system

Info

Publication number
CN113010856A
Authority
CN
China
Prior art keywords
obfuscation
browser
file
decryption
asymmetric encryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110230035.4A
Other languages
Chinese (zh)
Inventor
肖东爽
肖铮
陈树华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Dingxiang Technology Co ltd
Original Assignee
Beijing Dingxiang Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Dingxiang Technology Co ltd
Priority to CN202110230035.4A
Publication of CN113010856A
Legal status: Pending

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10: Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12: Protecting executable software
    • G06F21/14: Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services

Abstract

The invention discloses a dynamic asymmetric encryption and decryption JavaScript code obfuscation method and system. The method comprises the following steps: step A, a user accesses a service system, and the browser-side obfuscation SDK (software development kit) requests a JavaScript file from the service system; step B, the service system sends the source file to the obfuscation server, the obfuscation server dynamically obfuscates the code using asymmetric encryption to generate an obfuscated file and a token, and returns the obfuscated file and token to the browser-side obfuscation SDK, so that the file content returned on each access is different; and step C, the browser-side obfuscation SDK dynamically decrypts and executes the obfuscated file. With the method and system, the browser side cannot obtain the original file content, the obfuscated file content returned on each access changes, the obfuscation and decryption process cannot be forged, and the file is protected against reverse analysis.

Description

Dynamic asymmetric encryption and decryption JavaScript code obfuscation method and system
Technical Field
The invention relates to the field of computers and communication, in particular to a dynamic asymmetric encryption and decryption JavaScript code obfuscation method and system.
Background
With the rapid development of internet client technology, client-side technologies have become richer and client functions more complex. Because client code runs on the user's terminal, an attacker can easily read, analyze and crack it, which brings various risks to the system. At present, clients such as browsers, Hybrid Apps and applets run mainly by interpreting JavaScript code, so the JavaScript code needs to be protected to avoid exposing business logic and to prevent works from being copied and tampered with.
Current obfuscation methods are mainly static: files are obfuscated and then uploaded to a server, and the files downloaded from the server by different users are the same static files. Static obfuscation techniques fall mainly into two categories, control-flow obfuscation and data-structure obfuscation. Static obfuscation works well for virtual-machine languages such as Java and .NET, because such code is not compiled into binary machine code but is interpreted and executed at runtime as intermediate code, which is very easy to reverse, so obfuscation is necessary. Scripting languages such as JavaScript are protected by obfuscation in the same way, and these protection schemes operate on the source code.
A statically obfuscated file can be reversed as long as the attacker spends some time and cost. Once the file has been reversed, the business logic is exposed; even if the obfuscated file is subsequently updated regularly, the risk remains as long as the business logic does not change.
Disclosure of Invention
In view of the problem in the prior art that obfuscated files are easy to reverse, the invention provides a dynamic obfuscation technique, so that the browser side cannot obtain the original file content, the obfuscated file content returned on each access changes, the obfuscation and decryption process cannot be forged or bypassed, and the file is protected against reverse analysis.
The invention discloses a dynamic asymmetric encryption and decryption JavaScript code obfuscation method, which comprises the following steps:
step A, a user accesses a service system, and the browser-side obfuscation SDK (software development kit) requests a JavaScript file from the service system;
step B, the service system sends the source file to the obfuscation server, the obfuscation server dynamically obfuscates the code using asymmetric encryption to generate an obfuscated file and a token, and returns the obfuscated file and token to the browser-side obfuscation SDK, so that the file content returned on each access is different;
and step C, the browser-side obfuscation SDK dynamically decrypts and executes the obfuscated file.
Further, in step A, after receiving a user's request information for accessing the JavaScript source file, the service server obtains from the request information a feature value of the issuing end that issued it, and determines from the feature value whether the request information is legitimate. If the request information is legitimate, the issuing end is allowed to access the JavaScript source file; if it is not, the issuing end is refused access to the JavaScript source file.
Further, step B includes:
step B1, the obfuscation server generates a public key and a private key using an asymmetric encryption algorithm, passes in the private key to obfuscate the source file, and returns the obfuscated file and token to the service server;
the obfuscator works as follows: the source code is parsed to generate an AST, the basic data types in the code are encrypted and replaced with the encrypted content, and decryption code is inserted into the AST. The decryption code returns the original data only when it is given the public key as a parameter; otherwise it can still execute in the browser but does not produce a normal result. The obfuscated AST is then converted into new JavaScript code, which is returned;
the token may be used to request public key information from the obfuscation server;
and step B2, the service server returns the obfuscated file and token to the browser.
Further, step C includes:
step C1, the browser-side obfuscation SDK sends the token to the obfuscation server to request the public key;
step C2, the obfuscation server verifies the token and returns the public key to the browser;
and step C3, the browser executes the obfuscated file, passing in the public key as a parameter, and the code is dynamically decrypted and run during execution.
Further, in the token verification of step C2, if the token passes verification, the obfuscation server returns the public key to the browser side, and the user can use the public key to dynamically decrypt and execute the obfuscated file; if token verification fails, an exception is thrown to the browser and feedback of the verification failure is sent.
Further, the basic data type is a character string or a number.
Further, the asymmetric encryption algorithm is any one of RSA, ElGamal, the knapsack algorithm, Rabin, D-H and ECC.
Further, the asymmetric encryption algorithm adopts RSA.
In another aspect, the present invention further provides a dynamic asymmetric encryption/decryption JavaScript code obfuscating system, including a browser, a service server and an obfuscating server, where the browser has a browser-side obfuscating SDK, and the obfuscating server has an obfuscator, an interpreter and a token generator, and the system further has a memory, and a computer program stored on the memory and operable on the processor, where the computer program, when executed by the processor, implements the dynamic asymmetric encryption/decryption JavaScript code obfuscating method according to the present invention.
Further, the obfuscator replaces the basic data types in the code file according to a certain rule; the obfuscator permutes each instruction using a specified permutation matrix, and the permuted instruction retains all operands of the original instruction, but the operation code used to identify the data is changed.
The obfuscation server obfuscates the code using asymmetric encryption and applies dynamic obfuscation, so that the file content returned on each access is different; decryption happens dynamically at runtime and depends on the returned public key. With this method of dynamically obfuscating JavaScript, the browser cannot obtain the original file content, the obfuscated file content returned on each access changes, the token mechanism ensures that the obfuscation and decryption process cannot be forged or bypassed, and the problem that client-side JavaScript code is easy to analyze and reverse is solved.
Drawings
Fig. 1 shows a schematic structural and flow diagram of a JavaScript code obfuscating method and system for dynamic asymmetric encryption and decryption according to the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation.
The specific structure and flow of the dynamic asymmetric encryption/decryption JavaScript code obfuscation method and system are shown in FIG. 1.
The JavaScript code obfuscation method for dynamic asymmetric encryption and decryption comprises the following steps:
step A, a user accesses a service system, and the browser-side obfuscation SDK (software development kit) requests a JavaScript file from the service system;
step B, the service system sends the source file to the obfuscation server, the obfuscation server dynamically obfuscates the code using asymmetric encryption to generate an obfuscated file and a token, and returns the obfuscated file and token to the browser-side obfuscation SDK, so that the file content returned on each access is different;
and step C, the browser-side obfuscation SDK dynamically decrypts and executes the obfuscated file.
In step A, after receiving a user's request information for accessing the JavaScript source file, the service server obtains from the request information a feature value of the issuing end that issued it, and determines from the feature value whether the request information is legitimate. If the request information is legitimate, the issuing end is allowed to access the JavaScript source file; if it is not, the issuing end is refused access to the JavaScript source file.
The step B comprises the following steps:
step B1, the obfuscation server generates a public key and a private key using an asymmetric encryption algorithm, passes in the private key to obfuscate the source file, and returns the obfuscated file and token to the service server;
the obfuscator works as follows: the source code is parsed to generate an AST, the basic data types in the code are encrypted and replaced with the encrypted content, and decryption code is inserted into the AST. The decryption code returns the original data only when it is given the public key as a parameter; otherwise it can still execute in the browser but does not produce a normal result. The obfuscated AST is then converted into new JavaScript code, which is returned;
the token may be used to request public key information from the obfuscation server;
and step B2, the service server returns the obfuscated file and token to the browser.
The step C comprises the following steps:
step C1, the browser-side obfuscation SDK sends the token to the obfuscation server to request the public key;
step C2, the obfuscation server verifies the token and returns the public key to the browser;
and step C3, the browser executes the obfuscated file, passing in the public key as a parameter, and the code is dynamically decrypted and run during execution.
The specific implementation process of the method is as follows:
Step 1, a user accesses the service system, and the browser-side obfuscation SDK requests a JavaScript file from the service system.
JavaScript code is program code written in the interpreted scripting language JavaScript, and a collection of JavaScript code forms a JavaScript source file. The JavaScript source file can be viewed directly through the browser's view-source function.
To protect the JavaScript source file, a step that verifies the request information can be added. After receiving a user's request information for accessing the JavaScript source file, the service server obtains from the request information a feature value of the issuing end that issued it, and determines from the feature value whether the request information is legitimate. If the request information is legitimate, the issuing end is allowed to access the JavaScript source file; if it is not, the issuing end is refused access. Verifying the request information in this way filters requests for the JavaScript source file, so that legitimate requests are executed normally and illegitimate requests cannot be executed, which prevents illegitimate users from tampering with the JavaScript source file and improves its security.
Specifically, after the feature value of the issuing end is obtained, the IP address in the feature value is compared with the IP addresses in the verification information base of the JavaScript source file to determine whether the IP address of the issuing end matches one of them. If it matches, the issuing end has permission to access the JavaScript source file, and the user name in the feature value is then compared with the user names in the verification information base. If the user name logged in at the issuing end matches one of them, the user name has permission to access the JavaScript source file, and the issuing end is allowed to access it. If the IP address of the issuing end matches none of the IP addresses in the verification information base, or the IP address matches but the user name logged in at the issuing end matches none of the user names in the verification information base, then either the issuing end has no permission to access the JavaScript source file, or the user name logged in at a permitted issuing end has no such permission, and the access request is rejected. This double check judges the access permission of the issuing end and of the user name logged in at it separately, so that an illegitimate user cannot access the JavaScript source file, which improves the security of the JavaScript source file.
Step 2, the service system sends the source file to the obfuscation server.
After verification passes, the service server sends the JavaScript source file to the obfuscation server. The obfuscation server includes: a random number generation module, which generates a random number according to the received application information and sets the random number as a key parameter; an algorithm reconstruction module, which changes the operation sequence of a preset algorithm according to the key parameter to obtain an obfuscated encryption/decryption algorithm, and/or changes the structure of the grouped data blocks of the preset algorithm and the operation sequence of the corresponding grouped data blocks according to the key parameter to obtain the obfuscated encryption/decryption algorithm, and/or changes the fixed parameters of the preset algorithm according to the key parameter to obtain the obfuscated encryption/decryption algorithm; and a plug-in compiling module, which compiles the application information and the obfuscated encryption/decryption algorithm into a security plug-in.
Step 3, the obfuscation server generates a public key and a private key using an asymmetric encryption algorithm (such as RSA), passes in the private key to obfuscate the source file (the file is not encrypted), and returns the obfuscated file and token to the service server.
Step 3 includes: (a) the obfuscator works as follows: the source code is parsed to generate an AST, the basic data types in the code (such as character strings and numbers) are encrypted and replaced with the encrypted content, and decryption code is inserted into the AST. The decryption code needs the public key as a parameter to return the original data; otherwise it can still execute in the browser but does not produce a normal result. The obfuscated AST is then converted into new JavaScript code, which is returned.
(b) The token may be used to request public key information from the obfuscation server.
An asymmetric encryption algorithm is a key-based encryption method that requires two keys: a public key and a private key. The encryption key differs from the decryption key: plaintext encrypted with the private key can only be decrypted with the public key, and plaintext encrypted with the public key can only be decrypted with the private key. Asymmetric encryption algorithms offer good security and remove the need for end users to exchange keys. Their characteristics are as follows: the algorithms are complex, security depends on both the algorithm and the key, and the complexity of the algorithm gives high security. The asymmetric encryption algorithm may be any one of RSA, ElGamal, the knapsack algorithm, Rabin, D-H and ECC. Among them, RSA is the most commonly used asymmetric encryption algorithm.
The abstract syntax tree (AST) is a tree structure corresponding to the syntax of the source code. By constructing the syntax tree, statements in the source code of a programming language can be mapped to nodes of the tree. JavaScript source code can be converted into an AST by a JavaScript parser.
The obfuscation server is provided with an obfuscator, and the file content it returns differs on every access. The browser cannot obtain the original file content, and because the obfuscated file content returned on each access changes and the token mechanism ensures that the obfuscation and decryption flow cannot be forged or bypassed, the client-side JavaScript code cannot be reverse-analyzed, so security is extremely high.
The obfuscator replaces the basic data types in the code file according to a certain rule; the replacement may also be an instruction-set permutation. The obfuscator permutes each instruction using a prescribed permutation matrix (e.g., randomly chosen); the permuted instruction retains all operands of the original instruction, but the opcode used to identify the data is changed.
Because dynamic obfuscation is used, the opcode of each instruction in the obfuscated file differs from that of the original instruction, and the opcodes must be restored for each instruction to execute correctly; otherwise the obfuscated application cannot be executed normally by a general-purpose operating system. Preferably, when a particular terminal needs to run an obfuscated application, the corresponding interpreter is loaded first. The interpreter corresponds one-to-one with the permutation matrix used for obfuscation, i.e. the interpreter is what restores the instructions. The token generator is a tool that generates a token using the permutation matrix; the token is a character string generated by the server. In the invention, the token must carry the interpreter needed to interpret and execute the obfuscated code; tokens generated from different permutation matrices carry different interpreters, and data obfuscated by the obfuscator can only be executed in the interpreter generated from the same permutation matrix.
Step 4, the service server returns the obfuscated file and token to the browser.
Step 5, the browser-side obfuscation SDK sends the token to the obfuscation server to request the public key.
Step 6, the obfuscation server verifies the token and returns the public key to the browser.
In the token verification step, if the token passes verification, the obfuscation server returns the public key to the browser side, and the user can use the public key to dynamically decrypt and execute the obfuscated file; if token verification fails, an exception is thrown to the browser and feedback of the verification failure is sent.
Step 7, the browser executes the obfuscated file, passing in the public key as a parameter, and the code is dynamically decrypted and run during execution.
The obfuscation server obfuscates the code using asymmetric encryption and applies dynamic obfuscation, so that the file content returned on each access is different; decryption happens dynamically at runtime and depends on the returned public key.
With this method of dynamically obfuscating JavaScript, the browser side cannot obtain the original file content, the obfuscated file content returned on each access changes, the token mechanism ensures that the obfuscation and decryption process cannot be forged or bypassed, and the problem that client-side JavaScript code is easy to analyze and reverse is solved.
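Steps 3 to 7 above, as an added Node.js example that is not code from the patent: a fresh RSA key pair per request, literals encrypted with the private key, and a token that releases the public key to the inserted decryption code. Assumptions: a regex over double-quoted strings and decimal numbers stands in for the AST pass, tokens are single-use, and the names obfuscate, redeemToken and runObfuscated are hypothetical.

```javascript
// Added example, not the patent's implementation. Runs under Node.js.
const crypto = require("crypto");

// Constructed sample "JavaScript source file" held by the service server.
const SAMPLE_SOURCE =
  'function price(qty) { return "total:" + (qty * 42); }\nreturn price(2);';

// Obfuscation-server state: token -> public key (PEM).
const tokenStore = new Map();

// Assumption: this regex stands in for the AST pass. It matches double-quoted
// strings and decimal numbers whose source text is also valid JSON; a real
// obfuscator would parse the file and rewrite the literal nodes of the AST.
const LITERAL = /"(?:[^"\\]|\\.)*"|\b\d+(?:\.\d+)?\b/g;

// Step 3: generate a key pair for this request and encrypt every literal with
// the PRIVATE key. The private key is dropped when the function returns.
function obfuscate(source) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  const body = source.replace(LITERAL, (literal) => {
    const ct = crypto.privateEncrypt(privateKey, Buffer.from(literal, "utf8"));
    return `__d("${ct.toString("base64")}")`;
  });
  // Inserted decryption code: with the matching public key it returns the
  // original value; with any other key it still runs but returns undefined.
  const stub =
    "const __d = (c) => { try { return JSON.parse(__dec(__pk, c)); }" +
    " catch (e) { return undefined; } };\n";
  const token = crypto.randomBytes(16).toString("hex");
  tokenStore.set(token, publicKey);
  return { code: stub + body, token };
}

// Step 6: verify the token and return the public key, or throw on failure.
function redeemToken(token) {
  const publicKey = tokenStore.get(token);
  if (!publicKey) throw new Error("token verification failed");
  tokenStore.delete(token); // assumption: single use; the patent gives no token lifetime
  return publicKey;
}

// RSA primitive handed to the decryption stub (browser side in the patent).
function rsaPublicDecrypt(publicKeyPem, b64) {
  const ct = Buffer.from(b64, "base64");
  return crypto.publicDecrypt(publicKeyPem, ct).toString("utf8");
}

// Step 7: execute the obfuscated file with the public key passed as a parameter.
function runObfuscated(code, publicKeyPem) {
  return new Function("__pk", "__dec", code)(publicKeyPem, rsaPublicDecrypt);
}

// Two requests for the same source file, then decryption with the right key,
// with the other request's key, and a replay of an already used token.
function demo() {
  const first = obfuscate(SAMPLE_SOURCE);
  const second = obfuscate(SAMPLE_SOURCE);
  const good = runObfuscated(first.code, redeemToken(first.token));
  const wrongKey = runObfuscated(first.code, redeemToken(second.token));
  let replay = null;
  try {
    redeemToken(first.token);
  } catch (e) {
    replay = e.message;
  }
  return {
    differs: first.code !== second.code,
    leaksLiteral: first.code.includes("total:"),
    good,
    wrongKey,
    replay,
  };
}

console.log(demo());
```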
In addition, the embodiment of the invention also provides a dynamic asymmetric encryption and decryption JavaScript code obfuscation system, which comprises a browser, a service server and an obfuscation server, wherein the browser is provided with a browser-side obfuscation SDK, the obfuscation server is provided with an obfuscator, an interpreter and a token generator, the system is also provided with a memory and a computer program which is stored on the memory and can run on the processor, and when the computer program is executed by the processor, the computer program realizes the processes of dynamic obfuscation and dynamic decryption, and can achieve the same technical effect of protecting a source file and preventing the source file from being reversed.
The embodiment of the invention also provides a computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, and when being executed by a processor, the computer program realizes each process of the dynamic obfuscation method or the encryption method embodiment based on the dynamic obfuscation method, and can achieve the same technical effect. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.

Claims (10)

1. A dynamic asymmetric encryption/decryption JavaScript code obfuscation method, characterized by comprising the following steps:
step A, a user accesses a service system, and the browser-side obfuscation SDK (software development kit) requests a JavaScript file from the service system;
step B, the service system sends the source file to the obfuscation server, the obfuscation server dynamically obfuscates the code using asymmetric encryption to generate an obfuscated file and a token, and returns the obfuscated file and token to the browser-side obfuscation SDK, so that the file content returned on each access is different;
and step C, the browser-side obfuscation SDK dynamically decrypts and executes the obfuscated file.
2. The dynamic asymmetric encryption/decryption JavaScript code obfuscation method according to claim 1, wherein in step A, after receiving request information for accessing a JavaScript source file from a user, the service server obtains, from the request information, a feature value of the issuing end that issued the request information, and determines from the obtained feature value whether the request information is legitimate; if the request information is legitimate, the issuing end is allowed to access the JavaScript source file, and if it is not, the issuing end is denied access to the JavaScript source file.
3. The dynamic asymmetric encryption/decryption JavaScript code obfuscation method according to claim 1 or 2, wherein step B comprises:
step B1, the obfuscation server uses an asymmetric encryption algorithm to generate a public key and a private key, passes in the private key to obfuscate the source file, and returns the obfuscated file and token to the service server;
the obfuscation program works as follows: the source code is parsed to generate an AST, values of basic data types in the code are encrypted and replaced with the encrypted content, and decryption code is inserted into the AST; given the public key as a parameter, the decryption code returns the original data, and otherwise the code can still be executed in a browser but does not produce a normal result; the obfuscated AST is then converted into new JavaScript code, which is returned;
the token may be used to request public key information from the obfuscation server;
and step B2, the service server returns the obfuscated file and token to the browser.
4. The dynamic asymmetric encryption/decryption JavaScript code obfuscation method according to claim 3, wherein step C comprises:
step C1, the browser-side obfuscation SDK sends the token to the obfuscation server to request the public key;
step C2, the obfuscation server verifies the token and returns the public key to the browser;
and step C3, the browser executes the obfuscated file, passing in the public key as a parameter, and the code is dynamically decrypted and run during execution.
5. The dynamic asymmetric encryption/decryption JavaScript code obfuscation method according to claim 4, wherein in the step C2, during the token verification process, if the token passes the verification, the obfuscation server returns the public key to the browser end, and the user can dynamically decrypt the obfuscated file using the public key and execute the obfuscated file; and if the token verification fails, throwing an exception to the browser and sending feedback of the verification failure.
6. The dynamic asymmetric encryption/decryption JavaScript code obfuscation method of claim 3, wherein the base data type is a string or a number.
7. The dynamic asymmetric encryption/decryption JavaScript code obfuscation method according to any one of claims 1-6, wherein the asymmetric encryption algorithm is any one of RSA, Elgamal, the knapsack algorithm, Rabin, D-H, and ECC.
8. The dynamic asymmetric encryption/decryption JavaScript code obfuscation method of claim 7, wherein the asymmetric encryption algorithm employs RSA.
9. A dynamic asymmetric encryption/decryption JavaScript code obfuscation system, comprising a browser, a service server and an obfuscation server, wherein the browser has a browser-side obfuscation SDK, and the obfuscation server has an obfuscator, an interpreter and a token generator, and further comprising a memory, and a computer program stored on the memory and executable on the processor, and when executed by the processor, the computer program implements the dynamic asymmetric encryption/decryption JavaScript code obfuscation method according to any one of claims 1 to 8.
10. The system for obfuscating dynamic asymmetric encryption/decryption JavaScript code according to claim 9, wherein the obfuscator replaces a basic data type in the code file by a certain rule, the obfuscator replaces each instruction with a specified permutation matrix, and the replaced instruction retains all operands of the original instruction, but an opcode used for identifying data has changed.
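The flow of claims 3 to 5, as an added Node.js example that is not code from the patent or its applicant: a per-request RSA key pair, private-key encryption of string and number literals, a token that gates release of the public key, and decryption at execution time. All function names, the `EncryptedLiteral` node type and the in-memory token map are assumptions, and the sketch interprets a small constructed ESTree-style AST directly instead of regenerating JavaScript source as the claim describes.

```javascript
// Added illustration, not the patent's code; all names are hypothetical.
const nodeCrypto = require('crypto');

const issued = new Map(); // obfuscation server state: token -> public key (PEM)

// Step B1: new RSA pair per request. String/number literals are encrypted with
// the PRIVATE key, so only the matching public key recovers them.
function obfuscate(ast) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const walk = (node) => {
    if (node === null || typeof node !== 'object') return node;
    if (node.type === 'Literal' && ['string', 'number'].includes(typeof node.value)) {
      const plain = Buffer.from(JSON.stringify(node.value));
      const data = nodeCrypto.privateEncrypt(privateKey, plain).toString('base64');
      return { type: 'EncryptedLiteral', data };
    }
    return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, walk(v)]));
  };
  const token = nodeCrypto.randomBytes(16).toString('hex');
  issued.set(token, publicKey);
  return { file: walk(ast), token };
}

// Steps C1/C2: the SDK presents the token; an unknown token raises an exception.
function requestPublicKey(token) {
  if (!issued.has(token)) throw new Error('token verification failed');
  return issued.get(token);
}

// Step C3: execute the obfuscated tree, decrypting each literal on demand.
function run(node, publicKey) {
  if (node.type === 'EncryptedLiteral') {
    const raw = nodeCrypto.publicDecrypt(publicKey, Buffer.from(node.data, 'base64'));
    return JSON.parse(raw.toString());
  }
  if (node.type !== 'BinaryExpression') throw new Error('unsupported node');
  const l = run(node.left, publicKey), r = run(node.right, publicKey);
  return node.operator === '+' ? l + r : l * r;
}

// Constructed sample AST for the expression: "total: " + 6 * 7
const SAMPLE = {
  type: 'BinaryExpression', operator: '+',
  left: { type: 'Literal', value: 'total: ' },
  right: { type: 'BinaryExpression', operator: '*',
    left: { type: 'Literal', value: 6 }, right: { type: 'Literal', value: 7 } },
};
```

Because the public key is handed to every client that presents a valid token, the scheme hides literals from static reading of the served file and ties each file to one key pair; it does not keep the code secret from a client that completes the exchange.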
CN202110230035.4A 2021-03-02 2021-03-02 Dynamic asymmetric encryption and decryption JavaScript code obfuscation method and system Pending CN113010856A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110230035.4A CN113010856A (en) 2021-03-02 2021-03-02 Dynamic asymmetric encryption and decryption JavaScript code obfuscation method and system


Publications (1)

Publication Number Publication Date
CN113010856A (en) 2021-06-22

Family

ID=76402310


Country Status (1)

Country Link
CN (1) CN113010856A (en)






Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination