CN114189369A - Secure communication method and device under browser - Google Patents
Secure communication method and device under browser Download PDFInfo
- Publication number
- CN114189369A CN114189369A CN202111442171.6A CN202111442171A CN114189369A CN 114189369 A CN114189369 A CN 114189369A CN 202111442171 A CN202111442171 A CN 202111442171A CN 114189369 A CN114189369 A CN 114189369A
- Authority
- CN
- China
- Prior art keywords
- browser
- logic
- file
- javascript file
- wasm
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000004891 communication Methods 0.000 title claims abstract description 67
- 238000000034 method Methods 0.000 title claims abstract description 67
- 238000012795 verification Methods 0.000 claims abstract description 46
- 238000002347 injection Methods 0.000 claims abstract description 16
- 239000007924 injection Substances 0.000 claims abstract description 16
- 230000008569 process Effects 0.000 claims abstract description 15
- 238000004590 computer program Methods 0.000 claims description 23
- 230000004044 response Effects 0.000 claims description 14
- 238000003780 insertion Methods 0.000 claims description 3
- 230000037431 insertion Effects 0.000 claims description 3
- 238000004364 calculation method Methods 0.000 claims description 2
- 238000004458 analytical method Methods 0.000 abstract description 8
- 230000003068 static effect Effects 0.000 abstract description 4
- 238000010586 diagram Methods 0.000 description 18
- 230000006870 function Effects 0.000 description 9
- 238000012545 processing Methods 0.000 description 9
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012544 monitoring process Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000000750 progressive effect Effects 0.000 description 2
- 239000000243 solution Substances 0.000 description 2
- 230000001960 triggered effect Effects 0.000 description 2
- VYZAMTAEIAYCRO-UHFFFAOYSA-N Chromium Chemical compound [Cr] VYZAMTAEIAYCRO-UHFFFAOYSA-N 0.000 description 1
- 108010001267 Protein Subunits Proteins 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 239000007795 chemical reaction product Substances 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000011423 initialization method Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a safe communication method and a device under a browser, wherein the method comprises the following steps: after loading of browser resources is completed, calling a prestored wasm file to perform state initialization; dynamically injecting logic hidden codes into a prestored JavaScript file while calling the wasm file to carry out state initialization; after the dynamic injection of the logic hidden code is completed, the safety of the current operating environment is verified in the state initialization process; and after the verification is passed, communicating with the server in the state of finishing initialization. The method and the device hide the key logic codes at the front end in the form of the binary file, improve the code static analysis cost of an attacker, simultaneously avoid the problem that the common flow hijacks a phishing website in man-in-the-middle attack through checking the local running environment, and further improve the code analysis cost of the attacker and improve the attack difficulty through carrying out wasm hosting on the key data.
Description
Technical Field
The application belongs to the technical field of cloud computing security services, and particularly relates to a secure communication method and device under a browser.
Background
At present, aiming at the problem of communication security under the environment of a front-end pure browser, https encrypted communication of a certificate of a trusted CA authority is generally adopted between a browser and a server to solve the problem. Because different browsers have different verification strengths for CA certificates, in order to solve the problem that a user is attacked by a man-in-the-middle after being connected to a trusted network, encryption is usually performed on a code logic layer, in short, an asymmetric key is used for communication exchange of a symmetric encryption key, and then a message encrypted by the symmetric key is used for communication between the front end and the rear end.
The prior art can relieve the problem of man-in-the-middle attack under the untrusted network to a certain extent. However, due to the characteristics of the JavaScript language analytic language in the browser environment, the front-end code logic can be actually statically analyzed in a relatively low-cost manner, so that an attacker can modify the front-end code and easily complete the tentative attack on the server interface.
WebAssembly is a new coding that can run in modern Web browsers-it is a low-level assembly-like language with compact binary format (wasm), can run close to native performance, and provides a compilation target for languages such as C/C + + so that they can run on the Web. It is also designed to co-exist with JavaScript, allowing both to work together.
Disclosure of Invention
The application provides a secure communication method and device under a browser, which at least solve the problem that an attacker can attack a server interface after modifying a front-end code because the front-end code logic can be statically analyzed in a low-cost mode.
According to one aspect of the application, a secure communication method under a browser is provided, which includes:
after loading of browser resources is completed, calling a prestored wasm file to perform state initialization;
dynamically injecting logic hidden codes into a prestored JavaScript file while calling the wasm file to carry out state initialization;
after the dynamic injection of the logic hidden code is completed, the safety of the current operating environment is verified in the state initialization process;
and after the verification is passed, communicating with the server in the state of finishing initialization.
In an embodiment, dynamically injecting a logic hiding code into a pre-stored JavaScript file includes:
operating a dom tree in the HTML through the wasm, and dynamically inserting a label into the JavaScript file;
and operating the interface by using the JavaScript file, and injecting a logic hidden code according to the inserted label to delete the response logic after the interface finishes the response logic.
In one embodiment, the security verification of the current operating environment during state initialization comprises:
verifying a uniform resource locator operated by a browser, and judging whether the domain name of the uniform resource locator is a legal domain name or not;
and performing MD5 verification on the JavaScript file, and judging whether the JavaScript file is tampered by an attacker.
In an embodiment, the MD5 verification is performed on the JavaScript file, and determining whether the JavaScript file is tampered by an attacker includes:
downloading binary data of the JavaScript file in the wap;
calculating MD5 values of binary data;
and comparing the MD5 value with a preset legal value and judging whether the JavaScript file is tampered by an attacker or not according to the comparison result.
In one embodiment, communicating with the server in a state where initialization is complete includes:
and in an initialization state, all communication with the server is managed through wasm.
According to another aspect of the present application, there is also provided a secure communication apparatus under a browser, including:
the initialization unit is used for calling a prestored wasm file to carry out state initialization after the browser resource loading is finished;
the dynamic injection unit is used for dynamically injecting logic hidden codes into a prestored JavaScript file while calling the wasm file to carry out state initialization;
the security verification unit is used for performing security verification on the current operating environment in the state initialization process after the dynamic injection of the logic hidden code is completed;
and the safety communication unit is used for communicating with the server in the initialized state after the verification is passed.
In one embodiment, the dynamic injection unit includes:
the tag insertion module is used for operating a dom tree in the HTML through the wap and dynamically inserting tags into the JavaScript file;
and the logic hiding module is used for operating the interface by utilizing the JavaScript file, and after the interface finishes the response logic, injecting a logic hiding code according to the inserted label to delete the response logic.
In one embodiment, the security verification unit includes:
the URL verification module is used for verifying the uniform resource locator operated by the browser and judging whether the domain name of the uniform resource locator is a legal domain name or not;
and the MD5 verification module is used for performing MD5 verification on the JavaScript file and judging whether the JavaScript file is tampered by an attacker.
In one embodiment, the MD5 validation module includes:
the binary acquisition module is used for downloading binary data of the JavaScript file in the wap;
a calculation module for calculating MD5 values of the binary data;
and the comparison module is used for comparing the MD5 value with a preset legal value and judging whether the JavaScript file is tampered by an attacker or not according to a comparison result.
In one embodiment, the secure communication unit comprises:
and the hosting module is used for hosting all the communication with the server through the wasm in an initialization state.
The method and the device hide the key logic codes at the front end in the form of the binary file, improve the code static analysis cost of an attacker, simultaneously avoid the problem that the common flow hijacks a phishing website in man-in-the-middle attack through checking the local running environment, and further improve the code analysis cost of the attacker and improve the attack difficulty through carrying out wasm hosting on the key data.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a secure communication method under a browser according to the present application.
Fig. 2 is a flowchart of a method for dynamically injecting logic hiding code according to an embodiment of the present application.
Fig. 3 is a flowchart of security verification performed on the current operating environment in the embodiment of the present application.
Fig. 4 is a flowchart of a method for determining whether a JavaScript file is tampered by an attacker in the embodiment of the present application.
Fig. 5 is a block diagram illustrating a secure communication device under a browser according to the present application.
Fig. 6 is a block diagram of a dynamic injection unit in the embodiment of the present application.
Fig. 7 is a block diagram of a security verification unit in the embodiment of the present application.
Fig. 8 is a block diagram illustrating a structure of an MD5 verification module in the embodiment of the present application.
Fig. 9 is a specific implementation of an electronic device in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the prior art, the main problem of the encryption communication mechanism for https is that authentication of a CA certificate is completely performed by a browser, and different browsers may adopt different authentication and prompt behaviors (for example, when a chrome finds that a certificate is not matched with a domain name, access is blocked, an edge only makes a weak prompt beside the domain name, and a certain version of the browser is directly ignored), so that when a client connects an untrusted network, the client is easily subjected to message monitoring by a middleman, and a communication message is intercepted and modified from the untrusted network.
The popular front-end JavaScript (JS) communication encryption mechanism is a symmetric key exchange scheme based on https, only aiming at the defects in the verification of https certificates, and the RSA private key of the server is arranged in the front end, so that the security risk caused by the fact that the client uses a standard browser and is connected with an insecure network is avoided.
However, due to the language characteristics of the JavaScript, the source code logic can be analyzed and modified at low cost, that is, an attacker can firstly obtain a message interaction mode with the server by reading the source code of the front-end JavaScript, then establish a wifi network, forward all the front-end request traffic to the own server, replace the public key of the server in the code with the public key of the server, decrypt the random secret key of the front end, and then simulate the client to communicate with the server, so as to achieve the purpose of man-in-the-middle attack.
Aiming at the problem that various schemes are easy to be attacked by man-in-the-middle, the WebAssembler is introduced to realize partial front-end logic based on the assembly binary scheme so as to achieve the purpose of hiding the key logic of the front end, and on the other hand, a set of flow mechanism is combined with the server to ensure the communication safety of the client operation environment and the network environment.
The application not only provides a secure communication method under the browser, but also provides a secure communication device under the browser for implementing the secure communication method under the browser provided in one or more embodiments of the application, and the secure communication device under the browser can be in communication connection with client devices by itself or through a third-party server and the like to receive fault test requests respectively initiated by each client device, and then triggers a program in the device for implementing the secure communication method under the browser provided in one or more embodiments of the application to execute a secure communication step.
It will be appreciated that the client device may comprise a smartphone, a laptop computer, a desktop computer, or the like.
In another practical application scenario, the aforementioned portion of the secure communication apparatus under the browser performing the secure communication under the browser may be executed in the server as described above, or all operations may be completed in the client device. The selection may be specifically performed according to the processing capability of the client device, the limitation of the user usage scenario, and the like. This is not a limitation of the present application. If all the operations are completed in the client device, the client device may further include a processor for performing specific processing of secure communication encryption under the browser.
The client device may have a communication module (i.e., a communication unit), and may be communicatively connected to a remote server to implement data transmission with the server. The server may include a server on the task scheduling center side, and in other implementation scenarios, the server may also include a server on an intermediate platform, for example, a server on a third-party server platform that is communicatively linked to the task scheduling center server. The server may include a single computer device, or may include a server cluster formed by a plurality of servers, or a server structure of a distributed apparatus.
The server and the client device may communicate using any suitable network protocol, including network protocols not yet developed at the filing date of this application. The network protocol may include, for example, a TCP/IP protocol, a UDP/IP protocol, an HTTP protocol, an HTTPS protocol, or the like. Of course, the network Protocol may also include, for example, an RPC Protocol (Remote Procedure Call Protocol), a REST Protocol (Representational State Transfer Protocol), and the like used above the above Protocol.
The following embodiments and application examples are specifically and individually described in detail.
According to an aspect of the present application, there is provided a method for secure communication under a browser, as shown in fig. 1, including:
s101: and after the browser resource loading is finished, calling the prestored wasm file to initialize the state.
S102: and dynamically injecting logic hidden codes into the pre-stored JavaScript file while calling the wasm file to perform state initialization.
S103: and after the dynamic injection of the logic hidden codes is completed, performing security verification on the current operating environment in the state initialization process.
S104: and after the verification is passed, obtaining an encryption key and communicating with the server in a state of finishing initialization.
In a specific embodiment, when the user opens the browser, the JS file, html file, wasm file, etc. are loaded to the client browser together by the server (in this step, the server returning the resources of the JS file, html file, wasm file, etc. to the user may be an untrusted third party attacker). After the browser resource is loaded, triggering the logic operation of the JS file, and firstly calling an initialization method in the wasm to initialize the state. Since the code of the JS cannot hide the logic of the JS, the code is dynamically injected into the JS file when the wsm initialization is triggered, so that the logic is deleted after the JS file completes the response logic, and the purpose of logic hiding is achieved to a certain extent.
In an embodiment, dynamically injecting a logic hiding code into a pre-stored JavaScript file, as shown in fig. 2, includes:
s201: and operating a dom tree in the HTML through wasm, and dynamically inserting a tag into the JavaScript file.
S202: and operating the interface by using the JavaScript file, and injecting a logic hidden code according to the inserted label to delete the response logic after the interface finishes the response logic.
In a specific embodiment, since the code of the JS cannot hide the logic of the JS, when the initialization of the wasm is triggered, the code is dynamically injected into the JS file, the principle is that the html dom tree is operated by the wasm, and a < script > tag is dynamically inserted into the JS file, wherein the jsm is an interface method which needs to be operated by means of the JS file, and after the response logic is completed, a piece of logic is injected again to delete the JS file, so that the purpose of logic hiding to a certain extent is achieved.
In one embodiment, the security verification of the current operating environment during the state initialization process, as shown in fig. 3, includes:
s301: and verifying the uniform resource locator operated by the browser and judging whether the domain name of the uniform resource locator is a legal domain name or not.
S302: and performing MD5 verification on the JavaScript file, and judging whether the JavaScript file is tampered by an attacker.
In a specific embodiment, in order to prevent the situation that the wasm is used by the nested shell (i.e. the wasm can guarantee the security integrity because of the self-character, but the attacker achieves the aim by modifying the JS control program logic called outside the attacker), the current environment needs to be verified during the initialization process of the wasm, and a specific verification method comprises verifying that the browser runs a URL (uniform resource locator) and MD5 verification. Verifying the browser launch URL includes: through an injected JS method, window.location.href is called in wap to obtain the URL of the current browser operation for verification, and to verify whether the domain name is legal, and https connection is adopted (a common method for man-in-the-middle attack on https connection is to apply for a domain name similar to the domain name being attacked, even if small languages such as Greek are used for emulation, for example, rho of Greek letters and p of English face, then apply for CA certificate, finally establish phishing wifi network to guide the user traffic to the attacking website, and then realize the target of message monitoring interception), and the attack can be avoided by verifying the domain name in browser operation.
In an embodiment, the MD5 is performed to check the JavaScript file, and it is determined whether the JavaScript file is tampered by an attacker, as shown in fig. 4, the method includes:
s401: and downloading the binary data of the JavaScript file in the wap.
S402: the MD5 value of the binary data is calculated.
S403: and comparing the MD5 value with a preset legal value and judging whether the JavaScript file is tampered by an attacker or not according to the comparison result.
In a specific embodiment, binary data of a key js file is downloaded in the wap by a window. MD5 verification mainly prevents the attacker from making root certificate trust locally, and then loads the partially modified JS file for attack purposes.
In one embodiment, obtaining the encryption key and communicating with the server in a state of completing initialization includes:
and in an initialization state, all communication with the server is managed through wasm.
In a specific embodiment, after the local running environment is verified, the subsequent communication is exchanged with the server in the wasm to use the encryption key, and the exchanged key is stored in the global storage area of the wasm. All subsequent communication between JS and the server is managed through the communication module of the wasm, meanwhile, fields which are irrelevant to the display logic of the front end and represent the identity of the user like uid/token are not exposed to the JS layer any more, and are managed completely by the wasm layer, so that the security risk caused by breakpoint debugging, data modification and the like of an attacker in a local browser is avoided to a certain extent.
According to the method, the key logic codes at the front end are hidden in the form of the binary file, the code static analysis cost of an attacker is improved, meanwhile, the problem that a phishing website is hijacked by the flow commonly seen in man-in-the-middle attack is solved by checking the local running environment, moreover, the key data is subjected to wasm hosting, the code analysis cost of the attacker is solved, and the attack difficulty is improved.
Based on the same inventive concept, the embodiment of the present application further provides a secure communication device under a browser, which can be used to implement the method described in the above embodiment, as described in the following embodiments. Because the principle of solving the problems of the safety communication device under the browser is similar to the safety communication method under the browser, the implementation of the safety communication device under the browser can refer to the implementation of the safety communication method under the browser, and repeated parts are not described again. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. While the system described in the embodiments below is preferably implemented in software, implementations in hardware, or a combination of software and hardware are also possible and contemplated.
According to another aspect of the present application, there is also provided a secure communication apparatus under a browser, as shown in fig. 5, including:
an initialization unit 501, configured to call a pre-stored wasm file to perform state initialization after the browser resource is loaded;
the dynamic injection unit 502 is configured to dynamically inject a logic hidden code into a pre-stored JavaScript file while calling the wasm file to perform state initialization;
the security verification unit 503 is configured to perform security verification on the current operating environment in the state initialization process after the dynamic injection of the logic hidden code is completed;
and a secure communication unit 504, configured to communicate with the server in a state where initialization is completed after the authentication is passed.
In one embodiment, as shown in fig. 6, the dynamic injection unit 502 includes:
the tag insertion module 601 is used for operating a dom tree in the HTML through the wap and dynamically inserting tags into the JavaScript file;
and the logic hiding module 602 is configured to operate the interface by using a JavaScript file, and after the interface completes a response logic, inject a logic hiding code according to the inserted tag to delete the response logic.
In one embodiment, as shown in fig. 7, the security verification unit 503 includes:
a URL verification module 701, configured to verify a uniform resource locator operated by a browser, and determine whether a domain name of the uniform resource locator is a legal domain name;
the MD5 verifying module 702 is configured to perform MD5 verification on the JavaScript file, and determine whether the JavaScript file is tampered by an attacker.
In one embodiment, as shown in FIG. 8, MD5 verification module 702 includes:
a binary acquisition module 801, configured to download binary data of the JavaScript file in the wap;
a calculating module 802 for calculating MD5 values of binary data;
the comparison module 803 is configured to compare the MD5 value with a preset legal value, and determine whether the JavaScript file is tampered by an attacker according to a comparison result.
In one embodiment, the secure communication unit comprises:
and the hosting module is used for hosting all the communication with the server through the wasm in an initialization state.
The key logic code of the front end is hidden in a binary file mode, the code static analysis cost of an attacker is improved, meanwhile, the problem that a common flow hijacks a phishing website in man-in-the-middle attack is solved through checking the local running environment, moreover, the key data is subjected to wasm hosting, the code analysis cost of the attacker is solved, and the attack difficulty is improved.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principle and the implementation mode of the invention are explained by applying specific embodiments in the invention, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.
An embodiment of the present application further provides a specific implementation manner of an electronic device capable of implementing all steps in the method in the foregoing embodiment, and referring to fig. 9, the electronic device specifically includes the following contents:
a processor (processor)901, a memory 902, a communication Interface (Communications Interface)903, a bus 904, and a nonvolatile memory 905;
the processor 901, the memory 902 and the communication interface 903 complete mutual communication through the bus 904;
the processor 901 is configured to call the computer programs in the memory 902 and the nonvolatile memory 905, and when the processor executes the computer programs, the processor implements all the steps in the method in the foregoing embodiments, for example, when the processor executes the computer programs, the processor implements the following steps:
s101: and after the browser resource loading is finished, calling the prestored wasm file to initialize the state.
S102: and dynamically injecting logic hidden codes into the pre-stored JavaScript file while calling the wasm file to perform state initialization.
S103: and after the dynamic injection of the logic hidden codes is completed, performing security verification on the current operating environment in the state initialization process.
S104: and after the verification is passed, obtaining an encryption key and communicating with the server in a state of finishing initialization.
Embodiments of the present application also provide a computer-readable storage medium capable of implementing all the steps of the method in the above embodiments, where the computer-readable storage medium stores thereon a computer program, and the computer program when executed by a processor implements all the steps of the method in the above embodiments, for example, the processor implements the following steps when executing the computer program:
s101: and after the browser resource loading is finished, calling the prestored wasm file to initialize the state.
S102: and dynamically injecting logic hidden codes into the pre-stored JavaScript file while calling the wasm file to perform state initialization.
S103: and after the dynamic injection of the logic hidden codes is completed, performing security verification on the current operating environment in the state initialization process.
S104: and after the verification is passed, obtaining an encryption key and communicating with the server in a state of finishing initialization.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the hardware + program class embodiment, since it is substantially similar to the method embodiment, the description is simple, and the relevant points can be referred to the partial description of the method embodiment. Although embodiments of the present description provide method steps as described in embodiments or flowcharts, more or fewer steps may be included based on conventional or non-inventive means. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual apparatus or end product executes, it may execute sequentially or in parallel (e.g., parallel processors or multi-threaded environments, or even distributed data processing environments) according to the method shown in the embodiment or the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in a process, method, article, or apparatus that comprises the recited elements is not excluded. For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, in implementing the embodiments of the present description, the functions of each module may be implemented in one or more software and/or hardware, or a module implementing the same function may be implemented by a combination of multiple sub-modules or sub-units, and the like. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form. The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein. The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment. In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of an embodiment of the specification.
In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction. The above description is only an example of the embodiments of the present disclosure, and is not intended to limit the embodiments of the present disclosure. Various modifications and variations to the embodiments described herein will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the embodiments of the present specification should be included in the scope of the claims of the embodiments of the present specification.
Claims (13)
1. A secure communication method under a browser is characterized by comprising the following steps:
after loading of browser resources is completed, calling a prestored wasm file to perform state initialization;
dynamically injecting logic hidden codes into a prestored JavaScript file while calling the wasm file to initialize the state;
after the dynamic injection of the logic hidden code is completed, the safety of the current operating environment is verified in the state initialization process;
and after the verification is passed, obtaining an encryption key and communicating with the server in a state of finishing initialization.
2. The method of claim 1, wherein dynamically injecting a logic hidden code into a pre-stored JavaScript file comprises:
operating a dom tree in HTML through wasm, and dynamically inserting a tag into the JavaScript file;
and operating the interface by using the JavaScript file, and after the interface finishes response logic, injecting the logic hidden code according to the inserted label to delete the response logic.
3. The method of claim 2, wherein the performing security verification on the current operating environment during the state initialization comprises:
verifying a uniform resource locator operated by a browser, and judging whether the domain name of the uniform resource locator is a legal domain name or not;
and performing MD5 verification on the JavaScript file, and judging whether the JavaScript file is tampered by an attacker.
4. The secure communication method under the browser of claim 3, wherein the performing MD5 verification on the JavaScript file and determining whether the JavaScript file is tampered by an attacker comprises:
downloading binary data of the JavaScript file in the wap;
calculating an MD5 value for the binary data;
and comparing the MD5 value with a preset legal value and judging whether the JavaScript file is tampered by an attacker or not according to a comparison result.
5. The method of claim 4, wherein the communicating with the server in the initialized state comprises:
and in an initialization state, all communication with the server is managed through wasm.
6. A secure browser-based communication device, comprising:
the initialization unit is used for calling a prestored wasm file to carry out state initialization after the browser resource loading is finished;
the dynamic injection unit is used for dynamically injecting logic hidden codes into a prestored JavaScript file while calling the wasm file to carry out state initialization;
the security verification unit is used for performing security verification on the current operating environment in the state initialization process after the dynamic injection of the logic hidden code is completed;
and the safety communication unit is used for obtaining the encryption key after the verification is passed and communicating with the server in the initialized state.
7. The under-browser secure communication device of claim 6, wherein the dynamic injection unit comprises:
the tag insertion module is used for operating a dom tree in HTML through wasm and dynamically inserting tags into the JavaScript file;
and the logic hiding module is used for operating the interface by utilizing the JavaScript file, and injecting the logic hiding code according to the inserted label to delete the response logic after the interface finishes the response logic.
8. The under-browser secure communication device of claim 7, wherein the security verification unit comprises:
the URL verification module is used for verifying a uniform resource locator operated by a browser and judging whether the domain name of the uniform resource locator is a legal domain name or not;
and the MD5 verification module is used for performing MD5 verification on the JavaScript file and judging whether the JavaScript file is tampered by an attacker.
9. The under-browser secure communication device of claim 8, wherein the MD5 authentication module comprises:
the binary acquisition module is used for downloading the binary data of the JavaScript file in the wap;
a calculation module for calculating MD5 values of the binary data;
and the comparison module is used for comparing the MD5 value with a preset legal value and judging whether the JavaScript file is tampered by an attacker according to a comparison result.
10. The under-browser secure communication device of claim 9, wherein the secure communication unit comprises:
and the hosting module is used for hosting all the communication with the server through the wasm in an initialization state.
11. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the method for secure communication under a browser of any one of claims 1 to 5 are implemented when the program is executed by the processor.
12. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method for secure communication under a browser of any one of claims 1 to 5.
13. A computer program product comprising computer program/instructions, characterized in that the computer program/instructions, when executed by a processor, implement the steps of the secure communication method under a browser according to any of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111442171.6A CN114189369B (en) | 2021-11-30 | 2021-11-30 | Secure communication method and device under browser |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111442171.6A CN114189369B (en) | 2021-11-30 | 2021-11-30 | Secure communication method and device under browser |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114189369A true CN114189369A (en) | 2022-03-15 |
| CN114189369B CN114189369B (en) | 2024-04-26 |
Family
ID=80603026
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111442171.6A Active CN114189369B (en) | 2021-11-30 | 2021-11-30 | Secure communication method and device under browser |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114189369B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111881401A (en) * | 2020-08-04 | 2020-11-03 | 浪潮云信息技术股份公司 | Browser deep learning method and system based on WebAssembly |
| CN112214736A (en) * | 2020-11-02 | 2021-01-12 | 杭州安恒信息技术股份有限公司 | Code encryption method and related assembly |
| CN112269602A (en) * | 2020-11-10 | 2021-01-26 | 深圳晶泰科技有限公司 | WebAssembly loading method and device and storage medium |
| US20210096926A1 (en) * | 2019-09-27 | 2021-04-01 | Cloudflare, Inc. | Cloud computing platform that executes third-party code in a distributed cloud computing network and uses a distributed data store |
| CN113660208A (en) * | 2021-07-16 | 2021-11-16 | 北京一砂信息技术有限公司 | Browser-based security password authentication service system and method |
-
2021
- 2021-11-30 CN CN202111442171.6A patent/CN114189369B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20210096926A1 (en) * | 2019-09-27 | 2021-04-01 | Cloudflare, Inc. | Cloud computing platform that executes third-party code in a distributed cloud computing network and uses a distributed data store |
| CN111881401A (en) * | 2020-08-04 | 2020-11-03 | 浪潮云信息技术股份公司 | Browser deep learning method and system based on WebAssembly |
| CN112214736A (en) * | 2020-11-02 | 2021-01-12 | 杭州安恒信息技术股份有限公司 | Code encryption method and related assembly |
| CN112269602A (en) * | 2020-11-10 | 2021-01-26 | 深圳晶泰科技有限公司 | WebAssembly loading method and device and storage medium |
| CN113660208A (en) * | 2021-07-16 | 2021-11-16 | 北京一砂信息技术有限公司 | Browser-based security password authentication service system and method |
Non-Patent Citations (3)
| Title |
|---|
| TUSHAR等: "Comparative Analysis Of JavaScript And WebAssembly In The Browser Environment", 《2022 IEEE 10TH REGION 10 HUMANITARIAN TECHNOLOGY CONFERENCE (R10-HTC)》, 3 November 2022 (2022-11-03) * |
| 匡开圆: "基于WebAssembly的JavaScript代码虚拟化保护方法研究与实现", 《中国优秀硕士学位论文全文数据库 信息科技辑 2019年第01期》, 15 January 2019 (2019-01-15) * |
| 陆展等: "基于WASM技术的密钥对分发加密服务", 《电脑编程技巧与维护(2021年第8期)》, 18 August 2021 (2021-08-18) * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114189369B (en) | 2024-04-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Mainka et al. | SoK: single sign-on security—an evaluation of openID connect | |
| US10382426B2 (en) | Authentication context transfer for accessing computing resources via single sign-on with single use access tokens | |
| Mainka et al. | Do not trust me: Using malicious IdPs for analyzing and attacking single sign-on | |
| CN109522726A (en) | Method for authenticating, server and the computer readable storage medium of small routine | |
| WO2016029595A1 (en) | Method, device, and equipment for calling open platform and non-volatile computer storage medium | |
| CN111062023B (en) | Method and device for realizing single sign-on of multi-application system | |
| CN111262889A (en) | Authority authentication method, device, equipment and medium for cloud service | |
| Calzavara et al. | {WPSE}: Fortifying Web Protocols via {Browser-Side} Security Monitoring | |
| Shin et al. | Certificate injection-based encrypted traffic forensics in AI speaker ecosystem | |
| Cao et al. | Protecting web-based single sign-on protocols against relying party impersonation attacks through a dedicated bi-directional authenticated secure channel | |
| CN111460410A (en) | Server login method, device and system and computer readable storage medium | |
| CN110166470B (en) | Network service simulation method and device | |
| Vasileios Grammatopoulos et al. | A web tool for analyzing FIDO2/WebAuthn Requests and Responses | |
| CN114024751B (en) | Application access control method and device, computer equipment and storage medium | |
| CN113239308A (en) | Page access method, device, equipment and storage medium | |
| CN108563953B (en) | Safe and extensible trusted application development method | |
| KR101637155B1 (en) | A system providing trusted identity management service using trust service device and its methods of operation | |
| US20230403562A1 (en) | Systems and methods for verified communication between mobile applications | |
| CN114189369B (en) | Secure communication method and device under browser | |
| Squarcina et al. | Cookie crumbles: breaking and fixing web session integrity | |
| Titze et al. | Preventing library spoofing on android | |
| Athalye et al. | Package manager security | |
| CN111639033A (en) | Software security threat analysis method and system | |
| Veronese et al. | Bulwark: Holistic and verified security monitoring of web protocols | |
| Huszti | Security Analysis of Android Applications |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |