技术领域technical field
本发明属于移动互联网网络安全技术领域,具体涉及一种移动端的沙盒化键盘系统及其数据传输方法。The invention belongs to the technical field of mobile Internet network security, and in particular relates to a mobile terminal sandboxed keyboard system and a data transmission method thereof.
背景技术Background technique
现有技术中,在PC端,有KeyDefender这一工具,其功能是保护用户防止被键盘记录软件记录键盘输入,该键盘输入保护工具不再使用原输入通道进行数据传输,而是为用户开辟了专用的加密输入通道,当用户通过键盘输入数据时,KeyDefender对输入信息加密后通过该通道传输至目标程序,同时该工具还会释放不同干扰值,使各种键盘记录软件无法获得任何对用户有害的信息,保护用户在用键盘输入各种信息时的安全。In the prior art, on the PC side, there is a tool called KeyDefender, whose function is to protect users from being recorded by keylogging software. This keyboard input protection tool no longer uses the original input channel for data transmission, but opens up a Dedicated encrypted input channel. When the user inputs data through the keyboard, KeyDefender encrypts the input information and transmits it to the target program through this channel. At the same time, the tool also releases different interference values, so that various keylogging software cannot obtain any data that is harmful to the user. information to protect the security of users when inputting various information with the keyboard.
在移动设备端,常用的方法是先对键盘输入进行加密,再将加密后的内容发送至目标程序;也有一种技术是重新设计硬件,使得恶意程序无法通过运行在内核态来获取用户的输入信息。On the mobile device side, the common method is to encrypt the keyboard input first, and then send the encrypted content to the target program; there is also a technique to redesign the hardware so that malicious programs cannot obtain user input by running in kernel mode information.
这些技术有一定的缺陷,KeyDefender工具采用的技术,没有考虑工具自身的安全性,而且可用范围太小;先加密再发送的技术,信息容易被截取破解,而且不能防止运行在设备上的恶意软件对用户输入的记录;重新设计硬件则太过繁琐;此外,一些常见的安全键盘,常常会有使用范围过小,保护的数据格式太单一,只能保护短的纯数字密码,这些问题。These technologies have certain defects. The technology adopted by the KeyDefender tool does not consider the security of the tool itself, and the available range is too small; the technology of encrypting and then sending the information is easy to be intercepted and cracked, and it cannot prevent malware running on the device Recording of user input; redesigning hardware is too cumbersome; in addition, some common security keyboards often have problems such as too small range of use, too single protected data format, and only short pure digital passwords.
沙盒技术:沙盒(sandbox,又译为沙箱)是一种安全机制,为运行中的程序提供的隔离环境;沙盒通常严格控制其中的程序所能访问的资源,比如,沙盒可以提供用后即回收的磁盘及空间;在沙盒中,网络访问、对真实系统的访问、对输入设备的读取通常被严格禁止或是严格限制;从这个角度来说,沙盒属于虚拟化的一种;在目前,沙盒技术主要被计算机技术人员广泛用于测试可能带毒的程序或是其他的恶意代码,并未应用到移动设备端键盘输入技术中。Sandbox technology: Sandbox (sandbox, also translated as sandbox) is a security mechanism that provides an isolated environment for running programs; sandboxes usually strictly control the resources that programs can access, for example, sandboxes can Provide disks and space that can be recycled after use; in sandboxes, network access, access to real systems, and reading of input devices are usually strictly prohibited or strictly restricted; from this perspective, sandboxes are virtualization At present, sandbox technology is mainly used by computer technicians to test programs that may contain viruses or other malicious codes, and has not been applied to keyboard input technology on mobile devices.
发明内容Contents of the invention
针对现有技术的不足,本发明提出一种移动端的沙盒化键盘系统及其数据传输方法,以达到满足对多种格式的用户输入数据的保护,提高移动端APP与服务器端进行数据交互安全性的目的。Aiming at the deficiencies of the prior art, the present invention proposes a mobile terminal sandboxed keyboard system and its data transmission method, in order to meet the protection of user input data in various formats and improve the security of data interaction between the mobile terminal APP and the server terminal sexual purpose.
一种移动端的沙盒化键盘系统,该系统包括沙盒模块,所述的沙盒模块包括自定义键盘模块和加密混淆模块,其中,A sandboxed keyboard system at a mobile terminal, the system includes a sandbox module, the sandbox module includes a custom keyboard module and an encryption obfuscation module, wherein,
自定义键盘模块:当接收到数据传输请求时,用于获取用户输入数据,并发送至加密混淆模块中;Custom keyboard module: When a data transmission request is received, it is used to obtain user input data and send it to the encryption obfuscation module;
加密混淆模块:用于根据目标APP和目标服务器之间自定义的加密混淆方式,将用户的输入数据进行相应的加密和混淆处理,再将处理后的加密数据发送给目标服务器。该系统以APP的形式设置于移动端内,并与目标APP应用配合使用。Encryption obfuscation module: It is used to encrypt and obfuscate the user's input data according to the customized encryption obfuscation method between the target APP and the target server, and then send the processed encrypted data to the target server. The system is set in the mobile terminal in the form of APP and used in conjunction with the target APP.
采用移动端的沙盒化键盘系统进行的数据传输方法,包括以下步骤:The data transmission method carried out by using the sandboxed keyboard system of the mobile terminal includes the following steps:
步骤1、当目标APP需要获取用户输入数据并发送至目标服务器时,启动沙盒模块;Step 1. When the target APP needs to obtain user input data and send it to the target server, start the sandbox module;
步骤2、将目标APP与用户输入之间的数据传输通道切断,并打开沙盒模块与用户输入之间的数据通道;Step 2. Cut off the data transmission channel between the target APP and the user input, and open the data channel between the sandbox module and the user input;
步骤3、采用自定义键盘模块获取用户输入数据;Step 3, using a custom keyboard module to obtain user input data;
步骤4、根据目标APP和目标服务器之间自定义的加密混淆方式,加密混淆模块将用户的输入数据进行相应的加密和混淆处理,再将处理后的加密数据发送给目标服务器;Step 4. According to the custom encryption and obfuscation method between the target APP and the target server, the encryption and obfuscation module performs corresponding encryption and obfuscation processing on the user's input data, and then sends the processed encrypted data to the target server;
步骤5、目标服务器接收加密的数据,对其进行相应的解密处理,得到用户的原始输入。Step 5. The target server receives the encrypted data and performs corresponding decryption processing on it to obtain the original input of the user.
本发明优点:Advantages of the present invention:
本发明提出一种移动端的沙盒化键盘系统及其数据传输方法,该方法不采用系统的原生键盘,而是利用沙盒技术设计自定义的用户键盘,记录用户输入;利用沙盒技术的目的是,将用户输入暂时和设备上的其它运行软件隔离开来,保证输入数据不暴露在设备上的恶意软件下,防止在这个过程中恶意程序对键盘输入的纪录;收集到的用户输入,通过专用的加密通道进行传输,用户可以自定义加密方式、加密密钥等,也可以加入自定义的混淆和干扰方式,防止恶意软件对输入信息的破解;The present invention proposes a mobile terminal sandboxed keyboard system and its data transmission method. The method does not use the system's native keyboard, but uses sandbox technology to design a custom user keyboard to record user input; the purpose of using sandbox technology Yes, temporarily isolate user input from other running software on the device to ensure that the input data is not exposed to malicious software on the device, and prevent malicious programs from recording keyboard input during the process; the collected user input is passed Dedicated encryption channel for transmission, users can customize the encryption method, encryption key, etc., and can also add custom obfuscation and interference methods to prevent malicious software from cracking the input information;
采用本发明,即使存在恶意软件也会被阻挡在沙盒之外;自定义的键盘可以满足不同的移动端APP需求,可以满足对多种格式的用户输入数据的保护;自定义的加密混淆方式,可以大大加强移动端APP和服务器端进行数据交互的安全性;相比采用单一加密方式,这种做法可以很好地降低用户输入被截取破译的风险,也可以满足不同种类的用户的需求。With the present invention, even if there is malicious software, it will be blocked outside the sandbox; the customized keyboard can meet the requirements of different mobile terminal APPs, and can meet the protection of user input data in various formats; the customized encryption and obfuscation method , can greatly enhance the security of data interaction between the mobile APP and the server; compared with a single encryption method, this approach can well reduce the risk of user input being intercepted and deciphered, and can also meet the needs of different types of users.
附图说明Description of drawings
图1为本发明一种实施例的移动端的沙盒化键盘系统结构框图;Fig. 1 is the structural block diagram of the sandboxed keyboard system of the mobile terminal of an embodiment of the present invention;
图2为本发明一种实施例的采用移动端的沙盒化键盘系统进行的数据传输方法流程图。FIG. 2 is a flowchart of a data transmission method using a sandboxed keyboard system at a mobile terminal according to an embodiment of the present invention.
具体实施方式detailed description
下面结合附图对本发明一种实施例做进一步说明。An embodiment of the present invention will be further described below in conjunction with the accompanying drawings.
本发明实施例中,如图1所示,移动端的沙盒化键盘系统以APP的形式设置于移动端内,并与目标APP应用配合使用;该系统包括沙盒模块,所述的沙盒模块包括自定义键盘模块和加密混淆模块,其中,自定义键盘模块当接收到数据传输请求时,用于获取用户输入数据,并发送至加密混淆模块中;加密混淆模块用于根据目标APP和目标服务器之间自定义的加密混淆方式,将用户的输入数据进行相应的加密和混淆处理,再将处理后的加密数据发送给目标服务器。In the embodiment of the present invention, as shown in Figure 1, the sandboxed keyboard system of the mobile terminal is set in the mobile terminal in the form of APP, and is used in conjunction with the target APP application; the system includes a sandbox module, and the sandbox module Including a custom keyboard module and an encryption obfuscation module, wherein, when the custom keyboard module receives a data transmission request, it is used to obtain user input data and send it to the encryption obfuscation module; the encryption obfuscation module is used to The user-defined encryption and obfuscation method performs corresponding encryption and obfuscation processing on the user's input data, and then sends the processed encrypted data to the target server.
本发明实施例中,采用移动端的沙盒化键盘系统进行的数据传输方法,方法流程图如图2所示,包括以下步骤:In the embodiment of the present invention, the data transmission method carried out by using the sandboxed keyboard system of the mobile terminal, the method flow chart is shown in Figure 2, including the following steps:
步骤1、当目标APP需要获取用户输入数据并发送至目标服务器时,启动沙盒模块;Step 1. When the target APP needs to obtain user input data and send it to the target server, start the sandbox module;
本发明实施例中,当实际操作为输入登陆密码、网银密码、支付宝密码、个人信息等需要保密的信息时,APP发送请求至沙盒模块,启动沙盒模块;In the embodiment of the present invention, when the actual operation is to input login password, online banking password, Alipay password, personal information and other information that needs to be kept secret, the APP sends a request to the sandbox module to start the sandbox module;
步骤2、将目标APP与用户输入之间的数据传输通道切断,并打开沙盒模块与用户输入之间的数据通道;Step 2. Cut off the data transmission channel between the target APP and the user input, and open the data channel between the sandbox module and the user input;
本发明实施例中,使用沙盒技术将该模块置于一个受限制的系统环境中,控制其使用的资源(如文件描述符、内存、磁盘空间),可以保证输入数据不暴露给设备上的任何一个软件,也就不会被恶意软件获取。In the embodiment of the present invention, using the sandbox technology to place the module in a restricted system environment, controlling the resources it uses (such as file descriptors, memory, and disk space), can ensure that the input data is not exposed to the Any software will not be acquired by malware.
步骤3、采用自定义键盘模块获取用户输入数据;Step 3, using a custom keyboard module to obtain user input data;
本发明实施例中,沙盒模块开启自定义键盘,用户在自定义键盘的输入被沙盒模块记录;在这个步骤中,沙盒技术可以做到将沙盒模块和设备上其他任何模块的隔离,任何运行在设备上的进程都不能获取用户的原始输入。In the embodiment of the present invention, the sandbox module opens the custom keyboard, and the user's input on the custom keyboard is recorded by the sandbox module; in this step, the sandbox technology can isolate the sandbox module from any other modules on the device , any process running on the device cannot get the user's raw input.
本发明实施例中,自定义键盘的设计是多样化的,可以是类似PC机键盘的大型键盘和NumberPad键盘;也可以是一个纯手写模块;也可以是由数字和字母组成的,位置不断发生随机变化的完全自定义键盘。In the embodiment of the present invention, the design of the custom keyboard is diversified, it can be a large keyboard similar to a PC keyboard and a NumberPad keyboard; it can also be a pure handwriting module; it can also be composed of numbers and letters, and the positions are constantly changing Fully custom keyboard with random changes.
步骤4、根据目标APP和目标服务器之间自定义的加密混淆方式,加密混淆模块将用户的输入数据进行相应的加密和混淆处理,再将处理后的加密数据发送给目标服务器;Step 4. According to the custom encryption and obfuscation method between the target APP and the target server, the encryption and obfuscation module performs corresponding encryption and obfuscation processing on the user's input data, and then sends the processed encrypted data to the target server;
本发明实施例中,所采用的加密混淆算法十分灵活,既可以使用一些常见的、已经成熟的对称加密与非对称加密算法,也可以使用自定义的加密混淆算法;目前学术领域上有许多面向不同平台、不同系统的加密方式,都可以使用在加密混淆模块中;In the embodiment of the present invention, the encryption obfuscation algorithm adopted is very flexible, and some common and mature symmetric encryption and asymmetric encryption algorithms can be used, and a self-defined encryption obfuscation algorithm can also be used; The encryption methods of different platforms and systems can be used in the encryption obfuscation module;
本发明实施例中,移动APP端和服务器端会提前设计好通信协议,包括具体的加密混淆方式、密钥、数据格式、数据传输通道等,保证服务器端在得到了移动APP端发送来的数据(也就是加密混淆模块发送的数据)后,能够顺利的到用户的原始输入;而这些协议不会被外部所知,即使加密后的数据被截取,恶意软件也无法获取用户的原始输入。In the embodiment of the present invention, the mobile APP and the server will design a communication protocol in advance, including specific encryption and obfuscation methods, keys, data formats, data transmission channels, etc., to ensure that the server receives the data sent by the mobile APP (that is, the data sent by the encryption obfuscation module), the original input of the user can be obtained smoothly; and these protocols will not be known to the outside, even if the encrypted data is intercepted, the malware cannot obtain the original input of the user.
步骤5、目标服务器接收加密的数据,对其进行相应的解密处理,得到用户的原始输入。Step 5. The target server receives the encrypted data and performs corresponding decryption processing on it to obtain the original input of the user.
本发明实施例中,该步骤的前提条件是服务器端与移动端已经达成了数据通信的协议,分发、交换过密钥和数据格式信息。In the embodiment of the present invention, the precondition of this step is that the server end and the mobile end have reached a data communication agreement, and have distributed and exchanged keys and data format information.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610064397.XACN105678165A (en) | 2016-01-29 | 2016-01-29 | Sandboxing keyboard system of mobile terminal and data transmitting method of sandboxing keyboard system |
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610064397.XACN105678165A (en) | 2016-01-29 | 2016-01-29 | Sandboxing keyboard system of mobile terminal and data transmitting method of sandboxing keyboard system |
| Publication Number | Publication Date |
|---|---|
| CN105678165Atrue CN105678165A (en) | 2016-06-15 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610064397.XAPendingCN105678165A (en) | 2016-01-29 | 2016-01-29 | Sandboxing keyboard system of mobile terminal and data transmitting method of sandboxing keyboard system |
| Country | Link |
|---|---|
| CN (1) | CN105678165A (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106529353A (en)* | 2016-10-26 | 2017-03-22 | 努比亚技术有限公司 | Method and apparatus for performing anti-eavesdropping processing on key input information |
| CN107832105A (en)* | 2017-11-24 | 2018-03-23 | 南昌黑鲨科技有限公司 | A kind of application program launching method, starter and computer-readable recording medium |
| CN109260701A (en)* | 2018-07-10 | 2019-01-25 | 广州小鸡快跑网络科技有限公司 | A kind of conversion method and device of Android system standard incoming event |
| CN109726593A (en)* | 2018-12-31 | 2019-05-07 | 联动优势科技有限公司 | A method and device for realizing data sandbox |
| CN111193740A (en)* | 2019-12-31 | 2020-05-22 | 苏宁金融科技(南京)有限公司 | Encryption method, device, decryption method, computer device and storage medium |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1766920A (en)* | 2005-11-01 | 2006-05-03 | 广州好易联支付网络有限公司 | On-line safety payment system |
| CN102184372A (en)* | 2011-05-27 | 2011-09-14 | 北京洋浦伟业科技发展有限公司 | Reverse-sandbox-based mobilephone payment protection method |
| CN102195940A (en)* | 2010-03-12 | 2011-09-21 | 北京路模思科技有限公司 | Virtual-machine-technology-based data security input and submission method and system |
| CN103532927A (en)* | 2013-07-30 | 2014-01-22 | 北京中科金财科技股份有限公司 | Financial cloud safety service platform based on mobile terminal and data protection method |
| CN104021168A (en)* | 2011-12-28 | 2014-09-03 | 北京奇虎科技有限公司 | Method and device for browsing webpage |
| CN104933361A (en)* | 2015-06-05 | 2015-09-23 | 浪潮电子信息产业股份有限公司 | Device and method for protecting login password |
| US20150347747A1 (en)* | 2014-05-28 | 2015-12-03 | Apple Inc. | Sandboxing third party components |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1766920A (en)* | 2005-11-01 | 2006-05-03 | 广州好易联支付网络有限公司 | On-line safety payment system |
| CN102195940A (en)* | 2010-03-12 | 2011-09-21 | 北京路模思科技有限公司 | Virtual-machine-technology-based data security input and submission method and system |
| CN102184372A (en)* | 2011-05-27 | 2011-09-14 | 北京洋浦伟业科技发展有限公司 | Reverse-sandbox-based mobilephone payment protection method |
| CN104021168A (en)* | 2011-12-28 | 2014-09-03 | 北京奇虎科技有限公司 | Method and device for browsing webpage |
| CN103532927A (en)* | 2013-07-30 | 2014-01-22 | 北京中科金财科技股份有限公司 | Financial cloud safety service platform based on mobile terminal and data protection method |
| US20150347747A1 (en)* | 2014-05-28 | 2015-12-03 | Apple Inc. | Sandboxing third party components |
| CN104933361A (en)* | 2015-06-05 | 2015-09-23 | 浪潮电子信息产业股份有限公司 | Device and method for protecting login password |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106529353A (en)* | 2016-10-26 | 2017-03-22 | 努比亚技术有限公司 | Method and apparatus for performing anti-eavesdropping processing on key input information |
| CN107832105A (en)* | 2017-11-24 | 2018-03-23 | 南昌黑鲨科技有限公司 | A kind of application program launching method, starter and computer-readable recording medium |
| WO2019100897A1 (en)* | 2017-11-24 | 2019-05-31 | 南昌黑鲨科技有限公司 | Application program starting method and starting apparatus, and computer readable storage medium |
| CN107832105B (en)* | 2017-11-24 | 2022-02-15 | 南昌黑鲨科技有限公司 | Application program starting method, starting device and computer readable storage medium |
| CN109260701A (en)* | 2018-07-10 | 2019-01-25 | 广州小鸡快跑网络科技有限公司 | A kind of conversion method and device of Android system standard incoming event |
| CN109726593A (en)* | 2018-12-31 | 2019-05-07 | 联动优势科技有限公司 | A method and device for realizing data sandbox |
| CN111193740A (en)* | 2019-12-31 | 2020-05-22 | 苏宁金融科技(南京)有限公司 | Encryption method, device, decryption method, computer device and storage medium |
| Publication | Publication Date | Title |
|---|---|---|
| CN112513857B (en) | Personalized cryptographic secure access control in trusted execution environments | |
| US11188652B2 (en) | Access management and credential protection | |
| US20180082050A1 (en) | Method and a system for secure login to a computer, computer network, and computer website using biometrics and a mobile computing wireless electronic communication device | |
| US8954758B2 (en) | Password-less security and protection of online digital assets | |
| US8261072B2 (en) | Method and system for secure external TPM password generation and use | |
| US7787661B2 (en) | Method, system, personal security device and computer program product for cryptographically secured biometric authentication | |
| US9202076B1 (en) | Systems and methods for sharing data stored on secure third-party storage platforms | |
| US20180091487A1 (en) | Electronic device, server and communication system for securely transmitting information | |
| CN103930899B (en) | Method for the management public data of input and private data at equipment | |
| CN104794388B (en) | application program access protection method and application program access protection device | |
| US20080288776A1 (en) | Security method using virtual keyboard | |
| CN105678165A (en) | Sandboxing keyboard system of mobile terminal and data transmitting method of sandboxing keyboard system | |
| US10019605B2 (en) | Systems, methods and apparatus for secure peripheral communication | |
| CN104335548A (en) | Secure data processing | |
| WO2012156785A1 (en) | Systems and methods for device based password-less user authentication using encryption | |
| WO2017147890A1 (en) | Verification code short message display method and mobile terminal | |
| CN108134671A (en) | A kind of transparent encryption system and its encipher-decipher method based on quantum true random number | |
| CN105827574A (en) | File access system, file access method and file access device | |
| TW201839645A (en) | Storage device and method for controlling access privilege of a storage device to determine whether the authentication data matches the authentication code or not after receiving the authentication data from the electronic device via the second communication network | |
| US20210248245A1 (en) | Calculation device, calculation method, calculation program and calculation system | |
| WO2017166362A1 (en) | Esim number writing method, security system, esim number server, and terminal | |
| CN113630412A (en) | Resource downloading method, resource downloading device, electronic equipment and storage medium | |
| CN108462699A (en) | Based on the encrypted Quick Response Code generation of sequential and verification method and system | |
| Kim et al. | Security analysis and bypass user authentication bound to device of windows hello in the wild | |
| CN118715516A (en) | Communication Link |
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WD01 | Invention patent application deemed withdrawn after publication | ||
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date:20160615 |