Chrome extension - encrypting data to be stored in chrome storage


Problem description

I have a chrome extension which stores some user data locally using the chrome.storage API.

Quoting the documentation:

Confidential user information should not be stored! The storage area isn't encrypted.

Anyway I would like to encrypt my extension's data before storing it, and I'd like to know: does Google provide a way to do this? And, if not, is there any other way?

Recommended answer

To encrypt your data there's a really useful tool called CryptoJS, which is a good library for encryption/decryption algorithms. Let's say you want to encrypt some data so it can only be accessible with a certain passphrase, then you'll do something like this:

var encrypted = CryptoJS.AES.encrypt("Message", "Secret Passphrase");
var decrypted = CryptoJS.AES.decrypt(encrypted, "Secret Passphrase");

Little problem: it looks clear that if you don't obfuscate your code (making it unreadable) the secret password will always be visible to any user, and obviously useless.

So: encoding your data will not make attackers unable to decode it if you use common algorithms and plain text JavaScript. Therefore, if you want to make your code safer (which is difficult, since the JavaScript is stored as plain text in your extension folder), you have to scramble or obfuscate your JS functions using some tools like:

  • JavascriptObfuscator
  • JSObfuscate
  • JScrambler (not free)
  • Jasob (not free)
  • etc (just search on google)...

Here is an example of the above snippet obfuscated using the tools I linked above (1 time jsobfuscate and 1 time javascriptobfuscator):

var _0x7390=["\x31\x20\x35\x3D\x30\x2E\x33\x2E\x37\x28\x22\x36\x22\x2C\x22\x34\x20\x32\x22\x29\x3B\x31\x20\x38\x3D\x30\x2E\x33\x2E\x39\x28\x35\x2C\x22\x34\x20\x32\x22\x29\x3B","\x7C","\x73\x70\x6C\x69\x74","\x43\x72\x79\x70\x74\x6F\x4A\x53\x7C\x76\x61\x72\x7C\x50\x61\x73\x73\x70\x68\x72\x61\x73\x65\x7C\x41\x45\x53\x7C\x53\x65\x63\x72\x65\x74\x7C\x65\x6E\x63\x72\x79\x70\x74\x65\x64\x7C\x4D\x65\x73\x73\x61\x67\x65\x7C\x65\x6E\x63\x72\x79\x70\x74\x7C\x64\x65\x63\x72\x79\x70\x74\x65\x64\x7C\x64\x65\x63\x72\x79\x70\x74","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0xf4e9x1,_0xf4e9x2,_0xf4e9x3,_0xf4e9x4,_0xf4e9x5,_0xf4e9x6){_0xf4e9x5=function (_0xf4e9x3){return _0xf4e9x3;} ;if(!_0x7390[5][_0x7390[4]](/^/,String)){while(_0xf4e9x3--){_0xf4e9x6[_0xf4e9x3]=_0xf4e9x4[_0xf4e9x3]||_0xf4e9x3;} ;_0xf4e9x4=[function (_0xf4e9x5){return _0xf4e9x6[_0xf4e9x5];} ];_0xf4e9x5=function (){return _0x7390[6];} ;_0xf4e9x3=1;} ;while(_0xf4e9x3--){if(_0xf4e9x4[_0xf4e9x3]){_0xf4e9x1=_0xf4e9x1[_0x7390[4]]( new RegExp(_0x7390[7]+_0xf4e9x5(_0xf4e9x3)+_0x7390[7],_0x7390[8]),_0xf4e9x4[_0xf4e9x3]);} ;} ;return _0xf4e9x1;} (_0x7390[0],10,10,_0x7390[3][_0x7390[2]](_0x7390[1]),0,{}));

It looks clear that this code is impossible to read. If you repeat the obfuscation algorithm several times with different tools then you'll decrease the chance of anyone being able to understand it, even though data stored on the client side of a Chrome Extension is never entirely safe, and anyone using a deobfuscator could theoretically be able to make your code human readable again and understand it.

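Another tip: don't use common variable names, and make your functions private by wrapping them in some object, so that the data is harder to access.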
