Spongebob’s troubles

SpongeBob loves online shopping; being "harvested by capital" makes him happy.

But one thing has been bothering him: the express delivery waybill, printed with his personal information, which he has to tear up every time before throwing it away.

Addressee mobile phone: 138 8888 8888
Addressee address: Polo House, 124 Shell Street, Bikini Bottom, Pacific Ocean

Have you ever had the same trouble as SpongeBob SquarePants? And how is it solved?

User information privacy security

A requirement that must ship tomorrow

Xiao Ming, 26, is an ordinary office worker: a developer at an Internet company.

“Xiao Ming, I have a simple requirement.” The product manager came up to Xiao Ming with a smile.

“Oh, a simple requirement again?” Xiao Ming looked at the product manager. “Has the requirement document been written?”

“It's easy, why write a document?” the product manager continued. “Just like last time, add a list of transaction records. This requirement is very urgent; can it go online tomorrow?”

“Easy my foot. It took a week last time. Write the document properly, go through requirements review, and schedule it in the next iteration.” Xiao Ming was not going to be fooled either.

After the detailed design was done, Xiao Ming started development.

It went fairly smoothly:

public void doTransaction(TransactionDto dto) {
    // Output logs: the whole DTO, including name, phone and address, is written to the log in plaintext
    log.info("Make a transaction: {}", JSON.toJSON(dto));

    // Perform business processing

    // Persist to the database
}

TransactionDto contains the buyer’s name, cell phone number, residential address, and transaction information.

The fields are stored in the database in plaintext and shown on the page as a list.

A very simple requirement, Xiao Ming thought; now just wait for testing to verify it.

User information security

However, during code review the project manager raised a question: does your code protect the security of users' information?

(1) Users' private information must not be output in plaintext in logs

(2) Users' private information must not be displayed in plaintext on the page

(3) Users' private information must not be stored in plaintext in the database

Taking the express waybill as an example, it should look like this:

Express waybill No.: 202202181111
Recipient's name: Hai**Bao
Recipient's mobile phone: 138****8888
Recipient's address: Bikini Bottom beach ********
Note: the secret code is "Tianwang Getihu"

The benefit is obvious: even if the recipient does not tear up the waybill, it will not reveal much personal information.

Xiao Ming did not understand: “If the logs can't output it, how do we troubleshoot problems?”

“You can output the desensitized information. The point of not logging it is to stop people who have access to the logs from leaking personal information.”

“And if the page can't show it in plaintext, how do the operations staff handle their daily work?”

“Add a button on the page, restrict it with the corresponding permission, and record an operation log.”

“And if the database can't store plaintext, how does that even work?”

“Read up on reversible encryption.” The project manager paused. “Rewrite it; you get two more days.”

“OK,” Xiao Ming said, a little deflated.

Technical implementation adjustments

Log desensitization

For log desensitization, the most direct method Xiao Ming could think of was to override the class's toString() method and desensitize the sensitive fields with a utility class.

But his colleague Lao Ma recommended an annotation-based desensitization kit, which is easier to use:

Github.com/houbb/sensi…

  • Annotation-based log desensitization.

  • Customizable strategies and conditions.

  • Built-in common desensitization strategies.

  • Java deep copy without requiring the original object to implement any interface.

  • Support for user-defined annotations.

  • Support for FastJSON to generate desensitized JSON directly.
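To make the annotation-based idea concrete, here is an added stand-alone example written for this article; it is not code from the kit above or from Xiao Ming's project, and the `@Mask` annotation, the `MaskType` enum and `MaskUtil` are this example's own names. It walks the DTO's fields by reflection and applies the rule named on each, so the same `log.info("...: {}", dto)` call prints the masked form. The order values are constructed sample data.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.StringJoiner;

/** Hypothetical masking rules for this example; not the kit's own API. */
enum MaskType { NAME, PHONE, ADDRESS }

/** Marks a DTO field that must never reach a log line in plaintext. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@interface Mask {
    MaskType value();
}

final class MaskUtil {
    private MaskUtil() {}

    /** Keep the first and last character: "SpongeBob" -> "S*******b". */
    static String maskName(String s) {
        if (s.length() < 2) return "*";
        return s.charAt(0) + "*".repeat(s.length() - 2) + s.charAt(s.length() - 1);
    }

    /** Keep the first 3 and last 4 digits, as on the waybill: 13888888888 -> 138****8888. */
    static String maskPhone(String s) {
        if (s.length() < 8) return "****";
        return s.substring(0, 3) + "****" + s.substring(s.length() - 4);
    }

    /** Keep only a coarse prefix of the address and hide the rest. */
    static String maskAddress(String s) {
        if (s.length() <= 6) return "********";
        return s.substring(0, 6) + "********";
    }

    /** Render the object field by field, masking the fields that carry @Mask. */
    static String toMaskedString(Object obj) throws IllegalAccessException {
        StringJoiner out = new StringJoiner(", ", obj.getClass().getSimpleName() + "{", "}");
        for (Field f : obj.getClass().getDeclaredFields()) {
            f.setAccessible(true);
            Object v = f.get(obj);
            Mask m = f.getAnnotation(Mask.class);
            String shown;
            if (m == null || v == null) {
                shown = String.valueOf(v);          // non-sensitive fields are logged as they are
            } else if (m.value() == MaskType.NAME) {
                shown = maskName(v.toString());
            } else if (m.value() == MaskType.PHONE) {
                shown = maskPhone(v.toString());
            } else {
                shown = maskAddress(v.toString());
            }
            out.add(f.getName() + "=" + shown);
        }
        return out.toString();
    }
}

/** The DTO from the article, with the three private fields annotated. */
class TransactionDto {
    @Mask(MaskType.NAME)    String buyerName;
    @Mask(MaskType.PHONE)   String buyerPhone;
    @Mask(MaskType.ADDRESS) String buyerAddress;
    String orderNo;
    long amountCents;

    TransactionDto(String n, String p, String a, String o, long amt) {
        buyerName = n; buyerPhone = p; buyerAddress = a; orderNo = o; amountCents = amt;
    }

    /** Overriding toString() means a plain "{}" placeholder in a log call also gets the masked form. */
    @Override public String toString() {
        try { return MaskUtil.toMaskedString(this); }
        catch (IllegalAccessException e) { return getClass().getSimpleName() + "{<masked>}"; }
    }
}

public class MaskDemo {
    public static void main(String[] args) {
        // Constructed sample order, not real data
        TransactionDto dto = new TransactionDto("SpongeBob", "13888888888",
                "Polo House, 124 Shell Street, Bikini Bottom", "202202181111", 9900L);
        // Same call shape as Xiao Ming's log line, but the DTO now prints its masked form
        System.out.println("Make a transaction: " + dto);
    }
}
```

The point of putting the rule on the field rather than in each log call is that nobody can forget to mask: whatever path serializes the DTO for logging goes through the same annotation. The opposite trap is `JSON.toJSON(dto)` in the original code, which bypasses `toString()` entirely, which is why the kit's FastJSON integration matters.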

Reversible database encryption

To stop developers, DBAs and attackers who obtain a copy of the database from reading user data, sensitive fields must be encrypted at rest.

Take a mobile phone number stored in the database:

phone 13066668888

The value needs to be adjusted as follows:

phone_cipher  BABABABABABABABBABABABA   # encrypted ciphertext
phone_mask    130****8888               # masked phone number
phone_hash    FFFFFFFFFFFFFFFFFF        # hash of the phone number

The encryption algorithm must be reversible, for example AES, 3DES or SM4. (3DES is deprecated and slow; prefer AES in an authenticated mode such as GCM, or SM4 where the national standard algorithms are required.)

The mask can use the same desensitization rule as above; it serves for display and for letting the user confirm "is this your number?" without exposing it.

The hash is used for exact-match queries: hash the search term and compare it with phone_hash, so a lookup does not require decrypting every row. Common one-way hashes such as MD5 or SHA are used.

Now put yourself in the attacker's shoes: you see the mask and the hash in the database, and you know the hash algorithm is plain MD5. Can you recover the phone number in plaintext?

The answer is yes, so these questions have to be considered when choosing the hash implementation.

How do you get clear text, and how do you avoid this problem?

Leave your comments in the comments section.
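The following is an added example written for this article (mine, not the article's own code or any company's crypto service) of the three-column layout above, together with the brute force that the question invites and a keyed hash that resists it. It assumes, for the demo only, that the AES and HMAC keys are generated in main() and handed to the class; in a real deployment they stay inside the crypto service. The class and method names are this example's own, and the phone number is the constructed sample from the text.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class PhoneProtector {
    private static final int IV_BYTES = 12;   // GCM nonce length
    private static final int TAG_BITS = 128;  // GCM authentication tag length
    private final SecretKeySpec aesKey, hmacKey;
    private final SecureRandom rng = new SecureRandom();
    private final List<String> viewLog = new ArrayList<>();
    /** Demo assumption: keys are passed in. In production they never leave the crypto service. */
    public PhoneProtector(byte[] aesKeyBytes, byte[] hmacKeyBytes) {
        aesKey = new SecretKeySpec(aesKeyBytes, "AES");
        hmacKey = new SecretKeySpec(hmacKeyBytes, "HmacSHA256");
    }
    /** The three columns from the article: phone_cipher, phone_mask, phone_hash. */
    public static final class Row {
        public final String cipher, mask, hash;
        Row(String c, String m, String h) { cipher = c; mask = m; hash = h; }
    }
    public Row protect(String phone) throws Exception {
        return new Row(encrypt(phone), mask(phone), hmacHex(phone));
    }
    /** Reversible column: AES-GCM, random IV prepended to ciphertext+tag, base64 for the DB. */
    String encrypt(String plain) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    /** "View plaintext" button: check permission, decrypt, record who looked (never the plaintext). */
    public String reveal(String cipherB64, String operator, boolean mayViewPlaintext) throws Exception {
        if (!mayViewPlaintext) throw new SecurityException(operator + " may not view plaintext");
        byte[] all = Base64.getDecoder().decode(cipherB64);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, aesKey, new GCMParameterSpec(TAG_BITS, Arrays.copyOf(all, IV_BYTES)));
        String plain = new String(c.doFinal(all, IV_BYTES, all.length - IV_BYTES), StandardCharsets.UTF_8);
        viewLog.add(operator + " viewed " + mask(plain));
        return plain;
    }
    public List<String> viewLog() { return viewLog; }
    /** Mask column: same rule as the log and page desensitization. */
    public static String mask(String phone) {
        return phone.substring(0, 3) + "****" + phone.substring(phone.length() - 4);
    }
    /** Hash column for exact-match lookup: keyed, so it cannot be precomputed without the key. */
    public String hmacHex(String phone) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(hmacKey);
        return hex(mac.doFinal(phone.getBytes(StandardCharsets.UTF_8)));
    }
    /** Unkeyed MD5, the variant the article asks about. */
    public static String md5Hex(String s) throws Exception {
        return hex(MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8)));
    }
    /** Attacker holding a dump: the mask leaks 7 of 11 digits, leaving 10^4 guesses per row. */
    public static String crackMd5(String mask, String targetHash) throws Exception {
        String head = mask.substring(0, 3), tail = mask.substring(mask.length() - 4);
        for (int i = 0; i < 10_000; i++) {
            String guess = head + String.format("%04d", i) + tail;
            if (md5Hex(guess).equals(targetHash)) return guess;
        }
        return null;
    }
    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
    public static void main(String[] args) throws Exception {
        byte[] k1 = new byte[16], k2 = new byte[32];   // demo keys, generated here only for the example
        new SecureRandom().nextBytes(k1);
        new SecureRandom().nextBytes(k2);
        PhoneProtector p = new PhoneProtector(k1, k2);
        Row row = p.protect("13066668888");           // constructed sample value from the article
        System.out.println("phone_cipher=" + row.cipher + " phone_mask=" + row.mask + " phone_hash=" + row.hash);
        // Exact query: HMAC the search term and compare with phone_hash, no decryption needed
        System.out.println("lookup hit: " + row.hash.equals(p.hmacHex("13066668888")));
        // An authorised operator views the plaintext; the access is recorded
        System.out.println("revealed: " + p.reveal(row.cipher, "ops-user", true) + " log=" + p.viewLog());
        // The article's question: mask + unkeyed MD5 in the same row, versus mask + keyed hash
        System.out.println("from mask+md5:  " + crackMd5(row.mask, md5Hex("13066668888")));
        System.out.println("from mask+hmac: " + crackMd5(row.mask, row.hash));
    }
}
```

Running main() prints the three columns, a lookup hit, the audited reveal, then recovers 13066668888 from the mask and MD5 pair after at most 10,000 hash calls, and null for the HMAC column. Two caveats. First, the keyed hash is deterministic on purpose (equal phones give equal hashes, which is what exact query needs), so anyone holding the key, including the crypto service itself, can run the same search; the key is what must be kept out of developers' hands. Second, even without a mask in the same row, 11-digit numbers with known carrier prefixes are a small enough space that an unsalted MD5 or SHA of a phone number should be treated as recoverable.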

Functional design of the page

If you are new to handling sensitive information, the product side may well ask for it to be displayed or exported in plaintext.

If you are in the security department, or the project manager, make sure the plaintext requirements get cut.

Product manager: “You can cut me, but you can't cut the requirement.”

Security department: Data must be kept secure.

Project manager: “We add a ‘view plaintext’ button with permission control and a record of every view. The business is not affected and the data stays secure.”

Front and back end development:……

Architecture level

Of course, the above is just Xiao Ming's daily life as a developer.

What about at company level?

If you are the technical architect of an e-commerce or financial company, how do you protect the security and privacy of users' information?

Crypto service

Once a company reaches a certain scale, its applications are usually no longer monolithic; microservice architecture is now dominant.

Every financial company has a crypto machine service (a cryptographic service backed by a hardware security module) that solves exactly the business problems Xiao Ming ran into above.

For each type of sensitive data it provides the corresponding desensitization, reversible encryption and hash services.

Why is it needed

Can't we just write this as a utility class and drop it into the code? Why have a crypto service at all?

First, the more common reasons:

(1) Better efficiency

With a unified encryption service and a matching SDK, iteration cycles get shorter.

Developers' skill levels vary; a shared service saves them from studying the subject and writing their own implementation.

Testers' skill levels vary just as much, and it saves test validation time too.

That is the biggest attraction of a shared service.

(2) The beauty of architecture

Without a unified encryption service, each team rolls its own and the systems diverge widely.

The data ends up in inconsistent formats, and when data needs consolidating or the encryption scheme needs upgrading, the cost is very high.

(3) The thief inside the house is hard to guard against

Companies today keep a constant guard on their own R&D staff.

In a properly run company that follows process strictly, “deleting the database and running away” is not possible.

Code changes require functional testing, code coverage and code review, so that R&D cannot slip business-irrelevant code into the system.

Script execution must be initiated by the business side, reviewed by the project manager and executed by the DBA, to prevent malicious operations.

Production release changes need a release plan plus review, again to prevent malicious operations.

The ELK platform is the mainstream place to view logs, and the R&D team has no permission to log in to production machines.

R&D has no access to production functions either.

This combination of measures means that R&D, as pure “tool people”, can only do the work, while being guarded against like thieves.

Even so, it is not impossible for a former developer who fully knows the system's keys, algorithms and weak points to get at users' private information.

What about the crypto machine, then?

The crypto machine is a company-level piece of architecture: technically mature, with guaranteed security and relative stability.

The developer, as a mere caller, never holds the keys (and need not know the algorithm), so the attack above is not possible.

This is not something technology should be sad about.

Summary

Every company has an obligation to protect users' privacy, but unfortunately, in reality, many users' privacy is still not protected.

At the national level, the corresponding laws and compliance requirements need to be enforced.

At the company level, it takes a joint effort from architecture, security, production and R&D.

As users, we also need to be aware of protecting our own information.

I hope this article helps you. If you like it, please like, bookmark and share.

I am Lao Ma; looking forward to seeing you next time.