TWI677806B - User data encryption device and method for blocking man-in-the-middle attack - Google Patents
- Publication number
- TWI677806B (TW106128912A)
- Authority
- TW
- Taiwan
- Prior art keywords
- key
- data
- identity code
- processing unit
- client
Landscapes
- Storage Device Security (AREA)
- Information Transfer Between Computers (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a user data encryption device for blocking man-in-the-middle attacks, comprising a key repository, an identity code database, a transmission end and a processing unit. The key repository provides public keys and private keys. The identity code database stores a unique identity code. The transmission end receives an access request from a client. The processing unit generates the unique identity code, obtains one of the public keys from the key repository according to the access request, obtains a web page from a server and binds an encryption program and the public key to the web page, decrypts data from the client that the encryption program encrypted under the public key, and verifies whether at least one of the data, the public key and the unique identity code is valid in order to decide whether the data is forwarded to the server. The invention further provides a user data encryption method for blocking man-in-the-middle attacks.
Description
The invention relates to the technical field of information security, and in particular to a user data encryption device and method capable of blocking man-in-the-middle attacks.
Traditionally, data on the Internet falls into public-domain data and private-domain data. Private-domain data that is not protected (which may be called sensitive data) is, like public-domain data, directly readable as its true content. Therefore, for private-domain data (hereinafter sensitive data), most websites choose to send sensitive data such as account names and passwords over Secure Sockets Layer (SSL) or Transport Layer Security (TLS). These security protocols prevent the sensitive data from being stolen or tampered with while the client sends it to the web server through a browser.
However, when the certificate authority that SSL or TLS relies on is compromised so that the authenticity of a certificate can no longer be judged, when a phishing site intercepts the data the client transmits, or when data is replayed or forged, these behaviours go far beyond what SSL or TLS protect against, and the encrypted sensitive data remains at risk. Several cases are given below:
Case 1: If the data is plain text protected only by SSL, then once SSL is broken, or once the SSL session is terminated at a proxy or reverse proxy, the sensitive data reverts to unprotected plain text, and a man-in-the-middle (MITM, the attacker) can log in to the website directly with the client's sensitive data.
Case 2: The data is processed with a Secure Hash Algorithm (SHA), the MD5 message digest algorithm or another algorithm, and the result is used to verify, for example, the user account or password. In this case, however, the man-in-the-middle need not recover the real account name and password; it is enough to resend the account name or password as already processed by that computation, and verification may well succeed.
Case 3: The data is encrypted with a symmetric-key algorithm such as the Data Encryption Standard (DES) or the Triple Data Encryption Algorithm (TDEA). Since the client downloads the web page content, including JavaScript and HTML, from the web server, the associated key and encryption program are downloaded from the web server along with it. A man-in-the-middle can therefore easily capture the web page packets, extract the key and the encryption program, and use the same key to decrypt the encrypted sensitive data, so that Case 3 degrades into Case 1.
Case 4: The data is encrypted with an asymmetric-key algorithm such as RSA, elliptic curves or Diffie-Hellman key exchange, and the public key and encryption code are downloaded from the web server. The public key can only encrypt the input data; it cannot decrypt it, and decryption requires the private key stored on the web server. Compared with Cases 1 to 3 this offers a safer way to protect user data: even if the transmitted data is intercepted, the man-in-the-middle cannot recover the password or the sensitive data. In practice, however, most websites that encrypt data with asymmetric keys do not change the encrypting public key dynamically for different page requests, so a man-in-the-middle can replay the login process without decrypting the sensitive data, because the encrypted data is always the same under the same key. The man-in-the-middle therefore need not know the real password; it only has to send the captured encrypted data to the server, which decrypts it successfully, and the authentication and authorisation process passes.
In view of this, the present invention proposes a user data encryption device and method for blocking man-in-the-middle attacks, which overcome the shortcomings of the prior art.
A first object of the present invention is to provide a user data encryption method for blocking man-in-the-middle attacks in which, while a client supplies a uniform resource locator (URL) to a browser to obtain a web page from a server, the data the client submits is protected by a dynamically generated unique identity code and public key, where the unique identity code cannot be forged, modified or altered.
A second object of the present invention is to provide the aforementioned user data encryption method for blocking man-in-the-middle attacks in a form that can be built as an external hardware encryption and decryption device (for example a reverse proxy) or embedded as an encryption and decryption method in the document language code of the web server (HyperText Markup Language (HTML), JavaScript).
A third object of the present invention is to provide the aforementioned user data encryption method for blocking man-in-the-middle attacks, which encrypts with a public key and, subject to the unique identity code being correct, further decrypts with the private key to obtain the data the client submitted.
A fourth object of the present invention is to provide the aforementioned user data encryption method for blocking man-in-the-middle attacks, which can select specific or pre-selected sensitive data (for example account name and password) within the submitted data for encryption.
A fifth object of the present invention is to provide the aforementioned user data encryption method for blocking man-in-the-middle attacks, which within a specific time window uses a one-time unique identity code to obtain the corresponding private key, so that the sensitive data can be opened at the web server.
A sixth object of the present invention is to provide the aforementioned user data encryption method for blocking man-in-the-middle attacks, in which the unique identity code provided may contain a timestamp of the server time (for example at nanosecond resolution), a key pair index value, a key lifetime (for example in seconds), a checksum mechanism and so on, where the key lifetime prevents damage from repeated submission of data or replay within a short time.
A seventh object of the present invention is to provide the aforementioned user data encryption method for blocking man-in-the-middle attacks, in which a unique identity code that has exceeded its key lifetime is removed from the identity code database.
An eighth object of the present invention is to provide a user data encryption device for blocking man-in-the-middle attacks, which is used to block man-in-the-middle attacks against the client.
To achieve the above and other objects, the present invention provides a user data encryption device for blocking man-in-the-middle attacks, comprising a key repository, an identity code database, a transmission end and a processing unit. The key repository provides a plurality of public keys and a plurality of private keys, where the public keys are randomly generated and each public key is related to a private key. The identity code database contains a storage space for storing a unique identity code. The transmission end is connected to the key repository and the identity code database and receives an access request from a client. The processing unit is connected to the transmission end. The processing unit generates the unique identity code, obtains one of the public keys from the key repository according to the access request, obtains a web page from a server and binds an encryption program and the public key to the web page, decrypts data from the client that the encryption program encrypted under the public key, and verifies whether at least one of the data, the public key and the unique identity code is valid in order to decide whether the data is forwarded to the server. The unique identity code contains fields for a server time, a key lifetime and a key pair index value.
To achieve the above and other objects, the present invention further provides a user data encryption method for blocking man-in-the-middle attacks, in which a client supplies a uniform resource locator (URL) to a browser to obtain a web page from a server. The method comprises: (a) the browser issues an access request according to the URL; (b) the server receives the access request that requires decryption, obtains a public key from a key repository and, according to the access request, outputs the document language code corresponding to the web page; (c) an encryption program and the public key are added to or embedded in the document language code, and a unique identity code (Unique ID) is generated and stored in an identity code database (Unique ID repository), the unique identity code containing at least fields for a server time, a key pair index value and a key lifetime; (d) the browser displays the document language code at the client so that the client can enter data; (e) the encryption program encrypts at least part of the client's data under the public key; (f) the validity of at least one of the data and the unique identity code is checked: if they are valid, step (g) is performed, and if they are invalid, step (i) is performed; (g) the private key corresponding to the public key is retrieved and used to decrypt the encrypted data; (h) the decrypted data is sent to the server so that the web page can be returned to the browser; and (i) the access request is terminated.
Compared with the prior art, the user data encryption device and method for blocking man-in-the-middle attacks of the present invention can be applied to protect sensitive data (for example accounts and passwords) from being intercepted and resubmitted. The invention ensures that, while the client exchanges data with the web server through a browser or application (app), the data cannot be forged or reused by hardware or software. Even if a man-in-the-middle captures the data, the server time and key lifetime carried in the unique identity code ensure that the one-time data cannot be used again.
10, 10'‧‧‧user data encryption device for blocking man-in-the-middle attacks
2‧‧‧client
4‧‧‧browser
6‧‧‧web server
8‧‧‧web page
12‧‧‧key repository
122‧‧‧public key
124‧‧‧private key
14‧‧‧identity code database
142‧‧‧storage space
16‧‧‧transmission end
18‧‧‧processing unit
VR‧‧‧access request
UID‧‧‧unique identity code
EP‧‧‧encryption program
DA‧‧‧data
S501-S509‧‧‧method steps
FIG. 1 is a block diagram of a user data encryption device for blocking man-in-the-middle attacks according to a first embodiment of the present invention.
FIG. 2 is a schematic diagram of the format of the unique identity code of FIG. 1.
FIG. 3 is a timing diagram of the operation of one embodiment of FIG. 1.
FIG. 4 is a timing diagram of the operation of another embodiment of FIG. 1.
FIG. 5 is a flowchart of a user data encryption method for blocking man-in-the-middle attacks according to a second embodiment of the present invention.
To give a full understanding of the objects, features and effects of the present invention, it is described in detail below by way of specific embodiments together with the accompanying drawings. In the present invention, "a" or "an" is used to describe the units, elements and components described herein. This is merely for convenience of description and gives a general sense of the scope of the invention; unless it is clearly meant otherwise, such a description should be understood to include one or at least one, and the singular also includes the plural.
In the present invention, the terms "comprise", "include", "have", "contain" or any similar terms are intended to cover a non-exclusive inclusion. For example, an element, structure, article or device containing a plurality of elements is not limited to the elements listed herein, but may include other elements not expressly listed that are inherent to such an element, structure, article or device. In addition, unless expressly stated to the contrary, the term "or" refers to an inclusive "or" rather than an exclusive "or".
Please refer to FIG. 1, a block diagram of the user data encryption device for blocking man-in-the-middle attacks according to the first embodiment of the present invention. In FIG. 1, the user data encryption device 10 comprises a key repository 12, an identity code database 14, a transmission end 16 and a processing unit 18. For ease of explanation, the related components are also shown, namely a client 2, a browser 4, a web server 6 and a web page 8; these components may communicate over a carrier that complies with Internet standards (for example copper wire or optical fibre). The client 2 refers to the user; the browser 4 is opened by the user 2 on, for example, a computer, tablet or mobile phone and is used to display document language code such as HTML or JavaScript, for example IE, Chrome, Safari, Firefox, Opera or an application (app); the web server 6 is the host that runs the web page 8.
The key repository 12 provides a plurality of public keys 122 and a plurality of private keys 124; the key repository 12 may be a memory, a server, a hard disk, a floppy disk, an optical disc or the like. The public keys 122 are randomly generated and are related to the private keys 124. In general, each public key 122 corresponds to one private key 124, the two forming a key pair.
The identity code database 14 has a storage space 142; the identity code database 14 may likewise be a memory, a server, a hard disk, a floppy disk, an optical disc or the like. The storage space 142 can store a unique identity code UID. Reference is also made to FIG. 2, which describes the field format of the unique identity code UID.
In FIG. 2, the unique identity code UID is illustrated with four fields: server time, key pair (KeyPair) index value, key lifetime (timeout) and checksum. They are defined as follows:
Server time: the time at which the client, browser or reverse proxy accesses the web server 6, which may be at nanosecond resolution.
Key pair index value: the index of the public key 122 or private key 124 in the key repository 12.
Key lifetime: the lifetime (or validity period) of the unique identity code UID. For example, when the unique identity code UID is returned to the web server 6, if the time of return is greater than or equal to the server time plus the key lifetime, the entire UID is regarded as invalid; conversely, if the time of return is less than the server time plus the key lifetime, the entire UID is regarded as valid.
Checksum: used to verify that the entire unique identity code UID has not been altered or modified; for example, the check may pass the data through a hash function to produce a hash value, which may consist of random letters and digits.
Therefore, the server time, key pair index value and key lifetime, further combined with the hash value, ensure that the unique identity code UID is distinctive, unique and non-repeatable.
The transmission end 16 is connected to the key repository 12 and the identity code database 14; for example, the transmission end 16 is a unidirectional or bidirectional port complying with a wired or wireless communication standard. The transmission end 16 can receive an access request VR from a client 2.
The processing unit 18 is connected to the transmission end 16 and provides several functions, listed as follows:
(1) The processing unit 18 generates the unique identity code UID; for example, the processing unit 18 runs an algorithm that builds the aforementioned UID according to the requirements of each field.
(2) The processing unit 18 obtains one of the public keys 122 from the key repository 12 according to the access request VR. In another embodiment, the processing unit 18 may first determine whether the access request VR is encrypted and, if so, decode it beforehand.
(3) The processing unit 18 obtains the web page 8 from the web server 6 and binds an encryption program EP and a public key 122 to the web page 8. In one embodiment, the encryption program EP may be preset to encrypt at least part of the data DA of the client 2, that part being sensitive data of the client 2. The benefit is that encrypting selected fields only speeds up the computation, and the encrypted fields are usually data the client 2 actively provides or data already stored in a cookie.
(4) The processing unit 18 decrypts the data DA (for example account name and password) from the client 2 that the encryption program EP encrypted under the public key 122. After encryption the account name and password are no longer in the clear but have been transformed by the encryption, that is, the encrypted account name and password differ from the data DA originally entered.
(5) The processing unit 18 verifies whether the data DA and the unique identity code UID are valid, in order to decide whether the data DA is forwarded to the web server 6.
(6) The processing unit 18 executes a secure hash algorithm over at least one of the document language code and the unique identity code, to form the encrypted document language code and unique identity code.
FIG. 3 is a timing diagram of the operation of one embodiment of FIG. 1; time increases from top left to bottom right. FIG. 3 shows the client 2, the browser 4, the web server 6, the web page 8 and the user data encryption device 10 for blocking man-in-the-middle attacks, which further comprises the key repository 12, the identity code database 14, the transmission end 16 and the processing unit 18.
The client 2 runs the browser 4 on a computer (not shown) and types into the browser 4 a uniform resource locator (URL, or web address), for example that of a financial institution's online banking site. The browser 4 issues an access request VR to the web server 6 according to the URL; in this embodiment the access request VR is first received by the processing unit 18.
The processing unit 18 may first determine whether the access request VR is encrypted and, if so, decrypt it. The processing unit 18 then performs two tasks: one is to connect, according to the access request VR, to the web server 6 that the request addresses; the other is to randomly obtain one public key 122 from the key repository 12 according to the access request VR, for example by generating an index value with a random function and fetching the public key 122 stored at that index in the key repository 12. The processing unit 18 thereby obtains the public key 122 corresponding to the index value.
The processing unit 18 waits to obtain the document language code of the web page 8 from the web server 6. After receiving the document language code, the processing unit 18 adds the encryption program EP and the public key 122 to it. The processing unit 18 further generates a unique identity code UID according to the document language code, the encryption program EP and the public key 122, and the document language code, the encryption program EP, the public key 122 and the unique identity code UID are all transmitted to the browser 4. Notably, the encryption program EP is preset to encrypt the account name and password of the client 2. The unique identity code UID is stored in the identity code database 14.
Through the browser 4 the client 2 sees the web page 8 of the financial institution's online banking site; for example, the web page 8 displays a dialog box in which the client 2 can enter the account name, password, verification code, identity number and so on required to log in. Besides this content, the web page 8 also contains the encryption program EP, the public key 122 and the unique identity code UID.
The client 2 enters the data DA, such as the corresponding account name and password, in the browser 4. The browser 4 then runs the encryption program EP on the data DA of the client 2, the encryption program EP computing on the basis of the public key 122. Furthermore, since the encryption program EP has been preset to encrypt only the account name and password, the account name and password entered by the client 2 are both sent in encrypted form rather than in the clear, and so differ from what the client 2 typed.
The encrypted data DA, the public key and the unique identity code UID are then transmitted from the browser 4 to the processing unit 18. The processing unit 18 first confirms whether the unique identity code UID exists in the identity code database 14. If the identity code database 14 contains no matching UID, transmission of the data DA to the web server 6 is terminated; if the identity code database 14 does contain the same UID, the processing unit 18 may further determine whether the client 2 has previously sent this same UID.
If the UID has not been sent before, it is being sent for the first time. The processing unit 18 further determines whether the time at which the web server 6 received the UID is less than the sum of the server time and the key lifetime. If it is, the UID is regarded as valid and the login can be taken as made by the client 2 in person; if instead the time of the UID is greater than the sum of the server time and the key lifetime, the UID is regarded as invalid, since it may have been intercepted by a man-in-the-middle and submitted again to log in. Alternatively, if the processing unit 18 determines that the UID has already been sent, this UID is very likely a replay by a man-in-the-middle and is regarded as invalid. In this embodiment, if the UID is invalid, an error page is displayed in the browser 4.
If the UID is valid, the processing unit 18 parses the public key 122 and obtains the private key 124 from the key repository 12 according to the public key 122; the processing unit 18 then decrypts the data DA with the private key 124 and transmits the data DA to the web server 6, at which point the account name and password have been decrypted into the clear text the client 2 entered. The web server 6 retrieves the corresponding account data according to the clear account name and password. Finally, the account data is output to the browser 4 in the form of document language code.
FIG. 4 is a timing diagram illustrating the operation of another embodiment of FIG. 1. FIG. 4 shows the client 2, the browser 4, the web server 6, the web page 8 and the user data encryption device 10' for blocking man-in-the-middle attacks. The user data encryption device 10' for blocking man-in-the-middle attacks further includes the key store 12, the identity code database 14, the transmission end 16 and the processing unit 18. Compared with FIG. 3, the transmission end 16 and the processing unit 18 of FIG. 4 are disposed in the web server 6.
The client 2 runs the browser 4 on a computer (not shown) and enters in the browser 4 a uniform resource locator (URL), for example that of a financial institution's online banking site. The browser 4 issues an access request VR to the web server 6 according to the URL.
After the web server 6 receives the access request VR, the web server 6 obtains the public key 122 from the key store 12. The web server 6 generates a unique identity code UID according to the document language code, the encryption program EP and the public key 122, and the document language code, the encryption program EP, the public key 122 and the unique identity code UID are all transmitted to the browser 4. Notably, the encryption program EP is preconfigured to encrypt the account name and password of the client 2. The unique identity code UID is stored in the identity code database 14. The encryption program EP and the public key 122 may be embedded in the document language code.
The client 2 can view the web page 8 of the financial institution's online banking site through the browser 4; for example, the web page 8 displays a dialog box in which the client 2 can enter the account name, password, verification code, identity number and so on required to log in. In addition to the content described above, the web page 8 further includes the encryption program EP, the public key 122, the unique identity code UID and so on.
The encrypted data DA, the public key, the unique identity code UID and so on are transmitted from the browser 4 to the web server 6. The web server 6 first confirms whether the unique identity code UID exists in the identity code database 14. If the identity code database 14 does not contain the same unique identity code UID, the transmission of the data DA to the web server 6 is terminated; conversely, if the identity code database 14 does contain the same unique identity code UID, the processing unit 18 may further determine whether the client 2 has previously sent the same unique identity code UID.
If the unique identity code UID has not been sent before, the unique identity code UID is being sent for the first time. The web server 6 further determines whether the time at which it received the unique identity code UID is less than the sum of the server time and the key lifetime. If that time is less than the sum, the unique identity code UID is regarded as valid and the submission can be treated as the client 2 logging in in person; conversely, if the time of the unique identity code UID is greater than the sum of the server time and the key lifetime, the unique identity code UID is regarded as invalid, since it may have been intercepted by a man-in-the-middle, and the client must log in again. Alternatively, if the web server 6 determines that the unique identity code UID has already been sent, this unique identity code UID is very likely a replay by a man-in-the-middle, and the unique identity code UID is regarded as invalid. In this embodiment, if the unique identity code UID is invalid, an error page is displayed in the browser 4.
If the unique identity code UID is valid, the web server 6 parses the public key 122 and obtains the private key 124 corresponding to the public key 122 from the key store 12. The processing unit 18 further decrypts the data DA with the private key 124 and transmits the data DA to the web server 6; at this point the account name and password are decrypted into the plaintext entered by the client 2. The web server 6 retrieves the corresponding account data according to the plaintext account name and password. Finally, the account data is output in the browser 4 in the form of document language code.
FIG. 5 is a flowchart of a user data encryption method for blocking man-in-the-middle attacks according to a second embodiment of the present invention. In FIG. 5, the user data encryption method for blocking man-in-the-middle attacks obtains a web page of a server in a browser according to a uniform resource locator (URL) provided by a client.
The user data encryption method for blocking man-in-the-middle attacks starts at step S501: the browser issues an access request according to the uniform resource locator. In another embodiment, this step may further include a reverse proxy server receiving the access request and the reverse proxy server forwarding the access request to the server.
Step S502: the server receives the access request that is to be decrypted, obtains the public key from the key store, and, according to the access request, outputs a document language code corresponding to the web page.
Step S503: an encryption program and the public key are added to or embedded in the document language code, and a unique identity code is generated and stored in an identity code database. The unique identity code contains at least a server time field and a key lifetime field. In another embodiment, the encryption program may be assigned in advance to run on a particular field of the document language code, the encryption program selecting fields related to the client or fields specified by the client.
In yet another embodiment, a secure hash algorithm may be applied to at least one of the document language code and the unique identity code, so as to encrypt the document language code and the unique identity code.
Step S504: the browser displays the document language code to the client so that the client can enter data.
Step S505: the encryption program encrypts at least part of the client's data with the public key.
Step S506: the validity of at least one of the data and the unique identity code is checked. If the data and the unique identity code are valid, step S507 is executed; if the data and the unique identity code are invalid, step S509 is executed. For example, the check confirms that the unique identity code exists in the identity code database and that the unique identity code is used only once and within the key lifetime, or determines whether the data has been transmitted repeatedly.
Step S507: the private key corresponding to the public key is retrieved, and the encrypted data is decrypted with the private key.
Step S508: the decrypted data is transmitted to the server so that the web page is returned to the browser.
Step S509: the access request is terminated.
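The checks on the unique identity code described for FIG. 3, FIG. 4 and step S506 (presence in the identity code database, single use, and receipt before server time plus key lifetime), as an added Python example that is not the patent's own code. The key lifetime value, the token format and treating a receipt time exactly equal to the sum as expired are assumptions; decryption of the data DA with the private key is outside this example.

```python
import secrets

# Added example, not the patent's own code: the server-side UID checks of
# step S506. Each UID record carries the two fields the page names (server
# time, key lifetime) plus a random token, which is the value embedded in
# the web page. Assumed: the lifetime value, the token format, and that a
# receipt time equal to server time + lifetime already counts as expired.

KEY_LIFETIME_SECONDS = 300  # assumed value; the page gives none


class IdentityCodeDatabase:
    """Models identity code database 14: issued UIDs and their usage state."""

    def __init__(self):
        # token -> record with server_time, ttl (key lifetime) and used flag
        self._records = {}

    def issue(self, server_time, ttl=KEY_LIFETIME_SECONDS):
        """Step S503: generate a UID when the page is built and store it."""
        token = secrets.token_hex(16)
        self._records[token] = {"server_time": server_time, "ttl": ttl, "used": False}
        return token

    def validate(self, token, received_at):
        """Step S506 checks. Returns (ok, reason); a valid UID is consumed."""
        rec = self._records.get(token)
        if rec is None:
            # Not in the identity code database: stop forwarding DA (step S509)
            return False, "unknown UID"
        if rec["used"]:
            # Same UID seen before: treated as a man-in-the-middle replay
            return False, "UID already used"
        if received_at >= rec["server_time"] + rec["ttl"]:
            # Received outside server time + key lifetime: possibly intercepted
            return False, "UID expired"
        rec["used"] = True  # single use: a later copy of this UID is rejected
        return True, "ok"
```

Only after `validate` returns `(True, "ok")` would the server proceed to step S507 and decrypt DA with the private key.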
The present invention has been disclosed above by way of a preferred embodiment; however, those skilled in the art should understand that this embodiment serves only to describe the present invention and should not be construed as limiting its scope. It should be noted that all changes and substitutions equivalent to this embodiment shall be deemed to fall within the scope of the present invention. Therefore, the scope of protection of the present invention shall be defined by the claims.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW106128912A TWI677806B (en) | 2017-08-25 | 2017-08-25 | User data encryption device and method for blocking man-in-the-middle attack |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW201913445A TW201913445A (en) | 2019-04-01 |
| TWI677806B true TWI677806B (en) | 2019-11-21 |
Family
ID=66991657
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111464532A (en) * | 2020-03-31 | 2020-07-28 | 广东培正学院 | Information encryption method and system |
| TWI891083B (en) * | 2023-10-06 | 2025-07-21 | 長茂科技股份有限公司 | Cybersecurity proxy authentication system and method |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20110067095A1 (en) * | 2009-09-14 | 2011-03-17 | Interdigital Patent Holdings, Inc. | Method and apparatus for trusted authentication and logon |
| TWM418352U (en) * | 2011-07-11 | 2011-12-11 | zheng-dao Wu | Security mechanism system for network transaction |
| CN103621008A (en) * | 2012-06-29 | 2014-03-05 | 华为技术有限公司 | Identity authentication method and device |
| CN103621008B (en) | 2012-06-29 | 2016-11-30 | 华为技术有限公司 | Identity authentication method and device |
| CN106576041A (en) * | 2014-06-27 | 2017-04-19 | 林建华 | Method of mutual verification between a client and a server |