Proxy Mode

Introduction

In Proxy Mode, users communicate with a target server through a browser plugin and a proxy server.

The Proxy Server establishes a "tunnel" between the browser plugin and the target server. Users communicate data through this tunnel, and the Proxy Server logs all data packets sent and received via the tunnel.

Since the Proxy Server does not possess the encryption key, it cannot decrypt the communication data.

After the TLS handshake is completed, the user can begin sending data to the target server. At this point, the createRequest method of the provider is called to generate the data and its associated redaction policy.

Before transmission, the data is validated against the same rules the server applies, so that claim creation will succeed.

To redact sensitive data, the user must send it in one of the following ways:

  • TLS Key Update Method (default, high efficiency, supports only TLS 1.3, and applies only to data sent from the user to the server):

    • The user sends data in segments, each encrypted with a different TLS session key. The Proxy Server obtains only some of these keys and can therefore decrypt only part of the data.

  • Zero-Knowledge Proof (ZKP) Method (redaction, see ZKP):

    • Using zero-knowledge proofs, the user can prove to the verifier that a specific encrypted block can be decrypted into a particular plaintext without revealing the key used for encryption.
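
The TLS Key Update method above, sketched as an added example (not the project's own code): it simulates the TLS 1.3 record layer for TLS_AES_128_GCM_SHA256 with one record per segment and a key update between segments. The function names, the starting traffic secret and the sample request are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// HKDF-Expand (RFC 5869, SHA-256); every output here is <= 32 bytes, so one HMAC block.
const hkdfExpand = (prk, info, n) =>
  crypto.createHmac('sha256', prk).update(Buffer.concat([info, Buffer.from([1])])).digest().subarray(0, n);
// HKDF-Expand-Label (RFC 8446, section 7.1) with an empty context.
function expandLabel(secret, label, n) {
  const l = Buffer.from('tls13 ' + label, 'ascii');
  const info = Buffer.concat([Buffer.from([n >> 8, n & 0xff, l.length]), l, Buffer.from([0])]);
  return hkdfExpand(secret, info, n);
}
// KeyUpdate derives the next traffic secret from the current one, so the secret itself
// is never disclosed; only a generation's record key and IV are.
const nextSecret = (s) => expandLabel(s, 'traffic upd', 32);
const recordKeys = (s) => ({ key: expandLabel(s, 'key', 16), iv: expandLabel(s, 'iv', 12) });
// AES-128-GCM record protection; each segment is record 0 of its generation (nonce = iv).
function sealRecord({ key, iv }, text) {
  const inner = Buffer.concat([Buffer.from(text), Buffer.from([0x17])]); // data + content type
  const len = inner.length + 16;
  const header = Buffer.from([0x17, 0x03, 0x03, len >> 8, len & 0xff]);
  const c = crypto.createCipheriv('aes-128-gcm', key, iv).setAAD(header);
  return Buffer.concat([header, c.update(inner), c.final(), c.getAuthTag()]);
}
function openRecord({ key, iv }, rec) {
  const d = crypto.createDecipheriv('aes-128-gcm', key, iv)
    .setAAD(rec.subarray(0, 5)).setAuthTag(rec.subarray(rec.length - 16));
  const inner = Buffer.concat([d.update(rec.subarray(5, rec.length - 16)), d.final()]);
  return inner.subarray(0, inner.length - 1).toString(); // drop content-type byte
}
// Client: one key generation per segment; reveal keys only for non-sensitive segments.
function sendRedacted(segments, secret0) {
  const transcript = [], revealed = {};
  let secret = secret0;
  segments.forEach(([data, sensitive], i) => {
    const keys = recordKeys(secret);
    transcript.push(sealRecord(keys, data));
    if (!sensitive) revealed[i] = keys;
    secret = nextSecret(secret); // a KeyUpdate message would be sent here
  });
  return { transcript, revealed };
}
// Proxy side: decrypt the records it holds keys for, mark the rest as redacted.
const readTranscript = (recs, revealed) =>
  recs.map((r, i) => (revealed[i] ? openRecord(revealed[i], r) : '[REDACTED]'));

// Constructed sample: the cookie value travels in its own segment; the secret is a stand-in.
const SAMPLE = [['GET /me HTTP/1.1\r\nCookie: ', false], ['sid=constructed-value', true], ['\r\n\r\n', false]];
const run = sendRedacted(SAMPLE, Buffer.alloc(32, 7));
console.log(readTranscript(run.transcript, run.revealed));
```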


Detailed Process Flowchart

  1. Initialize Connection

    • Description: The process begins with initializing the connection, configuring necessary communication parameters to prepare for establishing a secure communication channel.

    • Output: Proceeds to the tunnel establishment stage.

  2. Establish Tunnel

    • Description: Based on the initialized connection, a secure communication tunnel is established to ensure the security of data transmission.

    • Output: Proceeds to the TLS handshake stage.

  3. TLS Handshake

    • Description: The TLS protocol is used to complete the handshake process, establishing an encrypted communication channel to ensure the confidentiality and integrity of subsequent data transmission.

    • Output: Proceeds to the data transmission and redaction stage.

  4. Data Transmission and Redaction Stage

    • This stage includes the following sub-steps:

      • 4.1 Segmented Data Encryption:

        • Data is segmented and encrypted to protect its security during transmission.

      • 4.2 Hide Sensitive Information:

        • Sensitive information is redacted or hidden to prevent unauthorized access and protect privacy.

      • 4.3 Use TLS Key Update or ZKP:

        • TLS key update mechanisms or zero-knowledge proof techniques are used to further enhance the security and privacy of data transmission.

    • Output: Encrypted and redacted data, proceeding to the transmission record preparation stage.

  5. Prepare Transmission Record

    • Description: A transmission record is generated, containing necessary metadata and encrypted information for subsequent verification.

    • Output: Transmission record, proceeding to the claim request submission stage.

  6. Submit Claim Request

    • Description: The transmission record and related claim request are submitted to the verifier, triggering the verification process.

    • Output: Proceeds to the verification and signing stage.

  7. Verification and Signing Stage

    • This stage includes the following sub-steps:

      • 7.1 Verify Tunnel Parameters:

        • The communication tunnel parameters are checked to ensure the connection's security and consistency.

      • 7.2 Compare Transmission Record:

        • The submitted transmission record is compared with expected data to confirm data integrity.

      • 7.3 Decrypt Data:

        • Encrypted data is decrypted for further verification.

      • 7.4 Call Service Verification Function:

        • A specific service verification function is called to check the data's validity and legitimacy.

    • Output: Verification result and signature, proceeding to the result return stage.

  8. Return Result

    • Description: The verification result (including the signature) is returned to the requester, completing the process.

    • Output: Process ends, returning the verification result.


UML Sequence Diagram

  1. Initialize Connection

    • Description: The Client sends an initRequest to the Verifier to start the interaction process.

    • Verifier Response: The Verifier returns an initResponse, confirming initialization completion.

    • Output: Proceeds to the TLS tunnel creation stage.

  2. Create TLS Tunnel

    • Description: The Client sends a createTunnelRequest to negotiate the establishment of a TLS tunnel.

    • Verifier Response: The Verifier returns a createTunnelResponse, confirming the tunnel creation parameters.

    • Output: Proceeds to the TLS handshake stage.

  3. TLS Handshake

    • Description: The Client performs a TLS protocol handshake with the TLS Tunnel to establish a secure encrypted communication channel.

    • TLS Tunnel Response: The TLS Tunnel returns a handshake completion confirmation, indicating the channel is ready.

    • Output: Proceeds to the encrypted data transmission stage.

  4. Encrypted Data Transmission

    • Description: The Client sends segmented encrypted data (Encrypted Data (Segmented)) through the TLS Tunnel.

    • TLS Tunnel Response: The TLS Tunnel receives the target server's response and returns it to the Client.

    • Output: Proceeds to the data generation request stage.

  5. Generate Data Request

    • Description: The Client sends a createRequest to the Service Provider to generate data.

    • Service Provider Response: The Service Provider returns the generated data along with a Redaction Policy to guide data processing or privacy protection.

    • Output: Proceeds to the claim request submission stage.

  6. Submit Claim Request

    • Description: The Client sends a claimTunnelRequest to the Verifier, including the transmission record (Transmission Record).

    • Output: Triggers the verification process.

  7. Verification Process

    • 7.1 Verify Tunnel Parameters:

      • The Verifier checks the TLS Tunnel parameters to ensure the connection's security and consistency.

    • 7.2 Decrypt and Compare Data:

      • The Verifier decrypts the received data and compares it with the transmission record to confirm data integrity.

    • 7.3 Call Service Verification:

      • The Verifier calls assertValidProviderReceipt on the Service Provider to validate the data's legitimacy.

      • The Service Provider returns the verification result (Verification Result).

    • Output: Verification result, proceeding to the result return stage.

  8. Return Result

    • Description: The Verifier returns a Signed Claim or an error message to the Client based on the verification result.

    • Output: Process ends.
