Database transparent encryption method and device, electronic device and storage medium

A transparent encryption and database technology, applied in digital data protection, electronic digital data processing, special data processing applications, etc., can solve problems such as difficult to develop databases, and achieve the effect of reducing development difficulty and development costs

Pending Publication Date: 2019-05-21
成都卫士通信息产业股份有限公司
3 Cites 1 Cited by

AI-Extracted Technical Summary

Problems solved by technology

[0005] The purpose of this disclosure is to provide a database transparent encryption method, device, electronic equipment, and computer-readable storage medium, aiming to solve the difficulty in de...
View more

Method used

The purpose of this embodiment is to use keywords of different access types to actively match the strings contained in the SQL command, wherein the various types of keywords used for active matching can also form corresponding keyword sets, each type The combination of keywords will contain the access type strings corresponding to each version of the SQL protocol standard and the user-defined access type characteristics, so as to eliminate the problem that cannot be accurately determined based on the fixed extraction method due to version differences through active matching. character string to improve the accuracy of discrimination.
[0073] There are many ways to realize the ciphertext index technology. At present, it can be divided into two categories, namely, the extended index realized by the unique mechanism of the database itself and the sequence-preserving hash index independent of the database itself. Among them, the extended index is implemented based on th...
View more

Abstract

The invention relates to a database transparent encryption method, an electronic device and a readable storage medium. Pre-compilation of increments compared to the need for pre-compilation, and deleting, modifying and checking all rewriting rules of the four operations in the prior art. According to the database transparent encryption method provided by the invention, only an increase in difficulty needs to be compiled; deleting and changing rewriting rules of the three operations. The query operation with the maximum development difficulty is realized through a pre-created view. The view isthe same as a ciphertext data original table in which ciphertext character fields are stored. Compared with the prior art, the method has the advantages that the fields are the same, each field in theview is obtained by mapping each ciphertext field in the ciphertext data original table through the decryption function, query operation can be achieved very lightly, complex rewriting rules do not need to be compiled, and development difficulty and development cost are reduced as much as possible on the basis that universality is met. The device applying the database transparent encryption method, the electronic device and the readable storage medium also have the same beneficial effects.

Application Domain

Digital data information retrievalDigital data protection +1

Technology Topic

Rewrite ruleComputer hardware +2

Image

  • Database transparent encryption method and device, electronic device and storage medium
  • Database transparent encryption method and device, electronic device and storage medium
  • Database transparent encryption method and device, electronic device and storage medium

Examples

  • Experimental program(4)

Example Embodiment

[0054] Example one
[0055] See figure 1 , figure 1 A flowchart of a method for transparent encryption of a database provided by an embodiment of the present disclosure includes the following steps:
[0056] S101: Write rewriting rules for the three operations of addition, deletion and modification, and place the rewriting rules in the SQL gateway, so as to realize the three operations of adding, deleting and modifying the ciphertext database by the user through the SQL gateway;
[0057] Different from the prior art that requires the compilation of four rewriting rules of addition, deletion, modification, and check, this application only needs to compile three rewritings of addition, deletion, and modification, which are less difficult to develop, shorter in time, and cost-effective. Rules and put them into the SQL gateway at the upper level of the ciphertext database to convert the normal SQL commands sent by the user into three types of operations such as addition, deletion, and modification through the rewrite rules built into the SQL gateway. Rewritten SQL commands recognized and processed by the ciphertext database.
[0058] The reason why it is less difficult to develop rewriting rules for the three types of operations of addition, deletion, and modification is that the database is a carrier for storing massive data. In most cases, it provides front-end users with query operations based on massive data. Especially in some departments, units and enterprises that conduct audits based on existing data, compared to the number of queries based on stored data in the database following various query methods, the number of uses of addition, deletion and modification is very small. And compared to diversified query methods, the format of adding, deleting and modifying is very fixed (addition usually only needs to determine the new data and new location, and delete only needs to determine the target data. Modify only need to confirm The old data and new data are sufficient). Therefore, the development of rewriting rules for these three types of operations is less difficult.
[0059] S102: Create a view with the same name and the same field as the original table of ciphertext data, and map each ciphertext field in the original table of ciphertext data to a corresponding field in the view through a decryption function, so as to realize the user to the ciphertext database through the view The query operation performed.
[0060] The addition, deletion, and modification of the four operation types of add, delete, modify, and check are handled by the rewrite rules placed in the SQL gateway. This application uses views to process the remaining development that is difficult and time-consuming Longer and more expensive query operations. Among them, this view is a virtual data table with the same name and the same field created based on the original ciphertext data table storing ciphertext data. The data storage method is the same as the original ciphertext data table, and has the same data as the original ciphertext data table. Each field, except that each field in the original table of ciphertext data is a ciphertext field storing ciphertext data, and each field in the view is obtained by mapping each ciphertext field through a decryption function.
[0061] In actual use, since the view has the same name as the ciphertext data table storing the actual ciphertext data, the SQL query commands entered by the user will be implemented through this view. First, determine the target view field corresponding to the received SQL query command in the view. , And then use the mapping relationship between the target view field and the corresponding ciphertext field in the original table of ciphertext data to call the decryption function to decrypt the corresponding ciphertext data and return it to the user. The user is unaware of the whole process.
[0062] according to figure 1 The process of the transparent encryption method of the database can be obtained as figure 2 The ciphertext data access method shown, figure 2 From the perspective of the actual operation of the ciphertext database, the use method after transparent data encryption is completed according to the above transparent database encryption method is described, including the following steps:
[0063] S201: Receive the SQL command sent when the user accesses the ciphertext database, and determine the operation type of the SQL command;
[0064] First, receive the SQL command sent by the user to access the ciphertext data, and determine the specific operation type of the SQL command. The purpose of determining the specific operation type is to determine which method to use (the re-rule in the SQL gateway or the view with the same name and the same field as the original table of the ciphertext data) to complete the processing of the SQL command.
[0065] SQL commands specifically include four types of operations: add, delete, modify, and query. Adding means adding ciphertext data to the ciphertext database, and deleting means removing some of the ciphertext data stored in the current ciphertext database, and modifying Indicates that it is necessary to modify or replace part of the data stored in the current ciphertext database (for example, modify or replace from the original A to B), and the query is based on the query requirements from the ciphertext data stored in the current ciphertext database Check the target data.
[0066] There are many ways to determine the operation type of SQL commands, such as keywords that characterize different types of operations, command length, command header information, and some tags and marks that can be used to distinguish different types of operations according to special requirements. Further, The distinguishing characteristics of multiple operation types, such as keywords, command length, command header information, labels, and tags, may differ due to different database types. Which method is used to determine the operation type of SQL commands can be based on The actual situation is flexible to choose the most suitable solution, and there is no specific limitation here.
[0067] Here is an example of how to distinguish the operation type of keywords: Since the above four types of operations have obvious intentions and directivity, the corresponding types of SQL commands usually carry keywords for identifying the types. , Such as INSTER to add, DELETE to delete, UPDATE to modify, and SELETE to query, etc. Under different versions of the SQL protocol standard, different keywords may be used to represent the same type, or based on different commands Generate the format so that the key field or the number of bytes is different, etc. The specific keyword is used to determine the access type of each intercepted SQL command, and the SQL protocol standard used under actual conditions and possible special requirements can be used. There is no specific limitation here.
[0068] S202: When the operation type of the SQL command is specifically any of the three operations of adding, deleting, and modifying, rewrite the SQL command using the rewriting rule to obtain the rewritten SQL command, so that the ciphertext database is based on the rewritten SQL Command to call the corresponding encryption or decryption function to complete the corresponding addition, deletion or modification operation;
[0069] This step is based on S201 determining that the operation type of the received SQL command is specifically any of the three operations of addition, deletion, and modification. This application sends such SQL commands to the built-in addition, deletion, and modification operations. Three kinds of rewriting rules are handled by the SQL gateway to rewrite them. After rewriting, they can be recognized by the ciphertext database, and the plaintext data carried in the SQL command is correctly ciphertext in the ciphertext data Complete the corresponding operation.
[0070] S203: When the operation type of the SQL command is specifically a query operation, determine the position of the target field in the SQL command in the view, and according to the mapping relationship between the view and the original table of the ciphertext data, the target ciphertext data in the original table The text field is decrypted into target plain text data.
[0071] This step is based on S201 determining that the operation type of the received SQL command is specifically a query storage operation. This application sends such SQL commands to a preset view with the same name and the same field as the original table of the ciphertext data. Processing, with the help of mapping management between each field in the view and each ciphertext field in the original table of ciphertext data to realize the query of ciphertext data.
[0072] Furthermore, in order to find the target data more quickly and accurately, ciphertext indexing technology can also be introduced. The ciphertext indexing technology is a ciphertext version of the indexing technology, which is suitable for indexing ciphertext data. The index is usually extracted from the target data. Yes, it usually has unique directivity, that is, an index will only point to the only target data, but due to the short index length and the small amount of data, it is convenient to store and quickly locate. Since the actual scenario of the present disclosure is ciphertext data stored in ciphertext after encrypting plaintext data, the ciphertext index is obtained based on ciphertext data extraction.
[0073] There are many ways to implement ciphertext indexing technology. At present, it can be divided into two categories, namely, expanded index realized by the unique mechanism of the database itself and order-preserving hash index that has nothing to do with the database itself. Among them, the extended index is based on the unique mechanism of some specific types of databases, such as Oracle database, which cannot be used in other databases that do not include this type, so the generality is low, but it is based on its own mechanism in a specific database. Index, the performance is better; the order-preserving hash index is to generate the index value corresponding to the plaintext data of the field through the order-preserving hash function, the index value can reflect the size relationship of the plaintext data, so that the index value can be used to achieve The acceleration of addition, deletion, modification, and query operations is not related to the database type, so it has high versatility. The present disclosure can specifically select which ciphertext indexing method to use according to the actual database type, and at the same time, it does not rule out the emergence of new ciphertext indexing methods that are the same or similar to this type of method with the development of technology.
[0074] Divide see figure 2 In addition to the flow chart of the ciphertext data access method shown, you can also refer to image 3 The more intuitive schematic diagram shown is consistent with the content described in the above content, and will not be repeated here.
[0075] According to the above technical solution, it can be seen that, compared to the prior art that requires pre-writing all rewriting rules for the four operations of addition, deletion, modification, and check, the transparent database encryption method provided by the present disclosure only needs to write the less difficult ones. Add, delete, and modify the rewriting rules of the three operations, and the most difficult query operation among them is implemented through a pre-created view, which has the same name and the same field as the original table of ciphertext data storing ciphertext fields. And each field in the view is mapped from each ciphertext field in the original table of the ciphertext data through the decryption function, which can realize the query operation in a very light weight without writing complex rewriting rules, so that the On the basis of versatility, the development difficulty and development cost are reduced as much as possible.

Example Embodiment

[0076] Example two
[0077] See Figure 4 , Figure 4 This is a flowchart of a method for determining the operation type of an SQL command based on keywords in the transparent database encryption method provided by the embodiments of the present disclosure. On the basis of the first embodiment, this embodiment provides a keyword-based determining SQL command The method of operation type includes the following steps:
[0078] S301: Use keywords of different access types to match the string contained in the SQL command to obtain matching keywords;
[0079] S302: Use the access type to which the matching keyword belongs as the operation type of the SQL command.
[0080] This embodiment aims to use keywords of different access types to actively match the character strings contained in the SQL command. Among them, various types of keywords used for active matching can also form a corresponding keyword set. Each type of keyword The combination will contain the access type string corresponding to each version of the SQL protocol standard and the custom access type feature, so as to exclude the inability to obtain an accurate access type string based on the fixed extraction method due to version differences through active matching. Improve the accuracy of discrimination.
[0081] Further, during matching, the serial mode or the parallel mode can be selectively selected according to the available system resources under actual conditions. The parallel mode can reduce the matching time as much as possible when the system resources are sufficient.
[0082] In order to speed up the time required to determine the operation type, keywords corresponding to the query operation can also be used first to match the string contained in the SQL command, because a SQL command corresponds to only one operation type, and according to the solution provided in this application, In the process of processing, the choice of the rewriting method of the SQL gateway or the view method is only related to whether the operation type is a query operation. Therefore, first use the keyword corresponding to the query operation to match, and you can more quickly determine that it should be sent to the SQL gateway for processing The follow-up processing is still sent to the view for follow-up processing. If it is a query operation, there is no need to use the three operation types of addition, deletion, and modification keywords again under normal circumstances, which reduces the matching time and improves the efficiency.
[0083] In another embodiment of the present application, in order to prevent the SQL command from being normally recognized by the SQL gateway, view, or ciphertext data due to various interference factors that may exist during the transmission process, it can also be returned through a preset path Corresponding error information, the preset path includes emails, instant messaging applications, interface pop-up windows, and various alarm errors, etc. The purpose is to return this problem in time, and even new error messages that cannot be identified can be transferred to the background Managers, and follow up with the solutions given by the received background managers.
[0084] Furthermore, in order to prevent malicious methods such as SQL injection from stealing sensitive information in the database, the detection of malicious methods can be added to the SQL gateway or another functional module that is different from the SQL gateway, and it can also be supplemented by logs. Record every operation performed on the SQL gateway and the database for later retrospective use.
[0085] Because the situation is complicated, it is impossible to enumerate one by one. Those skilled in the art should be aware that there can be many examples based on the basic method and principle provided in this disclosure combined with the actual situation. Without sufficient creative work, they should all be included in this disclosure. Within the scope of protection.

Example Embodiment

[0086] Example three
[0087] See Figure 5 , Figure 5 A structural block diagram of a database transparent encryption device provided by an embodiment of the present disclosure, the device may include:
[0088] The addition, deletion, and modification operation processing unit 100 is used to write rewriting rules for the three operations of addition, deletion, and modification, and place the rewriting rules in the SQL gateway, so that users can add, delete, and modify the ciphertext database through the SQL gateway. Three operations;
[0089] The query operation processing unit 200 is used to create a view with the same name and the same field as the original table of ciphertext data, and map each ciphertext field in the original table of ciphertext data to a corresponding field in the view through a decryption function to pass the view Realize user's query operation on ciphertext database.
[0090] Further, the device for transparent encryption of the database may further include:
[0091] The command receiving unit is used to receive the SQL command sent when the user accesses the ciphertext database;
[0092] The operation type determining unit is used to determine the operation type of the SQL command;
[0093] The non-query operation processing unit is used to rewrite the SQL command by using the rewrite rule when the operation type of the SQL command is add, delete, and modify to obtain the rewritten SQL command, so that the ciphertext database is based on Rewrite the SQL command to call the corresponding encryption or decryption function to complete the corresponding addition, deletion or modification operation;
[0094] The query operation processing unit is used to determine the position of the target field in the SQL command in the view when the operation type of the SQL command is a query operation, and convert the original table of ciphertext data according to the mapping relationship between the view and the original table of ciphertext data The target ciphertext field in is decrypted into target plaintext data.
[0095] Wherein, the operation type determining unit may include:
[0096] Active matching sub-units are used to match the strings contained in SQL commands with keywords of different operation types to obtain matching keywords;
[0097] The operation type determination subunit is used to determine the access type to which the matching keyword belongs as the operation type of the SQL command.
[0098] Wherein, the active matching subunit may include:
[0099] The query keyword priority matching module is used to match the string contained in the SQL command with the keyword corresponding to the query operation;
[0100] The keyword addition, deletion and modification subsequent matching module is used to match the string contained in the SQL command with the corresponding keywords of addition, deletion, and modification when the string contained in the SQL command does not match the keyword corresponding to the query operation.
[0101] Further, the device for transparent encryption of the database may further include:
[0102] The ciphertext index acceleration unit is used to construct a ciphertext index based on the original table of ciphertext data, and use the ciphertext index to accelerate addition, deletion, modification and query operations.
[0103] The database transparent encryption device corresponds to the database transparent encryption method given above. This embodiment exists as a product embodiment corresponding to the method embodiment, and has the same beneficial effects as the method embodiment. For the explanation of each functional unit, please refer to The foregoing method embodiments will not be repeated here.

PUM

no PUM

Description & Claims & Application Information

We can also present the details of the Description, Claims and Application information to help users get a comprehensive understanding of the technical details of the patent, such as background art, summary of invention, brief description of drawings, description of embodiments, and other original content. On the other hand, users can also determine the specific scope of protection of the technology through the list of claims; as well as understand the changes in the life cycle of the technology with the presentation of the patent timeline. Login to view more.
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products