Database transparent encryption method and device, electronic device and storage medium

[0054] Example one

[0055] See figure 1 , figure 1 A flowchart of a method for transparent encryption of a database provided by an embodiment of the present disclosure includes the following steps:

[0056] S101: Write rewriting rules for the three operations of addition, deletion and modification, and place the rewriting rules in the SQL gateway, so as to realize the three operations of adding, deleting and modifying the ciphertext database by the user through the SQL gateway;

[0057] Different from the prior art that requires the compilation of four rewriting rules of addition, deletion, modification, and check, this application only needs to compile three rewritings of addition, deletion, and modification, which are less difficult to develop, shorter in time, and cost-effective. Rules and put them into the SQL gateway at the upper level of the ciphertext database to convert the normal SQL commands sent by the user into three types of operations such as addition, deletion, and modification through the rewrite rules built into the SQL gateway. Rewritten SQL commands recognized and processed by the ciphertext database.

[0058] The reason why it is less difficult to develop rewriting rules for the three types of operations of addition, deletion, and modification is that the database is a carrier for storing massive data. In most cases, it provides front-end users with query operations based on massive data. Especially in some departments, units and enterprises that conduct audits based on existing data, compared to the number of queries based on stored data in the database following various query methods, the number of uses of addition, deletion and modification is very small. And compared to diversified query methods, the format of adding, deleting and modifying is very fixed (addition usually only needs to determine the new data and new location, and delete only needs to determine the target data. Modify only need to confirm The old data and new data are sufficient). Therefore, the development of rewriting rules for these three types of operations is less difficult.

[0059] S102: Create a view with the same name and the same field as the original table of ciphertext data, and map each ciphertext field in the original table of ciphertext data to a corresponding field in the view through a decryption function, so as to realize the user to the ciphertext database through the view The query operation performed.

[0060] The addition, deletion, and modification of the four operation types of add, delete, modify, and check are handled by the rewrite rules placed in the SQL gateway. This application uses views to process the remaining development that is difficult and time-consuming Longer and more expensive query operations. Among them, this view is a virtual data table with the same name and the same field created based on the original ciphertext data table storing ciphertext data. The data storage method is the same as the original ciphertext data table, and has the same data as the original ciphertext data table. Each field, except that each field in the original table of ciphertext data is a ciphertext field storing ciphertext data, and each field in the view is obtained by mapping each ciphertext field through a decryption function.

[0061] In actual use, since the view has the same name as the ciphertext data table storing the actual ciphertext data, the SQL query commands entered by the user will be implemented through this view. First, determine the target view field corresponding to the received SQL query command in the view. , And then use the mapping relationship between the target view field and the corresponding ciphertext field in the original table of ciphertext data to call the decryption function to decrypt the corresponding ciphertext data and return it to the user. The user is unaware of the whole process.

[0062] according to figure 1 The process of the transparent encryption method of the database can be obtained as figure 2 The ciphertext data access method shown, figure 2 From the perspective of the actual operation of the ciphertext database, the use method after transparent data encryption is completed according to the above transparent database encryption method is described, including the following steps:

[0063] S201: Receive the SQL command sent when the user accesses the ciphertext database, and determine the operation type of the SQL command;

[0064] First, receive the SQL command sent by the user to access the ciphertext data, and determine the specific operation type of the SQL command. The purpose of determining the specific operation type is to determine which method to use (the re-rule in the SQL gateway or the view with the same name and the same field as the original table of the ciphertext data) to complete the processing of the SQL command.

[0065] SQL commands specifically include four types of operations: add, delete, modify, and query. Adding means adding ciphertext data to the ciphertext database, and deleting means removing some of the ciphertext data stored in the current ciphertext database, and modifying Indicates that it is necessary to modify or replace part of the data stored in the current ciphertext database (for example, modify or replace from the original A to B), and the query is based on the query requirements from the ciphertext data stored in the current ciphertext database Check the target data.

[0066] There are many ways to determine the operation type of SQL commands, such as keywords that characterize different types of operations, command length, command header information, and some tags and marks that can be used to distinguish different types of operations according to special requirements. Further, The distinguishing characteristics of multiple operation types, such as keywords, command length, command header information, labels, and tags, may differ due to different database types. Which method is used to determine the operation type of SQL commands can be based on The actual situation is flexible to choose the most suitable solution, and there is no specific limitation here.

[0067] Here is an example of how to distinguish the operation type of keywords: Since the above four types of operations have obvious intentions and directivity, the corresponding types of SQL commands usually carry keywords for identifying the types. , Such as INSTER to add, DELETE to delete, UPDATE to modify, and SELETE to query, etc. Under different versions of the SQL protocol standard, different keywords may be used to represent the same type, or based on different commands Generate the format so that the key field or the number of bytes is different, etc. The specific keyword is used to determine the access type of each intercepted SQL command, and the SQL protocol standard used under actual conditions and possible special requirements can be used. There is no specific limitation here.

[0068] S202: When the operation type of the SQL command is specifically any of the three operations of adding, deleting, and modifying, rewrite the SQL command using the rewriting rule to obtain the rewritten SQL command, so that the ciphertext database is based on the rewritten SQL Command to call the corresponding encryption or decryption function to complete the corresponding addition, deletion or modification operation;

[0069] This step is based on S201 determining that the operation type of the received SQL command is specifically any of the three operations of addition, deletion, and modification. This application sends such SQL commands to the built-in addition, deletion, and modification operations. Three kinds of rewriting rules are handled by the SQL gateway to rewrite them. After rewriting, they can be recognized by the ciphertext database, and the plaintext data carried in the SQL command is correctly ciphertext in the ciphertext data Complete the corresponding operation.

[0070] S203: When the operation type of the SQL command is specifically a query operation, determine the position of the target field in the SQL command in the view, and according to the mapping relationship between the view and the original table of the ciphertext data, the target ciphertext data in the original table The text field is decrypted into target plain text data.

[0071] This step is based on S201 determining that the operation type of the received SQL command is specifically a query storage operation. This application sends such SQL commands to a preset view with the same name and the same field as the original table of the ciphertext data. Processing, with the help of mapping management between each field in the view and each ciphertext field in the original table of ciphertext data to realize the query of ciphertext data.

[0072] Furthermore, in order to find the target data more quickly and accurately, ciphertext indexing technology can also be introduced. The ciphertext indexing technology is a ciphertext version of the indexing technology, which is suitable for indexing ciphertext data. The index is usually extracted from the target data. Yes, it usually has unique directivity, that is, an index will only point to the only target data, but due to the short index length and the small amount of data, it is convenient to store and quickly locate. Since the actual scenario of the present disclosure is ciphertext data stored in ciphertext after encrypting plaintext data, the ciphertext index is obtained based on ciphertext data extraction.

[0073] There are many ways to implement ciphertext indexing technology. At present, it can be divided into two categories, namely, expanded index realized by the unique mechanism of the database itself and order-preserving hash index that has nothing to do with the database itself. Among them, the extended index is based on the unique mechanism of some specific types of databases, such as Oracle database, which cannot be used in other databases that do not include this type, so the generality is low, but it is based on its own mechanism in a specific database. Index, the performance is better; the order-preserving hash index is to generate the index value corresponding to the plaintext data of the field through the order-preserving hash function, the index value can reflect the size relationship of the plaintext data, so that the index value can be used to achieve The acceleration of addition, deletion, modification, and query operations is not related to the database type, so it has high versatility. The present disclosure can specifically select which ciphertext indexing method to use according to the actual database type, and at the same time, it does not rule out the emergence of new ciphertext indexing methods that are the same or similar to this type of method with the development of technology.

[0074] Divide see figure 2 In addition to the flow chart of the ciphertext data access method shown, you can also refer to image 3 The more intuitive schematic diagram shown is consistent with the content described in the above content, and will not be repeated here.

[0075] According to the above technical solution, it can be seen that, compared to the prior art that requires pre-writing all rewriting rules for the four operations of addition, deletion, modification, and check, the transparent database encryption method provided by the present disclosure only needs to write the less difficult ones. Add, delete, and modify the rewriting rules of the three operations, and the most difficult query operation among them is implemented through a pre-created view, which has the same name and the same field as the original table of ciphertext data storing ciphertext fields. And each field in the view is mapped from each ciphertext field in the original table of the ciphertext data through the decryption function, which can realize the query operation in a very light weight without writing complex rewriting rules, so that the On the basis of versatility, the development difficulty and development cost are reduced as much as possible.

[0076] Example two

[0077] See Figure 4 , Figure 4 This is a flowchart of a method for determining the operation type of an SQL command based on keywords in the transparent database encryption method provided by the embodiments of the present disclosure. On the basis of the first embodiment, this embodiment provides a keyword-based determining SQL command The method of operation type includes the following steps:

[0078] S301: Use keywords of different access types to match the string contained in the SQL command to obtain matching keywords;

[0079] S302: Use the access type to which the matching keyword belongs as the operation type of the SQL command.

[0080] This embodiment aims to use keywords of different access types to actively match the character strings contained in the SQL command. Among them, various types of keywords used for active matching can also form a corresponding keyword set. Each type of keyword The combination will contain the access type string corresponding to each version of the SQL protocol standard and the custom access type feature, so as to exclude the inability to obtain an accurate access type string based on the fixed extraction method due to version differences through active matching. Improve the accuracy of discrimination.

[0081] Further, during matching, the serial mode or the parallel mode can be selectively selected according to the available system resources under actual conditions. The parallel mode can reduce the matching time as much as possible when the system resources are sufficient.

[0082] In order to speed up the time required to determine the operation type, keywords corresponding to the query operation can also be used first to match the string contained in the SQL command, because a SQL command corresponds to only one operation type, and according to the solution provided in this application, In the process of processing, the choice of the rewriting method of the SQL gateway or the view method is only related to whether the operation type is a query operation. Therefore, first use the keyword corresponding to the query operation to match, and you can more quickly determine that it should be sent to the SQL gateway for processing The follow-up processing is still sent to the view for follow-up processing. If it is a query operation, there is no need to use the three operation types of addition, deletion, and modification keywords again under normal circumstances, which reduces the matching time and improves the efficiency.

[0083] In another embodiment of the present application, in order to prevent the SQL command from being normally recognized by the SQL gateway, view, or ciphertext data due to various interference factors that may exist during the transmission process, it can also be returned through a preset path Corresponding error information, the preset path includes emails, instant messaging applications, interface pop-up windows, and various alarm errors, etc. The purpose is to return this problem in time, and even new error messages that cannot be identified can be transferred to the background Managers, and follow up with the solutions given by the received background managers.

[0084] Furthermore, in order to prevent malicious methods such as SQL injection from stealing sensitive information in the database, the detection of malicious methods can be added to the SQL gateway or another functional module that is different from the SQL gateway, and it can also be supplemented by logs. Record every operation performed on the SQL gateway and the database for later retrospective use.

[0085] Because the situation is complicated, it is impossible to enumerate one by one. Those skilled in the art should be aware that there can be many examples based on the basic method and principle provided in this disclosure combined with the actual situation. Without sufficient creative work, they should all be included in this disclosure. Within the scope of protection.

[0086] Example three

[0087] See Figure 5 , Figure 5 A structural block diagram of a database transparent encryption device provided by an embodiment of the present disclosure, the device may include:

[0088] The addition, deletion, and modification operation processing unit 100 is used to write rewriting rules for the three operations of addition, deletion, and modification, and place the rewriting rules in the SQL gateway, so that users can add, delete, and modify the ciphertext database through the SQL gateway. Three operations;

[0089] The query operation processing unit 200 is used to create a view with the same name and the same field as the original table of ciphertext data, and map each ciphertext field in the original table of ciphertext data to a corresponding field in the view through a decryption function to pass the view Realize user's query operation on ciphertext database.

[0090] Further, the device for transparent encryption of the database may further include:

[0091] The command receiving unit is used to receive the SQL command sent when the user accesses the ciphertext database;

[0092] The operation type determining unit is used to determine the operation type of the SQL command;

[0093] The non-query operation processing unit is used to rewrite the SQL command by using the rewrite rule when the operation type of the SQL command is add, delete, and modify to obtain the rewritten SQL command, so that the ciphertext database is based on Rewrite the SQL command to call the corresponding encryption or decryption function to complete the corresponding addition, deletion or modification operation;

[0094] The query operation processing unit is used to determine the position of the target field in the SQL command in the view when the operation type of the SQL command is a query operation, and convert the original table of ciphertext data according to the mapping relationship between the view and the original table of ciphertext data The target ciphertext field in is decrypted into target plaintext data.

[0095] Wherein, the operation type determining unit may include:

[0096] Active matching sub-units are used to match the strings contained in SQL commands with keywords of different operation types to obtain matching keywords;

[0097] The operation type determination subunit is used to determine the access type to which the matching keyword belongs as the operation type of the SQL command.

[0098] Wherein, the active matching subunit may include:

[0099] The query keyword priority matching module is used to match the string contained in the SQL command with the keyword corresponding to the query operation;

[0100] The keyword addition, deletion and modification subsequent matching module is used to match the string contained in the SQL command with the corresponding keywords of addition, deletion, and modification when the string contained in the SQL command does not match the keyword corresponding to the query operation.

[0101] Further, the device for transparent encryption of the database may further include:

[0102] The ciphertext index acceleration unit is used to construct a ciphertext index based on the original table of ciphertext data, and use the ciphertext index to accelerate addition, deletion, modification and query operations.

[0103] The database transparent encryption device corresponds to the database transparent encryption method given above. This embodiment exists as a product embodiment corresponding to the method embodiment, and has the same beneficial effects as the method embodiment. For the explanation of each functional unit, please refer to The foregoing method embodiments will not be repeated here.