Method and apparatus for data security protection
By establishing an application strategy table in a relational database and using hash checksums and general triggers, the problem of unauthorized data modification in the business system was solved, data security was improved, the risk of tampering was reduced, and the implementation remained low-cost and efficient.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING CSSCA TECH CO LTD
- Filing Date
- 2023-05-04
- Publication Date
- 2026-06-19
Smart Images

Figure CN116522408B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of data security technology, specifically to data security protection methods and devices. Background Technology
[0002] Information security and data security have two opposing meanings: First, the security of the data itself, primarily referring to proactive protection of data using modern cryptographic algorithms, such as data confidentiality, data integrity, and strong two-way authentication. Second, the security of data protection, mainly using modern information storage methods for proactive protection of data, such as disk arrays, data backup, and off-site disaster recovery. Data security is a proactive protection measure; the security of the data itself must be based on reliable encryption algorithms and security systems, primarily symmetric algorithms and public-key cryptography. Data processing security refers to how to effectively prevent database damage or data loss during data entry, processing, statistics, or printing due to hardware failures, power outages, system crashes, human error, program defects, viruses, or hackers. Certain sensitive or confidential data may be accessible to unauthorized personnel or operators, leading to data leaks. Data storage security refers to the readability of the database outside of system operation. Once a database is stolen, even without the original system program, a new program can still be written to view or modify the stolen database. From this perspective, unencrypted databases are insecure and prone to commercial leaks, which leads to the concept of data leak prevention. This involves issues such as the confidentiality, security, and software protection of computer network communications.
[0003] Currently, the security protection of relational database business data is crucial. In relational databases of business systems such as ERP, EAM, and MIS, when the aforementioned data security issues arise, it is easy for human or unauthorized third-party programs to modify business data. To prevent human or unauthorized third-party programs from modifying business data, data security protection methods and devices are needed to address this problem. Summary of the Invention
[0004] The purpose of this invention is to provide a data security protection method and apparatus. This effectively reduces the risk of unauthorized tampering with system business data and improves the data security of business systems.
[0005] This invention is implemented as follows:
[0006] This invention provides a data security protection method, which is specifically implemented according to the following steps:
[0007] S1: First, the application server establishes an application policy table, an application verification table, and an application history table in the target relational database to be protected. The application policy table defines the protection policy for each business table that needs to be protected, the application verification table stores a temporary HASH verification value for each business table that needs to be protected, and the application history table stores the data after HASH verification. The HASH verification value is a HASH hash algorithm, consisting of the row insertion or update value + table name verification code + application verification code.
[0008] S2: Add application name and table name to the calculation of HASH checksum;
[0009] S3: The application server automatically adds a general trigger to each business table that needs protection; the general trigger supports different types of relational databases, and they implement the same verification method and use the same or different trigger syntax.
[0010] S4: When the business table to be protected is inserted or modified, the general JDBC driver plus a dedicated ORM component controls the data transfer object (DTO).
[0011] Before storing the DTO, the DTO data is hashed according to the defined application strategy, and the hash value is written to the application verification table before the DTO object is written to the database. Business data cannot be directly deleted; logical deletion must be implemented through updates. Deletion logic is not considered.
[0012] The application verification table contains policy ID, business ID, and HASH verification value. The HASH verification value is divided into the HASH value read from the application verification table and the HASH value recalculated by the general trigger. When the HASH values are inconsistent, the verification result is a failure and an abnormal transaction rollback needs to be triggered. When the verification results are consistent, the object is stored normally.
[0013] The application history table contains the policy ID, business ID, verification date, and verification result;
[0014] The protection policy includes policy ID, application name, business table name, hash algorithm, and log type.
[0015] Furthermore, when data is stored in a relational database table, a general trigger is triggered. The general trigger retrieves the data to be inserted or updated in the data transfer object (DTO), calculates the hash value based on the application strategy table, and compares it with the hash verification value stored in the application verification table. If they match, the verification is considered successful; otherwise, the verification is considered to have failed.
[0016] If the verification is successful, the data is normally saved to the business database table; if the verification fails, an error is thrown, causing the business operation transaction to be rolled back.
[0017] After verification is completed, the verification log is stored according to the log type of the protection policy.
[0018] Furthermore, the protection strategy selects the national cryptographic algorithm SM3 or the international algorithms SHA1, SHA256, SHA512, and MD5 hash algorithms, and adopts the same data protection strategy for the same protected object under the same data source.
[0019] Different data protection strategies are used for different data sources or different data protection objects.
[0020] Furthermore, the data transfer object is selected from those implemented using open-source data connection components.
[0021] Furthermore, the present invention provides a data security protection device, including a main controller, on which a computer program is stored, and when the program is executed by the main controller, it implements the method as described in any one of the above.
[0022] Compared with the prior art, the beneficial effects of the present invention are:
[0023] 1. Specifically, in relational databases of business systems such as ERP, EAM, and MIS, without altering the original business table structure, the result of the hash algorithm is stored through the strategy definition and hash verification mechanism of the application strategy table. By fully utilizing the one-way nature of the hash function, this invention prevents manual modification of business data or unauthorized modification of business data by third-party programs without affecting database transactions. This effectively reduces the risk of unauthorized tampering of system business data and improves the data security of business systems.
[0024] By fully utilizing the unidirectional nature of relational data, the risk of unauthorized tampering with relational data can be effectively reduced.
[0025] Most existing patents of this kind are integrity checks, which do not prevent data modification. Moreover, their implementation principles are highly intrusive, requiring changes to the business table structure, the addition of validation fields, and the use of database INSERT for identification, UPDATE for validation, and SELECT for integrity display. Compared with this patent, their principles are fundamentally different, and their objectives and implementation methods are also different.
[0026] The data model is clearly established, which facilitates the transformation of technological achievements. This patent has lower implementation costs, faster implementation speed, and better security than existing technologies. Attached Figure Description
[0027] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings used in the embodiments will be briefly introduced below. It should be understood that the following drawings only show some embodiments of the present invention and should not be regarded as a limitation of the scope. For those skilled in the art, other related drawings can be obtained from these drawings without creative effort.
[0028] Figure 1 This is a flowchart of the method of the present invention;
[0029] Figure 2 This is a structural diagram of the application table of the present invention. Detailed Implementation
[0030] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention. Therefore, the following detailed description of the embodiments of the present invention provided in the accompanying drawings is not intended to limit the scope of the claimed invention, but merely to represent selected embodiments of the invention. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0031] Please see Figure 1-2 The data security protection methods and devices shall be implemented in accordance with the following steps:
[0032] S1: First, the application server establishes an application policy table, an application verification table, and an application history table in the target relational database to be protected. The application policy table defines the protection policy for each business table that needs to be protected, the application verification table stores a temporary HASH verification value for each business table that needs to be protected, and the application history table stores the data after HASH verification. The HASH verification value is a HASH hash algorithm, consisting of the row insertion or update value + table name verification code + application verification code.
[0033] S2: Add the application name and table name as checksums to the calculation of the hash checksum;
[0034] S3: The application server automatically adds a general trigger to each business table that needs protection; the general trigger supports different types of relational databases, and they implement the same verification method and use the same or different trigger syntax.
[0035] S4: When the business table to be protected is inserted or modified, the general JDBC driver plus a dedicated ORM component controls the data transfer object (DTO).
[0036] Before storing the DTO, the DTO data is hashed according to the defined application strategy, and the hash value is written to the application verification table before the DTO object is written to the database. Business data cannot be directly deleted; logical deletion must be implemented through updates. Deletion logic is not considered.
[0037] The application verification table contains policy ID, business ID, and HASH verification value. The HASH verification value is divided into the HASH value read from the application verification table and the HASH value recalculated by the general trigger. When the HASH values are inconsistent, the verification result is a failure and an abnormal transaction rollback needs to be triggered. When the verification results are consistent, the object is stored normally.
[0038] The application history table contains the policy ID, business ID, verification date, and verification result;
[0039] The protection policy includes policy ID, application name, business table name, hash algorithm, and log type.
[0040] In this embodiment, when data is stored in a relational database table, a general trigger is triggered. The data to be inserted or updated in the data transfer object DTO is obtained through the general trigger, and the HASH value is calculated according to the application strategy table. It is compared with the HASH verification value stored in the application verification table. If they match, the verification is considered successful; otherwise, the verification is considered to have failed.
[0041] If the verification is successful, the data is normally saved to the business database table; if the verification fails, an error is thrown, causing the business operation transaction to be rolled back.
[0042] After verification is completed, the verification log is stored according to the log type of the protection policy.
[0043] In this embodiment, the protection strategy selects the national cryptographic algorithm SM3 or the international algorithms SHA1, SHA256, SHA512, and MD5 hash algorithms. The same data protection strategy is used for the same protected object under the same data source.
[0044] Different data protection strategies are used for different data sources or different data protection objects.
[0045] In this embodiment, the data transmission object is selected as a regular data transmission object, or a transmission object implemented through an open-source data connection component.
[0046] In this embodiment, the present invention provides a data security protection device, including a main controller, on which a computer program is stored, and when the program is executed by the main controller, it implements the method as described in any one of the above.
[0047] The above description is merely a preferred embodiment of the present invention and is not intended to limit the invention. Various modifications and variations can be made to the invention by those skilled in the art. Any modifications, equivalent substitutions, or improvements made within the spirit and principles of the invention should be included within the scope of protection of the invention.
Claims
1. A data security protection method, characterized in that: Follow these steps: S1: First, the application server establishes an application policy table, an application verification table, and an application history table in the target relational database to be protected. The application policy table defines the protection policy for each business table that needs to be protected, the application verification table stores a temporary HASH verification value for each business table that needs to be protected, and the application history table stores the data after HASH verification. S2: Add application name and table name to the calculation of HASH checksum; S3: The application server automatically adds a general trigger to each business table that needs protection; S4: When the business table to be protected is inserted or modified, the general JDBC driver plus a dedicated ORM component controls the data transfer object (DTO). Furthermore, before storing the DTO, the DTO data is first hashed according to the defined application strategy, and the hash value is written to the application verification table before the DTO object is written to the database. Business data cannot be directly deleted; logical deletion must be implemented through updates. Deletion logic is not considered. When data is stored in a relational database table, a general trigger is triggered. The general trigger retrieves the data to be inserted or updated in the Data Transfer Object (DTO), calculates the hash value based on the application strategy table, and compares it with the hash verification value stored in the application verification table. If they match, the verification is considered successful; otherwise, the verification is considered to have failed. If the verification is successful, the data is normally saved to the business database table; if the verification fails, an error is thrown, causing the business operation transaction to be rolled back. After verification is completed, the verification log is stored according to the log type of the protection policy.
2. The data security protection method according to claim 1, characterized in that: The protection policy includes policy ID, application name, business table name, hash algorithm, and log type; The application verification table contains the policy ID, business ID, and hash verification value; The application history table contains the policy ID, business ID, verification date, and verification result.
3. The data security protection method according to claim 1, characterized in that, The protection strategy selects the national cryptographic algorithm SM3 or the international algorithms SHA1, SHA256, SHA512, and MD5 hash algorithms. The same data protection strategy is used for the same protected object under the same data source. Different data protection strategies are used for different data sources or different data protection objects.
4. The data security protection method according to claim 1, characterized in that, General triggers support different types of relational databases, and their implementation validation methods are the same, while using the same or different trigger syntax.
5. The data security protection method according to claim 1, characterized in that, The data transfer object is selected from those implemented using open-source data connection components.
6. A data security protection device, comprising a main controller, wherein a computer program is stored on the main controller, characterized in that, When the program is executed by the main controller, it implements the method as described in any one of claims 1-5.