A method, system, device and medium for encrypted packaging of database communication content

By using a two-layer proxy mechanism involving client-side and server-side Socket communication proxies to encrypt and encapsulate database communication content, the problem of attackers identifying database types is solved, thereby enhancing the security of database communication.

CN122394852APending Publication Date: 2026-07-14TRAVELSKY TECHNOLOGY LIMITED

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
TRAVELSKY TECHNOLOGY LIMITED
Filing Date
2026-04-13
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

In existing technologies, during database communication, attackers can identify the type of the backend database through scanning and protocol analysis, and then carry out injection or brute-force attacks, resulting in insufficient data security.

Method used

A two-layer proxy mechanism is constructed using client-server Socket communication proxy. Database communication content is encrypted and encapsulated, making the proxy port invisible. The forwarded content is no longer the native protocol, and multiple verification mechanisms such as IP whitelist, temporary IP blacklist and authentication information are introduced.

Benefits of technology

This effectively prevents attackers from identifying the backend database type, enhances data security during database communication, and prevents unauthorized access and attacks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394852A_ABST
    Figure CN122394852A_ABST
Patent Text Reader

Abstract

The application belongs to the technical field of data security, and particularly relates to a database communication content encryption packaging method, system, device and medium, which comprises the following steps: deploying a client Socket communication agent on a server deploying a database access program, receiving a local initial data access request and encrypting and packaging the same to obtain first encryption packaging data; receiving the data by the server Socket communication agent, performing legality verification, and then recording a result, blacklisting an IP, or decrypting and unpackaging the data to obtain parsed data access request; forwarding the parsed request to a database native monitoring port, encrypting and packaging returned response data to obtain second encryption packaging data; and returning an original response to a local access program after decryption and unpackaging by the client agent. The application improves the data security in the database communication process.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application belongs to the field of data security technology, and in particular relates to a method, system, device and medium for encrypting and encapsulating database communication content. Background Technology

[0002] Databases are the core technological carrier and the most important foundational software for storing, maintaining, controlling, and utilizing data; they are the cornerstone of ensuring the stable operation of computer systems. To maximize illicit gains, hackers frequently intrude into computer system databases and steal the stored data. Besides direct economic losses, this also causes significant social impact.

[0003] To address the serious data security situation, enterprises and organizations are employing various security protection technologies and management methods to improve the security of their database systems. Commonly used database security protection technologies include: database encryption (encryption of core data storage), database firewalls (preventing vulnerabilities and attacks), and data anonymization (anonymizing sensitive data).

[0004] Current technologies typically employ only a single forwarding proxy layer, where the proxy port itself remains visible to the outside world, and the forwarded content still uses the database's native protocol. Attackers can identify the backend database type by scanning the proxy port and analyzing the protocol, and then attempt injection or brute-force attacks. Summary of the Invention

[0005] To address the aforementioned issues, this application provides a method, system, device, and medium for encrypting and encapsulating database communication content. It employs a client-side Socket communication proxy and a server-side Socket communication proxy to construct a two-layer proxy mechanism. This encrypts and encapsulates the native database protocol, making the proxy port invisible to the outside world. Furthermore, the forwarded content is no longer based on the native protocol, effectively preventing attackers from identifying the backend database type through scanning and protocol analysis. This significantly improves data security during database communication.

[0006] Firstly, this application provides an encrypted encapsulation method for database communication content, the method comprising: Deploy a client Socket communication proxy on the database server where the database access program is deployed. Receive the initial data access request from the local database access program, encrypt and encapsulate the initial data access request, and obtain the first encrypted and encapsulated data. Create a server-side Socket communication proxy, send the first encrypted encapsulated data to the server-side Socket communication proxy, verify the first encrypted encapsulated data, obtain the verification result, record the violation record based on the verification result, or add it to the blacklist, or decrypt and decapsulate the first encrypted encapsulated data to obtain the parsed data access request; The parsed data access request is sent to the native listening port of the database server to receive the data access response from the native listening port. The data access response is then encrypted and encapsulated to obtain the second encrypted encapsulated data. The second encrypted encapsulated data is sent to the client Socket communication proxy, which decrypts and decapsulates the second encrypted encapsulated data to obtain the original database response data, and then returns the original database response data to the local database access program.

[0007] Furthermore, The initial data access request is encrypted and encapsulated, specifically including: The initial byte stream of the initial data access request is encrypted using a predefined key to obtain an encrypted byte stream; Convert the encrypted byte stream into a BASE64 format character stream; The character stream is encapsulated according to a preset format to generate the first encrypted encapsulated data.

[0008] Furthermore, Verifying the first encrypted encapsulated data and obtaining the verification result specifically includes: Check whether the client IP address that sent the first encrypted encapsulated data is in the preset IP whitelist; Check if the client's IP address is in the temporary IP blacklist; Check whether the format of the first encrypted encapsulated data conforms to the predefined protocol specifications; And / or, check whether the authentication information carried in the first encrypted encapsulated data is valid; The first encrypted encapsulated data verification fails when the client IP address is not in the IP whitelist, or is in the temporary IP blacklist, or the format of the first encrypted encapsulated data does not conform to the predefined protocol specification, or the authentication information is invalid. The first encrypted encapsulated data is successfully verified when the client IP address is in the IP whitelist and not in the temporary IP blacklist, the format of the first encrypted encapsulated data conforms to the predefined protocol specifications, and the authentication information is valid.

[0009] Furthermore, Based on the verification results, violations are recorded, the data is added to a blacklist, or the first encrypted and encapsulated data is decrypted and decapsulated, specifically including: If the verification of the first encrypted encapsulated data fails, the number of violations by the client IP address is recorded. When the cumulative number of violations by the same client IP address reaches a preset threshold, the client IP address will be added to a temporary IP blacklist. If the first encrypted encapsulated data is successfully verified, then decryption and decapsulation operations are performed, and the existing violation records of the client IP address are cleared.

[0010] Furthermore, Performing decryption and decapsulation operations specifically includes: The first encrypted and encapsulated data is decapsulated in the reverse process of the preset format to extract the content area data. The data in the content area is restored from BASE64 format to an encrypted string; The string is decrypted using the key and decryption method corresponding to the encryption, and the parsed data access request is obtained.

[0011] Furthermore, the client-side Socket communication proxy creates an independent Socket connection for each database connection initiated by the local database access program, for communicating with the server-side Socket communication proxy.

[0012] Furthermore, Sending the parsed data access request to the native listening port of the database server, and receiving the data access response from the native listening port, specifically includes: For the client IP address that sent the parsed data access request, create or reuse a Socket connection; The byte stream of the parsed data access request is pushed to the database's native listening port via the Socket connection; The response byte stream is received from the database's native listening port via the same Socket connection, serving as the data access response.

[0013] Secondly, based on the same inventive concept, this application provides an encrypted encapsulation system for database communication content, the system comprising: The client deployment module is used to deploy a client Socket communication proxy on the database server where the database access program is deployed. It receives the initial data access request from the local database access program, encrypts and encapsulates the initial data access request, and obtains the first encrypted and encapsulated data. The server-side deployment module is used to create a server-side Socket communication proxy, send the first encrypted encapsulated data to the server-side Socket communication proxy, verify the first encrypted encapsulated data, obtain the verification result, record the violation record based on the verification result, or add it to the blacklist, or decrypt and decapsulate the first encrypted encapsulated data to obtain the parsed data access request; The port listening module is used to send the parsed data access request to the native listening port of the database server, receive the data access response from the native listening port, encrypt and encapsulate the data access response, and obtain the second encrypted encapsulated data. The data return module is used to send the second encrypted encapsulated data to the client Socket communication proxy, decrypt and decapsulate the second encrypted encapsulated data to obtain the original database response data, and return the original database response data to the local database access program.

[0014] Thirdly, this application also provides an electronic device, including a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other through the communication bus; Memory, used to store computer programs; When a processor executes a program stored in memory, it implements the steps of any of the database communication content encryption and encapsulation methods described above.

[0015] Fourthly, this application also provides a computer storage medium storing a computer program, which, when executed by a processor, implements the steps of any of the database communication content encryption and encapsulation methods described above.

[0016] Compared with the prior art, this application has the following advantages: This application implements double-layer encryption and encapsulation of database communication content by deploying a client-server Socket communication proxy. This effectively hides the real native database listening port, preventing attackers from directly scanning the database port or identifying the backend database type through protocol analysis, thereby enhancing database security. Furthermore, this application introduces multiple verification mechanisms, including IP whitelists, temporary IP blacklists, and authentication information, further improving database access security and effectively preventing unauthorized access and attacks.

[0017] Other features and advantages of this application will be set forth in the description which follows, and will be apparent in part from the description, or may be learned by practicing the application. The objectives and other advantages of this application may be realized and obtained by means of the structures pointed out in the description, claims and drawings. Attached Figure Description

[0018] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0019] Figure 1 A flowchart illustrating an encrypted encapsulation method for database communication content according to an embodiment of this application is shown. Figure 2 The diagram illustrates the various stages of the socket communication process in a method for encrypting and encapsulating database communication content according to an embodiment of this application. Detailed Implementation

[0020] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0021] Figure 1 A flowchart illustrating an encryption and encapsulation method for database communication content according to an embodiment of this application is shown, as follows: Figure 1 As shown in the figure, an embodiment of this application provides a method for encrypting and encapsulating database communication content, including: S1, Deploy a client Socket communication proxy on the database server where the database access program is deployed, receive the initial data access request from the local database access program, encrypt and encapsulate the initial data access request, and obtain the first encrypted and encapsulated data; In this embodiment, a client-side Socket communication proxy is deployed on the same server as the database access program. This program starts a ServerSocket instance, which resides in memory and listens for socket connection requests on a specified local port. The database client program does not directly access the database's listening port; instead, it accesses the listening port of this program. The database client program assumes that the local server and this port are the remote database server and its service listening port, and the access method is exactly the same as accessing a remote database. After receiving the database socket access request from the local client database access program through the ServerSocket instance, this listening program calls the database access request encryption and encapsulation program to encrypt and encapsulate the request before proceeding to the next step. Therefore, the communication protocol of the program's listening port is consistent with the native database service listening port. To ensure security, network policies or firewalls should be used to allow only the local machine to access this port, blocking access requests from other machines and avoiding unnecessary network scanning and penetration activities.

[0022] In this embodiment of the application, step S1 specifically includes: S11, use a predefined key to encrypt the initial byte stream of the initial data access request to obtain an encrypted byte stream; S12, convert the encrypted byte stream into a character stream in BASE64 format; S13, The character stream is encapsulated according to a preset format to generate the first encrypted encapsulated data.

[0023] In this embodiment, the client's database access request is encrypted and encapsulated according to a specific protocol. The received byte stream is encrypted and encapsulated according to a specific protocol. At this stage, the byte stream can be encrypted with an agreed-upon or dynamically acquired key, then converted into a character stream in BASE64 format, and finally encapsulated into a string in a specific XML or JSON format. Besides an IP whitelist, user password authentication can be added to each access request to verify the client's legitimacy. For example, the password information can be combined with a timestamp to form a string, and the SHA-512 digest of this string can be appended to the access request string. The encapsulated information includes at least: request header information (username, digest, timestamp) and request content information (encrypted and BASE64-processed request information).

[0024] In this embodiment of the application, the encryption and decryption process supports symmetric encryption algorithms or asymmetric encryption algorithms; the predefined key is either a statically configured symmetric key or a public / private key pair for asymmetric encryption.

[0025] In this embodiment, the encryption and encapsulation process of the initial data access request further includes generating authentication information, which is used for legality verification on the server side. Specifically, this includes: generating an original string according to preset rules (e.g., user password combined with current timestamp), calculating a message digest from the string using a specified digest algorithm (e.g., SHA-512), and adding the user identifier, timestamp, and message digest as authentication information to the protocol header encapsulated according to the preset format.

[0026] In this embodiment of the application, the authentication information encapsulated in the first encrypted encapsulation data enables the server-side Socket communication proxy to recalculate and compare the message digest based on the stored valid credentials and the received timestamp, thereby achieving effective authentication of the request source and content.

[0027] In this embodiment, by pre-encrypting the original plaintext byte stream of the database access request, it is ensured that even if the request content is sniffed or captured by the network during cross-network transmission, the plaintext information cannot be directly read. This fundamentally eliminates the risk of data leakage and content tampering during transmission. The encryption process supports symmetric and asymmetric encryption algorithms and is compatible with various key management modes such as statically configured symmetric keys and asymmetric public-private key pairs. It can be flexibly selected according to the security level requirements of the business, balancing encryption strength and transmission efficiency. It solves the problems of byte truncation, encoding anomalies, and protocol parsing compatibility that may occur when binary encrypted byte streams are transmitted across networks and devices. The encrypted data is converted into a general text format, ensuring stable transmission of the encrypted and encapsulated data in various network environments. The protocol encapsulation is completed through custom formats such as XML / JSON, completely breaking away from the native database protocol framework and forming a dedicated communication standard. Even if attackers obtain the transmitted data, they cannot complete data parsing or construct spoofed requests because they do not understand the encapsulation format. This eliminates the possibility of SQL attacks targeting the native database protocol at the protocol level. Conventional attack methods such as injection and password brute-force attacks are mitigated by reserving standardized protocol header extension bits, which can flexibly carry authentication information, request metadata, and other content. This achieves an integrated design of encrypted transmission and identity authentication, providing a standardized data carrier for multi-dimensional legitimacy verification on the server side.

[0028] S2, create a server-side Socket communication proxy, send the first encrypted encapsulated data to the server-side Socket communication proxy, verify the first encrypted encapsulated data, obtain the verification result, record the violation record based on the verification result, or add it to the blacklist, or decrypt and decapsulate the first encrypted encapsulated data to obtain the parsed data access request; In this embodiment, a server-side Socket communication proxy is created. For the database access program, this proxy replaces the server-side database listener, accepts remote, encrypted client access, forwards access requests to the database listening port, receives the database's response information, encapsulates it, and sends it to the client Socket proxy.

[0029] In this embodiment of the application, after the first encrypted encapsulated data is sent to the server-side Socket communication proxy, a network policy or network firewall policy is set to ensure that the database service listening port can only be accessed by the local machine and cannot be accessed by other networks or machines, so as to ensure that the original database service listening port is not exposed on the network and to avoid being detected by hacker port scanning software.

[0030] In this embodiment of the application, step S2 specifically includes: S21, Check whether the client IP address that sent the first encrypted encapsulated data is in the preset IP whitelist; S22, Check whether the client IP address is in the temporary IP blacklist; S23, Check whether the format of the first encrypted encapsulated data conforms to the predefined protocol specification; S24, and / or, check whether the authentication information carried in the first encrypted encapsulation data is valid; S25, when the client IP address is not in the IP whitelist, or is in the temporary IP blacklist, or the format of the first encrypted encapsulated data does not conform to the predefined protocol specification, or the authentication information is invalid, the verification of the first encrypted encapsulated data fails; S26, when the client IP address is in the IP whitelist and not in the temporary IP blacklist, and the format of the first encrypted encapsulated data conforms to the predefined protocol specification, and the authentication information is valid, then the first encrypted encapsulated data verification is successful.

[0031] In this embodiment, verification is completed at the initial stage of TCP connection establishment, before the data packet content is read and parsed. Non-whitelisted IPs are directly closed, eliminating the need for subsequent parsing and decryption computation. This quickly blocks random port scanning and indiscriminate attacks within the wide area network, allowing only trusted service server IPs to initiate connections. This completely blocks penetration attempts by untrusted hosts at the network access level, preventing attackers from accessing subsequent protocol parsing and authentication verification stages, significantly reducing the system's attack surface. For IPs that have already triggered violations, connections are directly closed at the initial stage of connection establishment, eliminating the need for subsequent verification processes. This achieves zero-latency interception of brute-force attacks, malicious data packet construction, and continuous scanning, preventing repeated violations from continuously consuming server resources. Format verification is completed before decryption, directly intercepting malformed and maliciously constructed data. This system prevents malicious data packets from triggering vulnerabilities such as memory overflow and code execution during decryption and parsing, ensuring the operational security of the server proxy itself. It uses client-encapsulated user identifiers, timestamps, and message digests, combined with legitimate credentials stored on the server, to perform verification. Even if attackers bypass IP whitelist control, they cannot forge legitimate authentication information, achieving dual protection at the identity level. Timestamp validity verification intercepts requests exceeding a reasonable time window, preventing legitimate request data packets from being sniffed and stolen for replay attacks, ensuring the uniqueness and timeliness of each request. Message digest comparison based on algorithms such as SHA-512 verifies whether the request content has been tampered with during transmission, ensuring that the request received by the server is completely consistent with the original request initiated by the client, eliminating the risk of content tampering due to man-in-the-middle attacks.

[0032] In this embodiment of the application, step S2 further includes: S27, If the verification of the first encrypted encapsulated data fails, the number of violations by the client IP address is recorded; S28. When the cumulative number of violations by the same client IP address reaches a preset threshold, the client IP address is added to a temporary IP blacklist. S29, if the first encrypted encapsulated data is successfully verified, then decryption and decapsulation operations are performed, and the existing violation records of the client IP address are cleared.

[0033] In this embodiment, a server-side Socket communication proxy handler is deployed on the same server as the database. This handler starts a ServerSocket instance, which resides in memory and listens for socket connection requests on a specified port. This port is used to listen for encrypted database access requests sent by client socket programs. When a client sends a request to the listening port, the listener automatically creates a socket to connect to the client. An IP whitelist mechanism can be added to this listener; data requests from machines outside the whitelist are immediately closed. After passing through the whitelist, the system checks a temporarily locked IP blacklist. If the connected client machine's IP is within the blacklist, the socket connection is also immediately closed. If it is not in the blacklist, the process proceeds to the next step.

[0034] In this embodiment, the format of the database access request string transmitted from the reader object of the socket connecting to the client is checked for compliance, as well as the compliance of the username and password agreed upon in the request string. If non-compliant, the socket connection is closed and the client IP is recorded as having committed a violation. Once the number of violations reaches a certain threshold, the client IP is added to the blacklist of temporarily locked machine IPs. If compliant, the existing violation record for the client is cleared.

[0035] In this embodiment of the application, the preset number of times threshold is 5.

[0036] In this embodiment, the format of the database access request string sent from the reader object of the client's socket is checked for compliance. The timestamp in the request header is also checked for reasonableness. The timestamp should be within a reasonable time range from the current server system time; otherwise, it may be a spoofed request and is directly judged as illegitimate. After combining the username and password stored in the program's database with the timestamp, the Digest calculated using the same Digest algorithm as the client is compared to the Digest string in the request header. If they match, the request is valid; otherwise, it is invalid. For invalid cases, the connection is closed, and the client IP is recorded as having committed a violation in the program's database. Once a certain number of violations are accumulated, the client IP is added to the IP blacklist. If the request is valid, the existing violation record for that client is cleared.

[0037] In this embodiment, by verifying compliance and accumulating behavior, even IPs on the whitelist that initiate malicious requests will be automatically blocked due to accumulated violations, which greatly improves the robustness of the protection system. All processing actions are completed at the server-side Socket proxy layer. Illegal requests are completely intercepted before they are decrypted and forwarded to the database's native port. The core database service is not exposed or comes into contact with any malicious traffic throughout the process, thus achieving the core objective of hiding the database and avoiding database attacks from the source.

[0038] In this embodiment of the application, step S29 specifically includes: S291, the first encrypted encapsulated data is decapsulated according to the reverse process of the preset format to extract the content area data therein; S292, restore the content area data from BASE64 format to the encrypted string; S293, use the key and decryption method corresponding to the encryption to decrypt the string and restore the parsed data access request.

[0039] In this embodiment, by encrypting and encapsulating the initial data access request into first encrypted encapsulated data during the encryption phase, not only is the confidentiality of the data during transmission ensured, but the verification of the request source and content is also enhanced by adding authentication information. During the verification phase, the first encrypted encapsulated data is checked from multiple dimensions, including the client IP address, data format, and authentication information, which can quickly and effectively intercept various illegal requests, avoiding waste of server resources and potential security risks. In the decryption phase, the decapsulation and restoration operations are performed in reverse order according to a preset format, accurately restoring the parsed data access request and providing a reliable foundation for subsequent database operations.

[0040] In this embodiment of the application, the encapsulated database access request string content is decoded in the reverse manner of the agreed encapsulation method, and decrypted according to the agreed key or dynamic key and decryption method to restore the original database access request byte stream information.

[0041] In this embodiment of the application, the client Socket communication proxy creates an independent Socket connection for each database connection initiated by the local database access program, for communicating with the server Socket communication proxy.

[0042] S3, send the parsed data access request to the native listening port of the database server to receive the data access response from the native listening port, encrypt and encapsulate the data access response to obtain the second encrypted encapsulated data; In this embodiment of the application, step S3 specifically includes: S31, create or reuse a Socket connection for the client IP address that sent the parsed data access request; S32, the byte stream of the parsed data access request is pushed to the database native listening port through the Socket connection; S33, through the same Socket connection, receive the returned response byte stream from the database native listening port as the data access response.

[0043] In this embodiment, by creating independent Socket connections, the independence and security of each database connection can be guaranteed, avoiding interference between different connections. When a data access request is sent to the database server's native listening port, the database processes the request and returns a corresponding data access response. Upon receiving the data access response, it needs to be encrypted and encapsulated to ensure data security during transmission.

[0044] In this embodiment of the application, for each client IP, a socket is started or the socket created during the last access of the client IP is used to connect to the original database listening port on the server, and the original database access request byte stream information is pushed to the socket's writer object.

[0045] S4, the second encrypted encapsulated data is sent to the client Socket communication proxy, the second encrypted encapsulated data is decrypted and decapsulated to obtain the original database response data, and the original database response data is returned to the local database access program.

[0046] In this embodiment, the client Socket communication proxy first checks the integrity and validity of the received second encrypted encapsulated data. This includes verifying whether the data format conforms to predefined protocol specifications and whether the authentication information carried in the data is valid. Once the verification is successful, the client Socket communication proxy decrypts the second encrypted encapsulated data according to a preset decryption algorithm and key, restoring the original data access response byte stream. Subsequently, these byte streams are further processed to extract the original database response data contained within. Finally, the client Socket communication proxy encapsulates these original database response data into a format suitable for processing by the local database access program and returns it to the local database access program through the corresponding communication interface, thereby completing the entire process of encrypted encapsulation and transmission of database communication content. This design not only ensures the security of database communication content but also improves the efficiency and reliability of data transmission.

[0047] Based on the above method, this application embodiment also provides an encryption and encapsulation system for database communication content corresponding to the above method, the system comprising: The client deployment module is used to deploy a client Socket communication proxy on the database server where the database access program is deployed. It receives the initial data access request from the local database access program, encrypts and encapsulates the initial data access request, and obtains the first encrypted and encapsulated data. The server-side deployment module is used to create a server-side Socket communication proxy, send the first encrypted encapsulated data to the server-side Socket communication proxy, verify the first encrypted encapsulated data, obtain the verification result, record the violation record based on the verification result, or add it to the blacklist, or decrypt and decapsulate the first encrypted encapsulated data to obtain the parsed data access request; The port listening module is used to send the parsed data access request to the native listening port of the database server, receive the data access response from the native listening port, encrypt and encapsulate the data access response, and obtain the second encrypted encapsulated data. The data return module is used to send the second encrypted encapsulated data to the client Socket communication proxy, decrypt and decapsulate the second encrypted encapsulated data to obtain the original database response data, and return the original database response data to the local database access program.

[0048] Figure 2 This diagram illustrates the socket communication process at each stage of a method for encrypting and encapsulating database communication content according to an embodiment of this application. (See attached diagram.) Figure 2 As shown in the diagram, this diagram includes two main modules: client and server. Each module contains core components and interactive sockets. The client module includes client applications (such as the database query program of a business system) that initiate database access requests, namely Database Access Program 1 and Database Access Program 2. The client socket communication proxy acts as an intermediary layer between the client and the server, responsible for encrypting and encapsulating requests, decrypting and encapsulating responses, and forwarding data. Socket1B / Socket2B: The connection between the client socket communication proxy and the local "Database Access Program 1" is used to receive the original request and return the decrypted response. Socket1C / Socket2C: The remote connection between the client socket communication proxy and the server socket communication proxy is used to send encrypted and encapsulated requests and receive encrypted and encapsulated responses. The server-side module includes: a database listener, a native database listening component (such as PostgreSQL's port 5432), which only receives requests from the local server proxy; a server-side Socket communication proxy, which acts as an intermediary between the server and the client, responsible for decrypting and encapsulating requests, encrypting and encapsulating responses, and forwarding data; Socket1D / Socket2D, a remote connection between the server-side Socket communication proxy and the client-side Socket communication proxy, used to receive encrypted and encapsulated requests and send encrypted and encapsulated responses; Socket1E / Socket2E, a connection between the server-side Socket communication proxy and the local database listener, used to send the restored original requests and receive native database responses; and Socket1F / Socket2F, the native listening Socket of the database listener, which only interacts with the server-side Socket communication proxy's Socket1E / Socket2E.

[0049] Based on the same inventive concept disclosed above, this application also provides an electronic device. The electronic device of this application includes at least one processor and at least one memory electrically connected to the processor. The memory is electrically connected to the processor, wherein the memory stores instructions executable by the at least one processor, which, when executed by the at least one processor, enables the at least one processor to perform the method described above.

[0050] It should be noted that the electrical connections between the above-mentioned units do not necessarily represent the connections between lines. Indirect connections are applicable to the embodiments of this application as long as they achieve the purpose of this application.

[0051] Based on the same inventive concept, this application also provides a computer storage medium storing a computer program, which, when executed by a processor, implements the steps of the above method.

[0052] Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application.

Claims

1. A method for encrypting and encapsulating database communication content, characterized in that, The method includes, Deploy a client Socket communication proxy on the database server where the database access program is deployed. Receive the initial data access request from the local database access program, encrypt and encapsulate the initial data access request, and obtain the first encrypted and encapsulated data. Create a server-side Socket communication proxy, send the first encrypted encapsulated data to the server-side Socket communication proxy, verify the first encrypted encapsulated data, obtain the verification result, record the violation record based on the verification result, or add it to the blacklist, or decrypt and decapsulate the first encrypted encapsulated data to obtain the parsed data access request; The parsed data access request is sent to the native listening port of the database server to receive the data access response from the native listening port. The data access response is then encrypted and encapsulated to obtain the second encrypted encapsulated data. The second encrypted encapsulated data is sent to the client Socket communication proxy, which decrypts and decapsulates the second encrypted encapsulated data to obtain the original database response data, and then returns the original database response data to the local database access program.

2. The method according to claim 1, characterized in that, The initial data access request is encrypted and encapsulated, specifically including: The initial byte stream of the initial data access request is encrypted using a predefined key to obtain an encrypted byte stream; Convert the encrypted byte stream into a BASE64 format character stream; The character stream is encapsulated according to a preset format to generate the first encrypted encapsulated data.

3. The method according to claim 2, characterized in that, Verifying the first encrypted encapsulated data and obtaining the verification result specifically includes: Check whether the client IP address that sent the first encrypted encapsulated data is in the preset IP whitelist; Check if the client's IP address is in the temporary IP blacklist; Check whether the format of the first encrypted encapsulated data conforms to the predefined protocol specifications; And / or, check whether the authentication information carried in the first encrypted encapsulated data is valid; The first encrypted encapsulated data verification fails when the client IP address is not in the IP whitelist, or is in the temporary IP blacklist, or the format of the first encrypted encapsulated data does not conform to the predefined protocol specification, or the authentication information is invalid. The first encrypted encapsulated data is successfully verified when the client IP address is in the IP whitelist and not in the temporary IP blacklist, the format of the first encrypted encapsulated data conforms to the predefined protocol specifications, and the authentication information is valid.

4. The method according to claim 3, characterized in that, Based on the verification results, violations are recorded, the data is added to a blacklist, or the first encrypted and encapsulated data is decrypted and decapsulated, specifically including: If the verification of the first encrypted encapsulated data fails, the number of violations by the client IP address is recorded. When the cumulative number of violations by the same client IP address reaches a preset threshold, the client IP address will be added to a temporary IP blacklist. If the first encrypted encapsulated data is successfully verified, then decryption and decapsulation operations are performed, and the existing violation records of the client IP address are cleared.

5. The method according to claim 4, characterized in that, Performing decryption and decapsulation operations specifically includes: The first encrypted and encapsulated data is decapsulated in the reverse process of the preset format to extract the content area data. The data in the content area is restored from BASE64 format to an encrypted string; The string is decrypted using the key and decryption method corresponding to the encryption, and the parsed data access request is obtained.

6. The method according to claim 1, characterized in that, The client-side Socket communication proxy creates an independent Socket connection for each database connection initiated by the local database access program, for communicating with the server-side Socket communication proxy.

7. The method according to claim 1, characterized in that, Sending the parsed data access request to the native listening port of the database server, and receiving the data access response from the native listening port, specifically includes: For the client IP address that sent the parsed data access request, create or reuse a Socket connection; The byte stream of the parsed data access request is pushed to the database's native listening port via the Socket connection; The response byte stream is received from the database's native listening port via the same Socket connection, serving as the data access response.

8. A database communication content encryption and encapsulation system, characterized in that, The system includes: The client deployment module is used to deploy a client Socket communication proxy on the database server where the database access program is deployed. It receives the initial data access request from the local database access program, encrypts and encapsulates the initial data access request, and obtains the first encrypted and encapsulated data. The server-side deployment module is used to create a server-side Socket communication proxy, send the first encrypted encapsulated data to the server-side Socket communication proxy, verify the first encrypted encapsulated data, obtain the verification result, record the violation record based on the verification result, or add it to the blacklist, or decrypt and decapsulate the first encrypted encapsulated data to obtain the parsed data access request; The port listening module is used to send the parsed data access request to the native listening port of the database server, receive the data access response from the native listening port, encrypt and encapsulate the data access response, and obtain the second encrypted encapsulated data. The data return module is used to send the second encrypted encapsulated data to the client Socket communication proxy, decrypt and decapsulate the second encrypted encapsulated data to obtain the original database response data, and return the original database response data to the local database access program.

9. An electronic device, characterized in that, It includes a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other through the communication bus; Memory, used to store computer programs; When a processor executes a program stored in memory, it implements the steps of the encrypted encapsulation method for database communication content as described in any one of claims 1-7.

10. A computer storage medium, characterized in that, The computer storage medium stores a computer program, which, when executed by a processor, implements the steps of the encryption and encapsulation method for the database communication content of any one of claims 1-7.