CN110889130A - Database-based fine-grained data encryption method, system and device - Google Patents


Info

Publication number: CN110889130A
Authority: CN (China)
Prior art keywords: encryption, database, data, strategy, data encryption
Legal status: Granted (active)
Application number: CN201911253407.4A
Other languages: Chinese (zh)
Other versions: CN110889130B (en)
Inventors: 桂阳, 岳小杰, 白小勇, 王滨
Current assignee: Beijing Lianshi Networks Technology Co ltd
Original assignee: Beijing Lianshi Networks Technology Co ltd
Events: application filed by Beijing Lianshi Networks Technology Co ltd; publication of CN110889130A; application granted; publication of CN110889130B; legal status active; anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a database-based fine-grained data encryption method and device. The method comprises the following steps: a data encryption component is installed as a plug-in in each application that needs to access the database; it continuously monitors the application process, intercepts the application's operations on the database, restores entity information from the context of the application process, encrypts and decrypts data at row or column granularity in a database table, and decrypts or desensitizes sensitive data according to the entity's authority. A data encryption management component is connected to the data encryption component over a network and manages entity access authority, encryption and decryption policies and encryption and decryption keys for sensitive data in the database. Sensitive data is encrypted and decrypted at row or column granularity in the data access layer of the application system, and sensitive data that would originally have been submitted to the database driver layer in plaintext is replaced by ciphertext, so that both the transmission security and the storage security of the data are ensured.

Description

Database-based fine-grained data encryption method, system and device
Technical Field
The invention relates to the technical field of computer security, in particular to a database-based fine-grained data encryption method, system and device.
Background
A large amount of high-value data circulates in enterprise information systems. This data is generally stored in databases, is a core asset of the enterprise, and is a target for attackers. Once leaked, it causes immeasurable loss to the enterprise. To safeguard the enterprise's interests, attention must be paid to protecting enterprise data security, and the database is the focal point of that protection. Encrypting the key and sensitive data in the enterprise database is the most economical and effective means of security protection.
Enterprise informatization is a continuous process in which database products of different brands or versions may be used. The protocols used by databases of different brands or versions are not uniform, and some are not even public, which increases the difficulty of implementing database encryption. Enterprises need a universal database encryption product to apply uniform security protection to their important data.
However, the database encryption methods currently used in the industry depend on the brand or version of the database, so products or schemes must be provided separately for each; implementation cost is high, the effect is limited, and deployment is especially difficult when an enterprise has a large number of application systems. A general database encryption solution is therefore needed that is fully decoupled from the brand or version of the database, reduces the enterprise's implementation cost, and effectively protects enterprise data security.
According to the state the data is in, data threat protection requirements can be divided into three levels: security during storage (storage security), security during transmission (transmission security), and security during use (usage security). Although various data protection technologies and means exist for each of these three requirements, most technologies can only meet the protection requirement from one aspect, and when data switches between states, data security protection often fails at that point.
Patent CN 101639882A/101639882B, "data security and confidentiality system based on storage encryption", describes a method whose core characteristic is that the database management system is modified and data is encrypted by a database encryption server so that it is stored in the database in ciphertext form. Although that invention can ensure storage security, once the data leaves the system's data encryption server, that is, once it is converted from ciphertext to plaintext for transmission, only storage security is protected, and the protection is ineffective against a man-in-the-middle eavesdropping on the network. The present invention, a database-based fine-grained data encryption method, system and device, differs in that sensitive data is encrypted and decrypted only at the application layer, that is, decrypted only in the use state, and circulates in ciphertext form both while being transmitted from the application layer to the database and while stored in the database, so that both transmission security and storage security are ensured.
CN 101540704A, "untrusted DBMS malicious as new detection system and method", describes a system whose core feature is a malicious intrusion detection system introduced between the DBMS and the application; the client and server of the intrusion detection system transmit data over a secure connection, and it ensures that data is stored encrypted and that only legitimate database operations are finally executed, by analyzing SQL statements, encrypting data, and detecting malicious behaviour in database operations by establishing images of a trusted DBMS and an untrusted DBMS. That invention ensures transmission security and storage security, but its data-use authorization granularity is too coarse: the intrusion detection system only verifies the identity of the client and does not check the entity information of the party operating the database, so when the target application system has a bug or the client is compromised by an attacker, sensitive data in plaintext form can still be obtained. The present invention, a database-based fine-grained data encryption method, system and device, differs in that a fine-grained access control policy is established based on the access entity within the target application; entity information is restored by monitoring the context of the target application's process, or the entity's identity is identified by an authentication system connected to the target application, and data is decrypted only for users with authority, so that sensitive data is not leaked even if the system is compromised, and data theft through misoperation or malicious behaviour by internal personnel is prevented.
CN1017888992A, "a method and system for converting query sentences of database", describes a method whose core feature is establishing a correspondence between Chinese and English, translating a user's Chinese-based database operation statements into English-based ones, checking them, and submitting them to the database for execution. The database-based fine-grained data encryption method, system and device of the present invention can be integrated with an existing system without establishing a Chinese-English mapping of database operation statements and without changing or transforming the deployment mode or operating mode of the existing application or database.
Disclosure of Invention
The invention provides a database-based fine-grained data encryption method, a database-based fine-grained data encryption system and a database-based fine-grained data encryption device.
In order to achieve the above object, the present invention provides a database-based fine-grained data encryption method, including: recording meta-information of sensitive data in the database, encrypting and decrypting the sensitive data at the application layer of the application system, limiting access authority to the sensitive data and executing a preset encryption and decryption policy, wherein, when a write operation is executed on the database, the operation request is analyzed at the data access layer of the application system and the sensitive data is encrypted, replaced by its ciphertext and written into the database, and when a read operation is executed on the database, the data obtained from the database is analyzed and the sensitive data it contains is decrypted at the data access layer of the application system according to the access control policy.
Furthermore, the application system at the application layer comprises a data encryption component and a data encryption management component, wherein the data encryption component is installed in plug-in form in each application that needs to access the database,
and the data encryption management component is connected to the data encryption component over a network and manages entity access authority to the sensitive data in the database, the preset encryption and decryption policy and the encryption and decryption keys.
Furthermore, the data encryption component encapsulates the database's standard connection driver at the database access layer, so that it can intercept the application layer's operation requests to the database, analyze their semantics, and encrypt or decrypt data according to the analysis result.
Furthermore, the data encryption component comprises a cryptographic software module, and the cryptographic software module is used for providing encryption and decryption capabilities for the data encryption component.
Further, the meta-information includes database, table, column and row information of the database in which the sensitive data is located.
The meta-information includes content characteristics of the sensitive data including one or more of name, phone number, email, identification card, passport, military officer card, home address, biometric, location coordinates, and personal or business asset information.
Furthermore, the encryption and decryption policy and the access control policy are either defined by the user in the data encryption management component or preset in a specific data encryption management component;
the data encryption and decryption policy includes the meta-information of the data to be encrypted and the encryption method used;
the data access control policy includes the entity information of the access subject, the sensitive data meta-information, and the processing policy for the data, which is one of decryption, non-decryption and desensitization;
and the data encryption management component sends these policies to the corresponding data encryption component in the designated application system through an encryption and decryption policy and access control policy issuing unit.
Furthermore, the encryption and decryption keys are obtained from the key management unit of the data encryption management component, from a hardware security module, from the enterprise's key management system, or from that key management system via the database encryption management device; in the preset data encryption policy, the encryption algorithm may use a deterministic encryption method so that exact-match retrieval over the ciphertext is possible.
Further, the entity information is obtained by the data encryption component monitoring the target application process and restoring context information from it, or by an entity authentication system used by the target application.
The invention also provides a database-based fine-grained data encryption device, which comprises: an encryption component, a control panel, a policy repository and a key manager;
the encryption component is arranged on a database access layer of the application system and used for executing encryption processing and access control on data written into the database by the application system according to the acquired data encryption and decryption strategy and access control strategy;
the control panel is used for setting a data encryption policy and an access control policy; a user configures the data encryption policy and the access control policy on the panel, following the step-by-step prompts, as required;
the policy repository is used for storing the configured data encryption policy and the configured access control policy and sending the data encryption policy and the access control policy to a database encryption component installed in an application system;
the key manager is used for managing keys used for providing encrypted data for the database encryption component installed in the application system, and the keys can be from the key management system or from a hardware security module of the manager.
The invention also provides a database-based fine-grained data encryption device, which comprises: an encryption component, a control panel, a policy repository, a key manager and a database management tool;
the encryption component is arranged on a database access layer of the application system and is used for executing encryption processing and access control on data written into the database by the application system according to the acquired data encryption and decryption strategy and access control strategy;
the control panel is used for setting a data encryption policy and an access control policy; a user configures the data encryption policy and the access control policy on the panel, following the step-by-step prompts, as required;
the policy repository is used for storing the configured data encryption policy and the configured access control policy and sending the data encryption policy and the access control policy to a database encryption component installed in an application system;
the key manager is used for managing keys for providing encrypted data for the database encryption components installed in the application system, and the keys come from the key management system or from a hardware security module of the manager;
the database management tool provides an authorized database administrator with management of the encrypted sensitive data; by means of this tool the administrator can view the encrypted sensitive data in plaintext and perform common database maintenance operations.
The invention also provides a database-based fine-grained data encryption system, which comprises: an application system, a database encryption management device and a database;
the database encryption management device comprises a policy management module, an encryption module and a database management tool;
the strategy management module comprises a strategy editing unit, a strategy storage unit and a strategy issuing unit; the strategy editing unit is used for newly building and editing a data encryption strategy and an access control strategy, and a user configures the data encryption strategy and the access control strategy according to step prompts according to requirements; the strategy storage unit is used for storing the set data encryption strategy and the set access control strategy to form a database of the data encryption strategy and the access control strategy; the strategy issuing unit is used for sending the data encryption strategy and the access control strategy to the encryption module so as to execute data encryption processing and access control processing.
The encryption module comprises an encryption execution unit and a key management unit; the encryption execution unit is used for receiving the data encryption strategy and the access control strategy of the strategy management module and executing corresponding data encryption processing and access control processing; and the key management unit is used for providing a key used for encryption for the encryption execution unit.
The database management tool is used for authorizing a database administrator to manage the encrypted sensitive data, so that the database administrator can check the plaintext information of the sensitive data after authorization and perform maintenance operation on the database.
The application system is a target information system to be subjected to data encryption protection, and is provided with an encryption execution unit; and
the database is used for storing application system data and carrying out encryption protection on the stored data.
The invention discloses a database-based fine-grained data encryption method, system and device. The data encryption component is installed as a plug-in in each application that needs to access the database; it continuously monitors the application process, intercepts the application's operations on the database, restores entity information from the context of the application process, encrypts and decrypts data at row or column granularity in the database table, and decrypts or desensitizes sensitive data according to the entity's authority. The data encryption management component is connected to the data encryption component over a network and manages entity access authority, encryption and decryption policies and encryption and decryption keys for sensitive data in the database. The invention has the following advantages: sensitive data is encrypted and decrypted at row or column granularity in the data access layer of the application system, and sensitive data that would originally have been submitted to the database driver layer in plaintext is replaced by ciphertext, so that both transmission security and storage security are ensured; at the same time, a desensitization or decryption policy for the sensitive data is set according to the entity's access authority, which strengthens the security control of sensitive data in use and prevents sensitive data leakage caused by system defects, application bugs or insider threats.
Drawings
FIG. 1 is a flow chart of a database-based fine-grained data encryption method according to an embodiment of the present invention;
FIG. 2 is a structural diagram of a database-based fine-grained data encryption device according to an embodiment of the present invention;
FIG. 3 is a structural diagram of a database-based fine-grained data encryption device according to an embodiment of the present invention;
FIG. 4 is a schematic topology diagram of a database encryption system according to an embodiment of the present invention;
FIG. 5 is a deployment flow diagram of an embodiment of the present invention;
FIG. 6 is a flow chart of database protection policy configuration according to an embodiment of the present invention;
FIG. 7 is a flow chart of data encryption according to an embodiment of the present invention;
FIG. 8 is a flowchart illustrating data decryption according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be further described in detail with reference to the accompanying drawings and the embodiments. It should be understood that the detailed description and specific examples, while indicating some embodiments of the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, a fine-grained data encryption method based on a database of the present invention includes:
step S101, recording the meta-information of the sensitive data in the database, encrypting and decrypting the sensitive data in the application layer of the application system, limiting the access authority of the sensitive data and executing a preset encryption and decryption strategy.
Step S102, when the writing operation is executed to the database, the operation request is analyzed at the data access layer of the application system, the sensitive data is encrypted and replaced through encryption and is written into the database, when the reading operation is executed to the database, the data obtained from the database is analyzed, and the sensitive data contained in the data obtained from the database is decrypted at the data access layer of the application system according to the access control strategy.
When a write operation is performed on the database, the database encryption and decryption component intercepts the operation instructions that the application sends to the database (usually SQL statements or an operation protocol supported by the target database), analyzes the instruction actions they contain (such as Insert, Update, Select, Find and Delete), and identifies the table, field and content features of every data item in the operation. After analysis, the table, field and content features of each data item are matched one by one against the table, field and content feature information marked in the sensitive data encryption and decryption policy; if the table, field or content information of a data item is consistent with the policy, that item is encrypted and replaced by its ciphertext. When all data items have been compared, the SQL statement or operation protocol is reassembled so that the instruction actions it contains are identical to those of the original, and the reassembled instruction is then sent to the database to write the data.
When the database is read, the database encryption and decryption component intercepts the result set that the database returns to the application, analyzes it, and matches the table, field and content information it contains against the table, field and content features marked in the sensitive data encryption and decryption policy; if the table, field or content information of a data item is consistent with the policy, that item is decrypted and replaced. When all data items have been compared, the result set is reassembled so that it is consistent in structure with the original result set, and the reassembled result set is returned to the application.
In one embodiment, the application system in which the application layer is located includes a data encryption component and a data encryption management component, wherein: the data encryption component is installed in each application needing to access the database in a plug-in mode, and the data encryption management component is connected with the data encryption component through a network and used for managing entity access rights of the sensitive data in the database, the preset encryption and decryption strategies and encryption and decryption keys.
In one embodiment, the data encryption component encapsulates a database standard connection driver based on the database access layer, so as to implement semantic analysis for intercepting the operation request of the application layer to the database, and perform encryption and decryption on data according to the analysis result.
In one embodiment, the data encryption component comprises a cryptographic software module for providing encryption and decryption capabilities for the data encryption component.
In one embodiment, the meta-information includes database, table, column and row information of the database in which the sensitive data is located. The meta-information also includes content characteristics of the sensitive data, including at least one of: name, mobile phone number, email, identification card, passport, military officer card, home address, biometric, location coordinates, and personal or business asset information, but it is not limited to these.
In one embodiment, the encryption and decryption policy and the access control policy are either defined by the user in the data encryption management component or preset in a specific data encryption management component. The data encryption and decryption policy includes the meta-information of the data to be encrypted and the encryption method used; the data access control policy includes the entity information of the access subject, the sensitive data meta-information, and the processing policy for the data, which is one of decryption, non-decryption and desensitization; and the data encryption management component issues these policies to the corresponding data encryption component in the designated application system through an encryption and decryption policy and access control policy issuing unit.
In one embodiment, the encryption and decryption keys are from a key management unit of the data encryption management component, a hardware security module, a key management system of an enterprise or obtained from the key management system through a database encryption management device; in the preset data encryption strategy, an encryption algorithm supports the adoption of a deterministic encryption method to realize accurate retrieval of the ciphertext.
In one embodiment, the entity information is obtained by the data encryption component monitoring the target application process, by restoring context information in its process, or by an entity authentication system used by the interfacing target application.
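The write and read paths of steps S101 and S102, together with the deterministic-encryption option and the decrypt/non-decrypt/desensitize processing policy described in the embodiments above (and in the disclosure section), as one added worked example. This is illustrative code written for this page, not the patent's or the assignee's implementation. It assumes sqlite3 as a stand-in for the target database driver, a deliberately small SQL subset (parameterised INSERT, and SELECT with an optional equality WHERE), an entity name passed in explicitly rather than restored from process context, and an HMAC-SHA256 SIV-style deterministic cipher used only because the Python standard library has no AES (AES-SIV or a comparable deterministic authenticated mode would be the production choice). Table names, columns, entities, the key and the masking format are all constructed for the example.

```python
"""Data-access-layer interceptor: an added example, not the patent's own code.
Assumptions (constructed): sqlite3 stands in for the real driver; only parameterised
INSERT and SELECT with an optional equality WHERE are parsed; the entity is passed in
explicitly; the cipher is an HMAC-SHA256 SIV-style stand-in for AES-SIV."""
import hashlib
import hmac
import re
import sqlite3


class DeterministicCipher:
    """Equal plaintexts give equal ciphertexts under one key, so an exact-match
    WHERE clause can be evaluated by the database on the stored ciphertext."""

    def __init__(self, key: bytes):
        self._k_iv = hmac.new(key, b"siv", hashlib.sha256).digest()   # sub-key for synthetic IV
        self._k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()  # sub-key for keystream

    def _keystream(self, iv: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._k_enc, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def encrypt(self, plaintext: str) -> str:
        pt = plaintext.encode("utf-8")
        iv = hmac.new(self._k_iv, pt, hashlib.sha256).digest()[:16]  # IV derived from plaintext
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(iv, len(pt))))
        return "ENC:" + (iv + ct).hex()

    def decrypt(self, token: str) -> str:
        if not token.startswith("ENC:"):
            raise ValueError("cell is not ciphertext produced by this component")
        blob = bytes.fromhex(token[4:])
        iv, ct = blob[:16], blob[16:]
        pt = bytes(a ^ b for a, b in zip(ct, self._keystream(iv, len(ct))))
        # Recomputing the IV from the recovered plaintext authenticates the cell.
        if not hmac.compare_digest(hmac.new(self._k_iv, pt, hashlib.sha256).digest()[:16], iv):
            raise ValueError("ciphertext integrity check failed")
        return pt.decode("utf-8")


# Encryption policy: (table, column) -> content feature; these cells are sensitive.
ENCRYPTION_POLICY = {("customers", "phone"): "phone", ("customers", "email"): "email"}
# Access-control policy per entity: "decrypt", "mask" (desensitize) or "raw" (ciphertext as stored).
ACCESS_POLICY = {
    "billing-service": {("customers", "phone"): "decrypt", ("customers", "email"): "decrypt"},
    "support-agent": {("customers", "phone"): "mask", ("customers", "email"): "raw"},
}


def desensitize(value: str) -> str:
    """Constructed masking format: keep the first 3 and last 4 characters."""
    return "*" * len(value) if len(value) <= 7 else value[:3] + "*" * (len(value) - 7) + value[-4:]


_INSERT = re.compile(r"^\s*INSERT\s+INTO\s+(\w+)\s*\(([^)]*)\)\s*VALUES\s*\(([^)]*)\)\s*$", re.I)
_SELECT = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(\w+)\s*=\s*\?)?\s*$", re.I)


class EncryptingConnection:
    """Wraps the real driver connection; the application keeps calling execute()."""

    def __init__(self, conn, cipher: DeterministicCipher, entity: str):
        self._conn, self._cipher, self._entity = conn, cipher, entity

    def execute(self, sql: str, params=()):
        params = list(params)
        if m := _INSERT.match(sql):
            table = m.group(1).lower()
            cols = [c.strip().lower() for c in m.group(2).split(",")]
            if any(p.strip() != "?" for p in m.group(3).split(",")) or len(cols) != len(params):
                raise ValueError("only fully parameterised INSERT is supported")
            # Swap plaintext parameters of sensitive columns for ciphertext; the statement
            # text is untouched, so the driver sees the same INSERT action as before.
            for i, col in enumerate(cols):
                if (table, col) in ENCRYPTION_POLICY:
                    params[i] = self._cipher.encrypt(params[i])
            return self._conn.execute(sql, params)
        if m := _SELECT.match(sql):
            table, where_col = m.group(2).lower(), m.group(3)
            if where_col and (table, where_col.lower()) in ENCRYPTION_POLICY:
                params[0] = self._cipher.encrypt(params[0])  # deterministic: encrypt the lookup value
            cur = self._conn.execute(sql, params)
            names = [d[0].lower() for d in cur.description]
            return [self._apply_access_policy(table, names, row) for row in cur.fetchall()]
        return self._conn.execute(sql, params)  # anything else passes through unchanged

    def _apply_access_policy(self, table, names, row):
        rules, out = ACCESS_POLICY.get(self._entity, {}), []
        for col, value in zip(names, row):
            if (table, col) not in ENCRYPTION_POLICY:
                out.append(value)
                continue
            action = rules.get((table, col), "raw")  # unknown entity or column: never decrypt
            if action == "decrypt":
                out.append(self._cipher.decrypt(value))
            elif action == "mask":
                out.append(desensitize(self._cipher.decrypt(value)))
            else:
                out.append(value)
        return tuple(out)


def demo():
    """Writes one constructed row and reads it back as two different entities."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, phone TEXT, email TEXT)")
    cipher = DeterministicCipher(b"constructed-example-key-not-for-production")
    EncryptingConnection(db, cipher, "billing-service").execute(
        "INSERT INTO customers (name, phone, email) VALUES (?, ?, ?)",
        ("Alice", "13800001234", "alice@example.com"))
    stored = db.execute("SELECT phone FROM customers").fetchone()[0]  # what the database holds
    query = "SELECT name, phone, email FROM customers WHERE phone = ?"
    billing = EncryptingConnection(db, cipher, "billing-service").execute(query, ("13800001234",))
    support = EncryptingConnection(db, cipher, "support-agent").execute(query, ("13800001234",))
    return stored, billing, support
```

Calling `demo()` shows the database holding only ciphertext in the phone and email columns; the billing entity receives plaintext, the support entity receives a masked phone number and the email ciphertext untouched, and the `WHERE phone = ?` lookup still matches because the lookup value is encrypted with the same deterministic cipher before it reaches the driver. An entity or column with no access rule falls through to "raw", which is the fail-closed reading of the non-decryption processing policy; the recomputed synthetic IV on decryption also detects a cell that was modified in storage, which a plain deterministic cipher without authentication would not.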
As shown in fig. 2, an apparatus for encrypting fine-grained data based on a database includes: encryption component 201, control panel 202, policy store 203, key manager 204;
the encryption component 201 is installed on a database access layer of the application system and is used for executing encryption processing and access control on data written into the database by the application system according to the acquired data encryption and decryption strategy and access control strategy;
the control panel 202 is used for setting a data encryption policy and an access control policy; a user configures the data encryption policy and the access control policy on the panel, following the step-by-step prompts, as required;
the policy repository 203 is configured to store the configured data encryption policy and access control policy, and send the data encryption policy and access control policy to a database encryption component installed in the application system;
the key manager 204 is configured to manage a key used for providing encrypted data to a database encryption component installed in the application system, where the key may be from a key management system or from a hardware security module of the manager itself.
As shown in fig. 3, the database-based fine-grained data encryption device of the present invention includes an encryption component 301, a control panel 302, a policy store 303, a key manager 304 and a database management tool 305;
the encryption component 301 is installed in the database access layer of the application system and performs encryption processing and access control on the data the application system writes to the database, according to the data encryption and decryption policy and access control policy it has obtained;
the control panel 302 is used to set the data encryption policy and the access control policy; a user configures both on this module as required, following its step-by-step prompts;
the policy store 303 stores the configured data encryption policy and access control policy and sends them to the database encryption component installed in the application system;
the key manager 304 manages the keys supplied for encrypting data to the database encryption components installed in the application system; the keys come from a key management system or from a hardware security module of the manager;
the database management tool 305 gives an authorized database administrator management of the encrypted sensitive data: with it, the administrator can view the encrypted sensitive data in clear text and perform routine database maintenance operations.
As shown in fig. 4, a database-based fine-grained data encryption system of the present invention includes an application system, a database encryption management device and a database;
the database encryption management device comprises a policy management module, an encryption module and a database management tool;
the policy management module comprises a policy editing unit, a policy storage unit and a policy issuing unit. The policy editing unit creates and edits the data encryption policy and the access control policy; a user configures both as required, following step-by-step prompts. The policy storage unit stores the configured data encryption policy and access control policy, forming a database of these policies. The policy issuing unit sends the data encryption policy and the access control policy to the encryption module, which executes the data encryption processing and access control processing.
The encryption module comprises an encryption execution unit and a key management unit. The encryption execution unit receives the data encryption policy and the access control policy from the policy management module and executes the corresponding data encryption processing and access control processing; the key management unit provides the encryption execution unit with the keys used for encryption.
The database management tool authorizes a database administrator to manage the encrypted sensitive data, so that after authorization the administrator can view the plaintext of the sensitive data and perform maintenance operations on the database.
The application system is the target information system to be protected by data encryption, and has the encryption execution unit installed in it; the database stores the application system's data, and the stored data is protected by encryption.
The database-based fine-grained data encryption method of the present invention is described in detail below with reference to a specific embodiment. The embodiment is built on an enterprise's existing ERP system: the ERP system has a C/S architecture, is developed in Java, presents its client in a browser by means of Applet technology, and exchanges data between the browser and the ERP server by means of EJB technology. The ERP system stores its data in an Oracle database. The method, apparatus and system of the present invention are applied to this system as described below in conjunction with figs. 4-8.
First, the data encryption component, which is distributed as a Java Jar package, is installed by placing it in the library directory of the system's Java environment.
Then the database driver configuration of the ERP system is replaced: the package name of the original database driver is changed to the package name of the data encryption component.
In the configuration file of the data encryption component, the service address of the data encryption management component to which the data encryption component connects is configured.
The ERP system is then restarted so that it loads the data encryption component as its database driver. Next, the database protection panel of the data encryption device is opened and a database protection policy is added.
Further, the sensitive data encryption policy is set following the prompts of the database protection panel: enter the connection information of the database to be protected (once entered, the data encryption management component connects to the database and retrieves the information on all of its tables and columns); select the table that holds the data to be encrypted; select the column or row that holds the data to be encrypted; select the encryption mode to be used for that data; and complete the setting of the sensitive data encryption policy. After a sensitive data encryption policy has been added or edited, the data encryption management component stores the meta-information and the encryption policy of the sensitive data and issues them to all data encryption components that access the database.
The data encryption component requests the encryption key from the data encryption management component, which, on receiving the request, transmits the encryption key to the database encryption component.
Next, the entity definition management panel is opened and the entity information of the application is added or edited. Specifically, the entities of the system are managed following the prompts of the entity definition management panel: select the authentication mode used by the target application system; enter the relevant information of the authentication system; once the setting is complete, the data encryption management component connects to the authentication system and retrieves all entity information of the target system.
Then the data protection panel of the data encryption management component is opened and a sensitive data desensitization policy is added. Further, the desensitization policy for the sensitive data is set following the prompts of the data protection panel: select the encrypted sensitive data; select the entities that are granted decryption rights; and complete the setting of the data desensitization policy. Once set, the desensitization policy is issued to all data encryption components that access the data.
When the target application performs a write operation on the database, the data encryption component receives the request, performs semantic analysis on the SQL statement in the request and generates a syntax tree. It scans the nodes of the syntax tree and matches them against the sensitive-data meta-information in the encryption policy; wherever a node matches, the data is encrypted with the encryption method defined in the policy and the original data is replaced by the ciphertext. After the whole syntax tree has been scanned, the data encryption component reconstructs the SQL statement, with the plaintext sensitive data replaced by the ciphertext, and submits it to the database for execution.
When the target application performs a read operation on the database, the data encryption component receives both the request and the result set returned by the database. It performs semantic analysis on the SQL statement in the request and generates a syntax tree, scans the tree's nodes and matches them against the sensitive-data meta-information in the encryption policy, and, when matching data exists, determines the entity information contained in the context of the target application process. If the entity has the right to use the sensitive data, the data encryption component decrypts the sensitive data in the result set; if it does not, the data encryption component desensitizes the sensitive data in the result set. After the syntax tree has been scanned, the data encryption component reconstructs the result set and returns it to the target application.
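The write path and read path described above, as an added example that is not part of the patent or the applicant's product: a Go sketch of the driver-level hook in which a regular expression stands in for the syntax-tree walk, an illustrative SIV-style deterministic AES-GCM construction stands in for the unnamed encryption method of the policy (so that an equality query still matches the stored ciphertext), and the policy, keys and the ID-card number are constructed. It also covers one case the text does not spell out: a result-set cell whose ciphertext fails authentication is blanked rather than returned.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Policy maps "table.column" (lower case) to the entities that may read it in the clear.
type Policy map[string]map[string]bool

// Encryptor is a deterministic AES-GCM wrapper: the nonce is an HMAC of the
// plaintext, so equal plaintexts give equal ciphertexts and an equality query
// still matches once its literal is encrypted the same way (SIV-style, illustrative).
type Encryptor struct {
	aead   cipher.AEAD
	macKey []byte
}

func NewEncryptor(encKey, macKey []byte) (*Encryptor, error) {
	block, err := aes.NewCipher(encKey) // encKey must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Encryptor{aead: aead, macKey: macKey}, err
}

func (e *Encryptor) Encrypt(plain string) string {
	mac := hmac.New(sha256.New, e.macKey)
	mac.Write([]byte(plain))
	nonce := mac.Sum(nil)[:e.aead.NonceSize()]
	out := e.aead.Seal(append([]byte{}, nonce...), nonce, []byte(plain), nil)
	return "enc:" + hex.EncodeToString(out)
}

func (e *Encryptor) Decrypt(stored string) (string, error) {
	raw, err := hex.DecodeString(strings.TrimPrefix(stored, "enc:"))
	if n := e.aead.NonceSize(); err == nil && len(raw) >= n {
		pt, openErr := e.aead.Open(nil, raw[:n], raw[n:], nil)
		return string(pt), openErr
	}
	return "", fmt.Errorf("malformed ciphertext")
}

// The two patterns recognise the single-row INSERT handled here; they stand in
// for the syntax-tree walk a real driver wrapper performs.
var insertRe = regexp.MustCompile(`(?i)^INSERT INTO (\w+) \(([^)]*)\) VALUES \(([^)]*)\)$`)
var listRe = regexp.MustCompile(`\s*,\s*`)

// RewriteInsert is the write-path hook: each literal bound to a policy-covered column
// is replaced by its ciphertext; statements the example does not recognise pass through.
func RewriteInsert(sql string, pol Policy, enc *Encryptor) string {
	m := insertRe.FindStringSubmatch(strings.TrimSpace(sql))
	if m == nil {
		return sql
	}
	cols, vals := listRe.Split(m[2], -1), listRe.Split(m[3], -1)
	for i := 0; i < len(cols) && i < len(vals); i++ {
		if _, sensitive := pol[strings.ToLower(m[1]+"."+cols[i])]; sensitive {
			vals[i] = "'" + enc.Encrypt(strings.Trim(vals[i], "'")) + "'"
		}
	}
	return fmt.Sprintf("INSERT INTO %s (%s) VALUES (%s)",
		m[1], strings.Join(cols, ", "), strings.Join(vals, ", "))
}

// mask is the desensitisation rule used here: only the last four characters survive.
func mask(s string) string {
	if len(s) <= 4 {
		return strings.Repeat("*", len(s))
	}
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// FilterRow is the read-path hook for one result-set row (column -> value): a covered
// column is decrypted for an entitled entity, masked for others, blanked if the tag fails.
func FilterRow(table string, row map[string]string, entity string, pol Policy, enc *Encryptor) map[string]string {
	out := map[string]string{}
	for col, val := range row {
		allowed, sensitive := pol[strings.ToLower(table+"."+col)]
		if !sensitive {
			out[col] = val
			continue
		}
		plain, err := enc.Decrypt(val)
		if err != nil {
			out[col] = "<unreadable>"
		} else if allowed[entity] {
			out[col] = plain
		} else {
			out[col] = mask(plain)
		}
	}
	return out
}
```

Because the construction is deterministic, a `WHERE id_card = '...'` literal run through `Encrypt` matches the stored cell exactly, which is the retrieval property the deterministic-encryption option in the policy is meant to provide.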
The technical effects of the method are as follows: the sensitive data is encrypted and decrypted in the data access layer of the application system at the granularity of a row or column of a database table, and sensitive data that was previously submitted to the database driver layer in plaintext is replaced by ciphertext, which ensures the security of the data both in transit and at rest; at the same time, a desensitization or decryption policy for the sensitive data is set according to the access rights of each entity, which strengthens the security control of sensitive data in use and prevents leakage of sensitive data through system defects, application vulnerabilities or insider threats.
It should be noted that the present invention may be implemented in software and/or a combination of software and hardware, for example, using a special purpose computer or any other similar hardware device. Also, the software program of the present invention may be stored in a computer readable storage medium, such as a RAM memory, a magnetic or optical drive or diskette and the like.
In addition, part of the present invention can be applied as a computer program product, such as computer program instructions which, when executed by a computer, can invoke or provide the method and/or technical solution according to the present invention through the operation of the computer. Program instructions which invoke the methods of the present invention may be stored on fixed or removable storage media and/or transmitted via a data stream over a broadcast or other signal-bearing medium and/or stored within a working memory of a computer device operating in accordance with the program instructions. An embodiment according to the invention herein comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to perform a method and/or solution according to the aforementioned embodiments of the invention.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is to be understood that the word "comprising" does not exclude other modules or steps, and the singular does not exclude the plural. A plurality of modules or means recited in the claims may also be implemented by one module or means through software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.

Claims (10)

1. A database-based fine-grained data encryption method, characterized in that:
meta-information of sensitive data in the database is recorded, the sensitive data is encrypted and decrypted at the application system layer of an information system, access rights to the sensitive data are defined and a predetermined encryption and decryption policy is executed,
wherein, when a write operation is performed on the database, the operation request is analyzed at the data access layer of the application system, and the sensitive data is encrypted, replaced by its ciphertext and written to the database,
and when a read operation is performed on the database, the data obtained from the database is analyzed and the sensitive data it contains is decrypted at the data access layer of the application system according to an access control policy;
the encryption and decryption policy and the access control policy are set in a data encryption management component in a user-defined manner, or the sensitive data encryption and decryption policy and the access control policy are preset in a specific data encryption management component,
the data encryption and decryption policy includes meta-information of the data to be encrypted and the encryption method used,
the data access control policy includes entity information of the access subject, sensitive data meta-information, and data processing policy information, the latter covering decryption processing, non-decryption processing and desensitization processing of the data,
and the data encryption management component sends the sensitive data to the corresponding data encryption component in the designated application system through an encryption and decryption policy and access control policy issuing unit.
2. The database-based fine-grained data encryption method according to claim 1, characterized in that:
the application system of the application layer comprises a data encryption component and a data encryption management component, wherein the data encryption component is installed as a plug-in in each application that needs to access the database;
and the data encryption management component is connected to the data encryption component over a network and manages the entity access rights to the sensitive data in the database, the preset encryption and decryption policy and the encryption and decryption keys.
3. The database-based fine-grained data encryption method according to claim 2, characterized in that:
the data encryption component wraps the standard database connection driver at the database access layer, thereby intercepting the application layer's operation requests to the database for semantic analysis and encrypting or decrypting data according to the analysis result.
4. The database-based fine-grained data encryption method according to claim 3, characterized in that:
the data encryption component comprises a cryptographic software module which provides the data encryption component with encryption and decryption capabilities.
5. The database-based fine-grained data encryption method according to claim 1, characterized in that:
the meta-information comprises the library, table, column and row information of the database in which the sensitive data is located;
the meta-information further includes content characteristics of the sensitive data, including one or more of name, phone number, e-mail, identity card, passport, military officer card, home address, biometric, location coordinates, and personal or business asset information.
6. The database-based fine-grained data encryption method according to claim 1, characterized in that:
the encryption and decryption keys come from the key management unit of the data encryption management component, from a hardware security module, from an enterprise key management system, or are obtained from the key management system through a database encryption management device;
in the preset data encryption policy, the encryption algorithm supports a deterministic encryption method so that exact-match retrieval can be performed on the ciphertext.
7. The database-based fine-grained data encryption method according to claim 6, characterized in that:
the entity information is obtained by the data encryption component monitoring the target application process, by recovering the context information of that process, or through the entity authentication system used by the target application to which it is connected.
8. An encryption apparatus according to the database-based fine-grained data encryption method of one of claims 1 to 6, comprising an encryption component, a control panel, a policy repository and a key manager, characterized in that:
the encryption component is arranged in the database access layer of the application system and performs encryption processing and access control on the data written to the database by the application system, according to the acquired data encryption and decryption policy and access control policy;
the control panel is used to set the data encryption policy and the access control policy, and a user configures both on this module as required, following its step-by-step prompts;
the policy repository stores the configured data encryption policy and access control policy and sends them to the database encryption component installed in the application system;
the key manager manages the keys supplied for encrypting data to the database encryption component installed in the application system, and the keys may come from the key management system or from a hardware security module of the manager.
9. A database-based fine-grained data encryption device, characterized in that it comprises an encryption component, a control panel, a policy repository, a key manager and a database management tool;
the encryption component is arranged in the database access layer of the application system and performs encryption processing and access control on the data written to the database by the application system, according to the acquired data encryption and decryption policy and access control policy;
the control panel is used to set the data encryption policy and the access control policy, and a user configures both on this module as required, following its step-by-step prompts;
the policy repository stores the configured data encryption policy and access control policy and sends them to the database encryption component installed in the application system;
the key manager manages the keys supplied for encrypting data to the database encryption components installed in the application system, and the keys come from the key management system or from a hardware security module of the manager;
the database management tool provides an authorized database administrator with management of the encrypted sensitive data; by means of the database management tool the administrator can view the encrypted sensitive data in clear text and perform routine database maintenance operations.
10. A database-based fine-grained data encryption system, characterized in that it comprises an application system, a database encryption management device and a database;
the database encryption management device comprises a policy management module, an encryption module and a database management tool;
the policy management module comprises a policy editing unit, a policy storage unit and a policy issuing unit; the policy editing unit creates and edits the data encryption policy and the access control policy, and a user configures both as required, following step-by-step prompts; the policy storage unit stores the configured data encryption policy and access control policy, forming a database of these policies; the policy issuing unit sends the data encryption policy and the access control policy to the encryption module for execution of data encryption processing and access control processing;
the encryption module comprises an encryption execution unit and a key management unit; the encryption execution unit receives the data encryption policy and the access control policy from the policy management module and executes the corresponding data encryption processing and access control processing; the key management unit provides the encryption execution unit with the keys used for encryption;
the database management tool authorizes a database administrator to manage the encrypted sensitive data, so that after authorization the administrator can view the plaintext of the sensitive data and perform maintenance operations on the database;
the application system is the target information system to be protected by data encryption and has an encryption execution unit installed in it; and
the database stores application system data and protects the stored data by encryption.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2018115014058 2018-12-10
CN201811501405 2018-12-10

Publications (2)

Publication Number Publication Date
CN110889130A true CN110889130A (en) 2020-03-17
CN110889130B CN110889130B (en) 2023-03-28

Family

ID=69751188

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911253407.4A Active CN110889130B (en) 2018-12-10 2019-12-09 Database-based fine-grained data encryption method, system and device

Country Status (1)

Country Link
CN (1) CN110889130B (en)


Also Published As

Publication number Publication date
CN110889130B (en) 2023-03-28


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant