CN111475524B - Data processing method and device based on interceptor and computer equipment - Google Patents


Info

Publication number
CN111475524B
Authority
CN (China)
Prior art keywords
specified; interceptor; appointed; encrypted; sql request
Legal status
Active
Application number
CN202010148232.7A
Other languages
Chinese (zh)
Other versions
CN111475524A (en)
Inventor
王灵山
Current Assignee
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries

Abstract

The application discloses an interceptor-based data processing method, apparatus and computer device. The method comprises the following steps: adding a configuration file under a first specified directory of the application system; receiving an input encryption jar package and adding the configuration information carried in the encryption jar package to the configuration file; configuring a specified interceptor in the application system; and intercepting the SQL request to be executed with the specified interceptor and, after the SQL request has been intercepted successfully, performing encryption processing and decryption processing on the specified parameters in the SQL request that correspond to the configuration information. The embodiment of the application abandons the existing approach of retrofitting security onto application-system data through the application code; instead it configures and uses a specified interceptor in the application system to encrypt and decrypt the specified parameters corresponding to the configuration information quickly and conveniently, which effectively reduces the cost of modifying the application system and improves the efficiency with which the specified parameters are modified.

Description

Data processing method and device based on interceptor and computer equipment
Technical Field
The present application relates to the field of information security technology, and in particular to an interceptor-based data processing method, apparatus and computer device.
Background
With the rapid development of technology, application systems are updated faster and faster, but at the same time their data security problems are continually exposed, so the demand for protecting application-system data grows ever stronger. In the prior art, the approach to retrofitting security onto the data of an application system generally relies on the application code of the application system to encrypt and decrypt its important data. Specifically, the application system first has to be upgraded accordingly, that is, its application code has to be modified for the upgrade; the upgraded application system is then fitted with encryption and decryption, for example by coupling encryption and decryption routines written by a developer into the modified application code, so as to complete the security retrofit of the application-system data. However, the code base of an application system is generally large, so retrofitting it in this way tends to consume time and labour: the retrofit cost is high and the retrofit efficiency is low.
Disclosure of Invention
The main purpose of the application is to provide an interceptor-based data processing method, data processing apparatus and computer device, so as to solve the technical problem that the existing retrofit approach tends to consume time and labour, has a high retrofit cost and a low retrofit efficiency when a security retrofit of an application system is carried out.
The application provides an interceptor-based data processing method, which comprises the following steps:
adding a configuration file under a first specified directory of the application system;
receiving an input encryption jar package, and adding the configuration information carried in the encryption jar package to the configuration file;
configuring a specified interceptor in the application system; and
intercepting the SQL request to be executed with the specified interceptor and, after the SQL request has been intercepted successfully, performing encryption processing and decryption processing on the specified parameters in the SQL request that correspond to the configuration information.
Optionally, the specified interceptor comprises a first interceptor and a second interceptor, and the step of configuring the specified interceptor in the application system comprises:
acquiring a specified file under a second specified directory of the application system;
adding, in a specified tag of the specified file, a first code for configuring the first interceptor; and
adding, in the specified tag, a second code for configuring the second interceptor.
Optionally, the step of intercepting the SQL request to be executed with the specified interceptor and, after the SQL request has been intercepted successfully, performing encryption processing and decryption processing on the specified parameters in the SQL request that correspond to the configuration information comprises:
judging whether a preset encryption switch is turned on;
if the preset encryption switch is judged to be turned on, intercepting the SQL request with the first interceptor;
after the SQL request has been intercepted successfully, encrypting the specified parameters in the SQL request according to a first preset rule to obtain the encrypted specified parameters;
after a preset time period has elapsed since the encryption processing of the specified parameters was completed, judging whether a preset decryption switch is turned on;
if the preset decryption switch is judged to be turned on, intercepting the SQL request again with the second interceptor;
after the SQL request has been intercepted again successfully, extracting the encrypted specified parameters from the SQL request; and
decrypting the encrypted specified parameters to obtain the corresponding decryption result.
Optionally, the step of encrypting the specified parameters in the SQL request according to the first preset rule to obtain the encrypted specified parameters comprises:
judging whether a specified table exists in the SQL request, the specified table being a table to be encrypted;
if it is judged that a specified table exists in the SQL request, acquiring the data type of the specified table;
adapting, according to the data type, the parameter type of the specified table to the specified parameter type corresponding to that data type, to obtain the adapted specified table;
judging whether a specified field exists in the adapted specified table, the specified field being a field to be encrypted; and
if it is judged that a specified field exists in the adapted specified table, encrypting the specified field according to a second preset rule to obtain the encrypted specified field.
Optionally, the step of encrypting the specified field according to a second preset rule to obtain the encrypted specified field comprises:
invoking a first interface of the key management service of the application system to create a master key;
invoking a second interface of the key management service to create a data key, the key management service encrypting the data key with the master key and returning the plaintext data key and the ciphertext data key corresponding to the data key; and
encrypting the specified field with the plaintext data key to obtain the encrypted specified field.
Optionally, after the step of encrypting the specified field with the plaintext data key to obtain the encrypted specified field, the method comprises:
deleting the local plaintext data key of the application system; and
storing the ciphertext data key and the encrypted specified field.
Optionally, the step of decrypting the encrypted specified parameters to obtain the corresponding decryption result comprises:
reading the ciphertext data key;
invoking a third interface of the key management service to decrypt the ciphertext data key into the corresponding specified plaintext data key; and
decrypting the encrypted specified field with the specified plaintext data key to obtain the corresponding decryption result.
The application also provides an interceptor-based data processing apparatus, which comprises:
an adding module, used for adding a configuration file under a first specified directory of the application system;
the adding module also being used for receiving an input encryption jar package and adding the configuration information carried in the encryption jar package to the configuration file;
a configuration module, used for configuring a specified interceptor in the application system; and
a processing module, used for intercepting the SQL request to be executed with the specified interceptor and, after the SQL request has been intercepted successfully, performing encryption processing and decryption processing on the specified parameters in the SQL request that correspond to the configuration information.
The application also provides a computer device comprising a memory and a processor, the memory storing a computer program and the processor implementing the steps of the above method when it executes the computer program.
The application also provides a computer-readable storage medium on which a computer program is stored which, when executed by a processor, performs the steps of the above method.
The interceptor-based data processing method, data processing apparatus, computer device and storage medium provided by the application have the following beneficial effects:
The application provides an interceptor-based data processing method, data processing apparatus, computer device and storage medium in which a configuration file is added under a first specified directory of the application system; an input encryption jar package is received and the configuration information it carries is added to the configuration file; a specified interceptor is configured in the application system; and the SQL request to be executed is intercepted with the specified interceptor and, after it has been intercepted successfully, encryption processing and decryption processing are performed on the specified parameters in the SQL request that correspond to the configuration information. The application abandons the existing approach of retrofitting security onto application-system data through the application code and instead configures and uses a specified interceptor in the application system to encrypt and decrypt the specified parameters corresponding to the configuration information quickly and conveniently. Because the encryption and decryption are transparent to the application, the security retrofit of the specified parameters becomes more flexible and concise: the retrofit cost of the application system is effectively reduced, the retrofit efficiency for the specified parameters is improved, the complexity that the encryption and decryption service adds to the structure and code of the application system is reduced, and the success rate of the retrofit is improved.
Drawings
FIG. 1 is a flow chart of an interceptor-based data processing method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an interceptor-based data processing apparatus in accordance with one embodiment of the present application;
FIG. 3 is a schematic structural diagram of a computer device according to an embodiment of the present application.
The achievement of the objects, functional features and advantages of the present application will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
It should be noted that, in the embodiments of the present application, all directional indicators (such as up, down, left, right, front and rear…) are used only to explain the relative positional relationship, movement and the like between components in a specific posture (as shown in the drawings); if that specific posture changes, the directional indicators change accordingly, and a connection may be a direct connection or an indirect connection.
Referring to FIG. 1, an interceptor-based data processing method according to an embodiment of the present application comprises:
S1: adding a configuration file under a first specified directory of the application system;
S2: receiving an input encryption jar package, and adding the configuration information carried in the encryption jar package to the configuration file;
S3: configuring a specified interceptor in the application system; and
S4: intercepting the SQL request to be executed with the specified interceptor and, after the SQL request has been intercepted successfully, performing encryption processing and decryption processing on the specified parameters in the SQL request that correspond to the configuration information.
As described in steps S1 to S4, the execution subject of this method embodiment is an interceptor-based data processing apparatus. In practice, the apparatus may be implemented by virtual means, such as software code, or by physical means on which the associated execution code is written or integrated. The apparatus can quickly and conveniently carry out the security retrofit of the related data in the application system, the related data being specifically the specified parameters contained in the SQL requests of the application system server (that is, the application server of the application system).
Specifically, a configuration file is added under a first specified directory of the application system; the first specified directory may be modules/fintelligen-common/resource/, and the configuration file may specifically be an encryptions. After the configuration file has been added, an encryption jar package input by a developer is received, and the configuration information carried in the encryption jar package is added to the configuration file. The configuration information may specifically include the encryption table, the encryption fields, the encryption switch, the DTO base class, the paging object, the encryption key and the related configuration of the key management service. Once the configuration information has been added, a specified interceptor is configured in the application system, and the SQL requests to be executed in the application system server are then intercepted with it. The number of specified interceptors is not particularly limited; specifically, there may be a first interceptor and a second interceptor. After the specified interceptor has intercepted the SQL request successfully, the specified parameters in the SQL request that correspond to the configuration information are encrypted and decrypted, completing the security retrofit of the specified parameters contained in the SQL requests executed in the application system server.
This embodiment abandons the existing approach of retrofitting security onto application-system data through the application code and instead configures and uses a specified interceptor in the application system to encrypt and decrypt the specified parameters corresponding to the configuration information quickly and conveniently. Because the encryption and decryption are transparent to the application, the security retrofit of the specified parameters becomes more flexible and concise: the retrofit cost of the application system is effectively reduced, the retrofit efficiency for the specified parameters is improved, the complexity that the encryption and decryption service adds to the structure and code of the application system is reduced, and the success rate of the retrofit is improved.
Further, in an embodiment of the present application, the specified interceptor comprises a first interceptor and a second interceptor, and step S3 comprises:
S300: acquiring a specified file under a second specified directory of the application system;
S301: adding, in a specified tag of the specified file, a first code for configuring the first interceptor; and
S302: adding, in the specified tag, a second code for configuring the second interceptor.
As described in steps S300 to S302, the specified interceptor comprises a first interceptor and a second interceptor, and embedding the specified interceptor in the application system may specifically comprise the following. First, a specified file is acquired under a second specified directory of the application system; the second specified directory may be modules/fintelligen-report/core/mybatis/, and the specified file may be a mybatis-config-ensable.
Then a first code for configuring the first interceptor is added in a specified tag of the specified file. The specified tag is the plugins tag, and the first code may be: <plugin interceptor="com.jryzt.apsi.base.dataEncrypt.interceptor.ParameterHandlerInterceptor"/>. The first interceptor may be a ParameterHandlerInterceptor, which intercepts the specified parameters contained in the SQL requests executed in the application system server while the application system is running, so that they can be encrypted afterwards. A second code for configuring the second interceptor is added in the same specified tag of the specified file; the second code may specifically be: <plugin interceptor="com.jryzt.apsi.base.dataEncrypt.interceptor.ExecutorInterceptor"/>. The second interceptor may be named ExecutorInterceptor and is configured to intercept the specified parameters in the encrypted SQL requests in the application system server while the application system is running, so that the encrypted specified parameters can be decrypted afterwards.
In this embodiment, configuring the first code and the second code in the specified tag of the specified file successfully configures in the application system the first interceptor and the second interceptor that encrypt and decrypt the related data needing the security retrofit, which makes the security retrofit of the specified parameters corresponding to the configuration information in the SQL request more flexible and concise and effectively reduces the complexity that the encryption and decryption service adds to the structure and code of the application system.
Further, in an embodiment of the present application, step S4 comprises:
S400: judging whether a preset encryption switch is turned on;
S401: if the preset encryption switch is judged to be turned on, intercepting the SQL request with the first interceptor;
S402: after the SQL request has been intercepted successfully, encrypting the specified parameters in the SQL request according to a first preset rule to obtain the encrypted specified parameters;
S403: after a preset time period has elapsed since the encryption processing of the specified parameters was completed, judging whether a preset decryption switch is turned on;
S404: if the preset decryption switch is judged to be turned on, intercepting the SQL request again with the second interceptor;
S405: after the SQL request has been intercepted again successfully, extracting the encrypted specified parameters from the SQL request; and
S406: decrypting the encrypted specified parameters to obtain the corresponding decryption result.
As described in steps S400 to S406, intercepting the SQL request to be executed with the specified interceptor and, after it has been intercepted successfully, performing encryption processing and decryption processing on the specified parameters in the SQL request that correspond to the configuration information may specifically comprise the following. First, it is judged whether a preset encryption switch is turned on; the encryption switch is a control field in the configuration information that controls whether the parameters need to be encrypted. If the encryption switch is turned on, indicating that the specified parameters need to be encrypted, the SQL request is intercepted with the first interceptor. After the SQL request has been intercepted successfully, the specified parameters in the SQL request are encrypted according to a first preset rule to obtain the encrypted specified parameters.
The key management service KMS (Key Management Service) may be used to encrypt the specified parameters, or other encryption techniques may be used. KMS is a security management service that makes it easy to create and manage keys, protects the confidentiality, integrity and availability of the keys, meets the key management requirements of users' multiple applications and services, and satisfies regulatory and compliance requirements. After a preset time period has elapsed since the encryption processing of the specified parameters was completed, it is judged whether a preset decryption switch is turned on. The preset time period is not particularly limited and may be, for example, 2 minutes.
The decryption switch is likewise a control field in the configuration information, controlling whether the parameters need to be decrypted. If the decryption switch is turned on, indicating that the request requires the encrypted specified parameters in the SQL request to be decrypted, the SQL request is intercepted again with the second interceptor, and after it has been intercepted successfully the encrypted specified parameters are extracted from the SQL request. Finally, the encrypted specified parameters are decrypted to obtain the corresponding decryption result, which is then returned.
The decryption method for the encrypted specified parameters corresponds to the encryption method used for the specified parameters: for example, if the specified parameters were encrypted with the encryption method of the key management service, the encrypted specified parameters are decrypted with the corresponding decryption method of the key management service to obtain the decryption result.
In this embodiment, the SQL request can be intercepted with the pre-configured first interceptor and second interceptor, the specified parameters in the SQL request are transparently encrypted depending on whether the preset encryption switch is turned on, and the encrypted specified parameters in the SQL request are decrypted depending on whether the preset decryption switch is turned on, so that the security retrofit of the related data in the application system is achieved and the complexity that the encryption and decryption service adds to the structure and code of the application system is effectively reduced.
Further, in an embodiment of the present application, step S402 comprises:
S4020: judging whether a specified table exists in the SQL request, the specified table being a table to be encrypted;
S4021: if it is judged that a specified table exists in the SQL request, acquiring the data type of the specified table;
S4022: adapting, according to the data type, the parameter type of the specified table to the specified parameter type corresponding to that data type, to obtain the adapted specified table;
S4023: judging whether a specified field exists in the adapted specified table, the specified field being a field to be encrypted; and
S4024: if it is judged that a specified field exists in the adapted specified table, encrypting the specified field according to a second preset rule to obtain the encrypted specified field.
As described in steps S4020 to S4024, encrypting the specified parameters in the SQL request according to the first preset rule to obtain the encrypted specified parameters may specifically comprise the following. First, it is judged whether the SQL request contains a specified table, the specified table being a table to be encrypted; a table is judged to be a specified table if table information corresponding to it exists in the configuration information. If the SQL request contains a specified table, the data type of the specified table is acquired; the data type may be map, string and the like. Once the data type of the specified table has been acquired, the parameter type of the specified table is adapted to the specified parameter type corresponding to that data type, giving the adapted specified table.
For example, if the data type is map, the specified parameter type is also map. It is then judged whether the adapted specified table contains a specified field, the specified field being a field to be encrypted; a field is judged to be a specified field if field information corresponding to it exists in the configuration information. If the adapted specified table contains specified fields, they are encrypted according to a second preset rule to obtain the encrypted specified fields.
The specified field may be encrypted with the key management service KMS or with another encryption technique. In this embodiment, the SQL request can be intercepted with the pre-configured first interceptor and the specified parameters in the SQL request can be encrypted with the key management service or another encryption technique, so that transparent encryption of the specified parameters in the SQL request is achieved quickly and conveniently and the complexity that the encryption service adds to the structure and code of the application system is effectively reduced.
Further, in an embodiment of the present application, step S4024 comprises:
S40240: invoking a first interface of the key management service of the application system to create a master key;
S40241: invoking a second interface of the key management service to create a data key, the key management service encrypting the data key with the master key and returning the plaintext data key and the ciphertext data key corresponding to the data key; and
S40242: encrypting the specified field with the plaintext data key to obtain the encrypted specified field.
As described in steps S40240 to S40242, this embodiment may specifically use the key management service KMS to encrypt and decrypt the parameter data of the SQL requests executed in the application system, so as to protect that data and effectively ensure that, even if the application configuration or the data leaks, an attacker who has compromised the application system cannot obtain the parameter data that has been encrypted.
Specifically, encrypting the specified field according to the second preset rule to obtain the encrypted specified field may comprise the following. First, a master key is created by invoking a first interface of the key management service of the application system; the key management service may be installed in the application system in advance. The first interface may be a CreateKey interface, a dedicated interface for generating a master key: when it is called, a master key is created for the user by default, or the master key may be created through the KMS console. After the master key has been created, an alias may additionally be added to it; the content of the alias is not particularly limited and can be set according to the user's actual requirements. If the user does not add an alias, the ID of the master key is used directly as its alias. Then a second interface of the key management service is invoked to create a data key, the key management service encrypts the data key with the master key, and it returns the plaintext data key and the ciphertext data key corresponding to the data key. The second interface may be a GenerateDataKey interface, a dedicated interface for generating a data key: when it is called, a data key is generated online for the user by default, and the specific contents of the generated data key are random.
After the key management service has encrypted the data key with the master key, the ciphertext and plaintext corresponding to the data key, that is, the plaintext data key and the ciphertext data key, are generated and returned. Once the plaintext data key has been obtained, the specified field is encrypted with it to obtain the encrypted specified field, so that the key management service provides effective encryption protection of the specified field in the SQL request of the application system.
In an embodiment of the present application, after step S40242 the method further includes:
S40243: deleting the local plaintext data key of the application system;
S40244: storing the ciphertext data key and the encrypted specified field.
As described in steps S40243 to S40244, after encrypting the data key with the master key, the key management service returns the ciphertext data key corresponding to the data key in addition to the plaintext data key. Once the specified field has been encrypted with the plaintext data key, the local plaintext data key must be deleted, and the ciphertext data key and the encrypted specified field must be stored, so that nothing persisted on the application side can decrypt the field on its own while the later decryption of the encrypted specified field can still proceed.
Specifically, after the step of encrypting the specified field with the plaintext data key to obtain the encrypted specified field, the method further includes: first deleting the local plaintext data key of the application system, and then storing the ciphertext data key together with the encrypted specified field.
Further, in an embodiment of the present application, step S405 includes:
S4050: reading the ciphertext data key;
S4051: calling a third interface of the key management service to decrypt the ciphertext data key into the corresponding specified plaintext data key;
S4052: decrypting the encrypted specified field with the specified plaintext data key to obtain the corresponding decryption result.
As described in steps S4050 to S4052, after the key management service has been used to encrypt the specified field into the encrypted specified field, this embodiment may likewise use the key management service to decrypt the encrypted specified field, provided the preset decryption switch is on, and output the required decryption result.
Specifically, decrypting the encrypted specified parameters to obtain the corresponding decryption result proceeds as follows. First, the ciphertext data key is read: because the ciphertext data key and the encrypted specified field were stored locally after the specified field was encrypted with the plaintext data key, the ciphertext data key can be read back from local storage. Then a third interface of the key management service is called to decrypt the locally stored ciphertext data key into the corresponding specified plaintext data key. The third interface may be a Decrypt interface, which is dedicated to decryption: data that was encrypted directly by the key management service can be decrypted through the Decrypt interface, and in particular the ciphertext of the data key produced by the second interface (GenerateDataKey), that is, the ciphertext data key, can be decrypted by it.
Further, the specified plaintext data key has the same content as the deleted local plaintext data key and therefore serves the same function. Once the specified plaintext data key has been obtained, the encrypted specified field is decrypted with it to obtain the corresponding decryption result. After the decryption result has been obtained, the locally held specified plaintext data key is deleted and the decryption result is returned, so that the transparent decryption of the encrypted specified field in the SQL request is completed quickly and conveniently, and the complexity that the encryption and decryption service adds to the structure and code transformation of the application system is reduced.
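The envelope-encryption flow of steps S40240 to S40244 and S4050 to S4052, written out as an added example; this is not the patent's code, and while the patent targets a Java application, Python is used here only to model the flow. FakeKms is a constructed stand-in for a key management service exposing CreateKey, GenerateDataKey and Decrypt; its key identifiers, the colon-separated wrapping format and the StoredField record are assumptions of this example. Python's standard library has no AES, so an HMAC-SHA256 keystream with an HMAC tag stands in for an AEAD cipher such as AES-GCM; it is not a production cipher.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for a real block-cipher keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag.  Stand-in for AES-GCM."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject anything modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class FakeKms:
    """Constructed stand-in for a key management service.  Master keys never leave
    this object; callers only ever hold data keys and their wrapped form."""

    def __init__(self) -> None:
        self._master_keys: dict[str, bytes] = {}

    def create_key(self) -> str:                                   # S40240: CreateKey
        key_id = secrets.token_hex(8)                              # doubles as the alias
        self._master_keys[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str) -> tuple[bytes, bytes]:   # S40241: GenerateDataKey
        data_key = secrets.token_bytes(32)                         # random content, as the text says
        wrapped = key_id.encode("ascii") + b":" + seal(self._master_keys[key_id], data_key)
        return data_key, wrapped                                   # (plaintext data key, ciphertext data key)

    def decrypt(self, wrapped: bytes) -> bytes:                    # S4051: Decrypt
        key_id, _, blob = wrapped.partition(b":")
        return open_(self._master_keys[key_id.decode("ascii")], blob)


@dataclass(frozen=True)
class StoredField:
    """What the application persists: the wrapped key and the ciphertext, never the
    plaintext data key (S40244)."""
    ciphertext_data_key: bytes
    encrypted_field: bytes


def encrypt_field(kms: FakeKms, key_id: str, field: bytes) -> StoredField:
    plaintext_dk, ciphertext_dk = kms.generate_data_key(key_id)       # S40241
    try:
        encrypted = seal(plaintext_dk, field)                          # S40242
    finally:
        # S40243: drop the local plaintext data key.  Python cannot zero an
        # immutable bytes object; in Java hold it in a byte[] and overwrite it.
        del plaintext_dk
    return StoredField(ciphertext_dk, encrypted)                       # S40244


def decrypt_field(kms: FakeKms, stored: StoredField) -> bytes:
    specified_dk = kms.decrypt(stored.ciphertext_data_key)            # S4050-S4051
    try:
        return open_(specified_dk, stored.encrypted_field)             # S4052
    finally:
        del specified_dk                                               # discard after use
```

The application never sees the master key: the only key material it persists is the ciphertext data key, and unwrapping it requires a Decrypt call with credentials allowed to use that master key. The protection the text claims against leaked configuration or data therefore holds exactly as far as the KMS access policy for Decrypt is enforced, so that policy should be restricted to the application's identity and Decrypt calls should be audited.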
Referring to fig. 2, an embodiment of the present application further provides an interceptor-based data processing apparatus, including:
a first adding module 1, configured to add a configuration file under a first specified directory of the application system;
a second adding module 2, configured to receive an input encrypted jar package and add the configuration information carried in the encrypted jar package to the configuration file;
a configuration module 3, configured to configure a specified interceptor in the application system; and
a processing module 4, configured to intercept the SQL request to be executed through the specified interceptor and, after the SQL request has been successfully intercepted, to encrypt and decrypt the specified parameters in the SQL request that correspond to the configuration information.
In this embodiment, the functions and operation of the adding modules, the configuration module and the processing module of the interceptor-based data processing apparatus are as described for the corresponding steps S1 to S4 of the interceptor-based data processing method and are not repeated here.
Further, in an embodiment of the present application, the configuration module includes:
an acquisition sub-module, configured to acquire the specified file under the second specified directory of the application system;
a first adding sub-module, configured to add, in a specified tag of the specified file, first code that configures the first interceptor; and
a second adding sub-module, configured to add, in the specified tag, second code that configures the second interceptor.
In this embodiment, the functions and operation of the acquisition sub-module, the first adding sub-module and the second adding sub-module of the interceptor-based data processing apparatus are as described for the corresponding steps S300 to S302 of the interceptor-based data processing method and are not repeated here.
Further, in an embodiment of the present application, the processing module includes:
a first determining sub-module, configured to determine whether a preset encryption switch is on;
a first intercepting sub-module, configured to intercept the SQL request through the first interceptor if the preset encryption switch is determined to be on;
an encryption sub-module, configured to encrypt the specified parameters in the SQL request according to a first preset rule after the SQL request has been successfully intercepted, to obtain encrypted specified parameters;
a second determining sub-module, configured to determine whether a preset decryption switch is on after a preset time period has elapsed since the encryption of the specified parameters was completed;
a second intercepting sub-module, configured to intercept the SQL request again through the second interceptor if the preset decryption switch is determined to be on;
an extraction sub-module, configured to extract the encrypted specified parameters from the SQL request after the SQL request has been successfully intercepted again; and
a decryption sub-module, configured to decrypt the encrypted specified parameters to obtain the corresponding decryption result.
In this embodiment, the functions and operation of the first determining sub-module, the first intercepting sub-module, the encryption sub-module, the second determining sub-module, the second intercepting sub-module, the extraction sub-module and the decryption sub-module of the interceptor-based data processing apparatus are as described for the corresponding steps S400 to S406 of the interceptor-based data processing method and are not repeated here.
Further, in an embodiment of the present application, the encryption sub-module includes:
a first determining unit, configured to determine whether a specified table, that is, a table to be encrypted, is present in the SQL request;
an acquisition unit, configured to acquire the data type of the specified table if the specified table is determined to be present in the SQL request;
an adaptation unit, configured to adapt, according to that data type, the parameter type of the specified table to the specified parameter type corresponding to the data type, obtaining an adapted specified table;
a second determining unit, configured to determine whether a specified field, that is, a field to be encrypted, is present in the adapted specified table; and
an encryption unit, configured to encrypt the specified field according to a second preset rule to obtain the encrypted specified field if the specified field is determined to be present in the adapted specified table.
In this embodiment, the functions and operation of the first determining unit, the acquisition unit, the adaptation unit, the second determining unit and the encryption unit of the interceptor-based data processing apparatus are as described for the corresponding steps S4020 to S4024 of the interceptor-based data processing method and are not repeated here.
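The interceptor decision points of steps S400 to S406 and S4020 to S4024, as the processing sub-modules and encryption units above describe them, written out as an added example that is not the patent's code. The patent registers its interceptors in a Java application through a jar package and a configuration file; this Python model keeps the same checks: the encryption and decryption switches, the test for a specified table in the SQL, the adaptation of the ciphertext to the column's data type, and the encryption of each specified field. The Config and SqlRequest records, the table regex, the column-type adaptation rules (base64 text for character columns, raw bytes for binary columns) and the reading of the second interceptor as acting on the rows returned for the request are assumptions of this example. The demo_codec is a keyed-XOR placeholder standing where the KMS envelope encryption would plug in; it is not encryption.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field
from itertools import cycle
from typing import Callable


@dataclass
class Config:
    """Configuration information carried in the encrypted jar package (constructed)."""
    encrypt_switch: bool                  # control field: encrypt the specified parameters?
    decrypt_switch: bool                  # control field: decrypt them on the way back?
    tables: dict[str, dict[str, str]]     # specified table -> {specified field: column data type}


@dataclass
class SqlRequest:
    sql: str
    params: dict[str, object]
    encrypted: set[str] = field(default_factory=set)   # fields rewritten by the first interceptor


Codec = Callable[[bytes], bytes]

# Table named by the statement; enough for single-table DML (assumption of this example).
_TABLE_RE = re.compile(r"\b(?:insert\s+into|update|from)\s+`?(\w+)`?", re.IGNORECASE)


def specified_table(sql: str, cfg: Config) -> str | None:
    """S4020: return the table name if the SQL touches a table to be encrypted."""
    m = _TABLE_RE.search(sql)
    name = m.group(1).lower() if m else None
    return name if name in cfg.tables else None


def adapt(ciphertext: bytes, column_type: str) -> object:
    """S4021-S4022: fit the ciphertext to the column's data type: base64 text for
    character columns, raw bytes for binary columns; anything else is refused."""
    kind = column_type.lower()
    if kind in ("char", "varchar", "text"):
        return base64.b64encode(ciphertext).decode("ascii")
    if kind in ("varbinary", "blob", "bytea"):
        return ciphertext
    raise TypeError(f"no ciphertext adaptation for column type {column_type!r}")


def unadapt(value: object, column_type: str) -> bytes:
    """Inverse of adapt, used by the second interceptor."""
    if column_type.lower() in ("char", "varchar", "text"):
        return base64.b64decode(value)
    return bytes(value)


def first_interceptor(req: SqlRequest, cfg: Config, encrypt: Codec) -> SqlRequest:
    """S400-S402: with the encryption switch on and a specified table in the SQL,
    encrypt every specified field present among the parameters (S4023-S4024)."""
    if not cfg.encrypt_switch:
        return req
    table = specified_table(req.sql, cfg)
    if table is None:
        return req
    for name, column_type in cfg.tables[table].items():
        value = req.params.get(name)
        if value is None:
            continue
        req.params[name] = adapt(encrypt(str(value).encode("utf-8")), column_type)
        req.encrypted.add(name)
    return req


def second_interceptor(rows: list[dict], table: str, cfg: Config, decrypt: Codec) -> list[dict]:
    """S403-S406: with the decryption switch on, decrypt the specified fields in the
    rows returned for the request; other fields pass through untouched."""
    if not cfg.decrypt_switch or table not in cfg.tables:
        return rows
    out = []
    for row in rows:
        row = dict(row)
        for name, column_type in cfg.tables[table].items():
            if row.get(name) is not None:
                row[name] = decrypt(unadapt(row[name], column_type)).decode("utf-8")
        out.append(row)
    return out


# Placeholder where the KMS envelope encryption would plug in.  Keyed XOR is NOT
# encryption; it is only reversible so the round trip can be checked (constructed).
_DEMO_KEY = b"placeholder-key"


def demo_codec(data: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(_DEMO_KEY)))
```

One consequence worth checking before the encryption switch is turned on: the first interceptor also rewrites parameters that appear in WHERE predicates, so an equality lookup on an encrypted column only finds rows if the encryption is deterministic. The placeholder codec is; an envelope scheme that draws a fresh data key or nonce per field is not, and such lookups then match nothing.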
Further, in an embodiment of the present application, the encryption unit includes:
a first creating subunit, configured to call a first interface of the key management service of the application system to create a master key;
a second creating subunit, configured to call a second interface of the key management service to create a data key, so that the key management service encrypts the data key with the master key and returns a plaintext data key and a ciphertext data key corresponding to the data key; and
an encryption subunit, configured to encrypt the specified field with the plaintext data key to obtain the encrypted specified field.
In this embodiment, the functions and operation of the first creating subunit, the second creating subunit and the encryption subunit of the interceptor-based data processing apparatus are as described for the corresponding steps S40240 to S40242 of the interceptor-based data processing method and are not repeated here.
Further, in an embodiment of the present application, the encryption unit further includes:
a deleting subunit, configured to delete the local plaintext data key of the application system; and
a storage subunit, configured to store the ciphertext data key and the encrypted specified field.
In this embodiment, the functions and operation of the deleting subunit and the storage subunit of the interceptor-based data processing apparatus are as described for the corresponding steps S40243 to S40244 of the interceptor-based data processing method and are not repeated here.
Further, in an embodiment of the present application, the decryption sub-module includes:
a reading unit, configured to read the ciphertext data key;
a first decryption unit, configured to call a third interface of the key management service to decrypt the ciphertext data key into the corresponding specified plaintext data key; and
a second decryption unit, configured to decrypt the encrypted specified field with the specified plaintext data key to obtain the corresponding decryption result.
In this embodiment, the functions and operation of the reading unit, the first decryption unit and the second decryption unit of the interceptor-based data processing apparatus are as described for the corresponding steps S4050 to S4052 of the interceptor-based data processing method and are not repeated here.
Referring to fig. 3, an embodiment of the present application further provides a computer device, which may be a server and whose internal structure may be as shown in fig. 3. The computer device includes a processor, a memory, a network interface and a database connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory; the non-volatile storage medium stores an operating system, computer programs and a database, and the internal memory provides the environment in which the operating system and the computer programs in the non-volatile storage medium run. The database of the computer device stores data such as the configuration file, the encrypted jar package and the configuration information. The network interface of the computer device communicates with external terminals over a network connection. When executed by the processor, the computer program implements the interceptor-based data processing method.
The processor executes the following steps of the interceptor-based data processing method:
adding a configuration file under a first specified directory of the application system;
receiving an input encrypted jar package and adding the configuration information carried in the encrypted jar package to the configuration file;
configuring a specified interceptor in the application system; and
intercepting the SQL request to be executed through the specified interceptor and, after the SQL request has been successfully intercepted, encrypting and decrypting the specified parameters in the SQL request that correspond to the configuration information.
Those skilled in the art will appreciate that the structure shown in fig. 3 is merely a block diagram of the part of the structure relevant to the present application and does not limit the apparatus or computer device to which the present application is applied.
An embodiment of the present application further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the interceptor-based data processing method, specifically:
adding a configuration file under a first specified directory of the application system;
receiving an input encrypted jar package and adding the configuration information carried in the encrypted jar package to the configuration file;
configuring a specified interceptor in the application system; and
intercepting the SQL request to be executed through the specified interceptor and, after the SQL request has been successfully intercepted, encrypting and decrypting the specified parameters in the SQL request that correspond to the configuration information.
In summary, in the interceptor-based data processing method, apparatus, computer device and storage medium provided in the embodiments of the present application, a configuration file is added under a first specified directory of the application system; an input encrypted jar package is received and the configuration information it carries is added to the configuration file; a specified interceptor is configured in the application system; and the SQL request to be executed is intercepted through the specified interceptor and, after it has been successfully intercepted, the specified parameters in the SQL request that correspond to the configuration information are encrypted and decrypted. Instead of the existing approach of securing the data of an application system by modifying its application code, the present application configures and uses a specified interceptor in the application system to encrypt and decrypt the specified parameters corresponding to the configuration information quickly and conveniently, and the encryption and decryption are transparent to the application. This makes the security transformation of the specified parameters more flexible and concise, reduces the transformation cost of the application system, improves the efficiency of transforming the specified parameters, reduces the complexity that the encryption and decryption service adds to the structure and code of the application system, and improves the success rate of the transformation.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by hardware controlled by a computer program stored on a non-transitory computer-readable storage medium; when executed, the program may perform the steps of the method embodiments described above. Any reference to memory, storage, a database or another medium provided by the present application and used in the embodiments may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
It should be noted that in this document the terms "comprises", "comprising" or any variation thereof are intended to cover a non-exclusive inclusion, so that a process, apparatus, article or method that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to that process, apparatus, article or method. Without further limitation, an element introduced by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, apparatus, article or method that comprises it.
The foregoing describes only preferred embodiments of the present application and is not intended to limit its scope; all equivalent structures or equivalent processes that use the description and drawings of the present application, or that are applied directly or indirectly in other related technical fields, fall within the scope of protection of the present application.

Claims (8)

1. An interceptor-based data processing method, comprising:
adding a configuration file under a first specified directory of the application system;
receiving an input encrypted jar package and adding the configuration information carried in the encrypted jar package to the configuration file;
configuring a specified interceptor in the application system;
intercepting an SQL request to be executed through the specified interceptor and, after the SQL request has been successfully intercepted, encrypting and decrypting the specified parameters in the SQL request that correspond to the configuration information; wherein the configuration information comprises an encryption switch and a decryption switch, the encryption switch being a control field in the configuration information that controls whether the parameters need to be encrypted, and the decryption switch being a control field in the configuration information that controls whether the parameters need to be decrypted;
wherein the specified interceptor comprises a first interceptor and a second interceptor, and configuring the specified interceptor in the application system comprises:
acquiring a specified file under a second specified directory of the application system;
adding, in a specified tag of the specified file, first code that configures the first interceptor; and
adding, in the specified tag, second code that configures the second interceptor;
and wherein intercepting the SQL request to be executed through the specified interceptor and, after the SQL request has been successfully intercepted, encrypting and decrypting the specified parameters in the SQL request that correspond to the configuration information comprises:
determining whether a preset encryption switch is on;
if the preset encryption switch is determined to be on, intercepting the SQL request through the first interceptor;
after the SQL request has been successfully intercepted, encrypting the specified parameters in the SQL request according to a first preset rule to obtain encrypted specified parameters;
after a preset time period has elapsed since the encryption of the specified parameters was completed, determining whether a preset decryption switch is on;
if the preset decryption switch is determined to be on, intercepting the SQL request again through the second interceptor;
after the SQL request has been successfully intercepted again, extracting the encrypted specified parameters from the SQL request; and
decrypting the encrypted specified parameters to obtain a corresponding decryption result.
2. The interceptor-based data processing method of claim 1, wherein encrypting the specified parameters in the SQL request according to a first preset rule to obtain encrypted specified parameters comprises:
determining whether a specified table, that is, a table to be encrypted, is present in the SQL request;
if the specified table is determined to be present in the SQL request, acquiring the data type of the specified table;
adapting, according to that data type, the parameter type of the specified table to the specified parameter type corresponding to the data type, obtaining an adapted specified table;
determining whether a specified field, that is, a field to be encrypted, is present in the adapted specified table; and
if the specified field is determined to be present in the adapted specified table, encrypting the specified field according to a second preset rule to obtain the encrypted specified field.
3. The interceptor-based data processing method of claim 2, wherein encrypting the specified field according to a second preset rule to obtain the encrypted specified field comprises:
calling a first interface of a key management service of the application system to create a master key;
calling a second interface of the key management service to create a data key, so that the key management service encrypts the data key with the master key and returns a plaintext data key and a ciphertext data key corresponding to the data key; and
encrypting the specified field with the plaintext data key to obtain the encrypted specified field.
4. The interceptor-based data processing method of claim 3, wherein after the step of encrypting the specified field with the plaintext data key to obtain the encrypted specified field, the method comprises:
deleting the local plaintext data key of the application system; and
storing the ciphertext data key and the encrypted specified field.
5. The interceptor-based data processing method of claim 4, wherein decrypting the encrypted specified parameters to obtain a corresponding decryption result comprises:
reading the ciphertext data key;
calling a third interface of the key management service to decrypt the ciphertext data key into the corresponding specified plaintext data key; and
decrypting the encrypted specified field with the specified plaintext data key to obtain the corresponding decryption result.
6. An interceptor-based data processing apparatus for performing the interceptor-based data processing method of any of claims 1 to 5, comprising:
a first adding module, configured to add a configuration file under a first specified directory of the application system;
a second adding module, configured to receive an input encrypted jar package and add the configuration information carried in the encrypted jar package to the configuration file;
a configuration module, configured to configure a specified interceptor in the application system; and
a processing module, configured to intercept the SQL request to be executed through the specified interceptor and, after the SQL request has been successfully intercepted, to encrypt and decrypt the specified parameters in the SQL request that correspond to the configuration information.
7. A computer device comprising a memory and a processor, the memory having stored therein a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 5.
8. A storage medium having stored thereon a computer program, which when executed by a processor, implements the steps of the method of any of claims 1 to 5.
CN202010148232.7A 2020-03-05 2020-03-05 Data processing method and device based on interceptor and computer equipment Active CN111475524B (en)

Publications (2)

Publication Number Publication Date
CN111475524A CN111475524A (en) 2020-07-31
CN111475524B true CN111475524B (en) 2024-05-28

Family

ID=71748161


Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113221152A (en) * 2021-05-31 2021-08-06 中国农业银行股份有限公司 Data processing method, device, apparatus, storage medium, and program
CN115085903A (en) * 2022-06-16 2022-09-20 平安普惠企业管理有限公司 Data encryption and decryption method, device, equipment and medium based on encryption algorithm
CN115134152A (en) * 2022-06-29 2022-09-30 北京天融信网络安全技术有限公司 Data transmission method, data transmission device, storage medium, and electronic apparatus
CN114915495B (en) * 2022-07-05 2022-11-01 浙江华东工程数字技术有限公司 Message encryption and decryption method supporting multi-algorithm switching
CN115643063B (en) * 2022-10-12 2024-06-21 平安银行股份有限公司 Message data processing method and device, electronic equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103577771A (en) * 2013-11-08 2014-02-12 中科信息安全共性技术国家工程研究中心有限公司 Virtual desktop data leakage-preventive protection technology on basis of disk encryption
CN108509805A (en) * 2018-03-21 2018-09-07 深圳天源迪科信息技术股份有限公司 Data encrypting and deciphering and desensitization runtime engine and its working method
CN108804644A (en) * 2018-06-05 2018-11-13 中国平安人寿保险股份有限公司 Interface log storing method, device, computer equipment and storage medium
CN109857479A (en) * 2018-12-14 2019-06-07 平安科技(深圳)有限公司 Interface data processing method, device, computer equipment and storage medium
CN110598426A (en) * 2019-08-14 2019-12-20 平安科技(深圳)有限公司 Data communication method, device, equipment and storage medium based on information security

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9208105B2 (en) * 2013-05-30 2015-12-08 Dell Products, Lp System and method for intercept of UEFI block I/O protocol services for BIOS based hard drive encryption support

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant