CN113918997A - Data management system, and control method and device for data encryption and decryption - Google Patents


Info

Publication number: CN113918997A
Authority: CN (China)
Prior art keywords: data, database, encryption, time, time stamp
Legal status: Pending
Application number: CN202111496938.3A
Other languages: Chinese (zh)
Inventor: 张立杰
Current Assignee: Shenzhen Bamboocloud Technology Co ltd
Original Assignee: Shenzhen Bamboocloud Technology Co ltd
Application filed by Shenzhen Bamboocloud Technology Co ltd
Priority to CN202111496938.3A
Publication of CN113918997A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20: Information retrieval; Database structures therefor; File system structures therefor, of structured data, e.g. relational data
    • G06F16/25: Integrating or interfacing systems involving database management systems

Abstract

The embodiment of the invention relates to the technical field of data management, and discloses a data management system, a data encryption and decryption control method and a data encryption and decryption control device. The data encryption control method comprises the following steps: when the data in the database is updated, reading the data of the database, wherein the data carries a write timestamp; encrypting the read data and recording a corresponding encryption timestamp; and writing the encrypted data into the database. In this way, the embodiment of the invention can reduce the burden on the application terminal and the database, and the system coupling is small. The encryption frequency can be set according to actual requirements, and the practicability is high.

Description

Data management system, and control method and device for data encryption and decryption
Technical Field
The embodiment of the invention relates to the technical field of data management, in particular to a data management system, a data encryption and decryption control method and a data encryption and decryption control device.
Background
Information technology is applied ever more widely across industries, and databases serve as the information carrier that stores all kinds of information resources. These resources contain a large amount of critical sensitive information, and leaking it has serious consequences. Given the increasingly severe security situation, there is an urgent need to improve data security and to ensure that key information is not leaked, while keeping the system highly performant and highly available.
Databases are generally classified into two broad categories: relational databases and non-relational databases. The storage format of a relational database directly reflects the relationships between entities, and many complex association relationships exist between the tables in the database. Relational databases mostly follow the SQL structured query language standard; common operations include query, add, update, delete, sum, sort, and the like. A non-relational database is a distributed data storage system that does not necessarily follow the principles of the relational database, and non-relational database technology is well suited to big data processing.
In the prior art, one method of encrypting database information within the application system is relatively simple and only requires that the secret key be managed properly; however, with this method program intervention is needed to encrypt and decrypt the data on every read and write of the database, which places high demands on programming.
In addition, encryption and decryption of data may be implemented in the kernel layer of the database. In this scheme the database management system is responsible for the encryption and decryption operations, and the data is encrypted or decrypted before physical access. The advantages of this mode are that the encryption function is strong, it hardly affects the functionality of the database, and seamless coupling between the encryption function and the database management system can be achieved.
Disclosure of Invention
In view of the above problems, embodiments of the present invention provide a data management system, a method and an apparatus for controlling data encryption and decryption, which overcome or at least partially solve the above problems.
According to one aspect of an embodiment of the present invention, there is provided a method for controlling data encryption, the method including: when the data in the database is updated, reading the data of the database, wherein the data carries a write timestamp; encrypting the read data and recording a corresponding encryption timestamp; and writing the encrypted data into the database.
In an optional manner, before reading the data of the database, the method further includes: periodically scanning the database and judging whether the database has been updated; and when the database has a data update, proceeding to the step of reading the data of the database.
In an optional manner, judging whether the database has been updated includes: acquiring the last write timestamp in the database; and judging whether the database has been updated based on the acquired write timestamp and the time point of the last scan.
In an optional manner, the database includes a write timestamp for each data row, and reading the data of the database includes: reading updated data from the database based on the write timestamp of each data row and the time point of the last scan.
In an optional manner, before encrypting the read data and recording the corresponding encryption timestamp, the method further includes: determining a write timestamp and/or an encryption timestamp of the read data, and determining an encryption level according to the write timestamp and/or the encryption timestamp of the read data.
In an optional manner, determining the write timestamp and/or the encryption timestamp of the read data, and determining the encryption level according to them, includes: when a first time difference between the write timestamp and the current time is smaller than a first time threshold and/or a second time difference between the encryption timestamp and the current time is smaller than a second time threshold, performing initial-level encryption on the read data; when the first time difference is greater than or equal to the first time threshold and the second time difference is smaller than the second time threshold, or when the first time difference is smaller than the first time threshold and the second time difference is greater than or equal to the second time threshold, performing second-level encryption on the read data; and when the first time difference is greater than or equal to the first time threshold and/or the second time difference is greater than or equal to the second time threshold, performing reinforced-level encryption on the read data.
In an optional manner, determining the write timestamp and/or the encryption timestamp of the read data, and determining the encryption level accordingly, includes: comparing the write timestamp with the time point of the last scan; and if the write time of the acquired data is later than the time of the last scan of the database and the acquired data does not carry an encryption timestamp, determining that the acquired data needs to be encrypted.
According to another aspect of the embodiments of the present invention, there is provided a method for controlling data decryption, the method including: reading data from a database; analyzing whether the read data needs to be decrypted or not based on a timestamp carried by the read data; and if decryption is needed, decrypting the read data.
In an optional manner, analyzing whether the read data needs to be decrypted based on the timestamp carried by the read data includes: analyzing whether the read data carries an encryption timestamp; and if it does, determining that the read data needs to be decrypted.
According to another aspect of the embodiments of the present invention, there is provided a control apparatus for data encryption, the apparatus including: a reading unit for reading the data of the database when the data of the database is updated, the data carrying a write timestamp; an encryption unit for encrypting the read data and recording a corresponding encryption timestamp; and a writing unit for writing the encrypted data into the database.
According to another aspect of the embodiments of the present invention, there is provided a control apparatus for data decryption, the apparatus including: a reading unit for reading data from the database; an analysis unit for analyzing, based on the timestamp carried by the read data, whether the read data needs to be decrypted; and a decryption unit for decrypting the read data if decryption is needed.
According to another aspect of the embodiments of the present invention, there is provided a data management system including: a database for storing data; a data encryption control device for acquiring the data of the database when the database has a data update and encrypting the acquired data; and a data decryption control device for decrypting the data of the database when decryption is required.
According to another aspect of embodiments of the present invention, there is provided a computing device including a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus; and the memory is used for storing at least one executable instruction, which causes the processor to execute the steps of the above control method for data encryption.
According to another aspect of the embodiments of the present invention, there is provided a computer storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction causes the processor to execute the steps of the above control method for data encryption.
The embodiment of the invention has the advantages of independent data encryption operation, capability of reducing the burden of an application terminal and a database, small system coupling, capability of setting encryption frequency according to actual requirements and strong practicability.
The foregoing description is only an overview of the technical solutions of the embodiments of the present invention, and the embodiments of the present invention can be implemented according to the content of the description in order to make the technical means of the embodiments of the present invention more clearly understood, and the detailed description of the present invention is provided below in order to make the foregoing and other objects, features, and advantages of the embodiments of the present invention more clearly understandable.
Drawings
The drawings are only for purposes of illustrating embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
Fig. 1 is a schematic flow chart illustrating a control method for data encryption according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a control device for data encryption according to an embodiment of the present invention;
Fig. 3 is a flow chart illustrating a control method for data decryption according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram illustrating a control apparatus for data decryption according to an embodiment of the present invention;
Fig. 5 is a schematic diagram illustrating a data management system according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a computing device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein.
Fig. 1 is a flowchart illustrating a control method for data encryption according to an embodiment of the present invention. The method comprises the following steps:
step S11: when the database has data updating, the data of the database is read.
In the embodiment of the invention, when the database is scanned and found to have been updated, the data of the database, which may be encrypted or unencrypted, is read, which is not limited herein. Optionally, the scan may first scan the data rows based on the current time, scanning only the data rows later than the current time (further preferably, only the data rows later than the data row corresponding to the last encryption timestamp), and then read the data. The data read at this time is data that has been updated, i.e. not yet encrypted. Alternatively, the data of the database may be scanned and read at random, in which case the read data may be unencrypted or already encrypted; in either case the data of the database carries a write timestamp. In this embodiment, only the data rows later than the current time or the last encryption timestamp are scanned, and it is not necessary to scan all the data, so that resources are saved, cost is reduced and efficiency is improved.
Step S12: the read data is encrypted and the corresponding encryption timestamp is recorded.
In the embodiment of the present invention, optionally, if the currently read data needs to be encrypted, the data is encrypted, the current encryption time is recorded, and the encrypted data is stored together with its encryption timestamp. There are many ways of encrypting, for example a key algorithm, a one-way hash algorithm, an encoding algorithm, etc., and the choice is not limited here. In the embodiment of the invention, the encryption algorithms are classified into initial-level encryption, second-level encryption and reinforced-level encryption: initial-level encryption is simple encryption, reinforced-level encryption is multiple combined encryption, and the encryption strength of second-level encryption lies between that of the initial level and that of the reinforced level. A write timestamp and/or an encryption timestamp of the read data is determined, and the encryption level is determined according to the write timestamp and/or the encryption timestamp of the read data.
Specifically, when a first time difference between the write timestamp and the current time is smaller than a first time threshold and/or a second time difference between the encryption timestamp and the current time is smaller than a second time threshold, initial-level encryption is performed on the read data; when the first time difference is greater than or equal to the first time threshold and the second time difference is smaller than the second time threshold, or when the first time difference is smaller than the first time threshold and the second time difference is greater than or equal to the second time threshold, second-level encryption is performed on the read data; and when the first time difference is greater than or equal to the first time threshold and/or the second time difference is greater than or equal to the second time threshold, reinforced-level encryption is performed on the read data. Because data whose write or encryption time lies too far in the past presents a potential security hazard, the data can be encrypted in a differentiated manner according to its encryption or write time, thereby improving data security.
Step S13: and writing the encrypted data into the database.
In the embodiment of the invention, after the data is encrypted, the encrypted data needs to be written back into the database. Optionally, the encrypted data may be stored according to the value of the encryption timestamp (i.e. in encryption time order), for example arranged in the database in order of encryption time, or it may be stored in another manner, which is not limited herein.
In the embodiment of the present invention, optionally, before step S11 the method further includes:
periodically scanning the database and judging whether the database has been updated;
in the embodiment of the present invention, the encryption module periodically scans the database, determines after each scan whether the data rows of the current database have been updated, and proceeds to step S11 if there is an update.
In the embodiment of the present invention, to determine whether the database has been updated, the last write timestamp in the database is obtained first. Optionally, data is generally written row by row: the database includes a plurality of data rows, each data row has a corresponding write timestamp, and because the rows were written at different times they can be sorted by write timestamp and the last write timestamp found. The last write timestamp is the time point at which the most recent data row was written. For example, if the database has n data rows, numbered in write order as the 1st, 2nd, …, (n-1)th and nth data row, the write time of the (n-1)th row is 12:32:33 and the write time of the nth row is 12:32:35, then 12:32:35 is the last write timestamp. In this embodiment, whether the database has been updated is determined from the last write timestamp, since it cannot be determined from a randomly obtained write timestamp: if the write time of the last data row is not later than the time point of the last scan, the data has not been updated. This speeds up the determination and reduces the amount of calculation.
Then, whether the database has been updated is judged based on the acquired write timestamp and the time point of the last scan. Optionally, whether the database has been updated is determined from the last write timestamp and the time point of the last scan. For example, if the last write timestamp is 12:32:35 and the time point of the last scan is 12:30:35 on the same day, data was written after the last scan, which indicates that the database has a data update (the updated data has only just been written and is not yet encrypted); the updated data needs to be encrypted, and the process proceeds to step S12.
In the embodiment of the present invention, optionally, the scan period may be set according to actual requirements, for example 5 minutes, 10 minutes, 1 hour, 2 hours, 5 hours, 10 hours or another period, which is not limited herein.
In the embodiment of the present invention, reading updated data from the database based on the write timestamp of each data row and the time point of the last scan includes:
acquiring, based on the time point of the previous scan, the data of the data rows whose write time is later than that of the previous scan. For example, if the write times are 12:32:35, 12:31:35, 12:30:35, 12:29:35, 12:28:35 and 12:27:35 on the same day, and the time point of the previous scan is 12:29:35, then the data written at 12:32:35, 12:31:35 and 12:30:35 is updated data, and that updated data is read from the database.
In the invention, the encryption operation of the data is independent, the burden of an application terminal and a database can be reduced, and the system coupling is small.
The encryption frequency can be set according to actual requirements, and the practicability is high.
Another embodiment of the present invention provides a method for controlling data encryption, including:
step S21: when the database has data updating, the data of the database is read.
In the embodiment of the invention, when the database is scanned and found to have been updated, the data of the database, which may be encrypted or unencrypted, is read, which is not limited herein. Optionally, the scan may first scan the data rows based on the current time, scanning only the data rows later than the current time (further preferably, only the data rows later than the data row corresponding to the last encryption timestamp), and then read the data. The data read at this time is data that has been updated, i.e. not yet encrypted. Alternatively, the data of the database may be scanned and read at random, in which case the read data may be unencrypted or already encrypted; in either case the data of the database carries a write timestamp. In this embodiment, only the data rows later than the current time or the last encryption timestamp are scanned, and it is not necessary to scan all the data, so that resources are saved, cost is reduced and efficiency is improved.
Step S22: the read data is encrypted and the corresponding encryption time stamp is recorded.
In the embodiment of the present invention, optionally, if the currently read data needs to be encrypted, the data is encrypted, then the current encryption time is recorded, and the encrypted data is recorded after being time-stamped. There are many ways of encryption, for example: a key algorithm, a one-way hash algorithm, an encoding algorithm, etc., are employed, and are not limited thereto.
Step S23: and writing the encrypted data into the database.
In the embodiment of the invention, after the data is encrypted, the encrypted data needs to be written back into the database. Optionally, the encrypted data may be stored according to the value of the encryption timestamp, for example arranged in the database in order of encryption time, or it may be stored in another manner, which is not limited herein.
In this embodiment of the present invention, before step S21 the method may further include:
periodically scanning the database and judging whether the database has been updated;
in the embodiment of the present invention, the encryption module periodically scans the database, determines after each scan whether the data rows of the current database have been updated, and proceeds to step S21 if there is an update.
In the embodiment of the present invention, to determine whether the database has been updated, the last write timestamp in the database is obtained first. Optionally, data is generally written row by row: the database includes a plurality of data rows, each data row has a corresponding write timestamp, and because the rows were written at different times they can be sorted by write timestamp and the last write timestamp found. The last write timestamp is the time point at which the most recent data row was written. For example, if the database has n data rows, numbered in write order as the 1st, 2nd, …, (n-1)th and nth data row, the write time of the (n-1)th row is 12:32:33 and the write time of the nth row is 12:32:35, then 12:32:35 is the last write timestamp. In this embodiment, whether the database has been updated is determined from the last write timestamp, since it cannot be determined from a randomly obtained write timestamp: if the write time of the last data row is not later than the time point of the last scan, the data has not been updated. This speeds up the determination and reduces the amount of calculation.
Then, whether the database has been updated is judged based on the acquired write timestamp and the time point of the last scan. Optionally, whether the database has been updated is determined from the last write timestamp and the time point of the last scan. For example, if the last write timestamp is 12:32:35 and the time point of the last scan is 12:30:35 on the same day, data was written after the last scan, which indicates that the database has a data update (the updated data has only just been written and is not yet encrypted); the updated data needs to be encrypted, and the process proceeds to step S22.
In the embodiment of the present invention, optionally, the scan period may be set according to actual requirements, for example 5 minutes, 10 minutes, 1 hour, 2 hours, 5 hours, 10 hours or another period, which is not limited herein.
In the embodiment of the present invention, reading updated data from the database based on the write timestamp of each data row and the time point of the last scan includes:
acquiring, based on the time point of the previous scan, the data of the data rows whose write time is later than that of the previous scan. For example, if the write times are 12:32:35, 12:31:35, 12:30:35, 12:29:35, 12:28:35 and 12:27:35 on the same day, and the time point of the previous scan is 12:29:35, then the data written at 12:32:35, 12:31:35 and 12:30:35 is updated data, and that updated data is read from the database.
In this embodiment of the present invention, step S22 is preceded by:
and judging whether the currently read data needs to be encrypted or not based on the timestamp carried by the read data.
In the embodiment of the present invention, optionally, whether the currently read data needs to be encrypted may be determined according to a timestamp carried by the read data. The time stamp may be a write time stamp or an encryption time stamp, which is not limited herein.
In the embodiment of the present invention, optionally, when judging whether the currently read data needs to be encrypted according to the timestamp carried by the read data, first analyzing whether the obtained data carries an encryption timestamp; if the encryption timestamp is carried, the currently acquired data is determined not to need to be encrypted, and if the encryption timestamp is not carried, the data needs to be encrypted. Note that, when data is written into the database, it is necessary to record a write time stamp in order to manage and store the data, and therefore any data read from the database carries the write time stamp.
In the embodiment of the present invention, optionally, when it is determined whether the currently read data needs to be encrypted according to the timestamp carried by the read data, the write timestamp is compared with the time point of the last scanning, and if the time for writing the obtained data is earlier than the time for scanning the database last time and the obtained data does not carry the encryption timestamp, that is, the write time carried by the currently obtained data is earlier than the time for scanning last time, for example, the write time carried by the currently obtained data is 21/10/2021, 51/32 seconds at 10 am, 21/10/2021, 51/32 seconds at 9 am, it can be seen that the currently obtained data is written into the database after the last scanning, and the data does not carry the encryption timestamp, and it can be determined that the data needs to be encrypted. If the data is written at 10/21/2021 and 50/32/9 am, the data is written before the last scan and the data should have been encrypted. It may not be necessary to verify that the data carries an encryption timestamp at this point.
In the embodiment of the invention, the encryption module periodically scans the database, reads data from the database after scanning once, encrypts the data needing to be encrypted in the database, and waits for the next scanning encryption after scanning. The period of scanning can be set according to actual requirements, for example: 5 minutes, 10 minutes, 1 hour, 2 hours, 5 hours, 10 hours, or other time period, as such is not limiting.
It should be noted that in this embodiment a determination of whether encryption is required is added after the data is read; that is, at the reading stage it is not necessary to first determine whether the data is updated data. The data can be read at random, and whether encryption is required is determined simply from the write timestamp or the encryption timestamp, which improves efficiency.
In the invention, the encryption operation of the data is independent, the burden of an application terminal and a database can be reduced, and the system coupling is small.
Secondly, the encryption frequency can be set according to actual demand, so the practicality is strong.
In addition, only scanning unencrypted or only scanning updated data can reduce cost and improve efficiency.
Fig. 2 is a schematic structural diagram of a control apparatus for data encryption according to an embodiment of the present invention. Based on the corresponding embodiment of fig. 1, as shown in fig. 2, the apparatus includes: a reading unit 301, an encryption unit 302, and a writing unit 303. Wherein:
when the database has data update, the reading unit 301 is configured to read the data of the database, the encrypting unit 302 is configured to encrypt the read data and record a corresponding encryption timestamp, and the writing unit 303 is configured to write the encrypted data into the database.
In an alternative manner, when a database scan is needed and an update is found in the database, the reading unit 301 reads the data of the database; the data read may be encrypted or unencrypted, which is not limited herein. Optionally, the scan may first scan the data rows based on the current time and read only the rows later than the current time (further preferably, only the rows later than the row corresponding to the last encryption timestamp), and then read the data. The data read in this way is data that has been updated, i.e. is not yet encrypted. Alternatively, the data of the database may be scanned and read at random; the read data may then be either encrypted or unencrypted, and all data in the database carries a write timestamp. In this embodiment only the data rows later than the current time or the last encryption timestamp are scanned, and it is not necessary to scan all the data, so resources are saved, cost is reduced and efficiency is improved.
In an alternative manner, the encryption unit 302 is configured to perform an encryption operation on the currently read data if it needs to be encrypted, record the current time as the encryption timestamp, and attach that timestamp to the encrypted data. There are many ways of encrypting, for example using a key algorithm, a one-way hash algorithm, an encoding algorithm, etc., which are not limited here.
In an alternative, after the data is encrypted, the writing unit 303 is configured to rewrite the encrypted data into the database. Optionally, the encrypted data may be stored according to the value (i.e. the encryption time sequence) of the encryption timestamp, for example, in a database, the data is arranged according to the encryption time sequence, or may be stored according to other manners, which is not limited herein.
In the embodiment of the present invention, optionally, the control device further includes: a scanning unit connected to the reading unit 301, wherein:
the scanning unit is used for periodically scanning the database and judging whether the database is updated or not;
In the embodiment of the present invention, the encryption module periodically scans the database, determines on each scan whether any data row of the current database has been updated, and feeds the updated data rows back to the reading unit 301.
The specific working process of the control device for data encryption according to the embodiment of the present invention is substantially the same as the specific steps of the above method embodiments, and details are not repeated here.
In the invention, the encryption operation of the data is independent, the burden of an application terminal and a database can be reduced, and the system coupling is small.
Secondly, the encryption frequency can be set according to actual demand, so the practicality is strong.
In addition, only scanning unencrypted or only scanning updated data can reduce cost and improve efficiency.
Fig. 3 is a flowchart illustrating a control method for data decryption according to another embodiment of the present invention. The method comprises the following steps:
Step S51: reading data from a database;
in the embodiment of the present invention, when the data user needs to use the data, the data is read from the database, and the data can be read according to actual requirements, such as random reading or reading the required data according to the identification code, which is not limited herein.
Step S52: analyzing whether the read data needs to be decrypted or not based on the timestamp carried by the read data;
in the embodiment of the invention, if the read data is encrypted, the data carries the encryption timestamp, the data needs to be decrypted, and if the data is not encrypted, the data does not carry the encryption timestamp, and the data does not need to be decrypted. It is then analysed whether decryption is required, depending on whether the data carries an encryption time stamp.
Step S53: if decryption is needed, decrypting the read data.
In the embodiment of the invention, when decryption is needed the read data is decrypted; the decryption method may use an existing scheme, for example a conventional ciphertext-to-plaintext transformation.
In the embodiment of the present invention, if decryption processing is not required, the data is used directly. Because only the data that is actually encrypted is decrypted before use, the load on the application system is reduced.
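As an added worked example (not code from the patent or from the applicant), the following Python script implements the scan-and-encrypt pass of the method of fig. 1 and the decrypt-on-read path of fig. 3 on an in-memory SQLite table: every row carries a write timestamp, the scanner reads only rows written after the last scan, encrypts those that carry no encryption timestamp, records the encryption timestamp and writes the ciphertext back, and the reader decrypts only rows that carry an encryption timestamp. The table layout, the column names, the key source and the encryption stand-in (HMAC-SHA256 in counter mode with an HMAC tag, chosen only so the example runs offline, since the patent names no cipher) are all assumptions of this example.

```python
import hashlib
import hmac
import os
import sqlite3
from datetime import datetime

# The patent names no cipher. This stand-in is an encrypt-then-MAC stream construction
# (HMAC-SHA256 used as a PRF in counter mode, plus an HMAC tag) so the example runs with
# the standard library only. Production code should use an AEAD such as AES-GCM.
def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# One table (layout assumed for this example): every write records write_ts, as the
# patent requires; enc_ts stays NULL until the scanner encrypts the row.
DDL = """CREATE TABLE records (
    id INTEGER PRIMARY KEY,
    payload BLOB NOT NULL,
    write_ts TEXT NOT NULL,
    enc_ts TEXT)"""

def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    return conn

def write_record(conn, payload: bytes, now: datetime) -> int:
    cur = conn.execute("INSERT INTO records (payload, write_ts) VALUES (?, ?)",
                       (payload, now.isoformat()))
    return cur.lastrowid

def needs_encryption(write_ts: str, enc_ts, last_scan_ts: str) -> bool:
    """The patent's rule: written after the last scan and carrying no encryption timestamp."""
    return enc_ts is None and datetime.fromisoformat(write_ts) > datetime.fromisoformat(last_scan_ts)

def scan_and_encrypt(conn, key: bytes, last_scan: datetime, now: datetime) -> int:
    """One scanner pass: only rows written after last_scan are read (ISO-8601 strings
    compare chronologically); each one lacking enc_ts is encrypted and written back."""
    rows = conn.execute("SELECT id, payload, write_ts, enc_ts FROM records WHERE write_ts > ?",
                        (last_scan.isoformat(),)).fetchall()
    count = 0
    for rid, payload, write_ts, enc_ts in rows:
        if needs_encryption(write_ts, enc_ts, last_scan.isoformat()):
            conn.execute("UPDATE records SET payload = ?, enc_ts = ? WHERE id = ?",
                         (encrypt(key, payload), now.isoformat(), rid))
            count += 1
    conn.commit()
    return count

def read_record(conn, key: bytes, rid: int) -> bytes:
    """Decrypt-on-read path: decrypt only when an encryption timestamp is present."""
    payload, enc_ts = conn.execute("SELECT payload, enc_ts FROM records WHERE id = ?",
                                   (rid,)).fetchone()
    return decrypt(key, payload) if enc_ts is not None else payload

def demo() -> dict:
    key = os.urandom(32)  # assumption: a deployment would fetch this from a KMS/HSM
    conn = setup_db()
    last_scan = datetime(2021, 10, 21, 9, 51, 32)  # the description's example scan time
    old = write_record(conn, b"written before the last scan", datetime(2021, 10, 21, 9, 50, 32))
    new = write_record(conn, b"written after the last scan", datetime(2021, 10, 21, 10, 51, 32))
    first_pass = scan_and_encrypt(conn, key, last_scan, now=datetime(2021, 10, 21, 10, 55, 0))
    stored, enc_ts = conn.execute("SELECT payload, enc_ts FROM records WHERE id = ?", (new,)).fetchone()
    # Next pass uses the previous pass's recorded time as last_scan: nothing newer, nothing touched.
    second_pass = scan_and_encrypt(conn, key, datetime(2021, 10, 21, 10, 55, 0),
                                   now=datetime(2021, 10, 21, 11, 0, 0))
    return {
        "first_pass": first_pass,            # 1: only the row written after the last scan
        "second_pass": second_pass,          # 0: nothing newer than the previous scan
        "new_row_marked": enc_ts is not None,
        "new_row_ciphertext_at_rest": stored != b"written after the last scan",
        "new_row_read": read_record(conn, key, new),
        "old_row_read": read_record(conn, key, old),  # still plaintext: never scanned
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() also shows the gap the description itself accepts: a row written before the last scan is never re-read, so a row that escaped encryption (here, the "old" row) stays in plaintext indefinitely. A defender operating such a scanner would add an occasional full sweep over rows whose encryption timestamp is absent, and would record each scan's start time (not its end time) as the next last_scan so that rows committed during a pass are not skipped.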
Based on the above embodiment corresponding to fig. 3, fig. 4 is a schematic structural diagram illustrating a control apparatus for data decryption according to another embodiment of the present invention. The apparatus is used to implement the method shown in fig. 3 described above.
The control device includes: a reading unit 601, an analyzing unit 602, and a decrypting unit 603.
In an embodiment of the invention: the reading unit 601 is used for reading data from a database, and the analyzing unit 602 is used for judging whether the read data needs to be decrypted or not based on a timestamp carried by the read data; a decryption unit 603, configured to decrypt the read data when decryption is required.
In the embodiment of the invention, if decryption processing is not required, the data is used directly. Because only the data that is actually encrypted is decrypted before use, the load on the application system is reduced.
Fig. 5 is a schematic structural diagram of a data management system according to another embodiment of the present invention. The data management system includes: a database 701, a control device 702 for data encryption, and a control device 703 for data decryption.
In the present embodiment, the database 701 is used for storing data; the data encryption control device 702 is configured to obtain data of the database when the database has data update, and encrypt the obtained data; the data decryption control device 703 is used to decrypt the data of the database when data decryption is required.
In this embodiment, the control device 702 for data encryption is consistent with the description of fig. 2 in the above embodiment, the control device 703 for data decryption is consistent with the description of fig. 4, and the specific structure, the corresponding technical effect, and the working principle are consistent with the description corresponding to the foregoing, and are not repeated herein.
In the embodiment of the invention, the encryption operation of the data is independent, the burden of an application terminal and a database can be reduced, and the system coupling is small. The encryption frequency can be set according to actual requirements, and the practicability is high.
An embodiment of the present invention provides a non-volatile computer storage medium, where the computer storage medium stores at least one executable instruction, and the computer executable instruction may execute the control method for data encryption in any method embodiment described above.
The executable instructions may be specifically configured to cause the processor to:
when the data in the database is updated, reading the data in the database, wherein the data carries a writing time stamp;
encrypting the read data and recording a corresponding encryption timestamp;
and writing the encrypted data into the database.
In an alternative, the executable instructions cause the processor to:
periodically scanning the database and judging whether the database is updated or not;
and when the database has data updating, turning to the step of reading the data of the database.
In an alternative, the executable instructions cause the processor to:
acquiring the last write time stamp in the database;
and judging whether the database is updated or not based on the acquired writing time stamp and the time point of the last scanning.
In an alternative, the database includes a write timestamp for each data line, the executable instructions causing the processor to:
updated data is read from the database based on the write timestamp of each data row and the point in time of the last scan.
In an alternative, the executable instructions cause the processor to:
and judging whether the currently read data needs to be encrypted or not based on the timestamp carried by the read data.
In an alternative, the executable instructions cause the processor to:
judging whether the currently read data needs to be encrypted or not based on the timestamp carried by the read data, wherein the judging step comprises the following steps:
analyzing whether the acquired data carries an encryption timestamp;
and if not, determining that the acquired data needs to be encrypted.
In an alternative, the executable instructions cause the processor to:
comparing the write timestamp with a time point of a last scan;
and if the time for writing the acquired data is later than the time for scanning the database last time and the acquired data does not carry the encryption timestamp, determining that the acquired data needs to be encrypted.
The embodiment of the invention has the advantages that the encryption operation of the data is independent, the burden of an application terminal and a database can be reduced, and the system coupling is small. The encryption frequency can be set according to actual requirements, and the practicability is high.
An embodiment of the present invention provides a non-volatile computer storage medium, where the computer storage medium stores at least one executable instruction, and the computer executable instruction may execute the control method for data decryption in any method embodiment described above.
The executable instructions may be specifically configured to cause the processor to:
reading data from a database;
judging whether the read data needs to be decrypted or not based on the timestamp carried by the read data;
and if the decryption is needed, decrypting the read data.
In an alternative, the executable instructions cause the processor to:
analyzing whether the read data carries an encryption timestamp;
and if the data is carried, determining that the acquired data needs to be decrypted.
An embodiment of the present invention provides a computer program product, which includes a computer program stored on a computer storage medium, the computer program including program instructions, which, when executed by a computer, cause the computer to execute the control management method for data encryption in any of the above-mentioned method embodiments.
The executable instructions may be specifically configured to cause the processor to:
when the data in the database is updated, reading the data in the database, wherein the data carries a writing time stamp;
encrypting the read data and recording a corresponding encryption timestamp;
and writing the encrypted data into the database.
In an alternative, the executable instructions cause the processor to:
periodically scanning the database and judging whether the database is updated or not;
and when the database has data updating, turning to the step of reading the data of the database.
In an alternative, the executable instructions cause the processor to:
acquiring the last write time stamp in the database;
and judging whether the database is updated or not based on the acquired writing time stamp and the time point of the last scanning.
In an alternative, the database includes a write timestamp for each data line, the executable instructions causing the processor to:
updated data is read from the database based on the write timestamp of each data row and the point in time of the last scan.
In an alternative, the executable instructions cause the processor to:
and judging whether the currently read data needs to be encrypted or not based on the timestamp carried by the read data.
In an alternative, the executable instructions cause the processor to:
analyzing whether the acquired data carries an encryption timestamp;
and if not, determining that the acquired data needs to be encrypted.
In an alternative, the executable instructions cause the processor to:
comparing the write timestamp with a time point of a last scan;
and if the time for writing the acquired data is later than the time for scanning the database last time and the acquired data does not carry the encryption timestamp, determining that the acquired data needs to be encrypted.
In the invention, the encryption operation of the data is independent, the burden of an application terminal and a database can be reduced, and the system coupling is small. The encryption frequency can be set according to actual requirements, and the practicability is high.
An embodiment of the present invention provides a computer program product, which includes a computer program stored on a computer storage medium, the computer program including program instructions, which, when executed by a computer, cause the computer to execute the control management method for data decryption in any of the above-mentioned method embodiments.
The executable instructions may be specifically configured to cause the processor to:
reading data from a database;
judging whether the read data needs to be decrypted or not based on the timestamp carried by the read data;
and if the decryption is needed, decrypting the read data.
In an alternative, the executable instructions cause the processor to:
analyzing whether the read data carries an encryption timestamp;
and if the data is carried, determining that the acquired data needs to be decrypted.
In the embodiment of the invention, if decryption processing is not required, the data is used directly. Because only the data that is actually encrypted is decrypted before use, the load on the application system is reduced.
Fig. 6 is a schematic structural diagram of a computing device according to an embodiment of the present invention, and a specific embodiment of the present invention does not limit a specific implementation of the device.
As shown in fig. 6, the computing device may include: a processor 802, a communications interface 804, a memory 806, and a communication bus 808.
Wherein: the processor 802, communication interface 804, and memory 806 communicate with one another via a communication bus 808. A communication interface 804 for communicating with network elements of other devices, such as clients or other servers. The processor 802 is configured to execute the program 810, and may specifically execute relevant steps in the above-described control method embodiment for data encryption.
In particular, the program 810 may include program code comprising computer operating instructions.
The processor 802 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 806 stores a program 810. The memory 806 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 810 may be specifically configured to cause the processor 802 to perform the following operations:
when the data in the database is updated, reading the data in the database, wherein the data carries a writing time stamp;
encrypting the read data and recording a corresponding encryption timestamp;
and writing the encrypted data into the database.
In an alternative, the program 810 causes the processor to:
periodically scanning the database and judging whether the database is updated or not;
and when the database has data updating, turning to the step of reading the data of the database.
In an alternative, the program 810 causes the processor to:
acquiring the last write time stamp in the database;
and judging whether the database is updated or not based on the acquired writing time stamp and the time point of the last scanning.
In an alternative approach, where the database includes a write timestamp for each row of data, the program 810 causes the processor to:
updated data is read from the database based on the write timestamp of each data row and the point in time of the last scan.
In an alternative, the program 810 causes the processor to:
and judging whether the currently read data needs to be encrypted or not based on the timestamp carried by the read data.
In an alternative, the program 810 causes the processor to:
judging whether the currently read data needs to be encrypted or not based on the timestamp carried by the read data, wherein the judging step comprises the following steps:
analyzing whether the acquired data carries an encryption timestamp;
and if not, determining that the acquired data needs to be encrypted.
In an alternative, the program 810 causes the processor to:
comparing the write timestamp with a time point of a last scan;
and if the time for writing the acquired data is later than the time for scanning the database last time and the acquired data does not carry the encryption timestamp, determining that the acquired data needs to be encrypted.
The embodiment of the invention has the advantages that the encryption operation of the data is independent, the burden of an application terminal and a database can be reduced, and the system coupling is small. The encryption frequency can be set according to actual requirements, and the practicability is high.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.

Claims (14)

1. A method for controlling data encryption, the method comprising:
when the data in the database is updated, reading the data in the database, wherein the data carries a writing time stamp;
encrypting the read data and recording a corresponding encryption timestamp;
and writing the encrypted data into the database.
2. The method of claim 1, wherein before reading the data of the database, further comprising:
periodically scanning the database and judging whether the database is updated or not;
and when the database has data updating, turning to the step of reading the data of the database.
3. The method of claim 2, wherein said determining whether the database is updated comprises:
acquiring the last write time stamp in the database;
and judging whether the database is updated or not based on the acquired writing time stamp and the time point of the last scanning.
4. The method of claim 3, wherein the database includes a write timestamp for each row of data, and wherein reading the data of the database includes:
updated data is read from the database based on the write timestamp of each data row and the point in time of the last scan.
5. The method of claim 1, wherein prior to encrypting the read data and recording the corresponding encryption timestamp, further comprising:
a write time stamp and/or an encryption time stamp of the read data is determined, and an encryption level is determined according to the write time stamp and/or the encryption time stamp of the read data.
6. The method of claim 5, wherein determining the write time stamp and/or the encryption time stamp of the read data, and determining the encryption level according to the write time stamp and/or the encryption time stamp of the read data comprises:
when a first time difference between the writing time stamp and the current time is smaller than a first time threshold value and/or a second time difference between the encryption time stamp and the current time is smaller than a second time threshold value, performing initial level encryption on the read data;
when a first time difference between the writing time stamp and the current time is greater than or equal to a first time threshold and a second time difference between the encryption time stamp and the current time is less than a second time threshold, or when the first time difference between the writing time stamp and the current time is less than the first time threshold and the second time difference between the encryption time stamp and the current time is greater than or equal to the second time threshold, performing second-level encryption on the read data;
and when the first time difference between the writing time stamp and the current time is larger than or equal to a first time threshold value, and/or the second time difference between the encryption time stamp and the current time is larger than or equal to a second time threshold value, performing reinforced level encryption on the read data.
7. The method of claim 5, wherein determining a write time stamp and/or an encryption time stamp for the read data, and determining an encryption level based on the write time stamp and/or the encryption time stamp for the read data comprises:
comparing the write timestamp with a time point of a last scan;
and if the time for writing the acquired data is later than the time for scanning the database last time and the acquired data does not carry the encryption timestamp, determining that the acquired data needs to be encrypted.
8. A method for controlling data decryption, the method comprising:
reading data from a database;
judging whether the read data needs to be decrypted or not based on the timestamp carried by the read data;
and if the decryption is needed, decrypting the read data.
9. The method of claim 8, wherein determining whether the read data needs to be decrypted based on a timestamp corresponding to the read data comprises:
analyzing whether the read data carries an encryption timestamp;
and if the data is carried, determining that the acquired data needs to be decrypted.
10. A control apparatus for data encryption, the apparatus comprising:
the reading unit is used for reading the data of the database when the data of the database is updated, and the data carries a writing time stamp;
the encryption unit is used for encrypting the read data and recording a corresponding encryption timestamp;
and the writing unit is used for writing the encrypted data into the database.
11. A control apparatus for data decryption, the apparatus comprising:
a reading unit for reading data from the database;
the analysis unit is used for analyzing whether the read data needs to be decrypted or not based on the time stamp carried by the read data;
and the decryption unit is used for decrypting the read data if decryption is needed.
12. A data management system, comprising:
a database for storing data;
the data encryption control device is used for acquiring the data of the database when the database has data updating and encrypting the acquired data;
and the data decryption control device is used for decrypting the data of the database when the data decryption is required.
13. A computing device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction which causes the processor to execute the steps of the control method for data encryption according to any one of claims 1-7.
14. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform the steps of a method for controlling encryption of data according to any one of claims 1 to 7.
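Claims 5 and 6 add a step the description does not spell out: choosing an encryption level from the age of the write timestamp (first time difference, first threshold) and of the encryption timestamp (second time difference, second threshold). As an added example, not code from the patent, the function below implements one consistent reading of claim 6's "and/or" wording: neither threshold reached gives initial-level encryption, exactly one reached gives second-level, both reached gives reinforced-level, and a row that was never encrypted (no second difference) is decided on the first difference alone. The level names, the ISO-8601 string inputs and the thresholds in seconds are assumptions of this example.

```python
from datetime import datetime
from typing import Optional

# Level names are this example's own; the claims only say initial, second and reinforced.
INITIAL, SECOND, REINFORCED = "initial", "second", "reinforced"

def encryption_level(write_ts: str, enc_ts: Optional[str], now: str,
                     first_threshold_s: int, second_threshold_s: int) -> str:
    """Choose an encryption level from the ages of the write and encryption timestamps.

    d1 = now - write_ts is compared with the first threshold, d2 = now - enc_ts with the
    second. Reading of claim 6 assumed here: neither reached -> initial; exactly one
    reached -> second; both reached -> reinforced. With no encryption timestamp there is
    no d2, so d1 alone decides between initial and reinforced (the claim's "and/or").
    """
    t_now = datetime.fromisoformat(now)
    over_first = (t_now - datetime.fromisoformat(write_ts)).total_seconds() >= first_threshold_s
    if enc_ts is None:
        return REINFORCED if over_first else INITIAL
    over_second = (t_now - datetime.fromisoformat(enc_ts)).total_seconds() >= second_threshold_s
    if over_first and over_second:
        return REINFORCED
    if over_first or over_second:
        return SECOND
    return INITIAL

if __name__ == "__main__":
    # Constructed sample: thresholds of one hour (write age) and ten minutes (encryption age).
    print(encryption_level("2021-10-21T09:50:32", "2021-10-21T10:55:00", "2021-10-21T11:00:00", 3600, 600))
```

The thresholds decide how aggressively data is re-protected; whichever reading of the claim a deployment adopts, the function should be covered by tests at the threshold boundaries (the claim uses "greater than or equal to"), since an off-by-one there silently leaves old data at the weaker level.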
CN202111496938.3A 2021-12-09 2021-12-09 Data management system, and control method and device for data encryption and decryption Pending CN113918997A (en)


Publications (1)

Publication Number Publication Date
CN113918997A true CN113918997A (en) 2022-01-11

Family

ID=79248853



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220111