CN116150242A - Transparent encryption and access control method, device and equipment for database - Google Patents


Info

Publication number
CN116150242A
Authority
CN
China
Prior art keywords
database
access control
encryption
application server
request
Prior art date
Legal status
Pending
Application number
CN202211704173.2A
Other languages
Chinese (zh)
Inventor
宣兆新
李博
邹雷
李东
杨彬彬
Current Assignee
Chengdu Westone Information Industry Inc
Original Assignee
Chengdu Westone Information Industry Inc
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
            • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
              • G06F16/25 Integrating or interfacing systems involving database management systems
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/44 Program or device authentication
            • G06F21/60 Protecting data
              • G06F21/602 Providing cryptographic facilities or services
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/44 Arrangements for executing specific programs
                • G06F9/445 Program loading or initiating
                  • G06F9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
                    • G06F9/44526 Plug-ins; Add-ons
          • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
              • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The application discloses a transparent encryption and access control method, device and equipment for a database, which relate to the technical field of database security and comprise the following steps: establishing a target connection between an application server and a database by using transparent encryption and an access control plug-in based on a security policy; when the transparent encryption and access control plug-in receives a write-in request of an application server through target connection, judging whether the write-in request is limited access, if not, writing data to be written in the write-in request into a database by utilizing an encryption strategy; when the transparent encryption and access control plug-in receives a read request of the application server through target connection, a read result corresponding to the read request and returned by the database is obtained, whether the read request is limited access is judged based on second target information of the read result and a matching result of an access control strategy, and if not, the read result is sent to the application server by using a decryption strategy. The method can realize low-cost database safe storage and safe access suitable for multiple scenes.

Description

Transparent encryption and access control method, device and equipment for database
Technical Field
The present invention relates to the field of database security technologies, and in particular, to a method, an apparatus, and a device for transparent encryption and access control of a database.
Background
Sensitive data is stored in plaintext in databases and lacks effective access control, which leads to frequent data leakage incidents. External adversaries breaking in to steal data, high-privilege internal users stealing data, and lost storage media leaking data are the main problems facing database security today. Encrypted storage is the last line of defence in a database security protection system, and database transparent encryption technology has been developing continuously since its inception. At present, transparent encryption of databases is mainly implemented in the following four ways:
1) In-application transparent encryption system based on a database proxy driver: as in the schematic diagram of a specific in-application transparent encryption system shown in fig. 1, a database proxy driver is installed in the application system that needs to access the database; it monitors the application process in real time, intercepts the SQL (Structured Query Language) statements that store data, encrypts sensitive data according to the security policy, and then calls the database driver to store the ciphertext in the database.
2) Front-end proxy (pre-proxy) transparent encryption system based on a database encryption gateway: as in the schematic diagram of a specific pre-proxy transparent encryption system shown in fig. 2, pre-proxy encryption encrypts sensitive data before it is saved to the database and stores the ciphertext in the database. Pre-proxy encryption is typically implemented as a database encryption gateway.
3) Post-proxy transparent encryption system based on trigger + view + UDF (user-defined function) + ciphertext index: as in the schematic diagram of a specific post-proxy transparent encryption system shown in fig. 3, post-proxy encryption is built on the database's own capabilities and makes full use of the extension mechanisms the database provides to achieve encrypted storage, retrieval of encrypted data, application transparency, and so on.
4) Transparent encryption system based on TDE (Transparent Data Encryption): as in the schematic diagram of a specific TDE-based transparent encryption system shown in fig. 4, TDE is a database-side storage encryption technology that is completely transparent to the application system and is typically implemented in the database engine by the database vendor. Data is encrypted when it is written from the database shared memory to a data file and decrypted when it is read from the data file into the database shared memory. That is, data exists as plaintext in the database shared memory and as ciphertext in the data file. Because of this transparency, any legitimate and authorized database user can access and process the data in an encrypted table.
All four technologies can realize transparent encryption of a database and have their own independent permission control systems, but they also have the following defects:
1) Limited usage scenarios: it is difficult for a single technical route to meet the transparent encryption requirements of databases in multiple scenarios. TDE strongly depends on the database vendor and cannot be used if the database does not provide a transparent encryption extension interface. Post-proxy encryption has a high performance cost; when there are many encrypted columns or the query result set is large, normal use of the application system can be seriously affected. Gateway-based pre-proxy encryption must parse the database protocol and grammar, strongly depends on the database type and version, and suffers from single points of failure, performance loss and similar problems. In-application transparent encryption based on a database proxy driver involves diverse programming languages and frameworks, is somewhat intrusive to the database, has field-extension problems, and, if the application system uses triggers, stored procedures, database transactions or database functions, can affect the application's business logic or even make it unusable.
2) Excessive implementation cost: database encryption systems on the market generally implement only one encryption technology. For complex database security scenarios, such as a large data center, multiple database encryption products have to be introduced to solve secure storage and secure access for multiple databases, and the hardware procurement cost is too high. During deployment, several database security vendors have to be coordinated, so coordination costs are too high and efficiency is too low. After the system goes live, operations staff must maintain multiple database encryption products from different vendors, and the learning and operations costs are too high.
As a result, secure database storage and access in complex scenarios is difficult to implement and costly.
In summary, how to realize low-cost secure storage and secure access of databases that is suitable for multiple scenarios is a problem to be solved in the art.
Disclosure of Invention
In view of the above, the present invention aims to provide a method, an apparatus and a device for transparent encryption and access control of a database, which can realize low-cost secure storage and secure access of a database suitable for multiple scenarios. The specific scheme is as follows:
in a first aspect, the present application discloses a method for transparent encryption and access control of a database, including:
based on the security policy, and utilizing transparent encryption and an access control plug-in to establish a target connection between an application server and a database; the security policy comprises an access control policy, an encryption policy and a decryption policy;
when the transparent encryption and access control plug-in receives a write-in request of the application server through the target connection, judging whether the write-in request is limited access or not based on a matching result of first target information in the write-in request and the access control strategy, and if not, writing data to be written in the write-in request into the database by utilizing the encryption strategy;
When the transparent encryption and access control plug-in receives a read request of the application server through the target connection, a read result corresponding to the read request and returned by the database is obtained, whether the read request is the limited access is judged based on second target information of the read result and a matching result of the access control strategy, and if not, the read result is sent to the application server by using the decryption strategy.
Optionally, the establishing a target connection between the application server and the database based on the security policy and using transparent encryption and an access control plug-in includes:
acquiring a connection request sent by an application server through a transparent encryption and access control plug-in, identifying third target information in the connection request by using the transparent encryption and access control plug-in, and judging whether the connection request is legal or not based on the third target information and a security policy; the third target information comprises any one or more of a database name, a database account number and an IP address;
if yes, establishing target connection between the application server and the database.
Optionally, the establishing a target connection between the application server and the database based on the security policy and using transparent encryption and an access control plug-in includes:
if a database local transparent encryption and access control plug-in a database server receives a connection request sent by an application server, establishing target connection between the application server and a first database in the database server based on a security policy by utilizing the database local transparent encryption and access control plug-in.
Optionally, the writing the data to be written in the write request into the database by using the encryption policy includes:
the database engine calls the database local transparent encryption and access control plug-in to acquire an encryption policy sent by a database security agent in the database server, and the plug-in encrypts the data to be written in the write request with the encryption policy to obtain encrypted data;
the database local transparent encryption and access control plug-in returns the encrypted data to the database engine so that the database engine writes the encrypted data into the first database;
Correspondingly, the sending the read result to the application server by using the decryption policy includes:
and calling the database local transparent encryption and access control plug-in by the database engine to acquire a decryption strategy sent by a database security agent in the database server, decrypting the read result by utilizing the decryption strategy to obtain a decrypted read result, and returning the decrypted read result to the database engine so that the decrypted read result is sent to the application server by the database engine.
Optionally, the establishing a target connection between the application server and the database based on the security policy and using transparent encryption and an access control plug-in includes:
if a database remote transparent encryption and access control plug-in an application server receives a connection request sent by the application server, establishing target connection between the application server and a second database in the application server by utilizing the database remote transparent encryption and access control plug-in based on a security policy.
Optionally, the writing the data to be written in the write request into the database by using the encryption policy includes:
Acquiring an encryption strategy sent by a database security agent in the application server through the database remote transparent encryption and access control plug-in, and writing data to be written in the write request into the second database by utilizing the encryption strategy;
correspondingly, the sending the read result to the application server by using the decryption policy includes:
and acquiring a decryption strategy sent by a database security agent in the application server through the database remote transparent encryption and access control plug-in, decrypting the read result by utilizing the decryption strategy to obtain a decrypted read result, and then sending the decrypted read result to the application server.
Optionally, when the transparent encryption and access control plug-in receives a read request of the application server through the target connection, obtaining a read result corresponding to the read request returned by the database includes:
when the database remote transparent encryption and access control plug-in receives a read request of the application server through the target connection, judging whether a sensitive field exists in the read request;
if so, performing format-preserving encryption on the sensitive field based on the encryption policy to obtain an encrypted read request, and sending the encrypted read request to the second database so as to acquire the read result corresponding to the encrypted read request returned by the second database.
Optionally, the sending the read result to the application server by using the decryption policy includes:
judging whether sensitive data exist in the reading result, if so, performing data desensitization on the sensitive data to obtain a desensitized reading result, and transmitting the desensitized reading result to the application server by utilizing the decryption strategy.
In a second aspect, the present application discloses a transparent encryption and access control device for a database, including:
the connection establishment module is used for establishing target connection between the application server and the database by using the transparent encryption and access control plug-in based on the security policy; the security policy comprises an access control policy, an encryption policy and a decryption policy;
the writing module is used for judging whether the writing request is limited access or not based on the matching result of the first target information in the writing request and the access control strategy when the transparent encryption and access control plug-in receives the writing request of the application server through the target connection, and if not, writing the data to be written in the writing request into the database by utilizing the encryption strategy;
And the reading module is used for acquiring a reading result corresponding to the reading request returned by the database when the transparent encryption and access control plug-in receives the reading request of the application server through the target connection, judging whether the reading request is the limited access or not based on the second target information of the reading result and the matching result of the access control strategy, and if not, sending the reading result to the application server by using the decryption strategy.
In a third aspect, the present application discloses an electronic device comprising:
a memory for storing a computer program;
and a processor for executing the computer program to implement the steps of the database transparent encryption and access control method disclosed above.
The application is based on the security policy, and utilizes the transparent encryption and access control plug-in to establish target connection between the application server and the database; the security policy comprises an access control policy, an encryption policy and a decryption policy; when the transparent encryption and access control plug-in receives a write-in request of the application server through the target connection, judging whether the write-in request is limited access or not based on a matching result of first target information in the write-in request and the access control strategy, and if not, writing data to be written in the write-in request into the database by utilizing the encryption strategy; when the transparent encryption and access control plug-in receives a read request of the application server through the target connection, a read result corresponding to the read request and returned by the database is obtained, whether the read request is the limited access is judged based on second target information of the read result and a matching result of the access control strategy, and if not, the read result is sent to the application server by using the decryption strategy. Therefore, when data writing and data reading are performed on the database, the application can judge whether the writing request or the reading request of the application server is limited access or not based on the access control strategy, the data to be written in the writing request can be written in the database by utilizing the encryption strategy, and the reading result is sent to the application server by utilizing the decryption strategy, namely, the application comprises the access control strategy, the encryption strategy and the decryption strategy, multiple database encryption products are not required to be introduced, multiple database storage and access scenes can be met, and the cost is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
FIG. 1 is a schematic diagram of a transparent encryption system in a specific application disclosed in the present application;
FIG. 2 is a schematic diagram of a specific pre-proxy transparent encryption system disclosed in the present application;
FIG. 3 is a schematic diagram of a specific post-proxy transparent encryption system disclosed herein;
FIG. 4 is a schematic diagram of a specific TDE-based transparent encryption system disclosed in the present application;
FIG. 5 is a flowchart of a method for transparent encryption and access control of a database disclosed in the present application;
FIG. 6 is a schematic diagram of transparent encryption and access control of a specific database disclosed in the present application;
FIG. 7 is a flowchart of a specific database transparent encryption and access control method disclosed in the present application;
FIG. 8 is a flowchart of another exemplary database transparent encryption and access control method disclosed herein;
FIG. 9 is a schematic diagram of a transparent encryption and access control device for a database disclosed in the present application;
fig. 10 is a block diagram of an electronic device disclosed in the present application.
Detailed Description
The following description of the technical solutions in the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In existing database transparent encryption and access control, there are four systems that realize database transparent encryption: the in-application transparent encryption system based on a database proxy driver, the front-end proxy transparent encryption system based on a database encryption gateway, the post-proxy transparent encryption system based on trigger + view + UDF + ciphertext index, and the TDE-based transparent encryption system. These systems still have the defects of limited usage scenarios and high implementation cost, so security hardening of a database is expensive and complex scenarios are difficult to realize.
Therefore, the present application provides a corresponding transparent encryption and access control scheme for databases, realizing low-cost secure storage and secure access of databases suitable for multiple scenarios.
Referring to fig. 5, an embodiment of the present application discloses a transparent encryption and access control method for a database, including:
step S11: based on the security policy, and utilizing transparent encryption and an access control plug-in to establish a target connection between an application server and a database; the security policies include an access control policy, an encryption policy and a decryption policy.
In this embodiment, the establishing, based on the security policy and using the transparent encryption and the access control plug-in, a target connection between the application server and the database includes: acquiring a connection request sent by an application server through a transparent encryption and access control plug-in, identifying third target information in the connection request by using the transparent encryption and access control plug-in, and judging whether the connection request is legal or not based on the third target information and a security policy; the third target information comprises any one or more of a database name, a database account number and an IP address; if yes, establishing target connection between the application server and the database.
The database security agent and the database local transparent encryption and access control plug-in can be installed on the database server, or the database security agent and the database remote transparent encryption and access control plug-in can be installed on the application server, so that two working modes, a local mode and a remote mode, are supported, and data leakage that might be caused by internal theft or external attack can be effectively prevented. A security policy comprising an access control policy, an encryption policy and a decryption policy is set through the database encryption and access control service and issued to the database security agent. The encryption and decryption policies contain information such as the table, the field and the key index; the access control policy contains the access rights of different roles to tables and fields, the desensitization algorithms used for restricted access, and so on. The database security agent in the database server synchronizes the security policy, including the access control policy, the encryption policy and the decryption policy, to the database local transparent encryption and access control plug-in; similarly, the database security agent in the application server synchronizes the security policy to the database remote transparent encryption and access control plug-in. For example, in the specific database transparent encryption and access control diagram shown in fig. 6, the database encryption and access control service is responsible for policy management, key management, rights management, system management and log management.
The database local transparent encryption and access control plug-in is arranged on a database server and provides table space level transparent encryption and decryption, field level transparent encryption and decryption and field level access control for the local database. The database remote transparent encryption and access control plug-in is installed on an application server which needs to access the database and is used for monitoring an application process in real time, intercepting the operation of the application on the database and providing field-level transparent encryption and decryption and field-level access control for the database in the application. The database security agent is installed on a database server or an application server and is responsible for the functions of strategy synchronization, key synchronization, log synchronization and the like.
Step S12: when the transparent encryption and access control plug-in receives a write-in request of the application server through the target connection, judging whether the write-in request is limited access or not based on a matching result of first target information in the write-in request and the access control strategy, and if not, writing data to be written in the write-in request into the database by utilizing the encryption strategy.
In this embodiment, when the transparent encryption and access control plug-in intercepts a write-in request of the application server through the target connection, the transparent encryption and access control plug-in obtains a target key corresponding to the encryption policy from the database security agent, and sends the target key and the data to be written to the commercial cryptographic module, so as to obtain encrypted data to be written, and writes the encrypted data to be written to the database. It should be noted that it is also necessary to determine whether the write request is limited access, and the determination may be made by the matching result of the first target information in the write request and the access control policy, where the first target information includes a table and a field related to the write request, and if the first target information matches the access control policy, the determination is not limited access.
Step S13: when the transparent encryption and access control plug-in receives a read request of the application server through the target connection, a read result corresponding to the read request and returned by the database is obtained, whether the read request is the limited access is judged based on second target information of the read result and a matching result of the access control strategy, and if not, the read result is sent to the application server by using the decryption strategy.
In this embodiment, the sending the read result to the application server by using the decryption policy includes: judging whether sensitive data exist in the reading result, if so, performing data desensitization on the sensitive data to obtain a desensitized reading result, and transmitting the desensitized reading result to the application server by utilizing the decryption strategy.
It can be understood that the transparent encryption and access control plug-in obtains the target key corresponding to the decryption policy from the database security agent, sends the target key and the read result to the commercial cryptographic module to obtain a decrypted read result, and returns the decrypted read result to the application server. It should be noted that it is also necessary to determine whether the read request is limited access; the determination can be made from the matching result of the access control policy and the second target information of the read result, where the second target information includes the table and fields involved in the read result, and if the second target information matches the access control policy, the access is not limited access.
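As an added example that is not part of the patent or of Westone's product, the following Python model walks through steps S11 to S13 above and the format-preserving encryption of the read request described in the optional embodiments: the security policy tables, key values, in-memory database, role names and sample rows are all constructed, and the `fpe` function is a toy deterministic stand-in for the commercial cryptographic module, not a real cipher.

```python
import hashlib
import hmac
import string

# Constructed security policy shaped like the one the patent describes: encryption policy as
# (table, field) -> key index, access-control policy as the fields each role may use per
# table, and masking rules as the desensitization applied to restricted reads.
SECURITY_POLICY = {
    "connections": {("crm", "app_user", "10.0.0.5")},  # legal (database, account, IP) triples
    "encryption": {("customer", "id_card"): "k1", ("customer", "phone"): "k2"},
    "access_control": {
        "app_service": {"customer": {"name", "phone", "id_card"}},
        "report_ro": {"customer": {"name", "phone"}},  # id_card is restricted for this role
    },
    "masking": {
        "id_card": lambda v: v[:6] + "*" * (len(v) - 10) + v[-4:],
        "phone": lambda v: v[:3] + "****" + v[-4:],
    },
}
# Constructed keys standing in for the key material the database security agent synchronizes.
KEYS = {"k1": b"constructed-demo-key-1", "k2": b"constructed-demo-key-2"}
ALPHABETS = (string.digits, string.ascii_lowercase, string.ascii_uppercase)


def _keystream(key, field, length):
    """Deterministic keyed byte stream bound to the field name (HMAC-SHA256 in counter mode)."""
    out, counter = [], 0
    while len(out) < length:
        out.extend(hmac.new(key, f"{field}:{counter}".encode(), hashlib.sha256).digest())
        counter += 1
    return out[:length]


def fpe(key, field, value, decrypt=False):
    """Toy format-preserving transform: digits stay digits, letters stay letters, length is kept.
    Deterministic, so equal plaintexts in a field give equal ciphertexts: that is what lets an
    encrypted WHERE literal match stored ciphertext, and also why it leaks equality. It stands in
    for the commercial cryptographic module and is not a real cipher."""
    out = []
    for ch, k in zip(value, _keystream(key, field, len(value))):
        alphabet = next((a for a in ALPHABETS if ch in a), None)
        if alphabet is None:
            out.append(ch)  # separators such as '-' are left in place
            continue
        out.append(alphabet[(alphabet.index(ch) + (-k if decrypt else k)) % len(alphabet)])
    return "".join(out)


class ToyDatabase:
    """In-memory stand-in for the database; for policy fields it only ever sees ciphertext."""
    def __init__(self):
        self.tables = {}

    def insert(self, table, row):
        self.tables.setdefault(table, []).append(dict(row))

    def select(self, table, where):
        return [dict(r) for r in self.tables.get(table, [])
                if all(r.get(k) == v for k, v in where.items())]


class TransparentPlugin:
    """Sits between application server and database and enforces the security policy."""
    def __init__(self, db, policy, keys):
        self.db, self.policy, self.keys = db, policy, keys

    def connect(self, db_name, account, ip):
        """S11: a connection is legal only if its (database, account, IP) matches the policy."""
        return (db_name, account, ip) in self.policy["connections"]

    def _restricted(self, role, table, fields):
        """Fields of the request that the access-control policy does not grant this role."""
        allowed = self.policy["access_control"].get(role, {}).get(table, set())
        return {f for f in fields if f not in allowed}

    def _apply_policy(self, table, row, decrypt=False):
        """Encrypt (or decrypt) exactly the fields the encryption policy covers for this table."""
        out = {}
        for f, v in row.items():
            key_index = self.policy["encryption"].get((table, f))
            out[f] = fpe(self.keys[key_index], f, v, decrypt) if key_index else v
        return out

    def write(self, role, table, row):
        """S12: refuse a write that touches a restricted field; otherwise store ciphertext."""
        restricted = self._restricted(role, table, row)
        if restricted:
            raise PermissionError(f"{role} may not write {sorted(restricted)} in {table}")
        stored = self._apply_policy(table, row)
        self.db.insert(table, stored)
        return stored

    def read(self, role, table, fields, where):
        """S13: encrypt sensitive WHERE literals, decrypt the rows, mask restricted fields."""
        rows = self.db.select(table, self._apply_policy(table, where))
        restricted = self._restricted(role, table, fields)
        result = []
        for row in rows:
            plain = self._apply_policy(table, row, decrypt=True)
            for f in restricted:  # restricted access: desensitize rather than deny
                plain[f] = self.policy["masking"].get(f, lambda v: "*" * len(v))(plain[f])
            result.append({f: plain[f] for f in fields})
        return result
```

A `report_ro` read of `id_card` is served masked rather than refused, which is the desensitization path for restricted access, while a `report_ro` write of that field raises `PermissionError`.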
The present application establishes the target connection between the application server and the database by means of the transparent encryption and access control plug-in, based on the security policy, which comprises an access control policy, an encryption policy and a decryption policy. When the plug-in receives a write request from the application server over the target connection, it determines whether the write request is limited access based on the matching result between the first target information in the write request and the access control policy and, if not, writes the data to be written in the write request to the database using the encryption policy. When the plug-in receives a read request from the application server over the target connection, it obtains the read result returned by the database for that read request, determines whether the read request is limited access based on the matching result between the second target information of the read result and the access control policy and, if not, sends the read result to the application server using the decryption policy. Thus, on both writes and reads, the application can decide from the access control policy whether the application server's request is limited access, write the data using the encryption policy and return the read result using the decryption policy. Because the access control policy, the encryption policy and the decryption policy are combined in one component, multiple database encryption products need not be introduced, multiple database storage and access scenarios can be served, and cost is reduced.
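The write and read paths described above, as an added example that is not part of the patent: a minimal Python model of the plug-in that matches the table and fields of a request (the first and second target information) against the access control policy, resolves the key index named in the encryption or decryption policy through a stand-in security agent, encrypts on write and decrypts on read through a stand-in cryptographic module, and desensitizes sensitive fields in the read result. All names (`SecurityAgent`, `TransparentPlugin`, `key-idx-customer-phone`, the `app_svc` and `report_svc` accounts, the `customer` table) and the sample data are constructed for this illustration; the cryptographic module is a toy HMAC-SHA256 keystream cipher with an integrity tag, standing in for the commercial cryptographic module the patent relies on, and an in-memory dict stands in for the database.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# ---- Commercial cryptographic module (stand-in) ---------------------------
# The patent hands the working key and the data to a commercial cryptographic
# module. Assumption: this stand-in is a toy HMAC-SHA256 keystream cipher with
# an HMAC tag so the block runs on the standard library alone; it is not SM4
# or AES and must not be used as a real cipher.
NONCE_LEN, TAG_LEN = 12, 16

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def crypto_module_encrypt(key: bytes, plaintext: str) -> str:
    nonce = secrets.token_bytes(NONCE_LEN)       # fresh per value: equal plaintexts differ
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return (nonce + ct + tag).hex()

def crypto_module_decrypt(key: bytes, ciphertext_hex: str) -> str:
    raw = bytes.fromhex(ciphertext_hex)
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # reject tampered ciphertext before use
        raise ValueError("ciphertext integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

# ---- Database security agent (stand-in) ----------------------------------
class SecurityAgent:
    """Resolves the key index named in a policy to a working key. The patent's
    agent fetches keys from the encryption and access control service; here
    they are generated in memory (assumption)."""
    def __init__(self):
        self._keys = {}

    def working_key(self, key_index: str) -> bytes:
        return self._keys.setdefault(key_index, secrets.token_bytes(32))

# ---- Security policy = access control + encryption/decryption + masking ---
@dataclass
class SecurityPolicy:
    access_control: dict    # account -> {table -> set of fields it may touch}
    encrypted_fields: dict  # (table, field) -> key index, used for both directions
    sensitive_fields: dict  # (table, field) -> masking function for desensitization

class RestrictedAccess(Exception):
    pass

class TransparentPlugin:
    def __init__(self, policy: SecurityPolicy, agent: SecurityAgent, db: dict):
        self.policy, self.agent, self.db = policy, agent, db

    def _check(self, account: str, table: str, fields) -> None:
        # target information = table + fields; the request is limited access
        # unless every field it touches is matched by the policy
        allowed = self.policy.access_control.get(account, {}).get(table, set())
        denied = set(fields) - allowed
        if denied:
            raise RestrictedAccess(f"{account} may not access {table}.{sorted(denied)}")

    def write(self, account: str, table: str, row: dict) -> dict:
        self._check(account, table, row.keys())          # first target information
        stored = {}
        for f, value in row.items():
            idx = self.policy.encrypted_fields.get((table, f))
            stored[f] = crypto_module_encrypt(self.agent.working_key(idx), value) if idx else value
        self.db.setdefault(table, []).append(stored)
        return stored

    def read(self, account: str, table: str, fields: list) -> list:
        rows = self.db.get(table, [])                    # database returns the result first
        self._check(account, table, fields)              # second target information, checked
        result = []                                      # before anything is decrypted
        for stored in rows:
            out = {}
            for f in fields:
                value = stored[f]
                idx = self.policy.encrypted_fields.get((table, f))
                if idx:
                    value = crypto_module_decrypt(self.agent.working_key(idx), value)
                mask = self.policy.sensitive_fields.get((table, f))
                out[f] = mask(value) if mask else value  # desensitize the plaintext
            result.append(out)
        return result

def mask_phone(phone: str) -> str:
    return phone[:3] + "****" + phone[-4:]

def demo():
    # constructed policy and data: app_svc may read phone numbers, report_svc may not
    policy = SecurityPolicy(
        access_control={"app_svc": {"customer": {"name", "phone"}},
                        "report_svc": {"customer": {"name"}}},
        encrypted_fields={("customer", "phone"): "key-idx-customer-phone"},
        sensitive_fields={("customer", "phone"): mask_phone},
    )
    plugin = TransparentPlugin(policy, SecurityAgent(), db={})
    stored = plugin.write("app_svc", "customer", {"name": "Alice", "phone": "13800138000"})
    rows = plugin.read("app_svc", "customer", ["name", "phone"])
    try:
        plugin.read("report_svc", "customer", ["name", "phone"])
        denied = False
    except RestrictedAccess:
        denied = True
    return stored, rows, denied
```

Two points the model makes visible: the access check on a read runs before any ciphertext is handed to the cryptographic module, so a limited-access request never triggers decryption, and masking is applied to the decrypted plaintext, which is the only order in which desensitization can be meaningful.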
Referring to fig. 7, an embodiment of the present application discloses a specific method for transparent encryption and access control of a database, including:
Step S21: if a database local transparent encryption and access control plug-in in the database server receives a connection request sent by the application server, the target connection between the application server and a first database in the database server is established, based on the security policy, by means of the database local transparent encryption and access control plug-in.
Step S22: when the database local transparent encryption and access control plug-in receives a write request from the application server over the target connection, it determines whether the write request is limited access based on the matching result between the first target information in the write request and the access control policy and, if not, writes the data to be written in the write request to the database using the encryption policy.
In this embodiment, writing the data to be written in the write request to the database using the encryption policy comprises: the database engine calls the database local transparent encryption and access control plug-in, which obtains the encryption policy sent by the database security agent in the database server and encrypts the data to be written in the write request with that encryption policy to obtain encrypted data; the database local transparent encryption and access control plug-in then returns the encrypted data to the database engine, which writes it to the first database.
It should be noted that when the data to be written is encrypted using the encryption policy, either tablespace encryption or field-level encryption may be performed to obtain the encrypted data. The database local transparent encryption and access control plug-in provides tablespace encryption and decryption and field-level encryption and decryption for the local database; the cipher operations are performed inside a built-in commercial cryptographic module, and the plaintext key never leaves that module. Tablespace encryption and decryption is implemented with TDE (transparent data encryption): when data is flushed to disk, the database engine calls the database local transparent encryption and access control plug-in to encrypt it. Field-level encryption and decryption is implemented with views, triggers, user-defined functions (UDFs) and a ciphertext index: when data is written to a database table, the database engine calls the database local transparent encryption and access control plug-in to encrypt it.
Step S23: when the database local transparent encryption and access control plug-in receives a read request from the application server over the target connection, it obtains the read result returned by the database for that read request, determines whether the read request is limited access based on the matching result between the second target information of the read result and the access control policy and, if not, sends the read result to the application server using the decryption policy.
In this embodiment, sending the read result to the application server using the decryption policy comprises: the database engine calls the database local transparent encryption and access control plug-in, which obtains the decryption policy sent by the database security agent in the database server, decrypts the read result with that decryption policy to obtain the decrypted read result, and returns the decrypted read result to the database engine, which sends it to the application server. When the read result is loaded from the database file into the database buffer, the database engine calls the database local transparent encryption and access control plug-in to decrypt the data.
Thus, by installing the database local transparent encryption and access control plug-in in the database server to support a local working mode, different encryption and access control policies can be adopted on the database-local side and on the application server side. This avoids the problem that a single technical route cannot serve complex scenarios, reduces the implementation and operation-and-maintenance cost of database security protection in such scenarios, and effectively prevents data leakage caused by insider theft.
Referring to fig. 8, another specific method for transparent encryption and access control of a database is disclosed in the embodiment of the present application, including:
Step S31: if a database remote transparent encryption and access control plug-in in the application server receives a connection request sent by the application server, the target connection between the application server and a second database in the application server is established, based on the security policy, by means of the database remote transparent encryption and access control plug-in.
Step S32: when the database remote transparent encryption and access control plug-in receives a write request from the application server over the target connection, it determines whether the write request is limited access based on the matching result between the first target information in the write request and the access control policy and, if not, writes the data to be written in the write request to the database using the encryption policy.
In this embodiment, writing the data to be written in the write request to the database using the encryption policy comprises: obtaining, through the database remote transparent encryption and access control plug-in, the encryption policy sent by the database security agent in the application server, and writing the data to be written in the write request to the second database using that encryption policy. The database remote transparent encryption and access control plug-in is responsible for calling the commercial cryptographic module and providing secure, compliant cryptographic operations for data encryption and decryption. Encryption policies are set for the sensitive fields of the database through the database encryption and access control service and issued to the database security agent. An encryption policy contains information such as the fields to encrypt, the cryptographic algorithm and the key index. After receiving the encryption policy, the database security agent obtains the target key for encryption from the database encryption and access control service according to the key index and sends this working key to the database remote transparent encryption and access control plug-in; the plug-in sends the data to be written and the working key to the commercial cryptographic module to obtain the encrypted data, and then writes the encrypted data to the second database.
Step S33: when the database remote transparent encryption and access control plug-in receives a read request from the application server over the target connection, it obtains the read result returned by the database for that read request, determines whether the read request is limited access based on the matching result between the second target information of the read result and the access control policy and, if not, sends the read result to the application server using the decryption policy.
In this embodiment, sending the read result to the application server using the decryption policy comprises: obtaining, through the database remote transparent encryption and access control plug-in, the decryption policy sent by the database security agent in the application server, decrypting the read result with that decryption policy to obtain the decrypted read result, and then sending the decrypted read result to the application server. It can be understood that after the database security agent receives the decryption policy, it obtains the corresponding working key for decryption from the database encryption and access control service according to the key index and sends this target key to the database remote transparent encryption and access control plug-in; the plug-in sends the read result and the target key to the commercial cryptographic module to obtain the decrypted read result, and then returns the decrypted read result to the application server.
In this embodiment, obtaining the read result returned by the database for a read request, when the transparent encryption and access control plug-in receives that read request from the application server over the target connection, comprises: when the database remote transparent encryption and access control plug-in receives the read request, determining whether the read request contains a sensitive field; if so, applying format-preserving encryption to the sensitive field according to the encryption policy to obtain an encrypted read request, and sending the encrypted read request to the second database so as to obtain the read result that the second database returns for the encrypted read request.
Thus, by installing the database remote transparent encryption and access control plug-in in the application server to support a remote working mode, different encryption and access control policies can be adopted on the database-local side and on the application server side, which avoids the problem that a single technical route cannot serve complex scenarios and reduces the implementation and operation-and-maintenance cost of database security protection in such scenarios. For the problem of secure access to sensitive fields in a database, a scenario-based database access control method is provided that can effectively prevent data leakage that might otherwise be caused by external attack.
Referring to fig. 9, an embodiment of the present application discloses a transparent encryption and access control device for a database, including:
a connection establishment module 11, configured to establish the target connection between the application server and the database by means of the transparent encryption and access control plug-in, based on the security policy, which comprises an access control policy, an encryption policy and a decryption policy;
a writing module 12, configured to, when the transparent encryption and access control plug-in receives a write request from the application server over the target connection, determine whether the write request is limited access based on the matching result between the first target information in the write request and the access control policy and, if not, write the data to be written in the write request to the database using the encryption policy;
and a reading module 13, configured to, when the transparent encryption and access control plug-in receives a read request from the application server over the target connection, obtain the read result returned by the database for that read request, determine whether the read request is limited access based on the matching result between the second target information of the read result and the access control policy and, if not, send the read result to the application server using the decryption policy.
Further, the embodiment of the present application also provides an electronic device. Fig. 10 is a block diagram of an electronic device 20 according to an exemplary embodiment; nothing in the figure should be taken as limiting the scope of the present application.
Fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present application. Specifically, the device comprises: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input/output interface 25 and a communication bus 26. The memory 22 is configured to store a computer program that is loaded and executed by the processor 21 to implement the steps of the database transparent encryption and access control method performed by the electronic device disclosed in any of the foregoing embodiments.
In this embodiment, the power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device; the communication interface 24 can create a data transmission channel between the electronic device and an external device, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 25 is used for acquiring external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application requirement, which is not limited herein.
Processor 21 may include one or more processing cores, such as a 4-core or 8-core processor. The processor 21 may be implemented in at least one hardware form among DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array) and PLA (Programmable Logic Array). The processor 21 may also comprise a main processor, which processes data in the awake state and is also called the CPU (Central Processing Unit), and a coprocessor, which is a low-power processor that processes data in the standby state. In some embodiments, the processor 21 may integrate a GPU (Graphics Processing Unit) for rendering and drawing the content to be shown on the display screen. In some embodiments, the processor 21 may also include an AI (Artificial Intelligence) processor for computing operations related to machine learning.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon include an operating system 221, a computer program 222, and data 223, and the storage may be temporary storage or permanent storage.
The operating system 221 manages and controls the hardware devices on the electronic device and the computer program 222, so that the processor 21 can operate on and process the mass data 223 in the memory 22; it may be Windows, Unix or Linux. The computer program 222 may include, in addition to the computer program for performing the database transparent encryption and access control method performed by the electronic device as disclosed in any of the foregoing embodiments, a computer program for performing other specific tasks. The data 223 may include, in addition to data received by the electronic device and transmitted by an external device, data collected by the input/output interface 25 itself, and so on.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The method, device, equipment and medium for transparent encryption and access control of a database provided by the present invention have been described in detail above. Specific examples have been used to explain the principle and implementation of the invention, and the description of these examples is intended only to help in understanding the method and core idea of the invention. Those skilled in the art will make variations in the specific embodiments and scope of application in accordance with the ideas of the present invention, and the present description should therefore not be construed as limiting the invention.

Claims (10)

1. A method for transparent encryption and access control of a database, comprising:
establishing a target connection between an application server and a database based on a security policy and by means of a transparent encryption and access control plug-in; the security policy comprises an access control policy, an encryption policy and a decryption policy;
when the transparent encryption and access control plug-in receives a write-in request of the application server through the target connection, judging whether the write-in request is limited access or not based on a matching result of first target information in the write-in request and the access control strategy, and if not, writing data to be written in the write-in request into the database by utilizing the encryption strategy;
when the transparent encryption and access control plug-in receives a read request of the application server through the target connection, obtaining a read result corresponding to the read request and returned by the database, judging whether the read request is limited access based on a matching result of second target information of the read result and the access control policy, and if not, sending the read result to the application server by using the decryption policy.
2. The method for transparent encryption and access control of a database according to claim 1, wherein the establishing a target connection between an application server and the database based on the security policy and using the transparent encryption and access control plug-in comprises:
acquiring a connection request sent by an application server through a transparent encryption and access control plug-in, identifying third target information in the connection request by using the transparent encryption and access control plug-in, and judging whether the connection request is legal or not based on the third target information and a security policy; the third target information comprises any one or more of a database name, a database account number and an IP address;
If yes, establishing target connection between the application server and the database.
3. The method for transparent encryption and access control of a database according to claim 1, wherein the establishing a target connection between an application server and the database based on the security policy and using the transparent encryption and access control plug-in comprises:
if a database local transparent encryption and access control plug-in a database server receives a connection request sent by an application server, establishing target connection between the application server and a first database in the database server based on a security policy by utilizing the database local transparent encryption and access control plug-in.
4. A method of transparent encryption and access control of a database according to claim 3, wherein said writing data to be written in said write request to said database using said encryption policy comprises:
the database engine is used for calling the local transparent encryption and access control plug-in of the database to acquire an encryption strategy sent by a database security agent in the database server, and the encryption strategy is utilized to encrypt data to be written in the write-in request so as to obtain encrypted data;
The database local transparent encryption and access control plug-in returns the encrypted data to the database engine so that the database engine writes the encrypted data into the first database;
correspondingly, the sending the read result to the application server by using the decryption policy includes:
and calling the database local transparent encryption and access control plug-in by the database engine to acquire a decryption strategy sent by a database security agent in the database server, decrypting the read result by utilizing the decryption strategy to obtain a decrypted read result, and returning the decrypted read result to the database engine so that the decrypted read result is sent to the application server by the database engine.
5. The method for transparent encryption and access control of a database according to claim 1, wherein the establishing a target connection between an application server and the database based on the security policy and using the transparent encryption and access control plug-in comprises:
if a database remote transparent encryption and access control plug-in an application server receives a connection request sent by the application server, establishing target connection between the application server and a second database in the application server by utilizing the database remote transparent encryption and access control plug-in based on a security policy.
6. The method for transparent encryption and access control of a database according to claim 5, wherein said writing the data to be written in the write request to the database using the encryption policy comprises:
acquiring an encryption strategy sent by a database security agent in the application server through the database remote transparent encryption and access control plug-in, and writing data to be written in the write request into the second database by utilizing the encryption strategy;
correspondingly, the sending the read result to the application server by using the decryption policy includes:
and acquiring a decryption strategy sent by a database security agent in the application server through the database remote transparent encryption and access control plug-in, decrypting the read result by utilizing the decryption strategy to obtain a decrypted read result, and then sending the decrypted read result to the application server.
7. The transparent encryption and access control method according to claim 6, wherein when the transparent encryption and access control plug-in receives a read request of the application server through the target connection, obtaining a read result corresponding to the read request returned by the database includes:
When the database remote transparent encryption and access control plug-in receives a read request of the application server through the target connection, judging whether a sensitive field exists in the read request;
and if so, carrying out format-preserving encryption on the sensitive field based on the encryption policy to obtain an encrypted read request, and sending the encrypted read request to the second database so as to acquire a read result corresponding to the encrypted read request and returned by the second database.
8. The method according to any one of claims 1 to 7, wherein the transmitting the read result to the application server using the decryption policy includes:
judging whether sensitive data exist in the reading result, if so, performing data desensitization on the sensitive data to obtain a desensitized reading result, and transmitting the desensitized reading result to the application server by utilizing the decryption strategy.
9. A database transparent encryption and access control device, comprising:
the connection establishment module is used for establishing target connection between the application server and the database by using the transparent encryption and access control plug-in based on the security policy; the security policy comprises an access control policy, an encryption policy and a decryption policy;
The writing module is used for judging whether the writing request is limited access or not based on the matching result of the first target information in the writing request and the access control strategy when the transparent encryption and access control plug-in receives the writing request of the application server through the target connection, and if not, writing the data to be written in the writing request into the database by utilizing the encryption strategy;
and the reading module is used for acquiring a reading result corresponding to the reading request returned by the database when the transparent encryption and access control plug-in receives the reading request of the application server through the target connection, judging whether the reading request is the limited access or not based on the second target information of the reading result and the matching result of the access control strategy, and if not, sending the reading result to the application server by using the decryption strategy.
10. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the database transparent encryption and access control method according to any one of claims 1 to 8.
CN202211704173.2A 2022-12-29 2022-12-29 Transparent encryption and access control method, device and equipment for database Pending CN116150242A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211704173.2A CN116150242A (en) 2022-12-29 2022-12-29 Transparent encryption and access control method, device and equipment for database

Publications (1)

Publication Number Publication Date
CN116150242A true CN116150242A (en) 2023-05-23

Family

ID=86340029

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211704173.2A Pending CN116150242A (en) 2022-12-29 2022-12-29 Transparent encryption and access control method, device and equipment for database

Country Status (1)

Country Link
CN (1) CN116150242A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116975926A (en) * 2023-08-16 2023-10-31 合肥安永信息科技有限公司 Database proxy encryption system based on trusted execution environment
CN117113423A (en) * 2023-10-24 2023-11-24 中电科网络安全科技股份有限公司 Transparent encryption method, device, equipment and storage medium for database
CN117113423B (en) * 2023-10-24 2024-04-12 中电科网络安全科技股份有限公司 Transparent encryption method, device, equipment and storage medium for database

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination