CN116915387A - Extensible database transparent encryption device and method - Google Patents

Info

Publication number: CN116915387A
Application number: CN202311183149.3A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Pending
Inventors: 宋长冉, 刘昭雷, 张玉涛, 徐建超, 孙超, 刘会议
Current and original assignee: Sanwei Xin'an Technology Co ltd; Shandong Sanwei Xinan Information Technology Co ltd
Prior art keywords: database, protocol, data, module, client

Classifications

    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L69/22 Parsing or analysis of headers
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/40 Network security protocols
    • H04L2209/72 Signcrypting, i.e. digital signing and encrypting simultaneously

Abstract

The invention discloses an extensible database transparent encryption device and method. The device is deployed between a client and a database system, with one end communicatively connected to the client and the other end communicatively connected to the database system. The device comprises: a data distribution module, used for receiving a database request protocol sent by the client and forwarding it to a database protocol processing module of the corresponding type according to a pre-configured TCP port; and the database protocol processing module, used for receiving the corresponding database request protocol from the data distribution module, parsing, encrypting and repackaging it, and sending it to the database system. The device requires no configuration or modification of the accessing client program or the database system, and is convenient to deploy. Support for additional databases can be added by dynamically loading modules, and multiple database proxies can be used simultaneously. The device has a wide application range and high security.

Description

Extensible database transparent encryption device and method
Technical Field
The invention relates to the technical field of secure transmission and encryption for databases, and in particular to an extensible database transparent encryption device and method, commonly used in products such as database encryption gateways and database transparent proxy gateways.
Background
With the rapid development of modern technology, big data has become an important resource for many industries. Data is generated continuously, and data from multiple channels such as social media, mobile applications and Internet of Things devices continuously pours into databases. This data contains valuable information that helps enterprises make better-informed decisions, optimize services and develop innovative products, and even supports breakthroughs in the medical and scientific fields. However, as the volume of data increases, data security issues gradually emerge.
In fact, storing plaintext data in a database is no longer secure, because an attacker can steal the data through social engineering, technical intrusion and other means. The security of the database is therefore particularly important. Encrypting sensitive data fields in a database is a fairly effective measure for guaranteeing data privacy: it greatly reduces potential risks and protects the data during storage and transmission.
In the related art, encryption and decryption functions are applied to the data by rewriting the requested SQL statement. The database service must add a UDF plug-in; this plug-in approach modifies the database, deployment is complicated, and it cannot be used across multiple different databases. UDF: user-defined function.
In addition, some prior art has a JDBC client driver module rewrite the SQL of a request. Every application must then be changed to replace the original database JDBC driver with the new driver module, and only the Java development language is supported, which is a significant limitation. JDBC: Java Database Connectivity, the standard interface for connecting to databases from the Java language.
Other approaches implement encryption protection of database data through database triggers or disk encryption. However, the database server must be configured and modified, and triggers have different requirements on different databases, which is an even greater limitation. In addition, disk encryption requires reworking and reconfiguring the database software, and it encrypts all data, which is slow.
In summary, the database has the following drawbacks:
1) The data in the database is stored in plaintext, and high-privilege users can access the sensitive data in the database, causing data leakage.
2) The sensitive data in the database has no tamper-proofing mechanism, so the integrity of the data cannot be checked when it is illegally tampered with.
3) The sensitive data in the database has no desensitization mechanism, so partial masking of the data and replacement of specific characters cannot be implemented.
Disclosure of Invention
In view of this, the present invention provides an extensible database transparent encryption device and method, which aims to solve the problems in database use described in the background above, and can also solve the difficulty of deploying conventional database encryption.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
In a first aspect, an embodiment of the present invention provides an extensible database transparent encryption device. The device is deployed between a client and a database system, with one end communicatively connected to the client and the other end communicatively connected to the database system. When applied to the client sending data to the database system, the device specifically comprises: a data distribution module and a plurality of different types of database protocol processing modules;
the data distribution module is used for receiving a database request protocol sent by the client; forwarding the database request protocol to a database protocol processing module of a corresponding type according to a pre-configured TCP port;
the database protocol processing module is used for receiving the corresponding database request protocol from the data distribution module, parsing, encrypting and repackaging it, and then sending it to the database system; the database request protocol includes a plurality of data communication sub-packets.
In one embodiment, the database protocol processing module includes:
the database protocol analysis module is used for parsing and splitting the data communication sub-packets in the database request protocol, extracting the SQL statements from them, and transmitting the SQL statements to the SQL statement processing module;
the SQL statement processing module is used for parsing the received SQL statement, extracting from it the data of the fields that are to be encrypted, and transmitting that data to the encryption and decryption module for processing;
the encryption and decryption module is used for encrypting the data of the fields to be encrypted according to the configured data processing algorithms; the data processing algorithms comprise an encryption algorithm, a hash algorithm, a signature algorithm and a desensitization algorithm;
and the database protocol packaging module is used for repackaging the ciphertext data produced by the encryption and decryption module into a database request protocol of the corresponding type and sending it to the database system.
In one embodiment, the encryption and decryption module is further configured to accept other algorithms registered with it by dynamic loading.
In a second aspect, an embodiment of the present invention further provides an extensible database transparent encryption device. The device is deployed between a client and a database system, with one end communicatively connected to the client and the other end communicatively connected to the database system. When applied to the database system sending data to the client, the device specifically comprises: a data distribution module and a plurality of different types of database protocol processing modules;
the data distribution module is used for receiving a database response protocol returned by the database system; forwarding the database response protocol to a database protocol processing module of a corresponding type according to a pre-configured TCP port;
the database protocol processing module is used for receiving the corresponding database response protocol from the data distribution module, parsing, decrypting and repackaging it, and returning it to the corresponding client.
In one embodiment, the database protocol processing module includes:
the database protocol analysis module is used for parsing each data communication sub-packet in the database response protocol, determining the ciphertext field data in it, and transmitting the ciphertext field data to the encryption and decryption module for processing;
the encryption and decryption module is used for decrypting the ciphertext field data to be decrypted according to the configured data processing algorithms; the data processing algorithms comprise an encryption algorithm, a hash algorithm, a signature algorithm and a desensitization algorithm;
and the database protocol packaging module is used for repackaging the plaintext data decrypted by the encryption and decryption module into a database response protocol of the corresponding type and sending it to the client.
In one embodiment, the encryption and decryption module is further configured to accept other algorithms registered with it by dynamic loading.
In a third aspect, an embodiment of the present invention further provides an extensible database transparent encryption method, using the extensible database transparent encryption device of the first aspect, where the method specifically includes:
S10, the data distribution module receives a database request protocol sent by a client, and forwards the database request protocol to a database protocol processing module of the corresponding type according to a pre-configured TCP port;
S20, the database protocol processing module parses, encrypts and repackages the received database request protocol and sends it to the database system; the database request protocol includes a plurality of data communication sub-packets.
In one embodiment, the step S20 specifically includes:
S201, parsing and splitting the data communication sub-packets in the database request protocol and extracting the SQL statements from them;
S202, parsing the SQL statement and extracting from it the data of the fields that are to be encrypted;
S203, encrypting the data of the fields to be encrypted according to the configured data processing algorithms; the data processing algorithms comprise an encryption algorithm, a hash algorithm, a signature algorithm and a desensitization algorithm;
S204, repackaging the encrypted ciphertext data into a database request protocol of the corresponding type, and sending it to the database system.
In one embodiment, the data processing algorithms in step S203 further include other algorithms registered with the encryption and decryption module by dynamic loading.
In a fourth aspect, an embodiment of the present invention further provides an extensible database transparent encryption method, using the extensible database transparent encryption device of the second aspect, where the method specifically includes:
S30, the data distribution module receives a database response protocol returned by the database system, and forwards the database response protocol to a database protocol processing module of the corresponding type according to a pre-configured TCP port;
S40, the database protocol processing module parses, decrypts and repackages the received database response protocol and returns it to the corresponding client.
In one embodiment, the step S40 specifically includes:
S401, parsing each data communication sub-packet in the database response protocol, and determining the ciphertext field data in it;
S402, decrypting the ciphertext field data to be decrypted according to the configured data processing algorithms; the data processing algorithms comprise an encryption algorithm, a hash algorithm, a signature algorithm and a desensitization algorithm;
S403, repackaging the decrypted plaintext data into a database response protocol of the corresponding type, and sending it to the client.
In one embodiment, the data processing algorithms in step S402 further include other algorithms registered with the encryption and decryption module by dynamic loading.
In a fifth aspect, an embodiment of the present invention further provides an extensible database transparent encryption device. The device is deployed between a client and a database system, with one end communicatively connected to the client and the other end communicatively connected to the database system. The device specifically comprises: a data distribution module and a plurality of different types of database protocol processing modules;
wherein, when the device is applied to the client sending data to the database system:
the data distribution module is used for receiving a database request protocol sent by the client; forwarding the database request protocol to a database protocol processing module of a corresponding type according to a pre-configured TCP port;
the database protocol processing module is used for receiving the corresponding database request protocol from the data distribution module, parsing, encrypting and repackaging it, and then sending it to the database system; the database request protocol comprises a plurality of data communication sub-packets;
when the device is applied to the database system sending data to the client:
the data distribution module is also used for receiving a database response protocol returned by the database system; forwarding the database response protocol to a database protocol processing module of a corresponding type according to a pre-configured TCP port;
the database protocol processing module is further configured to receive a corresponding database response protocol from the data distribution module, perform parsing, decryption, and repackaging processing, and return the result to the corresponding client.
The description of the second to fifth aspects of the present invention may refer to the detailed description of the first aspect; also, the advantageous effects described in the second aspect to the fifth aspect may refer to the advantageous effect analysis of the first aspect, and are not described herein.
Compared with the prior art, the invention discloses an extensible database transparent encryption device. Where securing database access would otherwise require modifying the client access program, the database software or the operating system hosting the database, the device can instead be deployed between the client and the database without any configuration or modification of the accessing client program or the database system. By dynamically loading modules, support can be extended to multiple databases, and multiple database proxies can be used simultaneously.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a block diagram showing the interaction of the extensible database transparent encryption device provided in embodiment 1 when sending an SQL request.
Fig. 2 is a block diagram showing the interaction of the extensible database transparent encryption device provided in embodiment 2 when returning SQL results.
Fig. 3 is a flowchart of the extensible database transparent encryption method provided in embodiment 3.
Fig. 4 is a detailed flowchart of step S20 in embodiment 3.
Fig. 5 is a flowchart of the extensible database transparent encryption method provided in embodiment 4.
Fig. 6 is a detailed flowchart of step S40 in embodiment 4.
Fig. 7 is a data communication flowchart of the extensible database transparent encryption device provided in embodiment 5.
Fig. 8 is a schematic diagram of a deployment of the extensible database transparent encryption device in embodiment 5.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1:
The embodiment of the invention provides an extensible database transparent encryption device, as shown in Fig. 1. The device is deployed between a client and a database system, with one end communicatively connected to the client and the other end communicatively connected to the database system. When applied to the client sending data to the database system, the device specifically comprises: a data distribution module and a plurality of different types of database protocol processing modules;
the data distribution module is used for receiving an SQL request sent by the client, the SQL request being encapsulated in a database request protocol; forwarding the database request protocol to a database protocol processing module of a corresponding type according to a pre-configured TCP port; SQL request types include SELECT, INSERT, UPDATE, DELETE, etc.
There is a separate database protocol processing module for each database type. Database types include, for example: MySQL, Microsoft Access, Microsoft SQL Server, *** Fusion Tables, FileMaker, Oracle databases, etc.
The database protocol processing module is used for receiving the corresponding database request protocol from the data distribution module, parsing, encrypting and repackaging it, and then sending it to the database system; the database request protocol comprises a plurality of data communication sub-packets. With a data distribution module and a plurality of database protocol processing modules, multiple different types of databases can easily be supported. This modular design makes it easier to add new database types or modify existing modules, improving the extensibility and flexibility of the encryption device.
The device realizes transparent encryption of the database, and the client can encrypt and protect the sensitive data without modifying the existing application program or SQL query. This makes data protection more convenient, without requiring extensive modification to existing systems.
Each database protocol processing module comprises 4 sub-modules: a database protocol analysis module, an SQL statement analysis module, a database protocol encapsulation module and an encryption and decryption module.
The database protocol analysis module is used for parsing and splitting the data communication sub-packets in the database request protocol, extracting the SQL statements from them, and then transmitting the SQL statements to the SQL statement processing module;
and the SQL statement processing module is used for parsing the received SQL statement, extracting from it the data of the fields that are to be encrypted, and transmitting that data to the encryption and decryption module for processing.
The encryption and decryption module is used for encrypting the data of the fields to be encrypted according to the configured data processing algorithms; the data processing algorithms comprise an encryption algorithm, a hash algorithm, a signature algorithm, a desensitization algorithm and the like; other algorithms can be registered with the encryption and decryption module by dynamic loading. The user can select the most suitable algorithm for the specific security requirements, achieving a higher level of data protection while meeting different encryption needs. A new encryption algorithm can also be added, or an existing algorithm updated, at any time without major modification of the whole encryption device. This flexibility allows the encryption device to accommodate changing security requirements.
And the database protocol packaging module is used for repackaging the ciphertext data produced by the encryption and decryption module into a database request protocol of the corresponding type and sending it to the database system. Field data that does not need to be encrypted is encapsulated directly into a database request protocol of the corresponding type and sent to the database system.
In this embodiment, one end of the device is connected to the client and the other end to the database system. The device receives the database request protocol sent by the client, parses the communication protocol in the processing module for that database type, encrypts and repackages it, and then sends it to the database system. The device applies when the client sends data to the database system; it requires no configuration or modification of the client or the database, and support for additional databases can be added by dynamically loading modules. Multiple database proxies may be used simultaneously. In addition, algorithms may be loaded through dynamic loading and configuration files, so different algorithms can be added and custom algorithm implementations can be plugged in. The device has a wide application range and high security.
In addition, by moving processing such as encryption and decryption from the database server to the device, the device reduces the load on the database server and improves overall system performance. This is particularly applicable when a large amount of data is encrypted. Moreover, because the data of the protected fields is encrypted, internal personnel such as database administrators cannot directly access the sensitive data, which protects user privacy and sensitive information.
Example 2:
Corresponding to embodiment 1, the present invention also provides an extensible database transparent encryption device. The technical solution of embodiment 2 extends the advantages of embodiment 1 and focuses on data security and protection when the database system transmits data to a client. The difference from embodiment 1 is that the data is transmitted by the database system to the client.
The device is deployed between a client and a database system, with one end communicatively connected to the client and the other end communicatively connected to the database system. As shown in Fig. 2, when applied to the database system sending data to the client, the device specifically includes: a data distribution module and a plurality of different types of database protocol processing modules;
the data distribution module is used for receiving an SQL response result returned by the database system, wherein the SQL response result comprises a database response protocol; forwarding the database response protocol to a database protocol processing module of a corresponding type according to a pre-configured TCP port;
there are different database protocol processing modules for different database types, respectively.
And the database protocol processing module is used for receiving the corresponding database response protocol from the data distribution module, parsing, decrypting and repackaging it, and returning it to the corresponding client.
The database protocol processing module includes:
the database protocol analysis module is used for parsing each data communication sub-packet in the database response protocol, determining the ciphertext field data in it, and transmitting the ciphertext field data to the encryption and decryption module for processing;
the encryption and decryption module is used for decrypting the ciphertext field data to be decrypted according to the configured data processing algorithms; the data processing algorithms comprise an encryption algorithm, a hash algorithm, a signature algorithm, a desensitization algorithm and the like;
and the database protocol packaging module is used for repackaging the plaintext data decrypted by the encryption and decryption module into a database response protocol of the corresponding type and sending it to the client.
In this embodiment, one end of the device is connected to the client and the other end to the database system. The device receives the database response protocol returned by the database system, parses the communication protocol in the processing module for that database type, decrypts and repackages it, and then returns it to the corresponding client. The device applies when the database system returns data to the client; it requires no configuration or modification of the client or the database, and support for additional databases can be added by dynamically loading modules. Multiple database proxies may be used simultaneously. In addition, algorithms may be loaded through dynamic loading and configuration files, so different algorithms can be added and custom algorithm implementations can be plugged in. The device has a wide application range and high security.
Example 3:
The invention also provides an extensible database transparent encryption method that uses the extensible database transparent encryption device of Example 1 and provides a data security protection scheme for the case where a client sends data to the database system. Referring to fig. 3, the method specifically comprises:
S10. The data distribution module receives the database request protocol sent by the client and forwards it to the database protocol processing module of the corresponding type according to the pre-configured TCP port;
S20. The database protocol processing module parses, encrypts and repackages the received database request protocol and sends it to the database system; the database request protocol includes a plurality of data communication sub-packets.
Step S20, referring to fig. 4, specifically includes:
S201. Parsing each data communication sub-packet in the database request protocol, and splitting out and extracting the SQL statements;
S202. Parsing the SQL statement and extracting from it the data of the fields to be encrypted;
S203. Encrypting the data of the fields to be encrypted according to the configured data processing algorithms; the data processing algorithms include an encryption algorithm, a hash algorithm, a signature algorithm and a desensitization algorithm;
S204. Repackaging the encrypted ciphertext data into a database request protocol of the corresponding type and sending it to the database system.
The method of this embodiment protects data security when the client sends data to the database system. It combines transparency, extensibility, a range of data processing algorithms, privacy protection and other advantages, and provides a flexible, efficient and reliable solution to the security problem in the data transmission process.
Example 4:
The invention also provides an extensible database transparent encryption method that uses the extensible database transparent encryption device of Example 2 and provides a data security protection scheme for the case where the database system sends data to a client. Referring to fig. 5, the method specifically comprises:
S30. The data distribution module receives the database response protocol returned by the database system and forwards it to the database protocol processing module of the corresponding type according to the pre-configured TCP port;
S40. The database protocol processing module parses, decrypts and repackages the received database response protocol and returns it to the corresponding client.
Step S40, referring to fig. 6, specifically includes:
S401. Parsing each data communication sub-packet in the database response protocol and identifying the ciphertext field data in it;
S402. Decrypting the ciphertext field data to be decrypted according to the configured data processing algorithms; the data processing algorithms include an encryption algorithm, a hash algorithm, a signature algorithm and a desensitization algorithm;
S403. Repackaging the decrypted plaintext data into a database response protocol of the corresponding type and sending it to the client.
The method of this embodiment protects data security when the database system sends data to the client. It combines transparency, extensibility, a range of data processing algorithms, privacy protection and other advantages, and provides an efficient, flexible and reliable solution to the security problem in the data transmission process.
Example 5:
This example gives a more specific explanation with reference to Examples 1 and 2 above:
The invention provides an extensible database transparent encryption device that is deployed between a client and a database system, with one end in communication connection with the client and the other end in communication connection with the database system. The device specifically comprises a data distribution module and a plurality of database protocol processing modules of different types.
The two directions of data transmission are described as follows:
(1) As shown in fig. 1, when the client sends data to the database system:
the data distribution module is configured to receive the database request protocol sent by the client and forward it to the database protocol processing module of the corresponding type according to the pre-configured TCP port;
the database protocol processing module is configured to receive the corresponding database request protocol from the data distribution module, parse, encrypt and repackage it, and then send it to the database system; the database request protocol comprises a plurality of data communication sub-packets;
(2) As shown in fig. 2, when the database system sends data to the client:
the data distribution module is also configured to receive the database response protocol returned by the database system and forward it to the database protocol processing module of the corresponding type according to the pre-configured TCP port;
the database protocol processing module is also configured to receive the corresponding database response protocol from the data distribution module, parse, decrypt and repackage it, and return it to the corresponding client.
The data communication flow of the device is shown in fig. 7:
1. The client initiates an SQL request; the request types include Select, Insert, Update, Delete, etc.
2. The database request protocol reaches the data distribution module of the device, which forwards the data to the database processing module of the corresponding type according to the pre-configured TCP port. For example:
a) If the destination port is 3306, the data is forwarded to the MySQL database processing module.
b) If the destination port is 1521, the data is forwarded to the Oracle database processing module.
3. The database protocol analysis module parses the database request protocol into a plurality of protocol sub-packets and extracts the SQL statements from the sub-packets. Each SQL statement is then passed to the SQL statement processing module.
4. The SQL statement processing module determines, according to the type of the SQL statement, whether it contains data that needs encryption. The cases are:
a) Select statement: determine whether the statement contains a field to be encrypted; if so, record the field name so that the response can be decrypted when it is received.
b) Insert/Update statement: determine whether the statement contains a field to be encrypted; if so, encrypt the data content of the inserted or updated field.
c) Delete statement: the SQL fields are not encrypted.
d) The SQL statement contains the Where keyword: determine whether the Where clause contains a field to be encrypted; if so, encrypt the corresponding field data.
5. The SQL statement processing module encrypts and decrypts data by calling the encryption and decryption module, which dynamically follows the pre-configured information and calls an internal algorithm or an externally registered algorithm to process the data.
6. The processed SQL statement is repackaged by the database protocol packaging module, and the rewritten database request protocol is then sent to the database system.
7. The database receives and processes the request, which includes querying, inserting, updating or deleting data, and then responds with the processing result.
8. The response protocol of the database also enters the data distribution module of the device, which forwards the data to the database protocol processing module of the corresponding type according to the pre-configured TCP port. For example:
a) If the source port is 3306, the data is forwarded to the MySQL database protocol processing module.
b) If the source port is 1521, the data is forwarded to the Oracle database protocol processing module.
9. The database protocol analysis module determines whether the data contains a field to be encrypted; if so, it decrypts that data in the response.
10. The database protocol analysis module encrypts and decrypts data by calling the encryption and decryption module, which dynamically follows the pre-configured information and calls an internal algorithm or an externally registered algorithm to process the data.
11. The processed response data is repackaged by the database protocol packaging module, and the rewritten database response protocol is then sent to the client.
12. The client receives the response data as plaintext.
Through this data communication flow, the client sends a plaintext data request; after the request passes through the database transparent encryption device, the database side operates on ciphertext, which ensures the security of the database data.
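The request and response handling in steps 2 to 11 above, as an added Python sketch (not code from the patent or its applicant). The column `id_card`, the key, the `ENC:` prefix, the `det-hmac` name and the regex-based SQL subset are assumptions; the cipher is a toy SIV-style construction from HMAC-SHA256 standing in for a vetted deterministic AEAD such as AES-SIV, and dicts stand in for parsed result-set packets.

```python
import hashlib
import hmac
import re

# Constructed configuration: only the two port numbers come from the text.
PORT_TO_MODULE = {3306: "mysql", 1521: "oracle"}
SENSITIVE = {"id_card": "det-hmac"}  # hypothetical column -> algorithm name
KEY = b"constructed-demo-key"        # placeholder key for the demo
ALGORITHMS = {}                      # name -> (encrypt, decrypt)


def register_algorithm(name, encrypt, decrypt):
    """Registration hook for internal or externally supplied algorithms."""
    ALGORITHMS[name] = (encrypt, decrypt)


def _mac(label, data):
    return hmac.new(KEY, label + data, hashlib.sha256).digest()


def _stream(tag, n):
    blocks = (_mac(b"enc", tag + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def det_encrypt(text):
    """Toy SIV-style deterministic scheme: same plaintext, same ciphertext."""
    pt = text.encode()
    tag = _mac(b"mac", pt)[:16]
    ct = bytes(a ^ b for a, b in zip(pt, _stream(tag, len(pt))))
    return "ENC:" + (tag + ct).hex()


def det_decrypt(token):
    raw = bytes.fromhex(token[4:])
    tag, ct = raw[:16], raw[16:]
    pt = bytes(a ^ b for a, b in zip(ct, _stream(tag, len(ct))))
    if not hmac.compare_digest(tag, _mac(b"mac", pt)[:16]):
        raise ValueError("ciphertext failed integrity check")
    return pt.decode()


register_algorithm("det-hmac", det_encrypt, det_decrypt)


def dispatch(port):
    """Data distribution module: pick the protocol handler by TCP port."""
    if port not in PORT_TO_MODULE:
        raise ValueError(f"no protocol module configured for port {port}")
    return PORT_TO_MODULE[port]


_INSERT = re.compile(
    r"(?is)^\s*insert\s+into\s+(\w+)\s*\(([^)]*)\)\s*values\s*\((.*)\)\s*;?\s*$")
_VALUE = re.compile(r"'(?:[^']|'')*'|[^,\s][^,]*")
_COMPARE = re.compile(r"\b(\w+)\s*=\s*('(?:[^']|'')*')")


def _protect(column, token):
    """Encrypt one SQL value token if its column is configured as sensitive."""
    algo = SENSITIVE.get(column.lower())
    if algo is None or token.upper() == "NULL":
        return token
    inner = token[1:-1].replace("''", "'") if token.startswith("'") else token
    return "'" + ALGORITHMS[algo][0](inner) + "'"


def rewrite_request(sql):
    """Rewrite single-row INSERT and column = 'literal' pairs (SET, WHERE)."""
    m = _INSERT.match(sql)
    if m is None:
        return _COMPARE.sub(lambda c: c.group(0)[: c.start(2) - c.start(0)]
                            + _protect(c.group(1), c.group(2)), sql)
    cols = [c.strip() for c in m.group(2).split(",")]
    vals = [v.strip() for v in _VALUE.findall(m.group(3))]
    if len(cols) != len(vals):
        # Fail closed instead of forwarding a statement that cannot be aligned.
        raise ValueError("column/value count mismatch; statement not forwarded")
    new_vals = ", ".join(_protect(c, v) for c, v in zip(cols, vals))
    return f"INSERT INTO {m.group(1)} ({', '.join(cols)}) VALUES ({new_vals})"


def decrypt_response(rows):
    """Response path: decrypt configured columns (dicts stand in for packets)."""
    def clear(col, val):
        algo = SENSITIVE.get(col.lower())
        is_ct = algo is not None and isinstance(val, str) and val.startswith("ENC:")
        return ALGORITHMS[algo][1](val) if is_ct else val
    return [{c: clear(c, v) for c, v in row.items()} for row in rows]
```

Encrypting the literal in a Where clause only matches stored rows when the encryption is deterministic, which reveals equal plaintexts to anyone who can read the table. Range and LIKE predicates on an encrypted column cannot be evaluated over this kind of ciphertext.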
With the above embodiments, as shown in fig. 8, the device may be deployed in a firewall and connected to the same switch as the database. An external service server acts as a client and accesses the database on the internal network, and the database transparent encryption device processes the service server's requests and responses. The data stored in the database is ciphertext, but the service server is not aware of this.
In this embodiment, the technical scheme combines the advantages of transparent encryption, extensibility, a choice of encryption algorithms, isolation security and the like, and can provide a flexible, efficient and secure solution for protecting sensitive data in a database.
In this specification, the embodiments are described progressively; each embodiment focuses on its differences from the others, and for identical or similar parts the embodiments may be referred to one another. Because the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant points, refer to the description of the method.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (13)

1. An extensible database transparent encryption device, characterized in that the device is deployed between a client and a database system, one end of the device being in communication connection with the client and the other end being in communication connection with the database system; the device applies when the client sends data to the database system, and specifically comprises: a data distribution module and a plurality of database protocol processing modules of different types;
the data distribution module is configured to receive a database request protocol sent by the client and forward the database request protocol to the database protocol processing module of the corresponding type according to a pre-configured TCP port;
the database protocol processing module is configured to receive the corresponding database request protocol from the data distribution module, parse, encrypt and repackage it, and then send it to the database system; the database request protocol includes a plurality of data communication sub-packets.
2. The extensible database transparent encryption device of claim 1, wherein the database protocol processing module comprises:
the database protocol analysis module, configured to parse each data communication sub-packet in the database request protocol, split out and extract the SQL statements, and pass the SQL statements to the SQL statement processing module;
the SQL statement processing module, configured to parse the received SQL statement, extract from it the data of the fields to be encrypted, and pass that data to the encryption and decryption module for processing;
the encryption and decryption module, configured to encrypt the data of the fields to be encrypted according to the configured data processing algorithms; the data processing algorithms include an encryption algorithm, a hash algorithm, a signature algorithm and a desensitization algorithm;
and the database protocol packaging module, configured to repackage the ciphertext data encrypted by the encryption and decryption module into a database request protocol of the corresponding type and send the database request protocol to the database system.
3. The extensible database transparent encryption device according to claim 2, wherein the encryption and decryption module is further configured to accept registration of other algorithms to the encryption and decryption module by dynamic loading.
4. An extensible database transparent encryption device, characterized in that the device is deployed between a client and a database system, one end of the device being in communication connection with the client and the other end being in communication connection with the database system; the device applies when the database system sends data to the client, and specifically comprises: a data distribution module and a plurality of database protocol processing modules of different types;
the data distribution module is configured to receive a database response protocol returned by the database system and forward the database response protocol to the database protocol processing module of the corresponding type according to a pre-configured TCP port;
the database protocol processing module is configured to receive the corresponding database response protocol from the data distribution module, parse, decrypt and repackage it, and return it to the corresponding client.
5. The extensible database transparent encryption device of claim 4, wherein the database protocol processing module comprises:
the database protocol analysis module, configured to parse each data communication sub-packet in the database response protocol, identify the ciphertext field data in it, and pass the ciphertext field data to the encryption and decryption module for processing;
the encryption and decryption module, configured to decrypt the ciphertext field data to be decrypted according to the configured data processing algorithms; the data processing algorithms include an encryption algorithm, a hash algorithm, a signature algorithm and a desensitization algorithm;
and the database protocol packaging module, configured to repackage the plaintext data decrypted by the encryption and decryption module into a database response protocol of the corresponding type and send it to the client.
6. The extensible database transparent encryption device of claim 5, wherein the encryption and decryption module is further configured to accept registration of other algorithms to the encryption and decryption module by dynamic loading.
7. An extensible database transparent encryption method, characterized in that it uses the extensible database transparent encryption device according to any one of claims 1-3, the method specifically comprising:
S10. The data distribution module receives a database request protocol sent by a client and forwards the database request protocol to the database protocol processing module of the corresponding type according to a pre-configured TCP port;
S20. The database protocol processing module parses, encrypts and repackages the received database request protocol and sends it to the database system; the database request protocol includes a plurality of data communication sub-packets.
8. The extensible database transparent encryption method according to claim 7, wherein step S20 specifically comprises:
S201. Parsing each data communication sub-packet in the database request protocol, and splitting out and extracting the SQL statements;
S202. Parsing the SQL statement and extracting from it the data of the fields to be encrypted;
S203. Encrypting the data of the fields to be encrypted according to the configured data processing algorithms; the data processing algorithms include an encryption algorithm, a hash algorithm, a signature algorithm and a desensitization algorithm;
S204. Repackaging the encrypted ciphertext data into a database request protocol of the corresponding type and sending the database request protocol to the database system.
9. The extensible database transparent encryption method according to claim 8, wherein the data processing algorithms in step S203 further support accepting other algorithms registered to the encryption and decryption module by dynamic loading.
10. An extensible database transparent encryption method, characterized in that it uses the extensible database transparent encryption device according to any one of claims 4-6, the method specifically comprising:
S30. The data distribution module receives a database response protocol returned by the database system and forwards the database response protocol to the database protocol processing module of the corresponding type according to a pre-configured TCP port;
S40. The database protocol processing module parses, decrypts and repackages the received database response protocol and returns it to the corresponding client.
11. The extensible database transparent encryption method according to claim 10, wherein step S40 specifically comprises:
S401. Parsing each data communication sub-packet in the database response protocol and identifying the ciphertext field data in it;
S402. Decrypting the ciphertext field data to be decrypted according to the configured data processing algorithms; the data processing algorithms include an encryption algorithm, a hash algorithm, a signature algorithm and a desensitization algorithm;
S403. Repackaging the decrypted plaintext data into a database response protocol of the corresponding type and sending the database response protocol to the client.
12. The extensible database transparent encryption method according to claim 11, wherein the data processing algorithms in step S402 further support accepting other algorithms registered to the encryption and decryption module by dynamic loading.
13. An extensible database transparent encryption device, characterized in that the device is deployed between a client and a database system, one end of the device being in communication connection with the client and the other end being in communication connection with the database system; the device specifically comprises: a data distribution module and a plurality of database protocol processing modules of different types;
wherein, when the client sends data to the database system:
the data distribution module is configured to receive a database request protocol sent by the client and forward the database request protocol to the database protocol processing module of the corresponding type according to a pre-configured TCP port;
the database protocol processing module is configured to receive the corresponding database request protocol from the data distribution module, parse, encrypt and repackage it, and then send it to the database system; the database request protocol comprises a plurality of data communication sub-packets;
and when the database system sends data to the client:
the data distribution module is also configured to receive a database response protocol returned by the database system and forward the database response protocol to the database protocol processing module of the corresponding type according to a pre-configured TCP port;
the database protocol processing module is further configured to receive the corresponding database response protocol from the data distribution module, parse, decrypt and repackage it, and return the result to the corresponding client.
CN202311183149.3A 2023-09-14 2023-09-14 Extensible database transparent encryption device and method Pending CN116915387A (en)

Publications (1)

Publication Number Publication Date
CN116915387A true CN116915387A (en) 2023-10-20

Family

ID=88360694

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination