CN102855448B - A kind of Field-level database encryption device - Google Patents
- Publication number
- CN102855448B
- Authority
- CN
- China
- Prior art keywords
- encryption
- database
- field
- statement
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Storage Device Security (AREA)
Abstract
The present invention belongs to the field of information security and provides a field-level database encryption device comprising: a user information storage unit, for storing the database encryption symmetric key encrypted with the user's public key; a database field encryption setting unit, for setting whether each field in the database is encrypted; and a database access preprocessor that, according to the decrypted database encryption symmetric key and the field encryption configuration information in the database field encryption setting unit, applies an encryption transformation or a decryption transformation to database access statements. With the embodiments of the present invention, the user can choose among the symmetric encryption algorithms supported by the database system according to the required cipher strength; the application program does not need to perform encryption or decryption operations on the database, since all data encryption and decryption is carried out by the database system; full-text search on data items is supported; and the original database access statements need no modification and can be used transparently.
Description
Technical field
The invention belongs to the field of information security, and in particular relates to a field-level database encryption device.
Background technology
Databases are the principal means of data storage in modern software systems, and the data stored in a database is often sensitive to users; encryption has therefore become an important means of protecting data against disclosure.
At present, data stored in a database is usually encrypted in one of two different ways, depending on the nature of the data.
The first is irreversible encryption. A hash operation is performed on the plaintext data to obtain a characteristic value (digest) of the data, and only that digest is stored in the database; the plaintext is not stored. Because only the digest of the data is kept, the data cannot be recovered, which is a considerable limitation, so this approach is only suitable for certain special types of data. User passwords, for example, are usually stored in this way, the purpose being to use the digest to verify the user's password.
The second is reversible encryption: the plaintext data is encrypted with an encryption algorithm, and the data can be recovered with the corresponding decryption algorithm. This approach does not have the limitation of the first and can encrypt and decrypt all kinds of data.
At present there are various symmetric and asymmetric algorithms for encrypting databases, but once the data is encrypted, database access operations suffer many adverse effects, including the speed of data decryption, retrieval by data field, searching of data, and shared access to data.
Specifically, the following problems exist:
1. Performance: general applications usually decrypt data on the client side, so encrypted data is taken out of the database and then processed, which severely degrades database access performance; when the number of records is large this is practically unusable;
2. Full-text search is not possible: because the database holds ciphertext, full-text search is usually done after fetching and decrypting the ciphertext, which is slower than direct retrieval by the database system and imposes a large overhead on the system;
3. Different users cannot share data: because the data is encrypted with a key specific to one user, data cannot be encrypted where it needs to be shared;
4. Field-level encryption cannot be configured: encryption of individual database fields cannot be selected flexibly, which causes serious data encryption performance problems;
5. Database access by the application system is not transparent: the application system has to perform the encryption and decryption operations on the data itself.
Summary of the invention
The embodiments of the present invention provide a field-level database encryption device that effectively protects database data by encryption while retaining the full range of database operations.
The embodiments of the present invention are achieved as follows. A field-level database encryption device comprises:
a user information storage unit, for storing the database encryption symmetric key encrypted with the user's public key;
a database field encryption setting unit, for setting whether each field in the database is encrypted; and
a database access preprocessor, for applying an encryption transformation or a decryption transformation to database access statements according to the decrypted database encryption symmetric key and the field encryption configuration information in said database field encryption setting unit.
With the embodiments of the present invention, the user can choose among the symmetric encryption algorithms supported by the database system according to the required cipher strength; the application program does not need to perform encryption or decryption operations on the database, since all data encryption and decryption is carried out by the database system; full-text search on data items is supported; the original database access statements need no modification and can be used transparently; and the user only has to preprocess the database access statement before the database operation.
Accompanying drawing explanation
Fig. 1 is a structural diagram of the field-level database encryption device provided by an embodiment of the present invention;
Fig. 2 is a flowchart of an application program accessing the database, as provided by an embodiment of the present invention;
Fig. 3 is a flowchart of the processing of SQL statements provided by an embodiment of the present invention.
Embodiment
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention and not to limit it.
In the embodiments of the present invention, the database encryption symmetric key is encrypted with the user's public key, and the application program's database access statements undergo encryption and decryption transformation, so that the database data is effectively protected by encryption while the full range of database operations is retained.
Fig. 1 shows the structure of the field-level database encryption device provided by an embodiment of the present invention; for convenience of description and understanding, only the parts relevant to the embodiment are shown.
User information storage unit 11 stores the database encryption symmetric key Kdb encrypted with the user's public key Kup.
In the embodiments of the present invention, the fields in the database are encrypted with the database encryption symmetric key Kdb. The database encryption symmetric key is set centrally by the database administrator or the application administrator and cannot be modified by other personnel.
In the embodiments of the present invention, the database encryption symmetric key Kdb can be set using an encryption algorithm supported by the database system, such as the Advanced Encryption Standard (AES); the system administrator can set a string password as the key through a Web interface.
When the system administrator sets the database encryption symmetric key Kdb, Kdb is encrypted with the public key Kup of each user and stored in user information storage unit 11.
When the application program needs to use the database encryption symmetric key Kdb, it decrypts the encrypted Kdb with the user's private key Kus to obtain Kdb, after which it can carry out the subsequent encryption and decryption operations on the database fields.
Each database consists of a number of data tables, and each data table consists of a number of data fields. Database field encryption setting unit 12 is used to set whether each field in the database is encrypted. The encryption setting of a field is made by the system administrator and can be configured through a front-end interface.
In the embodiments of the present invention, a database field encryption setting unit is established in each database to set whether the fields of that database are encrypted.
Database access preprocessor 13 applies an encryption transformation or a decryption transformation to database access statements according to the decrypted database encryption symmetric key Kdb and the database field encryption configuration information in database field encryption setting unit 12.
Fig. 2 shows the processing flow of an application program accessing the database, detailed as follows:
In step S201, the database encryption symmetric key Kdb is decrypted with the user's private key Kus;
In step S202, the data access preprocessor is called;
In the embodiments of the present invention, when calling data access preprocessor 13, the application program passes the decrypted database encryption symmetric key Kdb to data access preprocessor 13;
In step S203, the database is accessed with the database access statement processed by data access preprocessor 13, and the corresponding operation is carried out.
The database in the embodiments of the present invention is generally a database management system (DBMS), for which MySQL may be used; the application program uses the Hypertext Preprocessor (PHP) language; the user side accesses it through a browser; and database access generally uses the Structured Query Language (SQL).
In the embodiments of the present invention, database access preprocessor 13 is a general SQL processing program that preprocesses SQL statements according to the database field encryption configuration information set in database field encryption setting unit 12, producing SQL statements that meet the encryption and decryption requirements.
To improve processing performance, database access preprocessor 13 is implemented in C++.
When a user accesses data in the database, the application program obtains the user's private key Kus from the user's login information, uses Kus to decrypt the database encryption symmetric key Kdb that is stored in user information storage unit 11 encrypted with the user's public key Kup, and so obtains the plaintext of Kdb.
For each SQL statement, the application program calls database access preprocessor 13 and passes it the plaintext of Kdb; database access preprocessor 13 performs encryption and decryption processing on the SQL statement according to the plaintext of Kdb and the database field encryption configuration information, and returns the processed SQL statement to the application program, which then accesses the database with the processed SQL statement.
As shown in Fig. 3, database access preprocessor 13 applies encryption or decryption transformation to the application program's SQL statement according to the kind of statement:
If the SQL statement is a read statement, database access preprocessor 13 queries database field encryption setting unit 12 to find which fields in the database are encrypted, then uses the database encryption symmetric key Kdb to convert the SQL statement into a decrypting statement and returns it to the application program;
If the SQL statement is a write statement, database access preprocessor 13 queries database field encryption setting unit 12 to find which fields in the database need to be encrypted, then uses the database encryption symmetric key Kdb to convert the SQL statement into an encrypting statement and returns it to the application program;
If the SQL statement is any other database management statement, database access preprocessor 13 leaves the SQL statement unchanged, performs no processing, and returns it to the application program.
This is illustrated below by way of example. Suppose a customer database has a user information storage unit 11 whose user table is called bizapp_users, and the field encryption configuration information of this database is as shown in the following table:
Sequence number | Field name | Data type | Length | Encrypted? |
---|---|---|---|---|
1 | id | Int | | No |
2 | name | Varchar | 50 | Yes |
3 | password | Varchar | 100 | Yes |
4 | | Varchar | 200 | No |
Database access preprocessor 13 judges the kind of the application program's SQL statement:
1. If it is a SELECT query statement, it is a read operation on the database, and the SQL statement is converted into a decrypting statement:
For example: SELECT name, mobilephone, email, address FROM bizapp_users WHERE name='thomas';
Database access preprocessor 13 queries database field encryption setting unit 12; if it finds that the fields "name" and "password" are encrypted and the database encryption symmetric key Kdb is 'dbpassword', then this SQL statement is converted into:
-- name is the only encrypted field referenced here; it is stored as HEX(AES_ENCRYPT(...)), so it is read back with AES_DECRYPT(UNHEX(...))
SELECT AES_DECRYPT(UNHEX(name),'dbpassword'), mobilephone, email, address
FROM bizapp_users
WHERE AES_DECRYPT(UNHEX(name),'dbpassword')='thomas';
2. If it is an INSERT statement, database access preprocessor 13 converts it into an encrypting SQL statement:
For example: INSERT INTO `bizapp_users`
SET `name`='thomas', `password`='123456a', `email`='gzhliming.com';
This statement inserts a record, i.e. a write operation on the data in the database, so the fields that need encryption must be encrypted. If the encryption settings are the same as in the SELECT example above, this SQL statement is converted into:
INSERT
INTO `bizapp_users`
SET
`id`='0',
`name`=HEX(AES_ENCRYPT('thomas','dbpassword')),
`password`=HEX(AES_ENCRYPT('123456a','dbpassword')),
`email`='gzhliming.com';
3. If it is an UPDATE statement, suppose it is:
UPDATE `bizapp_users` SET
`name`='martin',
`password`='123456a',
`email`='martinliming.com'
WHERE
`name`='jason';
The above SQL statement is a conditional UPDATE: the expression after WHERE is a read, so the decryption function is used, while the other clauses update data in the database, so the encryption function is used. Database access preprocessor 13 therefore converts this statement into:
UPDATE `bizapp_users` SET
`name`=HEX(AES_ENCRYPT('martin','dbpassword')),
`password`=HEX(AES_ENCRYPT('123456a','dbpassword')),
`email`='martinliming.com'
WHERE
AES_DECRYPT(UNHEX(`name`),'dbpassword')='jason';
4. For any other operation, database access preprocessor 13 judges whether the SQL statement refers to any encrypted field. If not, the original statement is returned directly to the application program; if it does, the preprocessor analyses whether each encrypted field is read or written in the SQL statement: a field that is read has its field name converted into a decrypting expression, and a field that is written has its value converted into an encrypting expression.
As shown in the table:
The embodiments of the present invention are realized by modifying the underlying class; the application program needs no modification and calls it with its original code.
As a further embodiment of the present invention, a global encryption switch can also be provided to set whether the database is encrypted. When the database is set to encrypted, all data field encryption setting units are queried and encryption and decryption processing is applied to the data of all encrypted fields.
In the embodiments of the present invention, user information storage unit 11 and database field encryption setting unit 12 are implemented as data tables.
With the embodiments of the present invention, the user can choose among the symmetric encryption algorithms supported by the database system according to the required cipher strength; the application program does not need to perform encryption or decryption operations on the database, since all data encryption and decryption is carried out by the database system; full-text search on data items is supported; the original database access statements need no modification and can be used transparently; and the user only has to preprocess the database access statement before the database operation.
The above is only a preferred embodiment of the present invention and is not intended to limit it; any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
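The four rewriting cases above, as an added example written in Python rather than the patent's C++ preprocessor; this is not the patent's own code. It assumes the bizapp_users configuration from the table above (constructed here as the dictionary FIELD_CONFIG) and the MySQL HEX(AES_ENCRYPT(...)) / AES_DECRYPT(UNHEX(...)) forms the page uses; preprocess, statement_kind and the helper names are my own.

```python
import re

# Constructed field-encryption configuration for the page's example table.
# True marks a field that is stored as HEX(AES_ENCRYPT(value, Kdb)).
FIELD_CONFIG = {
    "bizapp_users": {"id": False, "name": True, "password": True, "email": False},
}

_LITERAL = r"'(?:[^'\\]|\\.)*'"          # a single-quoted SQL string literal

def _sql_escape(s):
    """Escape a value for use inside a single-quoted MySQL literal."""
    return s.replace("\\", "\\\\").replace("'", "\\'")

def encrypt_expr(literal, kdb):
    """Write side: a quoted literal becomes HEX(AES_ENCRYPT(literal, Kdb))."""
    return f"HEX(AES_ENCRYPT({literal},'{_sql_escape(kdb)}'))"

def decrypt_expr(column, kdb):
    """Read side: a column reference becomes AES_DECRYPT(UNHEX(col), Kdb)."""
    return f"AES_DECRYPT(UNHEX(`{column}`),'{_sql_escape(kdb)}')"

def statement_kind(sql):
    """Classify a statement as in Fig. 3: 'read', 'write' or 'other'."""
    verb = sql.lstrip().split(None, 1)[0].upper() if sql.strip() else ""
    return {"SELECT": "read", "INSERT": "write", "UPDATE": "write"}.get(verb, "other")

def _encrypted_fields(sql):
    """Look up which fields of the statement's table are marked encrypted."""
    m = re.search(r"\b(?:FROM|INTO|UPDATE)\s+`?(\w+)`?", sql, re.I)
    cfg = FIELD_CONFIG.get(m.group(1).lower(), {}) if m else {}
    return {f for f, enc in cfg.items() if enc}

def _rewrite_writes(text, enc, kdb):
    """`name`='thomas' -> `name`=HEX(AES_ENCRYPT('thomas','Kdb')) for encrypted fields."""
    def repl(m):
        col, lit = m.group(1), m.group(2)
        return f"`{col}`={encrypt_expr(lit, kdb)}" if col.lower() in enc else m.group(0)
    return re.sub(r"`?(\w+)`?\s*=\s*(" + _LITERAL + ")", repl, text)

def _rewrite_reads(text, enc, kdb):
    """Bare references to encrypted columns become decrypt expressions; string
    literals are matched first so a literal that happens to equal a column name
    is never rewritten."""
    def repl(m):
        col = m.group(1)
        return decrypt_expr(col, kdb) if col and col.lower() in enc else m.group(0)
    return re.sub(_LITERAL + r"|`?\b(\w+)\b`?", repl, text)

def preprocess(sql, kdb):
    """Rewrite one SQL statement the way the page's preprocessor does.
    A regex rewriter for the statement shapes on the page, not a SQL parser."""
    enc = _encrypted_fields(sql)
    kind = statement_kind(sql)
    if not enc or kind == "other":
        return sql                  # case 4: no encrypted field, or not DML: pass through
    if kind == "read":
        return _rewrite_reads(sql, enc, kdb)
    # Writes: assignments are encrypted; an UPDATE's WHERE clause is a read.
    parts = re.split(r"(\bWHERE\b)", sql, maxsplit=1, flags=re.I)
    head = _rewrite_writes(parts[0], enc, kdb)
    if len(parts) == 3:
        head += parts[1] + _rewrite_reads(parts[2], enc, kdb)
    return head

if __name__ == "__main__":
    kdb = "dbpassword"   # the page's example Kdb
    for s in ("SELECT name, mobilephone, email, address FROM bizapp_users WHERE name='thomas';",
              "INSERT INTO `bizapp_users` SET `name`='thomas', `password`='123456a', `email`='gzhliming.com';",
              "UPDATE `bizapp_users` SET `name`='martin', `password`='123456a' WHERE `name`='jason';",
              "CREATE TABLE bizapp_users (id INT);"):
        print(preprocess(s, kdb))
```

Because Kdb is spliced into the statement as a literal, it is visible to anything that logs or inspects the statement text, and a WHERE on an encrypted column decrypts every row rather than using an index; both properties follow from the scheme as the page describes it.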
Claims (4)
1. A field-level database encryption device, characterized in that the device comprises:
a user information storage unit, for storing the database encryption symmetric key encrypted with the user's public key;
a database field encryption setting unit, for setting whether each field in the database is encrypted; and
a database access preprocessor, for applying an encryption transformation or a decryption transformation to database access statements according to the decrypted database encryption symmetric key and the field encryption configuration information in said database field encryption setting unit;
wherein said encryption transformation or decryption transformation of database access statements specifically comprises:
applying encryption or decryption transformation processing to an SQL statement according to the kind of the application program's Structured Query Language (SQL) statement;
if the SQL statement is a read statement, said database access preprocessor queries the database field encryption setting unit to find which fields in the database are encrypted, then uses the database encryption symmetric key Kdb to convert the SQL statement into a decrypting statement and returns it to the application program;
if the SQL statement is a write statement, said database access preprocessor queries the database field encryption setting unit to find which fields in the database need to be encrypted, then uses the database encryption symmetric key Kdb to convert the SQL statement into an encrypting statement and returns it to the application program;
if the SQL statement is any other database management statement, said database access preprocessor leaves the SQL statement unchanged, performs no processing, and returns it to the application program.
2. The field-level database encryption device of claim 1, characterized in that said database encryption symmetric key is set using an encryption algorithm supported by the database system.
3. The field-level database encryption device of claim 1, characterized in that the device further comprises:
a global encryption switch, for setting whether the database is encrypted.
4. The field-level database encryption device of claim 1, characterized in that said user information storage unit and said database field encryption setting unit are implemented as data tables.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210284801.6A CN102855448B (en) | 2012-08-10 | 2012-08-10 | A kind of Field-level database encryption device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102855448A CN102855448A (en) | 2013-01-02 |
CN102855448B true CN102855448B (en) | 2016-02-10 |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105302822B (en) * | 2014-06-27 | 2020-07-31 | 中兴通讯股份有限公司 | Method for reading and writing data of database and application response device |
CN106484378B (en) * | 2015-08-28 | 2019-08-09 | 阿里巴巴集团控股有限公司 | A kind of data processing method and device of no landing |
CN107871082A (en) * | 2016-11-15 | 2018-04-03 | 平安科技(深圳)有限公司 | The method of data encryption and control extension terminal in oracle database |
CN106971119A (en) * | 2017-02-24 | 2017-07-21 | 江苏信源久安信息科技有限公司 | The key data in database safe read-write authentication method of trusted identity |
CN106934298B (en) * | 2017-03-06 | 2019-12-31 | 戴林 | Transparent encryption system for universal database |
CN107579987A (en) * | 2017-09-22 | 2018-01-12 | 郑州云海信息技术有限公司 | A kind of encryption of server high in the clouds diagnostic system rule base two level, access method and system |
CN110048830B (en) * | 2018-01-15 | 2023-04-07 | 北京京东尚科信息技术有限公司 | Data encryption and decryption method and encryption and decryption device |
CN109960942B (en) * | 2019-03-27 | 2021-04-27 | 厦门商集网络科技有限责任公司 | Database data encryption and decryption method and system based on database connection pool |
CN111740826B (en) * | 2020-07-20 | 2021-06-18 | 腾讯科技(深圳)有限公司 | Encryption method, decryption method, device and equipment based on encryption proxy gateway |
CN113434535B (en) * | 2021-08-25 | 2022-03-08 | 阿里云计算有限公司 | Data processing method, communication system, device, product and storage medium |
CN114491580B (en) * | 2021-12-30 | 2022-10-04 | 深圳市恒创智达信息技术有限公司 | Database sensitive information encryption method and device |
CN115085903A (en) * | 2022-06-16 | 2022-09-20 | 平安普惠企业管理有限公司 | Data encryption and decryption method, device, equipment and medium based on encryption algorithm |
CN116796355A (en) * | 2023-08-24 | 2023-09-22 | 江苏数兑科技有限公司 | Data security protection and leakage prevention production method for data warehouse |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1667396A1 (en) * | 2004-12-02 | 2006-06-07 | Protegrity Corporation | Database system with second preprocessor and method for accessing a database |
CN101504706A (en) * | 2009-03-03 | 2009-08-12 | 中国科学院软件研究所 | Database information encryption method and system |
CN101504668A (en) * | 2009-03-24 | 2009-08-12 | 北京理工大学 | Cryptograph index supported database transparent encryption method |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7353387B2 (en) * | 2001-03-08 | 2008-04-01 | International Business Machines Corporation | Method and system for integrating encryption functionality into a database system |
US7421442B2 (en) * | 2002-07-02 | 2008-09-02 | American Express Travel Related Services Company, Inc. | System and method for data capture and reporting |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | | Granted publication date: 20160210; Termination date: 20170810 |