CN109583220A - A method of realizing data base encryption protocol analysis - Google Patents
A method of realizing data base encryption protocol analysis Download PDFInfo
- Publication number
- CN109583220A CN109583220A CN201811463840.6A CN201811463840A CN109583220A CN 109583220 A CN109583220 A CN 109583220A CN 201811463840 A CN201811463840 A CN 201811463840A CN 109583220 A CN109583220 A CN 109583220A
- Authority
- CN
- China
- Prior art keywords
- data
- key
- packet
- client
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to a kind of methods for realizing data base encryption protocol analysis, including cipher key initialization step: obtaining specified data according to the type of database packet, the symmetric key and vector of symmetric encipherment algorithm are calculated using pseudo-random algorithm;Using data decryption step: in application data transmission procedure, data packet being decrypted using symmetric key and vector.The present invention has rational design, it extracts specified data according to the type of database packet, to the data of parsing carries out that symmetric key and initial vector is calculated and application data is decrypted, to realize the decryption function of the data packet grabbed during encrypted transmission under bypass mode, the analytic ability in data transmission procedure is improved, has a wide range of applications scene in database security field.
Description
Technical field
The invention belongs to technical field of database security, especially a kind of method for realizing data base encryption protocol analysis.
Background technique
SSL (Secure Socket Layer, security socket layer) is that data transmit it on internet to ensure
Safety before being transmitted first encrypts data using data encryption technology, and the other end recycles after receiving the data
Data are decrypted in identical key and vector.
Since the performance of rivest, shamir, adelman is relatively low, symmetric encipherment algorithm performance is very high, therefore, in practical applications
The exchange of key is carried out using rivest, shamir, adelman mostly, and really data transfer phase uses symmetric encipherment algorithm.Its
Principle are as follows: in handshake phase, carry out the exchange of key, client and server end has just obtained identical close after key exchange
Next key can carry out decrypted for symmetrical enciphering and deciphering algorithm using this data key in data transfer phase.
In the overall architecture of user, database plays the role of a very core.Under normal circumstances, user can be
All important data all save in the database, wait and go to be inquired in database again when needs, for the sake of security,
Client will use encrypted transmission technology when accessing database, to prevent leakage of data of the data in transmission process.This
Kind mode substantially increases the safety of data, but for the database audit product of bypass mode, this mode is but
It has caused great difficulties, since the data that data are caught are by encryption, designer can't see original initial data, thus
Database protocol package can not just be parsed.Thus to having used the client of audit product to cause very big problem: one
Aspect encrypt to the data in transmission process to improve safety, on the other hand can not due to having carried out encryption
It audits to database manipulation, many clients have in face of the choice of alternative.
Summary of the invention
It is an object of the invention to overcome the deficiencies in the prior art, propose a kind of side for realizing data base encryption protocol analysis
Method makes client under the premise of keeping encrypted transmission, audits to database.
The present invention solves its technical problem and adopts the following technical solutions to achieve:
A method of realizing data base encryption protocol analysis, comprising the following steps:
Step 1, cipher key initialization step: specified data is obtained according to the type of database packet, uses pseudo-random algorithm
Calculate the symmetric key and vector of symmetric encipherment algorithm;
Step 2, using data decryption step: application data transmission procedure in, using symmetric key and vector to data
Packet is decrypted.
The concrete methods of realizing of the step 1 be the following steps are included:
(1) initialization step: the relevant context environmental of initialization encryption and decryption;
(2) Preliminary Analysis is carried out to database packet: obtaining the protocol header of 5 bytes, judge that the database packet is encryption data
(3) packet, then enter step;
(3) following information: version, the client random data, server of cryptographic protocol is obtained in handshake packet
Random data and seleted cipher data, pre master secret data;
(4), to client random data, server random data, pre master secret data, use is non-
Symmetrical enciphering and deciphering algorithm is calculated, and the key and initialization vector of symmetrical enciphering and deciphering algorithm are obtained.
The concrete methods of realizing of the step (3) are as follows:
1. obtaining the version of cryptographic protocol according to the packet header of handshake packet;;
2. obtaining client random data in client hello packet and saving;
3. obtaining server random data and seleted cipher data in server hello packet and saving;
4. obtaining pre master secret data in client key exchange packet and saving.
The concrete methods of realizing of the step (4) are as follows:
1. the private key using asymmetric enciphering and deciphering algorithm decrypts pre master secret, new pre master is obtained
secret;
2. being calculated using pre master secret, client random, server random three as parameter using RPF
Method calculates master secret;
3. being calculated again using RPF using master secret, server random, client random three as parameter
Method calculates the key block of 108 bytes;
4. successively being taken out from the key block of 108 bytes: Client MAC key, Server MAC key, Client
Key (16 byte), Server Key, Client IV, Server IV.
The concrete methods of realizing of the step 2 the following steps are included:
(1) symmetrical enciphering and deciphering algorithm is initialized as follows:
1. obtaining the title of symmetrical decipherment algorithm using the selected cipher in server hello packet;
2. initializing the upper of symmetrical decipherment algorithm using client key, server key, client iv, server iv
Hereafter environment obtains decryption handle;
(2) in application data transmission procedure, data are decrypted in the decryption handle 2. generated using step;
(3) step is repeated (2) data are decrypted.
The advantages and positive effects of the present invention are:
The present invention has rational design, extracts specified data according to the type of database packet, counts to the data of parsing
Calculation obtains symmetric key and initial vector and application data is decrypted, to realize under bypass mode during encrypted transmission
The decryption function of the data packet grabbed, improves the analytic ability in data transmission procedure, has in database security field
It is widely applied scene.
Detailed description of the invention
Fig. 1 is packet process flow diagram of the invention;
Fig. 2 is asymmetric decipherment algorithm flow chart of the invention.
Specific embodiment
The embodiment of the present invention is further described below in conjunction with attached drawing.
A method of realizing data base encryption protocol analysis, comprising the following steps:
Step 1, cipher key initialization step: specified data is obtained according to the type of database packet, uses pseudo-random algorithm
Calculate the symmetric key and vector of symmetric encipherment algorithm.
The concrete methods of realizing of this step includes following treatment process:
(1) initialization step: the relevant context environmental of initialization encryption and decryption;
(2) Preliminary Analysis is carried out to the database packet caught: obtaining the protocol header of 5 bytes, judgement is encryption data
Packet, if not encrypted packet, there is no need to handle;If it is encrypted packet, then continue to handle down.
(3) necessary information is obtained in handshake packet.
As shown in Figure 1, the concrete methods of realizing of this step includes following treatment process:
1. the version of cryptographic protocol is judged according to the packet header of handshake packet, it is subsequent to have difference according to different encryption versions
Processing, rough process is all consistent in subsequent processing, if only version number is different, can be produced in certain details
Raw difference, we are by taking latest edition 1.2 as an example, to be illustrated;
2. obtaining client random data in client hello packet, preserve;
3. server random data and seleted cipher data are obtained in server hello packet, under preservation
Come;
4. obtaining pre master secret data in client key exchange packet, preserve.
(4), to client random, server random, pre master secret data, asymmetric plus solution is used
Close algorithm is calculated, and the key and initialization vector of symmetrical enciphering and deciphering algorithm are obtained;
As shown in Fig. 2, the concrete methods of realizing of this step includes following treatment process:
1. the private key using asymmetric enciphering and deciphering algorithm decrypts pre master secret, new pre master is obtained
secret;
2. being calculated using pre master secret, client random, server random three as parameter using RPF
Method calculates master secret;
3. being calculated again using RPF using master secret, server random, client random three as parameter
Method calculates the key block of 108 bytes;
4. successively being taken out from the key block of 108 bytes: Client MAC key (20 byte), Server MAC
Key (20 byte), Client Key (16 byte), Server Key (16 byte), Client IV (16 byte), Server IV
(16 byte).
Step 2, using data decryption step: application data transmission procedure in, using symmetric key and vector to data
Packet is decrypted.
(1) symmetrical enciphering and deciphering algorithm is initialized, and concrete methods of realizing is as follows:
1. obtaining the title of symmetrical decipherment algorithm using the selected cipher in server hello packet;
2. initializing the upper of symmetrical decipherment algorithm using client key, server key, client iv, server iv
Hereafter environment obtains decryption handle.
(2) in application data transmission procedure, data are decrypted using decryption handle;
(3) step is repeated (2) data are decrypted.
It is emphasized that embodiment of the present invention be it is illustrative, without being restrictive, therefore packet of the present invention
Include and be not limited to embodiment described in specific embodiment, it is all by those skilled in the art according to the technique and scheme of the present invention
The other embodiments obtained, also belong to the scope of protection of the invention.
Claims (5)
1. a kind of method for realizing data base encryption protocol analysis, it is characterised in that the following steps are included:
Step 1, cipher key initialization step: specified data is obtained according to the type of database packet, is calculated using pseudo-random algorithm
The symmetric key and vector of symmetric encipherment algorithm out;
Step 2, using data decryption step: in application data transmission procedure, using symmetric key and vector to data packet into
Row decryption.
2. a kind of method for realizing data base encryption protocol analysis according to claim 1, it is characterised in that: the step
1 concrete methods of realizing be the following steps are included:
(1) initialization step: the relevant context environmental of initialization encryption and decryption;
(2) Preliminary Analysis is carried out to database packet: obtaining the protocol header of 5 bytes, judge that the database packet is encrypted packet, then
It enters step (3);
(3) following information: the version of cryptographic protocol, client random data, server random number is obtained in handshake packet
According to seleted cipher data, pre master secret data;
(4), to client random data, server random data, pre master secret data, use is asymmetric
Enciphering and deciphering algorithm is calculated, and the key and initialization vector of symmetrical enciphering and deciphering algorithm are obtained.
3. a kind of method for realizing data base encryption protocol analysis according to claim 2, it is characterised in that: the step
(3) concrete methods of realizing are as follows:
1. obtaining the version of cryptographic protocol according to the packet header of handshake packet;;
2. obtaining client random data in client hello packet and saving;
3. obtaining server random data and seleted cipher data in server hello packet and saving;
4. obtaining pre master secret data in client key exchange packet and saving.
4. a kind of method for realizing data base encryption protocol analysis according to claim 2, it is characterised in that: the step
(4) concrete methods of realizing are as follows:
1. the private key using asymmetric enciphering and deciphering algorithm decrypts pre master secret, new pre master is obtained
secret;
2. utilizing RPF algorithm meter using pre master secret, client random, server random three as parameter
Calculate master secret;
3. utilizing RPF algorithm meter again using master secret, server random, client random three as parameter
Calculate the key block of 108 bytes;
4. successively being taken out from the key block of 108 bytes: Client MAC key, Server MAC key, Client Key
(16 byte), Server Key, Client IV, Server IV.
5. a kind of method for realizing data base encryption protocol analysis according to claim 1, it is characterised in that: the step
2 concrete methods of realizing the following steps are included:
(1) symmetrical enciphering and deciphering algorithm is initialized as follows:
1. obtaining the title of symmetrical decipherment algorithm using the selected cipher in server hello packet;
2. initializing the context of symmetrical decipherment algorithm using client key, server key, client iv, server iv
Environment obtains decryption handle;
(2) in application data transmission procedure, data are decrypted using decryption handle;
(3) step is repeated (2) data are decrypted.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811463840.6A CN109583220A (en) | 2018-12-03 | 2018-12-03 | A method of realizing data base encryption protocol analysis |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811463840.6A CN109583220A (en) | 2018-12-03 | 2018-12-03 | A method of realizing data base encryption protocol analysis |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109583220A true CN109583220A (en) | 2019-04-05 |
Family
ID=65926017
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811463840.6A Pending CN109583220A (en) | 2018-12-03 | 2018-12-03 | A method of realizing data base encryption protocol analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109583220A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106131207A (en) * | 2016-08-03 | 2016-11-16 | 杭州安恒信息技术有限公司 | A kind of method and system bypassing audit HTTPS packet |
CN106161404A (en) * | 2015-04-22 | 2016-11-23 | 阿里巴巴集团控股有限公司 | The method of SSL Session state reuse, server and system |
-
2018
- 2018-12-03 CN CN201811463840.6A patent/CN109583220A/en active Pending
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106161404A (en) * | 2015-04-22 | 2016-11-23 | 阿里巴巴集团控股有限公司 | The method of SSL Session state reuse, server and system |
CN106131207A (en) * | 2016-08-03 | 2016-11-16 | 杭州安恒信息技术有限公司 | A kind of method and system bypassing audit HTTPS packet |
Non-Patent Citations (1)
Title |
---|
徐劲松等: "一种专用公开密钥基础框架的研究与应用", 《电子测量技术》 * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109525386B (en) | Paillier homomorphic encryption private aggregation and method based on Paillier | |
Juang | Efficient multi-server password authenticated key agreement using smart cards | |
CN101834840B (en) | There is efficient key derivation system, the method and apparatus for end-to-end network security of business visuality | |
CN104821874B (en) | A kind of method that quantum key is applied to Internet of Things data encrypted transmission | |
CN104219041A (en) | Data transmission encryption method applicable for mobile internet | |
US20020056040A1 (en) | System and method for establishing secure communication | |
CN111756529B (en) | Quantum session key distribution method and system | |
CN109005027B (en) | Random data encryption and decryption method, device and system | |
CN107104977A (en) | A kind of block chain data safe transmission method based on Stream Control Transmission Protocol | |
CN104202158A (en) | Symmetric and asymmetric hybrid data encryption/decryption method based on cloud computing | |
Mohamed et al. | Hybrid cryptographic approach for internet ofhybrid cryptographic approach for internet ofthings applications: A review | |
CN102594842A (en) | Device-fingerprint-based network management message authentication and encryption scheme | |
CN111756528B (en) | Quantum session key distribution method, device and communication architecture | |
TW201537937A (en) | Unified identity authentication platform and authentication method thereof | |
CN113312608B (en) | Electric power metering terminal identity authentication method and system based on time stamp | |
CN204180095U (en) | A kind of ciphering and deciphering device for network data encryption transmission | |
CN106453391A (en) | Long repeating data encryption and transmission method and system | |
CN110049002A (en) | A kind of ipsec certification method based on PUF | |
CN109104278A (en) | A kind of encrypting and decrypting method | |
CN113572607A (en) | Secure communication method adopting unbalanced SM2 key exchange algorithm | |
CN112532384B (en) | Method for quickly encrypting and decrypting transmission key based on packet key mode | |
WO2020042023A1 (en) | Instant messaging data encryption method and apparatus | |
CN109583220A (en) | A method of realizing data base encryption protocol analysis | |
CN115150067A (en) | TLS protocol construction method and system based on network covert channel | |
CN110365482B (en) | Data communication method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20190405 |