CN109583220A - A method of realizing data base encryption protocol analysis - Google Patents

A method of realizing data base encryption protocol analysis Download PDF

Info

Publication number
CN109583220A
CN109583220A CN201811463840.6A CN201811463840A CN109583220A CN 109583220 A CN109583220 A CN 109583220A CN 201811463840 A CN201811463840 A CN 201811463840A CN 109583220 A CN109583220 A CN 109583220A
Authority
CN
China
Prior art keywords
data
key
packet
client
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811463840.6A
Other languages
Chinese (zh)
Inventor
杨海峰
刘晓强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING ANHUA JINHE TECHNOLOGY CO LTD
Original Assignee
BEIJING ANHUA JINHE TECHNOLOGY CO LTD
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING ANHUA JINHE TECHNOLOGY CO LTD filed Critical BEIJING ANHUA JINHE TECHNOLOGY CO LTD
Priority to CN201811463840.6A priority Critical patent/CN109583220A/en
Publication of CN109583220A publication Critical patent/CN109583220A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/166Implementing security features at a particular protocol layer at the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a kind of methods for realizing data base encryption protocol analysis, including cipher key initialization step: obtaining specified data according to the type of database packet, the symmetric key and vector of symmetric encipherment algorithm are calculated using pseudo-random algorithm;Using data decryption step: in application data transmission procedure, data packet being decrypted using symmetric key and vector.The present invention has rational design, it extracts specified data according to the type of database packet, to the data of parsing carries out that symmetric key and initial vector is calculated and application data is decrypted, to realize the decryption function of the data packet grabbed during encrypted transmission under bypass mode, the analytic ability in data transmission procedure is improved, has a wide range of applications scene in database security field.

Description

A method of realizing data base encryption protocol analysis
Technical field
The invention belongs to technical field of database security, especially a kind of method for realizing data base encryption protocol analysis.
Background technique
SSL (Secure Socket Layer, security socket layer) is that data transmit it on internet to ensure Safety before being transmitted first encrypts data using data encryption technology, and the other end recycles after receiving the data Data are decrypted in identical key and vector.
Since the performance of rivest, shamir, adelman is relatively low, symmetric encipherment algorithm performance is very high, therefore, in practical applications The exchange of key is carried out using rivest, shamir, adelman mostly, and really data transfer phase uses symmetric encipherment algorithm.Its Principle are as follows: in handshake phase, carry out the exchange of key, client and server end has just obtained identical close after key exchange Next key can carry out decrypted for symmetrical enciphering and deciphering algorithm using this data key in data transfer phase.
In the overall architecture of user, database plays the role of a very core.Under normal circumstances, user can be All important data all save in the database, wait and go to be inquired in database again when needs, for the sake of security, Client will use encrypted transmission technology when accessing database, to prevent leakage of data of the data in transmission process.This Kind mode substantially increases the safety of data, but for the database audit product of bypass mode, this mode is but It has caused great difficulties, since the data that data are caught are by encryption, designer can't see original initial data, thus Database protocol package can not just be parsed.Thus to having used the client of audit product to cause very big problem: one Aspect encrypt to the data in transmission process to improve safety, on the other hand can not due to having carried out encryption It audits to database manipulation, many clients have in face of the choice of alternative.
Summary of the invention
It is an object of the invention to overcome the deficiencies in the prior art, propose a kind of side for realizing data base encryption protocol analysis Method makes client under the premise of keeping encrypted transmission, audits to database.
The present invention solves its technical problem and adopts the following technical solutions to achieve:
A method of realizing data base encryption protocol analysis, comprising the following steps:
Step 1, cipher key initialization step: specified data is obtained according to the type of database packet, uses pseudo-random algorithm Calculate the symmetric key and vector of symmetric encipherment algorithm;
Step 2, using data decryption step: application data transmission procedure in, using symmetric key and vector to data Packet is decrypted.
The concrete methods of realizing of the step 1 be the following steps are included:
(1) initialization step: the relevant context environmental of initialization encryption and decryption;
(2) Preliminary Analysis is carried out to database packet: obtaining the protocol header of 5 bytes, judge that the database packet is encryption data (3) packet, then enter step;
(3) following information: version, the client random data, server of cryptographic protocol is obtained in handshake packet Random data and seleted cipher data, pre master secret data;
(4), to client random data, server random data, pre master secret data, use is non- Symmetrical enciphering and deciphering algorithm is calculated, and the key and initialization vector of symmetrical enciphering and deciphering algorithm are obtained.
The concrete methods of realizing of the step (3) are as follows:
1. obtaining the version of cryptographic protocol according to the packet header of handshake packet;;
2. obtaining client random data in client hello packet and saving;
3. obtaining server random data and seleted cipher data in server hello packet and saving;
4. obtaining pre master secret data in client key exchange packet and saving.
The concrete methods of realizing of the step (4) are as follows:
1. the private key using asymmetric enciphering and deciphering algorithm decrypts pre master secret, new pre master is obtained secret;
2. being calculated using pre master secret, client random, server random three as parameter using RPF Method calculates master secret;
3. being calculated again using RPF using master secret, server random, client random three as parameter Method calculates the key block of 108 bytes;
4. successively being taken out from the key block of 108 bytes: Client MAC key, Server MAC key, Client Key (16 byte), Server Key, Client IV, Server IV.
The concrete methods of realizing of the step 2 the following steps are included:
(1) symmetrical enciphering and deciphering algorithm is initialized as follows:
1. obtaining the title of symmetrical decipherment algorithm using the selected cipher in server hello packet;
2. initializing the upper of symmetrical decipherment algorithm using client key, server key, client iv, server iv Hereafter environment obtains decryption handle;
(2) in application data transmission procedure, data are decrypted in the decryption handle 2. generated using step;
(3) step is repeated (2) data are decrypted.
The advantages and positive effects of the present invention are:
The present invention has rational design, extracts specified data according to the type of database packet, counts to the data of parsing Calculation obtains symmetric key and initial vector and application data is decrypted, to realize under bypass mode during encrypted transmission The decryption function of the data packet grabbed, improves the analytic ability in data transmission procedure, has in database security field It is widely applied scene.
Detailed description of the invention
Fig. 1 is packet process flow diagram of the invention;
Fig. 2 is asymmetric decipherment algorithm flow chart of the invention.
Specific embodiment
The embodiment of the present invention is further described below in conjunction with attached drawing.
A method of realizing data base encryption protocol analysis, comprising the following steps:
Step 1, cipher key initialization step: specified data is obtained according to the type of database packet, uses pseudo-random algorithm Calculate the symmetric key and vector of symmetric encipherment algorithm.
The concrete methods of realizing of this step includes following treatment process:
(1) initialization step: the relevant context environmental of initialization encryption and decryption;
(2) Preliminary Analysis is carried out to the database packet caught: obtaining the protocol header of 5 bytes, judgement is encryption data Packet, if not encrypted packet, there is no need to handle;If it is encrypted packet, then continue to handle down.
(3) necessary information is obtained in handshake packet.
As shown in Figure 1, the concrete methods of realizing of this step includes following treatment process:
1. the version of cryptographic protocol is judged according to the packet header of handshake packet, it is subsequent to have difference according to different encryption versions Processing, rough process is all consistent in subsequent processing, if only version number is different, can be produced in certain details Raw difference, we are by taking latest edition 1.2 as an example, to be illustrated;
2. obtaining client random data in client hello packet, preserve;
3. server random data and seleted cipher data are obtained in server hello packet, under preservation Come;
4. obtaining pre master secret data in client key exchange packet, preserve.
(4), to client random, server random, pre master secret data, asymmetric plus solution is used Close algorithm is calculated, and the key and initialization vector of symmetrical enciphering and deciphering algorithm are obtained;
As shown in Fig. 2, the concrete methods of realizing of this step includes following treatment process:
1. the private key using asymmetric enciphering and deciphering algorithm decrypts pre master secret, new pre master is obtained secret;
2. being calculated using pre master secret, client random, server random three as parameter using RPF Method calculates master secret;
3. being calculated again using RPF using master secret, server random, client random three as parameter Method calculates the key block of 108 bytes;
4. successively being taken out from the key block of 108 bytes: Client MAC key (20 byte), Server MAC Key (20 byte), Client Key (16 byte), Server Key (16 byte), Client IV (16 byte), Server IV (16 byte).
Step 2, using data decryption step: application data transmission procedure in, using symmetric key and vector to data Packet is decrypted.
(1) symmetrical enciphering and deciphering algorithm is initialized, and concrete methods of realizing is as follows:
1. obtaining the title of symmetrical decipherment algorithm using the selected cipher in server hello packet;
2. initializing the upper of symmetrical decipherment algorithm using client key, server key, client iv, server iv Hereafter environment obtains decryption handle.
(2) in application data transmission procedure, data are decrypted using decryption handle;
(3) step is repeated (2) data are decrypted.
It is emphasized that embodiment of the present invention be it is illustrative, without being restrictive, therefore packet of the present invention Include and be not limited to embodiment described in specific embodiment, it is all by those skilled in the art according to the technique and scheme of the present invention The other embodiments obtained, also belong to the scope of protection of the invention.

Claims (5)

1. a kind of method for realizing data base encryption protocol analysis, it is characterised in that the following steps are included:
Step 1, cipher key initialization step: specified data is obtained according to the type of database packet, is calculated using pseudo-random algorithm The symmetric key and vector of symmetric encipherment algorithm out;
Step 2, using data decryption step: in application data transmission procedure, using symmetric key and vector to data packet into Row decryption.
2. a kind of method for realizing data base encryption protocol analysis according to claim 1, it is characterised in that: the step 1 concrete methods of realizing be the following steps are included:
(1) initialization step: the relevant context environmental of initialization encryption and decryption;
(2) Preliminary Analysis is carried out to database packet: obtaining the protocol header of 5 bytes, judge that the database packet is encrypted packet, then It enters step (3);
(3) following information: the version of cryptographic protocol, client random data, server random number is obtained in handshake packet According to seleted cipher data, pre master secret data;
(4), to client random data, server random data, pre master secret data, use is asymmetric Enciphering and deciphering algorithm is calculated, and the key and initialization vector of symmetrical enciphering and deciphering algorithm are obtained.
3. a kind of method for realizing data base encryption protocol analysis according to claim 2, it is characterised in that: the step (3) concrete methods of realizing are as follows:
1. obtaining the version of cryptographic protocol according to the packet header of handshake packet;;
2. obtaining client random data in client hello packet and saving;
3. obtaining server random data and seleted cipher data in server hello packet and saving;
4. obtaining pre master secret data in client key exchange packet and saving.
4. a kind of method for realizing data base encryption protocol analysis according to claim 2, it is characterised in that: the step (4) concrete methods of realizing are as follows:
1. the private key using asymmetric enciphering and deciphering algorithm decrypts pre master secret, new pre master is obtained secret;
2. utilizing RPF algorithm meter using pre master secret, client random, server random three as parameter Calculate master secret;
3. utilizing RPF algorithm meter again using master secret, server random, client random three as parameter Calculate the key block of 108 bytes;
4. successively being taken out from the key block of 108 bytes: Client MAC key, Server MAC key, Client Key (16 byte), Server Key, Client IV, Server IV.
5. a kind of method for realizing data base encryption protocol analysis according to claim 1, it is characterised in that: the step 2 concrete methods of realizing the following steps are included:
(1) symmetrical enciphering and deciphering algorithm is initialized as follows:
1. obtaining the title of symmetrical decipherment algorithm using the selected cipher in server hello packet;
2. initializing the context of symmetrical decipherment algorithm using client key, server key, client iv, server iv Environment obtains decryption handle;
(2) in application data transmission procedure, data are decrypted using decryption handle;
(3) step is repeated (2) data are decrypted.
CN201811463840.6A 2018-12-03 2018-12-03 A method of realizing data base encryption protocol analysis Pending CN109583220A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811463840.6A CN109583220A (en) 2018-12-03 2018-12-03 A method of realizing data base encryption protocol analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811463840.6A CN109583220A (en) 2018-12-03 2018-12-03 A method of realizing data base encryption protocol analysis

Publications (1)

Publication Number Publication Date
CN109583220A true CN109583220A (en) 2019-04-05

Family

ID=65926017

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811463840.6A Pending CN109583220A (en) 2018-12-03 2018-12-03 A method of realizing data base encryption protocol analysis

Country Status (1)

Country Link
CN (1) CN109583220A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106131207A (en) * 2016-08-03 2016-11-16 杭州安恒信息技术有限公司 A kind of method and system bypassing audit HTTPS packet
CN106161404A (en) * 2015-04-22 2016-11-23 阿里巴巴集团控股有限公司 The method of SSL Session state reuse, server and system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161404A (en) * 2015-04-22 2016-11-23 阿里巴巴集团控股有限公司 The method of SSL Session state reuse, server and system
CN106131207A (en) * 2016-08-03 2016-11-16 杭州安恒信息技术有限公司 A kind of method and system bypassing audit HTTPS packet

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
徐劲松等: "一种专用公开密钥基础框架的研究与应用", 《电子测量技术》 *

Similar Documents

Publication Publication Date Title
CN109525386B (en) Paillier homomorphic encryption private aggregation and method based on Paillier
Juang Efficient multi-server password authenticated key agreement using smart cards
CN101834840B (en) There is efficient key derivation system, the method and apparatus for end-to-end network security of business visuality
CN104821874B (en) A kind of method that quantum key is applied to Internet of Things data encrypted transmission
CN104219041A (en) Data transmission encryption method applicable for mobile internet
US20020056040A1 (en) System and method for establishing secure communication
CN111756529B (en) Quantum session key distribution method and system
CN109005027B (en) Random data encryption and decryption method, device and system
CN107104977A (en) A kind of block chain data safe transmission method based on Stream Control Transmission Protocol
CN104202158A (en) Symmetric and asymmetric hybrid data encryption/decryption method based on cloud computing
Mohamed et al. Hybrid cryptographic approach for internet ofhybrid cryptographic approach for internet ofthings applications: A review
CN102594842A (en) Device-fingerprint-based network management message authentication and encryption scheme
CN111756528B (en) Quantum session key distribution method, device and communication architecture
TW201537937A (en) Unified identity authentication platform and authentication method thereof
CN113312608B (en) Electric power metering terminal identity authentication method and system based on time stamp
CN204180095U (en) A kind of ciphering and deciphering device for network data encryption transmission
CN106453391A (en) Long repeating data encryption and transmission method and system
CN110049002A (en) A kind of ipsec certification method based on PUF
CN109104278A (en) A kind of encrypting and decrypting method
CN113572607A (en) Secure communication method adopting unbalanced SM2 key exchange algorithm
CN112532384B (en) Method for quickly encrypting and decrypting transmission key based on packet key mode
WO2020042023A1 (en) Instant messaging data encryption method and apparatus
CN109583220A (en) A method of realizing data base encryption protocol analysis
CN115150067A (en) TLS protocol construction method and system based on network covert channel
CN110365482B (en) Data communication method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190405