CN111753320A - Data encryption method and device based on interceptor and computer equipment - Google Patents


Info

Publication number
CN111753320A
Authority
CN
China
Prior art keywords
result set
interceptor
sql statement
key
authentication information
Legal status
Pending
Application number
CN202010595278.3A
Other languages
Chinese (zh)
Inventor
叶怡宁
Current Assignee
OneConnect Smart Technology Co Ltd
OneConnect Financial Technology Co Ltd Shanghai
Original Assignee
OneConnect Financial Technology Co Ltd Shanghai

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/60 Protecting data
              • G06F21/602 Providing cryptographic facilities or services
          • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
            • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
              • G06F16/24 Querying
                • G06F16/242 Query formulation
                  • G06F16/2433 Query languages
                    • G06F16/2448 Query languages for particular applications; for extensibility, e.g. user defined types
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
                • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Abstract

The invention discloses a data encryption method and device based on an interceptor, computer equipment and a storage medium, and relates to big data and blockchain technology. If a first precompiled SQL statement is intercepted by a Mybatis interceptor, personal authentication information is obtained through a reflection mechanism; a randomly generated initial master key and initial working key are acquired, the personal authentication information is encrypted with the initial working key to obtain encrypted personal authentication information, and the encrypted personal authentication information is stored in the current data table to obtain an updated data table. If a second precompiled SQL statement is intercepted by the Mybatis interceptor, the corresponding result set is acquired from the updated data table of the database and decrypted to obtain a decrypted result set. The method encrypts personal authentication information automatically before it enters the database and decrypts it automatically when it comes out, which improves data security; because encryption and decryption are carried out fully automatically, their efficiency is improved as well.

Description

Data encryption method and device based on interceptor and computer equipment
Technical Field
The invention relates to the technical field of data processing of big data, in particular to a data encryption method and device based on an interceptor, computer equipment and a storage medium.
Background
At present, when data stored in a MySQL database includes sensitive data such as personal authentication information, encryption is generally performed in one of two ways. The first is to encrypt the tablespace that stores the personal authentication information; the second is to call an encryption utility (Utils) to encrypt and decrypt the personal authentication information.
When tablespace encryption is adopted, the keyring_file plugin of the MySQL community edition (an encryption plugin) is generally used. The Master Key produced when the tablespace is encrypted (and needed to decrypt it) is generally stored on the local database server, so the security of the data in the tablespace cannot be guaranteed. Moreover, even with the tablespace encrypted, a database administrator still has the right to view the data in it, which reduces data security.
When the encryption utility Utils is called to encrypt and decrypt the personal authentication information, the personal authentication information defined by different developers takes different forms, and calling Utils for each of these forms places high professional demands on whoever edits the utility; the labor cost of implementing encryption is therefore high and the efficiency is low.
Disclosure of Invention
The embodiment of the invention provides an interceptor-based data encryption method, data encryption device, computer equipment and storage medium, and aims to solve the following problem of the prior art: when sensitive data such as personal authentication information is stored in a data table, either the whole data table is encrypted or a special encryption tool is used for local encryption, so that not only is the encryption operation complicated, but the data can still be viewed with administrator authority after encryption, and data security is low.
In a first aspect, an embodiment of the present invention provides an interceptor-based data encryption method, which includes:
judging whether a first precompiled SQL statement is intercepted by a Mybatis interceptor; the original SQL statement corresponding to the first precompiled SQL statement is used for adding personal verification information in a database;
if the first precompiled SQL statement is intercepted through the Mybatis interceptor, personal verification information included in the entry parameters of the first precompiled SQL statement is acquired through a reflection mechanism;
acquiring an initial master key and an initial working key which are randomly generated, and encrypting the personal authentication information by taking the initial working key as a key to obtain encrypted personal authentication information;
storing the encrypted personal verification information to a current data table to obtain an updated data table;
judging whether a second precompiled SQL statement is intercepted by a Mybatis interceptor; the original SQL statement corresponding to the second precompiled SQL statement is used for inquiring personal verification information; and
if a second precompiled SQL statement is intercepted by the Mybatis interceptor, acquiring a corresponding result set in an updated data table of the database;
and sending the decrypted result set obtained by decrypting the result set to the user side.
In a second aspect, an embodiment of the present invention provides an interceptor-based data encryption apparatus, which includes:
the first statement intercepting unit is used for judging whether a first precompiled SQL statement is intercepted by a Mybatis interceptor; the original SQL statement corresponding to the first precompiled SQL statement is used for adding personal verification information in a database;
the personal verification information acquisition unit is used for acquiring personal verification information included in the entries of the first precompiled SQL statement through a reflection mechanism if the first precompiled SQL statement is intercepted through a Mybatis interceptor;
the information encryption unit is used for acquiring an initial master key and an initial working key which are randomly generated, and encrypting the personal authentication information by taking the initial working key as a key to obtain encrypted personal authentication information;
the data table updating unit is used for storing the encrypted personal verification information to a current data table to obtain an updated data table;
the second statement intercepting unit is used for judging whether a second precompiled SQL statement is intercepted by a Mybatis interceptor; the original SQL statement corresponding to the second precompiled SQL statement is used for inquiring personal verification information; and
the result set acquisition unit is used for acquiring a corresponding result set in the updated data table of the database if a second precompiled SQL statement is intercepted by the Mybatis interceptor;
and the decryption sending unit is used for sending the decrypted result set obtained by decrypting the result set to the user side.
In a third aspect, an embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and when the processor executes the computer program, the processor implements the interceptor-based data encryption method according to the first aspect.
In a fourth aspect, the present invention further provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program, and the computer program, when executed by a processor, causes the processor to execute the interceptor-based data encryption method according to the first aspect.
The embodiment of the invention provides a data encryption method and device based on an interceptor, computer equipment and a storage medium, wherein the method comprises the steps of: judging whether a first precompiled SQL statement is intercepted by a Mybatis interceptor; if the first precompiled SQL statement is intercepted through the Mybatis interceptor, acquiring the personal verification information included in the entry parameters of the first precompiled SQL statement through a reflection mechanism; acquiring an initial master key and an initial working key which are randomly generated, and encrypting the personal authentication information by taking the initial working key as a key to obtain encrypted personal authentication information; storing the encrypted personal verification information to a current data table to obtain an updated data table; judging whether a second precompiled SQL statement is intercepted by a Mybatis interceptor; if a second precompiled SQL statement is intercepted by the Mybatis interceptor, acquiring a corresponding result set in the updated data table of the database; and sending the decrypted result set obtained by decrypting the result set to the user side. The method realizes that the personal verification information is automatically encrypted before entering the database and automatically decrypted when coming out, improves the data security, and the encryption and decryption processes are fully automatically carried out, thereby improving the encryption and decryption efficiency.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic view of an application scenario of an interceptor-based data encryption method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of an interceptor-based data encryption method according to an embodiment of the present invention;
Fig. 3 is a sub-flow diagram of an interceptor-based data encryption method according to an embodiment of the present invention;
Fig. 4 is a schematic view of another sub-flow of an interceptor-based data encryption method according to an embodiment of the present invention;
Fig. 5 is a schematic view of another sub-flow of an interceptor-based data encryption method according to an embodiment of the present invention;
Fig. 6 is a schematic block diagram of an interceptor-based data encryption apparatus provided by an embodiment of the present invention;
Fig. 7 is a schematic block diagram of sub-units of an interceptor-based data encryption apparatus according to an embodiment of the present invention;
Fig. 8 is a schematic block diagram of another sub-unit of an interceptor-based data encryption apparatus according to an embodiment of the present invention;
Fig. 9 is a schematic block diagram of another sub-unit of an interceptor-based data encryption apparatus according to an embodiment of the present invention;
Fig. 10 is a schematic block diagram of a computer device provided by an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic view illustrating an application scenario of an interceptor-based data encryption method according to an embodiment of the present invention; fig. 2 is a schematic flowchart of an interceptor-based data encryption method according to an embodiment of the present invention, where the interceptor-based data encryption method is applied to a server and is executed by application software installed in the server.
As shown in fig. 2, the method includes steps S110 to S170.
S110, judging whether a first precompiled SQL statement is intercepted by a Mybatis interceptor; and the original SQL statement corresponding to the first precompiled SQL statement is used for adding personal verification information in a database.
In this embodiment, to make the technical solution of the present application clearer, the terminals concerned are described in detail below. The technical solution is described from the perspective of the server.
The first is the user side, which in practice can be a desktop computer, a notebook computer, a tablet computer or another terminal. The user can input SQL (Structured Query Language) statements on a user interface corresponding to the server; the SQL statements are precompiled at the user side and then sent to the server.
The original SQL statement corresponding to the first precompiled SQL statement is used to write data into the database of the server, and the written data includes personal authentication information (PII, i.e. personally identifiable information). Personal authentication information is any data related to a person that can help identify that person, such as a name, a fingerprint or other biometric data, an email address, a phone number or a social security number.
The second is the server, in which a MySQL database and Mybatis Plus are deployed; Mybatis Plus is an enhanced version of Mybatis, and Mybatis is a Java-based persistence layer framework. After receiving the first precompiled SQL statement uploaded by the user side, the server can intercept it through the interceptor of Mybatis Plus, modify some statement parameters, and then perform the corresponding data operation on the MySQL database.
Mybatis Plus, as a persistence layer framework, generally works as follows:
1) Loading configuration: the configuration comes from two places, a configuration file and annotations in the Java code. The SQL configuration information is loaded into a MappedStatement object (including the input parameter mapping configuration, the SQL statement to execute and the result mapping configuration), and the object is kept in memory.
2) SQL parsing: when the API interface layer receives a call request, it receives the ID of the SQL to run and an input object (which can be a Map, a JavaBean or a basic data type). Mybatis finds the corresponding MappedStatement by the SQL ID, then parses the MappedStatement against the input parameter object, and after parsing obtains the SQL statement and parameters to execute.
3) SQL execution: the SQL and parameters obtained in the previous step are passed to the database for execution, which yields the result of the database operation.
4) Result mapping: the result of the database operation is converted according to the mapping configuration into a HashMap, a JavaBean or a basic data type, and the final result is returned.
When the MybatisPlus framework is deployed on the server, any precompiled SQL statement can be intercepted through the Mybatis interceptor.
And S120, if the first precompiled SQL statement is intercepted through the Mybatis interceptor, acquiring personal verification information included in the entry of the first precompiled SQL statement through a reflection mechanism.
In this embodiment, after the first pre-compiled SQL statement uploaded by the user side is intercepted by the Mybatis interceptor in the server, the personal verification information included in the entry of the first pre-compiled SQL statement may be obtained through the reflection mechanism.
The reflection mechanism refers to that in the running state of a program, an object of any class can be constructed, the class to which any object belongs can be known, member variables and methods of any class can be known, and the attribute and method of any object can be called. This function of dynamically acquiring program information and dynamically calling objects is called a reflection mechanism of the Java language, and reflection is regarded as a key of the dynamic language.
Generally, the first precompiled SQL statement includes an input parameter entity (Entity), and in the present application the input entity includes personal authentication information.
The personal authentication information in the present application is generally annotated and marked in advance, so the reflection mechanism can quickly locate the annotated personal authentication information among the input parameters.
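An added illustration of the S120 step, not code from the patent: the page's environment is Java and Mybatis, but the same idea is modelled here in Go, where a struct tag stands in for the annotation and reflection finds the marked fields and rewrites them in place through a caller-supplied function (the encryptor on the write path, the decryptor on the read path). The `Person` and `badEntity` types and the `pii` tag are constructed for this example.

```go
package main

import (
	"fmt"
	"reflect"
)

// Person stands in for the entry entity of the first precompiled SQL statement. The
// `pii:"true"` struct tag plays the part of the annotation that marks personal
// authentication information (type and tag are constructed for this example).
type Person struct {
	Name  string `pii:"true"`
	Email string `pii:"true"`
	City  string // not annotated: never touched
}

// badEntity shows the failure mode: a field tagged pii that is not a string.
type badEntity struct {
	Age int `pii:"true"`
}

// RewriteAnnotated applies fn in place to every exported string field of v that
// is tagged pii:"true" and returns the names of the fields it rewrote. This is the
// hook where the interceptor plugs in the encryptor on the write path and the
// decryptor on the read path; v must be a pointer so the entity can be modified.
func RewriteAnnotated(v interface{}, fn func(string) (string, error)) ([]string, error) {
	rv := reflect.ValueOf(v)
	if rv.Kind() != reflect.Ptr || rv.Elem().Kind() != reflect.Struct {
		return nil, fmt.Errorf("want pointer to struct, got %T", v)
	}
	rv = rv.Elem()
	var done []string
	for i := 0; i < rv.NumField(); i++ {
		sf := rv.Type().Field(i)
		if sf.Tag.Get("pii") != "true" {
			continue
		}
		f := rv.Field(i)
		if f.Kind() != reflect.String || !f.CanSet() {
			// Fail closed: a tagged field that cannot be rewritten would otherwise
			// reach the table in clear without anyone noticing.
			return done, fmt.Errorf("field %s is tagged pii but is not a settable string", sf.Name)
		}
		out, err := fn(f.String())
		if err != nil {
			return done, fmt.Errorf("field %s: %w", sf.Name, err)
		}
		f.SetString(out)
		done = append(done, sf.Name)
	}
	return done, nil
}
```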
S130, acquiring an initial master key and an initial working key which are randomly generated, and encrypting the personal authentication information by taking the initial working key as a key to obtain the encrypted personal authentication information.
In this embodiment, a mechanism of a secondary key is used for encryption. In the secondary key mechanism, two types of keys are generally used: one type is the master key and the other type is the working key. Wherein the master key is used to encrypt the working key, which supports replacement; the work key is used to encrypt data to be encrypted (e.g., personal authentication information), which does not support replacement. When a secondary key mechanism is adopted for encryption, the key rotation can be flexibly supported, so that the safety of the personal authentication information is kept.
In one embodiment, as shown in fig. 3, as a first embodiment of step S130, step S130 includes:
S1311, encrypting the personal verification information by taking the personal verification information as a plaintext and the initial working key as a key to obtain initially encrypted personal verification information;
S1312, adding the encryption mark to the prefix of the initially encrypted personal authentication information to obtain the encrypted personal authentication information.
In this embodiment, when the personal authentication information is encrypted with the secondary key mechanism, the specific process is as follows. A master key A (the initial master key) and a working key B (the initial working key) are generated in the key management system. B is then encrypted with A to obtain C. The working key B is then deleted from the key management system, and C (the ciphertext of B under A) is placed in the encrypted custody of the configuration center; at the time of use, the application obtains A and unwraps C with it to get B. If the keys need to be rotated, B is first recovered by unlocking C with A, a new master key D is generated in the key management system, E is obtained by encrypting B with D, and then the old master key A is deleted and the configuration center is updated with E.
As a first embodiment of step S130, when the personal authentication information is used as a plaintext and the initial working key is used as a key for encryption, the initially encrypted personal authentication information can be obtained. And then, in order to facilitate subsequent decryption, the encryption mark can be added to the prefix of the encrypted personal authentication information, and once the encryption mark is found in the subsequent decryption process, the field needing to be decrypted is searched for decryption, so that the decryption efficiency is improved.
In one embodiment, as shown in fig. 4, as a second embodiment of step S130, step S130 includes:
S1321, encrypting the personal verification information by taking the personal verification information as a plaintext and the initial working key as a key to obtain initially encrypted personal verification information;
S1322, adding the predefined decryption annotation to the prefix of the initially encrypted personal authentication information to obtain the encrypted personal authentication information.
In this embodiment, as a second embodiment of step S130, when the personal authentication information is used as a plaintext and the initial working key is used as a key for encryption, the initially encrypted personal authentication information can be obtained. And then, in order to facilitate subsequent decryption, at the moment, a predefined decryption annotation can be added to the prefix of the encrypted personal authentication information, and once the decryption annotation is found in the subsequent decryption process, a field needing to be decrypted is searched for decryption, so that the decryption efficiency is improved.
Whichever of the two modes was used to produce the encrypted personal authentication information, once an encryption mark or a decryption annotation is found, the field that needs decrypting is located and decrypted.
S140, storing the encrypted personal verification information to a current data table to obtain an updated data table.
In this embodiment, after the encryption of the personal authentication information in the data table is completed in the server, the encrypted personal authentication information is stored in the current data table to obtain an updated data table, so that the data table is updated in time.
In an embodiment, step S140 is followed by:
and uploading the updated data table to a block chain network.
In this embodiment, the blockchain corresponding to the blockchain network is a novel application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanism, and encryption algorithm. A block chain (Blockchain), which is essentially a decentralized database, is a series of data blocks associated by using a cryptographic method, and each data block contains information of a batch of network transactions, so as to verify the validity (anti-counterfeiting) of the information and generate a next block. The blockchain may include a blockchain underlying platform, a platform product services layer, and an application services layer. And uploading the updated data table to a block chain network, wherein the updated data table can be preserved for a long time in the block chain network, so that subsequent traceability query is facilitated.
S150, judging whether a second precompiled SQL statement is intercepted by a Mybatis interceptor; and the original SQL statement corresponding to the second precompiled SQL statement is used for inquiring personal verification information.
In this embodiment, the original SQL statement corresponding to the second precompiled SQL statement is used to obtain personal verification information from the database of the server, that is, the SQL statement having the query function. The server detects the second precompiled SQL statement, namely, judges whether a user terminal initiates a request to inquire data.
And S160, if the second precompiled SQL statement is intercepted by the Mybatis interceptor, acquiring a corresponding result set in the updated data table of the database.
In this embodiment, when the server detects the second precompiled SQL statement, the Mybatis interceptor intercepts it first; then, if the second precompiled SQL statement carries the right to obtain personal authentication data, the corresponding result set is obtained from the data table and fed back to the user side.
In one embodiment, as shown in fig. 5, step S160 includes:
S161, acquiring an ID and an incoming object corresponding to the second precompiled SQL statement;
S162, acquiring a corresponding initial result set in a local database according to the ID and the incoming object;
and S163, performing data type conversion on the initial result set according to the preset mapping configuration to obtain a result set.
In this embodiment, when data related to personal authentication information stored in the local database is acquired through a query statement, the API interface layer of the database receives the ID of the incoming SQL and an incoming object (which may be a Map, a JavaBean or a basic data type); Mybatis finds the corresponding MappedStatement by the SQL ID, then parses the MappedStatement against the incoming parameter object, and after parsing obtains the SQL statement and parameters to execute.
And then, taking the finally obtained SQL and the parameters to a local MySQL database for execution to obtain the result of the operation database, namely obtaining an initial result set. The initial result set also needs to be converted according to the mapping configuration, and can be converted into a HashMap, a JavaBean or a basic data type, and the final result is returned, that is, the result set is returned.
S170, the decrypted result set obtained by decrypting the result set is sent to the user side.
In this embodiment, in order to accelerate data processing efficiency, after the Mybatis interceptor obtains a result set queried according to a second precompiled SQL statement, a decrypted result set obtained by automatically decrypting the result set is sent to the user side.
In one embodiment, step S170 includes:
judging whether an encryption mark or a decryption annotation exists in the result set;
and if the result set has the encryption mark or the decryption annotation, acquiring a corresponding target result set, and decrypting the target result set through a current working key corresponding to the initial working key to obtain a decrypted result set.
In this embodiment, if some data in the obtained result set carries an encryption mark or a decryption annotation, then when the Mybatis interceptor intercepts these target result sets, the current working key is obtained to decrypt them into decrypted result sets, and the decrypted result sets are sent to the user side.
The process corresponds to a decryption process and is also finished in a Mybatis interceptor, namely, the data is automatically decrypted when being fed back to the user side, manual decryption by the user is not needed, and the decryption efficiency is improved.
The method realizes that the personal verification information is automatically encrypted before entering the database and automatically decrypted when coming out, improves the data security, and the encryption and decryption processes are fully automatically carried out, thereby improving the encryption and decryption efficiency.
The embodiment of the invention also provides a data encryption device based on the interceptor, which is used for executing any embodiment of the data encryption method based on the interceptor. Specifically, referring to fig. 6, fig. 6 is a schematic block diagram of an interceptor-based data encryption device according to an embodiment of the present invention. The interceptor-based data encryption device 100 may be configured in a server.
As shown in fig. 6, the interceptor-based data encryption device 100 includes: a first statement intercepting unit 110, a personal authentication information acquisition unit 120, an information encryption unit 130, a data table updating unit 140, a second statement intercepting unit 150, a result set acquisition unit 160, and a decryption sending unit 170.
The first statement intercepting unit 110 is configured to determine whether a first precompiled SQL statement is intercepted by a Mybatis interceptor; and the original SQL statement corresponding to the first precompiled SQL statement is used for adding personal verification information in a database.
In this embodiment, the original SQL statement corresponding to the first precompiled SQL statement writes data into the server's database, and the written data includes personal authentication information (PII, Personally Identifiable Information). Personal authentication information is any data relating to a person that can help identify that person, such as a name, a fingerprint or other biometric data, an e-mail address, a telephone number or a social security number.
The workflow of the Mybatis Plus persistence-layer framework is generally as follows:
1) Configuration loading: configuration comes from two places, configuration files and annotations in Java code. The SQL configuration information is loaded into MappedStatement objects (each including the incoming parameter mapping configuration, the SQL statement to execute and the result mapping configuration), which are kept in memory.
2) SQL parsing: when the API interface layer receives a call request, it receives the ID of the SQL to execute and an incoming parameter object (a Map, a JavaBean or a basic data type). Mybatis finds the corresponding MappedStatement by the SQL ID, parses it against the incoming parameter object, and obtains the final SQL statement and parameters to be executed.
3) SQL execution: the resulting SQL and parameters are executed against the database to obtain the result of the database operation.
4) Result mapping: the result of the database operation is converted according to the mapping configuration into a HashMap, a JavaBean or a basic data type, and the final result is returned.
When the Mybatis Plus framework is deployed on the server, any precompiled SQL statement can be intercepted through the Mybatis interceptor.
The personal verification information obtaining unit 120 is configured to obtain, through the reflection mechanism, the personal verification information included in the entry parameters of the first precompiled SQL statement if that statement is intercepted by the Mybatis interceptor.
In this embodiment, after the first precompiled SQL statement uploaded by the user side is intercepted by the Mybatis interceptor in the server, the personal verification information included in its entry parameters can be obtained through the reflection mechanism.
The reflection mechanism means that, while a program is running, an object of any class can be constructed, the class of any object can be determined, the member variables and methods of any class can be enumerated, and the attributes and methods of any object can be invoked. This ability to obtain program information and invoke objects dynamically is called the reflection mechanism of the Java language, and reflection is regarded as the key to the language's dynamic features.
Generally, the first precompiled SQL statement carries an entry parameter Entity (an entity object), and in this application the entry Entity includes the personal authentication information.
The personal authentication information in this application is generally marked in advance with an annotation, so the reflection mechanism can quickly locate the annotated personal authentication information among the entry parameters.
An information encryption unit 130, configured to obtain an initial master key and an initial working key that are randomly generated, and encrypt the personal authentication information with the initial working key as a key to obtain encrypted personal authentication information.
In this embodiment, a two-tier (secondary) key mechanism is used for encryption. Two kinds of key are used: a master key and a working key. The master key encrypts the working key and supports replacement; the working key encrypts the data to be protected (for example the personal authentication information) and does not support replacement. With a two-tier key mechanism, key rotation can be supported flexibly, which maintains the security of the personal authentication information.
In one embodiment, as shown in fig. 7, as a first embodiment of the information encrypting unit 130, the information encrypting unit 130 includes:
a first encryption unit 1311, configured to encrypt the personal authentication information, taking it as plaintext and the initial working key as the key, to obtain initially encrypted personal authentication information;
an encryption mark unit 1312, configured to add an encryption mark as a prefix to the initially encrypted personal authentication information to obtain the encrypted personal authentication information.
In this embodiment, when the personal authentication information is encrypted with the two-tier key mechanism, the process is as follows. A master key A (the initial master key) and a working key B (the initial working key) are generated in the key management system. B is then encrypted under A to give C. The working key B is deleted from the key management system, and C (B encrypted under A) is stored in encrypted custody in the configuration centre; at the time of use the application obtains A and unwraps C with it to recover B. When the keys need to be rotated, a new master key D is generated in the key management system; after C has been unwrapped with A to recover B, B is encrypted under D to give E, the old master key A is deleted, and E replaces C in the configuration centre.
As the first embodiment of the information encrypting unit 130, encrypting the personal authentication information as plaintext under the initial working key yields the initially encrypted personal authentication information. To make subsequent decryption easier, the encryption mark is then added as a prefix to that ciphertext; whenever the encryption mark is found during later decryption, the field that needs decrypting is located and decrypted, which improves decryption efficiency.
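The two-tier key handling described above (master key A wraps working key B into C; rotation re-wraps B under a new master D to give E while the stored data stays untouched), as an added example that is not part of the patent. The patent names no cipher; this example assumes AES-256-GCM with a fresh random IV for both the key wrap and the data encryption, and the class and method names are the example's own:

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/** Two-tier key hierarchy: master key wraps the working key; the working key encrypts the PII. */
public final class TwoTierKeys {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_IV_BYTES = 12, GCM_TAG_BITS = 128;

    /** AES-GCM with a random IV prepended to the ciphertext (cipher choice is this example's assumption). */
    static byte[] seal(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                                   // never reuse an IV under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Inverse of seal(); throws on a wrong key or tampered ciphertext because GCM authenticates. */
    static byte[] open(SecretKey key, byte[] sealed) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, Arrays.copyOf(sealed, GCM_IV_BYTES)));
        return c.doFinal(sealed, GCM_IV_BYTES, sealed.length - GCM_IV_BYTES);
    }

    static SecretKey newAesKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    /** C = Enc_A(B): the wrapped working key that goes to the configuration centre; B itself is discarded. */
    static byte[] wrapWorkingKey(SecretKey master, SecretKey working) throws GeneralSecurityException {
        return seal(master, working.getEncoded());
    }

    /** At use time the application holds the master key and unwraps C to recover B. */
    static SecretKey unwrapWorkingKey(SecretKey master, byte[] wrapped) throws GeneralSecurityException {
        return new SecretKeySpec(open(master, wrapped), "AES");
    }

    /** Master-key rotation: A unwraps C to B, new master D re-wraps B to E. No row is re-encrypted. */
    static byte[] rotateMaster(SecretKey oldMaster, byte[] wrapped, SecretKey newMaster) throws GeneralSecurityException {
        return wrapWorkingKey(newMaster, unwrapWorkingKey(oldMaster, wrapped));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecretKey a = newAesKey(), b = newAesKey();          // initial master key A and working key B
        byte[] c = wrapWorkingKey(a, b);                     // C, stored by the configuration centre
        // Constructed sample PII value; encrypted under the working key recovered from C.
        byte[] record = seal(unwrapWorkingKey(a, c), "13800000000".getBytes(StandardCharsets.UTF_8));

        SecretKey d = newAesKey();                           // rotation: new master key D
        byte[] e = rotateMaster(a, c, d);                    // E replaces C; A can now be deleted
        String back = new String(open(unwrapWorkingKey(d, e), record), StandardCharsets.UTF_8);
        System.out.println(back.equals("13800000000") ? "rotation ok" : "rotation broke decryption");
        System.out.println("wrapped working key E (base64): " + Base64.getEncoder().encodeToString(e));
    }
}
```

The point to check in a real deployment is the one the patent states in passing: only the master key is replaceable. Rotating it re-wraps B but leaves every row encrypted under the same working key, so a leaked working key still requires re-encrypting the table, and the application process must hold A (or obtain it from the key management system) for every unwrap.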
In one embodiment, as shown in fig. 8, as a second embodiment of the information encrypting unit 130, the information encrypting unit 130 includes:
a second encryption unit 1321, configured to encrypt the personal authentication information, taking it as plaintext and the initial working key as the key, to obtain initially encrypted personal authentication information;
a decryption annotation unit 1322, configured to add a predefined decryption annotation as a prefix to the initially encrypted personal authentication information to obtain the encrypted personal authentication information.
In this embodiment, as the second embodiment of the information encrypting unit 130, encrypting the personal authentication information as plaintext under the initial working key yields the initially encrypted personal authentication information. To make subsequent decryption easier, a predefined decryption annotation is then added as a prefix to that ciphertext; whenever the decryption annotation is found during later decryption, the field that needs decrypting is located and decrypted, which improves decryption efficiency.
Whichever of the two modes produced the encrypted personal authentication information, the field that needs decrypting is located and decrypted as soon as an encryption mark or a decryption annotation is found.
And a data table updating unit 140, configured to store the encrypted personal authentication information in the current data table, so as to obtain an updated data table.
In this embodiment, after the encryption of the personal authentication information in the data table is completed in the server, the encrypted personal authentication information is stored in the current data table to obtain an updated data table, so that the data table is updated in time.
In one embodiment, the interceptor-based data encryption device 100 further comprises:
a data uploading unit, configured to upload the updated data table to a blockchain network.
In this embodiment, the blockchain behind the blockchain network is a novel application of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and cryptographic algorithms. A blockchain is essentially a decentralised database: a series of data blocks linked by cryptographic means, each containing a batch of network transactions, used to verify the validity of the information (tamper resistance) and to generate the next block. A blockchain may comprise a blockchain underlying platform, a platform product services layer and an application services layer. Once the updated data table has been uploaded to the blockchain network it can be preserved there for a long time, which facilitates later traceability queries.
The second statement intercepting unit 150 is configured to determine whether a second precompiled SQL statement is intercepted by a Mybatis interceptor; and the original SQL statement corresponding to the second precompiled SQL statement is used for inquiring personal verification information.
In this embodiment, the original SQL statement corresponding to the second precompiled SQL statement is used to obtain personal verification information from the database of the server, that is, the SQL statement having the query function. The server detects the second precompiled SQL statement, namely, judges whether a user terminal initiates a request to inquire data.
And the result set obtaining unit 160 is configured to obtain a corresponding result set in the updated data table of the database if the second precompiled SQL statement is intercepted by the Mybatis interceptor.
In this embodiment, when the server detects the second precompiled SQL statement, the Mybatis interceptor first intercepts it; then, if the second precompiled SQL statement has the right to obtain the personal verification data, the corresponding result set is obtained from the data table and fed back to the user side.
In one embodiment, as shown in fig. 9, the result set obtaining unit 160 includes:
a statement parsing unit 161, configured to obtain an ID and an incoming object corresponding to the second precompiled SQL statement;
an initial result set obtaining unit 162, configured to obtain a corresponding initial result set according to the ID and the incoming object in the local database;
and the data type converting unit 163 is configured to perform data type conversion on the initial result set according to a preset mapping configuration, so as to obtain a result set.
In this embodiment, when data related to personal authentication information stored in the local database is retrieved through a query statement, the API interface layer receives the ID of the SQL to be executed and an incoming parameter object (which may be a Map, a JavaBean or a basic data type). Mybatis finds the corresponding MappedStatement by the SQL ID, parses it against the incoming parameter object, and obtains the final SQL statement and parameters to be executed.
The resulting SQL and parameters are then executed against the local MySQL database, and the result of the database operation is the initial result set. The initial result set is converted according to the mapping configuration into a HashMap, a JavaBean or a basic data type, and the final result is returned, that is, the result set.
A decryption sending unit 170, configured to send the decrypted result set obtained by decrypting the result set to the user side.
In this embodiment, to speed up data processing, after the Mybatis interceptor obtains the result set queried according to the second precompiled SQL statement, the result set is decrypted automatically and the decrypted result set is sent to the user side.
In one embodiment, the decryption sending unit 170 includes:
a result set judgment unit, configured to determine whether the result set carries an encryption mark or a decryption annotation;
and a result set decryption unit, configured to obtain the corresponding target result set if the result set carries the encryption mark or the decryption annotation, and to decrypt the target result set with the current working key corresponding to the initial working key to obtain the decrypted result set.
In this embodiment, if some data in the obtained result set carries an encryption mark or a decryption annotation, the Mybatis interceptor, on intercepting the target result set, obtains the current working key, decrypts the target result set to obtain the decrypted result set, and sends the decrypted result set to the user side.
This decryption process is likewise completed in the Mybatis interceptor: data is decrypted automatically when it is fed back to the user side, no manual decryption by the user is needed, and decryption efficiency is improved.
The device thus encrypts personal verification information automatically before it enters the database and decrypts it automatically when it is read out, which improves data security; because encryption and decryption are fully automatic, their efficiency is improved as well.
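The interceptor itself, covering both the write path of units 120 and 130 (reflection over an annotated entry parameter, encryption under the working key, encryption mark added as a prefix) and the read path of units 160 and 170 (result set mapped by Mybatis, marked values decrypted), as an added example that is not code from the patent or from the applicant. It uses the real MyBatis plugin API (`Interceptor`, `@Intercepts`, `@Signature`, `ParameterHandler.setParameters`, `ResultSetHandler.handleResultSets`); the `@Sensitive` annotation, the `FieldCodec` interface, the class name and the `ENC:` mark value are this example's assumptions, and the codec implementation (AES-GCM keyed with the unwrapped working key, for instance) is assumed and not shown:

```java
import org.apache.ibatis.executor.parameter.ParameterHandler;
import org.apache.ibatis.executor.resultset.ResultSetHandler;
import org.apache.ibatis.plugin.Interceptor;
import org.apache.ibatis.plugin.Intercepts;
import org.apache.ibatis.plugin.Invocation;
import org.apache.ibatis.plugin.Plugin;
import org.apache.ibatis.plugin.Signature;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.sql.PreparedStatement;
import java.sql.Statement;
import java.util.Collection;
import java.util.Map;
import java.util.Properties;

/** Hypothetical marker: the PII field "annotated in advance" that the reflection step looks for. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@interface Sensitive {}

/** Field-level cipher keyed with the current working key (implementation assumed, e.g. AES-GCM). */
interface FieldCodec {
    String encrypt(String plaintext);
    String decrypt(String ciphertext);
}

/** Encrypts @Sensitive entry-parameter fields before binding; decrypts marked values after result mapping. */
@Intercepts({
    @Signature(type = ParameterHandler.class, method = "setParameters", args = {PreparedStatement.class}),
    @Signature(type = ResultSetHandler.class, method = "handleResultSets", args = {Statement.class})
})
public class PiiCryptoInterceptor implements Interceptor {
    /** Encryption mark (assumed value) stored as a prefix so ciphertext can be told from plaintext. */
    static final String MARK = "ENC:";
    private final FieldCodec codec;

    public PiiCryptoInterceptor(FieldCodec codec) { this.codec = codec; }

    @Override
    public Object intercept(Invocation invocation) throws Throwable {
        if (invocation.getTarget() instanceof ParameterHandler) {
            // Write path: the entry parameter is rewritten in place before MyBatis binds it to the statement.
            walk(((ParameterHandler) invocation.getTarget()).getParameterObject(), true);
            return invocation.proceed();
        }
        // Read path: let MyBatis map the rows first, then decrypt whatever carries the mark.
        Object rows = invocation.proceed();
        walk(rows, false);
        return rows;
    }

    /** Recurses through Maps (MyBatis ParamMap, resultType="map" rows) and Collections down to entities. */
    private void walk(Object o, boolean encrypt) throws IllegalAccessException {
        if (o == null || o.getClass().getName().startsWith("java.lang.")) return;   // String, boxed primitives
        if (o instanceof Map) {
            @SuppressWarnings("unchecked") Map<Object, Object> m = (Map<Object, Object>) o;
            for (Map.Entry<Object, Object> e : m.entrySet()) {
                Object v = e.getValue();
                if (!encrypt && v instanceof String && ((String) v).startsWith(MARK)) {
                    e.setValue(codec.decrypt(((String) v).substring(MARK.length())));   // map-typed row
                } else {
                    walk(v, encrypt);
                }
            }
            return;
        }
        if (o instanceof Collection) { for (Object v : (Collection<?>) o) walk(v, encrypt); return; }
        // Entity: only String fields carrying @Sensitive are touched (superclass fields are not visited here).
        for (Field f : o.getClass().getDeclaredFields()) {
            if (!f.isAnnotationPresent(Sensitive.class) || f.getType() != String.class) continue;
            f.setAccessible(true);
            String value = (String) f.get(o);
            if (value == null) continue;
            if (encrypt && !value.startsWith(MARK)) {
                f.set(o, MARK + codec.encrypt(value));   // idempotent: a ParamMap lists the same entity twice
            } else if (!encrypt && value.startsWith(MARK)) {
                f.set(o, codec.decrypt(value.substring(MARK.length())));
            }
        }
    }

    @Override public Object plugin(Object target) { return Plugin.wrap(target, this); }
    @Override public void setProperties(Properties properties) { }
}
```

The plugin is registered like any other, with `configuration.addInterceptor(new PiiCryptoInterceptor(codec))` or a `<plugin>` entry in the Mybatis configuration. Two consequences of the design a practitioner should verify: the entry parameter is mutated in place, so the caller's entity holds ciphertext after the insert; and `setParameters` also runs for SELECT parameters, so an annotated entity used as a query condition is encrypted before comparison, and with a randomised cipher the `WHERE` clause will not match the stored ciphertext. Equality lookups on encrypted columns need a separate deterministic token, which this page does not address.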
The above-described interceptor-based data encryption apparatus may be implemented in the form of a computer program that can be run on a computer device as shown in fig. 10.
Referring to fig. 10, fig. 10 is a schematic block diagram of a computer device according to an embodiment of the present invention. The computer device 500 is a server, and the server may be an independent server or a server cluster composed of a plurality of servers.
Referring to fig. 10, the computer device 500 includes a processor 502, memory, and a network interface 505 connected by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.
The non-volatile storage medium 503 may store an operating system 5031 and a computer program 5032. The computer program 5032, when executed, may cause the processor 502 to perform an interceptor-based data encryption method.
The processor 502 is used to provide computing and control capabilities that support the operation of the overall computer device 500.
The internal memory 504 provides an environment for the execution of the computer program 5032 in the non-volatile storage medium 503, and when the computer program 5032 is executed by the processor 502, the processor 502 may be caused to perform an interceptor-based data encryption method.
The network interface 505 is used for network communication, such as transmitting data. Those skilled in the art will appreciate that the configuration shown in fig. 10 is a block diagram of only the portion of the configuration associated with aspects of the present invention and does not limit the computing device 500 to which those aspects may be applied; a particular computing device 500 may include more or fewer components than those shown, combine certain components, or arrange the components differently.
The processor 502 is configured to run a computer program 5032 stored in the memory to implement the interceptor-based data encryption method disclosed in the embodiment of the present invention.
Those skilled in the art will appreciate that the embodiment of a computer device illustrated in fig. 10 does not constitute a limitation on the specific construction of the computer device, and that in other embodiments a computer device may include more or fewer components than those illustrated, or some components may be combined, or a different arrangement of components. For example, in some embodiments, the computer device may only include a memory and a processor, and in such embodiments, the structures and functions of the memory and the processor are consistent with those of the embodiment shown in fig. 10, and are not described herein again.
It should be understood that, in the embodiment of the present invention, the processor 502 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
In another embodiment of the invention, a computer-readable storage medium is provided. The computer readable storage medium may be a non-volatile computer readable storage medium. The computer readable storage medium stores a computer program, wherein the computer program, when executed by a processor, implements the interceptor-based data encryption method disclosed by an embodiment of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses, devices and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again. Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described in a functional general in the foregoing description for the purpose of illustrating clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided by the present invention, it should be understood that the disclosed apparatus, device and method can be implemented in other ways. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only a logical division, and there may be other divisions when the actual implementation is performed, or units having the same function may be grouped into one unit, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electric, mechanical or other form of connection.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. On this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk or an optical disk.
While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. An interceptor-based data encryption method, comprising:
judging whether a first precompiled SQL statement is intercepted by a Mybatis interceptor; the original SQL statement corresponding to the first precompiled SQL statement is used for adding personal verification information in a database;
if the first precompiled SQL statement is intercepted through the Mybatis interceptor, personal verification information included in the entry parameters of the first precompiled SQL statement is acquired through a reflection mechanism;
acquiring an initial master key and an initial working key which are randomly generated, and encrypting the personal authentication information by taking the initial working key as a key to obtain encrypted personal authentication information;
storing the encrypted personal verification information to a current data table to obtain an updated data table;
judging whether a second precompiled SQL statement is intercepted by a Mybatis interceptor; the original SQL statement corresponding to the second precompiled SQL statement is used for inquiring personal verification information; and
if a second precompiled SQL statement is intercepted by the Mybatis interceptor, acquiring a corresponding result set in an updated data table of the database;
and sending the decrypted result set obtained by decrypting the result set to the user side.
2. The interceptor-based data encryption method of claim 1, wherein sending the decrypted result set obtained by decrypting the result set to the user side comprises:
judging whether an encryption mark or a decryption annotation exists in the result set;
and if the result set has the encryption mark or the decryption annotation, acquiring a corresponding target result set, and decrypting the target result set through a current working key corresponding to the initial working key to obtain a decrypted result set.
3. The interceptor-based data encryption method of claim 1, wherein encrypting the personal authentication information with the initial working key as a key to obtain encrypted personal authentication information comprises:
encrypting the personal verification information by taking the personal verification information as a plaintext and the initial working key as a key to obtain initially encrypted personal verification information;
and adding an encryption mark to the prefix of the encrypted personal authentication information to obtain the encrypted personal authentication information.
4. The interceptor-based data encryption method of claim 1, wherein encrypting the personal authentication information with the initial working key as a key to obtain encrypted personal authentication information comprises:
encrypting the personal verification information by taking the personal verification information as a plaintext and the initial working key as a key to obtain initially encrypted personal verification information;
adding a predefined decryption annotation to the prefix of the encrypted personal authentication information to obtain the encrypted personal authentication information.
5. The interceptor-based data encryption method of claim 1, wherein obtaining the corresponding result set in the updated data table of the database comprises:
acquiring an ID and an incoming object corresponding to the second precompiled SQL statement;
acquiring a corresponding initial result set in a local database according to the ID and the incoming object;
and performing data type conversion on the initial result set according to preset mapping configuration to obtain a result set.
6. The interceptor-based data encryption method of claim 1, wherein after storing the encrypted personal authentication information in a current data table and obtaining an updated data table, further comprising:
and uploading the updated data table to a block chain network.
7. An interceptor-based data encryption device, comprising:
the first statement intercepting unit is used for judging whether a first precompiled SQL statement is intercepted by a Mybatis interceptor; the original SQL statement corresponding to the first precompiled SQL statement is used for adding personal verification information in a database;
the personal verification information acquisition unit is used for acquiring personal verification information included in the entries of the first precompiled SQL statement through a reflection mechanism if the first precompiled SQL statement is intercepted through a Mybatis interceptor;
the information encryption unit is used for acquiring an initial master key and an initial working key which are randomly generated, and encrypting the personal authentication information by taking the initial working key as a key to obtain encrypted personal authentication information;
the data table updating unit is used for storing the encrypted personal verification information to a current data table to obtain an updated data table;
the second statement intercepting unit is used for judging whether a second precompiled SQL statement is intercepted by a Mybatis interceptor; the original SQL statement corresponding to the second precompiled SQL statement is used for inquiring personal verification information; and
the result set acquisition unit is used for acquiring a corresponding result set in the updated data table of the database if a second precompiled SQL statement is intercepted by the Mybatis interceptor;
and the decryption sending unit is used for sending the decrypted result set obtained by decrypting the result set to the user side.
8. The interceptor-based data encryption device of claim 7, wherein the decryption transmitting unit comprises:
a result set judgment unit for judging whether the result set has an encryption mark or a decryption comment;
and the result set decryption unit is used for acquiring a corresponding target result set if the result set has the encryption mark or the decryption annotation, and decrypting the target result set through the current working key corresponding to the initial working key to obtain a decrypted result set.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the interceptor-based data encryption method of any one of claims 1-6 when executing the computer program.
10. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, causes the processor to carry out the interceptor-based data encryption method of any one of claims 1-6.
CN202010595278.3A 2020-06-23 2020-06-23 Data encryption method and device based on interceptor and computer equipment Pending CN111753320A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010595278.3A CN111753320A (en) 2020-06-23 2020-06-23 Data encryption method and device based on interceptor and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010595278.3A CN111753320A (en) 2020-06-23 2020-06-23 Data encryption method and device based on interceptor and computer equipment

Publications (1)

Publication Number Publication Date
CN111753320A true CN111753320A (en) 2020-10-09

Family

ID=72677445

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010595278.3A Pending CN111753320A (en) 2020-06-23 2020-06-23 Data encryption method and device based on interceptor and computer equipment

Country Status (1)

Country Link
CN (1) CN111753320A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112711762A (en) * 2020-12-22 2021-04-27 航天信息股份有限公司 Transparent encryption method for database
CN113127505A (en) * 2021-05-17 2021-07-16 北京奇艺世纪科技有限公司 Monitoring method and device for Structured Query Language (SQL) system and electronic equipment
CN113127505B (en) * 2021-05-17 2024-04-23 北京奇艺世纪科技有限公司 Monitoring method and device of Structured Query Language (SQL) system and electronic equipment
CN113486326A (en) * 2021-07-02 2021-10-08 重庆沄析工业互联网有限公司 Method for realizing data line permission based on Mybatis interceptor
CN113779598A (en) * 2021-08-27 2021-12-10 北京达佳互联信息技术有限公司 Data processing method, device, server and storage medium
CN114297699A (en) * 2022-03-10 2022-04-08 好享家舒适智能家居股份有限公司 Automatic encryption and decryption method and system for complex structure data

Similar Documents

Publication Publication Date Title
CN111753320A (en) Data encryption method and device based on interceptor and computer equipment
US10284372B2 (en) Method and system for secure management of computer applications
US10129028B2 (en) Relational encryption for password verification
EP2778951B1 (en) Database encryption system, method and program
US9600677B2 (en) Database apparatus, method, and program
CN111884986B (en) Data encryption processing method and device and storage medium
CN111737720B (en) Data processing method and device and electronic equipment
CN109787956B (en) Data table encryption method and device, computer equipment and storage medium
CN109936546B (en) Data encryption storage method and device and computing equipment
JP2019057822A (en) Medical data retrieval system, medical data retrieval method, and medical data retrieval program
CN111917711B (en) Data access method and device, computer equipment and storage medium
CN108170753B (en) Key-Value database encryption and security query method in common cloud
US11748521B2 (en) Privacy-enhanced computation via sequestered encryption
CN114416773A (en) Data processing method, device, storage medium and server
US20230144072A1 (en) Data storage server and client devices for securely storing data
US20220353092A1 (en) System and Method for Secure Internet Communications
CN115361198A (en) Decryption method, encryption method, device, computer equipment and storage medium
US11455404B2 (en) Deduplication in a trusted execution environment
CN114329596A (en) Firmware updating method, device and system for Internet of things equipment
CN110166452B (en) Access control method and system based on JavaCard shared interface
CN109933994B (en) Data hierarchical storage method and device and computing equipment
CN113434535A (en) Data processing method, communication system, device, product and storage medium
EP4154149B1 (en) Data storage server and client devices for securely storing data
CN117313144A (en) Sensitive data management method and device, storage medium and electronic equipment
CN116318991A (en) Sensitive data desensitization method, device and medium based on cloud service

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination