CN114826702A - Database access password encryption method and device and computer equipment - Google Patents

Database access password encryption method and device and computer equipment


Publication number
CN114826702A
Authority
CN
China
Prior art keywords
password
current user
encrypted
access
user
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210373593.0A
Other languages
Chinese (zh)
Inventor
陶文伟
吴金宇
胡荣
江泽铭
曹扬
陈刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Southern Power Grid Co Ltd
Original Assignee
China Southern Power Grid Co Ltd
Application filed by China Southern Power Grid Co Ltd
Priority to CN202210373593.0A
Publication of CN114826702A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Abstract

The application relates to a database access password encryption method, a database access password encryption device and computer equipment. First, if a user password request is received from the current user and the identity of the current user is legal, an access password is generated for the current user and a target cipher machine is assigned to that user. The access password is encrypted by the target cipher machine to obtain an encrypted access password, which is then sent to the current user; the encrypted access password instructs the current user to access the database with it. The method improves the security of database access and ensures its reliability.

Description

Database access password encryption method and device and computer equipment
Technical Field
The present application relates to the field of network security technologies, and in particular, to a database access password encryption method, apparatus, and computer device.
Background
A distributed database system is physically distributed but logically centralized, and can be viewed as an organic combination of a computer network and a database system. Rapid advances in computer technology have driven the development of distributed databases, but have also made their security problems more complex.
Network security is the basis of distributed database security. Attackers commonly exploit data-access vulnerabilities in the distributed database to defeat the network security mechanisms of the whole server, which has led to a large number of data leakage incidents.
Therefore, improving the access security of distributed databases in order to prevent data leakage is an urgent problem to be solved.
Disclosure of Invention
Therefore, to solve the above technical problems, it is necessary to provide a database access password encryption method, device and computer device that can prevent data leakage and improve the access security of a distributed database.
In a first aspect, the present application provides a database access password encryption method, including:
if a user password request of the current user is received and the identity of the current user is legal, generating an access password for the current user;
assigning a target cipher machine to the current user, where the target cipher machine comprises at least two cipher machines;
encrypting the access password with the target cipher machine to obtain an encrypted access password;
and sending the encrypted access password to the current user, where the encrypted access password instructs the current user to access the database with it.
In one embodiment, the user password request includes identity information of the current user, and before generating the access password of the current user, the method further includes:
detecting whether identity information identical to that of the current user exists in an identity information database, the identity information database comprising the identity information of a plurality of users;
and if so, determining that the identity of the current user is legal.
In one embodiment, assigning a target cipher machine to the current user comprises:
assigning a target cipher machine to the current user according to a preset mapping table that records the correspondences between users and cipher machines.
In one embodiment, encrypting the access password with the target cipher machine to obtain an encrypted access password includes:
segmenting the access password according to the number of cipher machines in the target cipher machine to obtain a plurality of password segments, the number of password segments being equal to the number of cipher machines, with each cipher machine corresponding to one password segment;
sending each password segment to its corresponding cipher machine and encrypting each password segment with that cipher machine to obtain a plurality of encrypted password segments;
and receiving the encrypted password segments returned by the cipher machines and generating the encrypted access password from the received encrypted password segments.
In one embodiment, each cipher machine cross-encrypts its password segment to obtain a cross-encrypted password segment, and creates an index for each cross-encrypted password segment according to the arrangement order of the password segments, giving a plurality of encrypted password segments.
In one embodiment, generating the encrypted access password from the received encrypted password segments includes:
fusing the encrypted password segments according to the index corresponding to each encrypted password segment to obtain the encrypted access password.
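The segmentation, per-machine encryption, indexing and fusion steps described above, as an added Python simulation that is not the patent's code: each CipherMachine object stands in for one hardware cipher machine with its own key, the cipher inside it is a constructed stand-in (HMAC-SHA256 keystream plus HMAC tag) so the script runs offline on the standard library, the "cross-encryption" wording is not modelled, and the serialised token format, function names and demo keys are assumptions made here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class EncryptedSegment:
    index: int        # arrangement position of the segment within the password
    nonce: bytes
    ciphertext: bytes
    tag: bytes        # authenticates index + nonce + ciphertext under the machine's key


class CipherMachine:
    """Stand-in for one cipher machine: holds a key that never leaves it.

    The cipher is a constructed placeholder (HMAC-SHA256 keystream XOR plus an
    HMAC tag), chosen only so the script runs on the standard library; a real
    deployment would call the machine's own authenticated-encryption API.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key

    def _prf(self, *parts: bytes) -> bytes:
        return hmac.new(self._key, b"".join(parts), hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks = [self._prf(b"ks", nonce, i.to_bytes(4, "big")) for i in range(length // 32 + 1)]
        return b"".join(blocks)[:length]

    def _tag(self, index: int, nonce: bytes, ciphertext: bytes) -> bytes:
        return self._prf(b"tag", index.to_bytes(4, "big"), nonce, ciphertext)

    def encrypt(self, index: int, segment: bytes) -> EncryptedSegment:
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(segment, self._keystream(nonce, len(segment))))
        return EncryptedSegment(index, nonce, ct, self._tag(index, nonce, ct))

    def decrypt(self, seg: EncryptedSegment) -> bytes:
        if not hmac.compare_digest(seg.tag, self._tag(seg.index, seg.nonce, seg.ciphertext)):
            raise ValueError(f"segment {seg.index}: wrong machine or tampered segment")
        ks = self._keystream(seg.nonce, len(seg.ciphertext))
        return bytes(a ^ b for a, b in zip(seg.ciphertext, ks))


def split_password(password: bytes, machine_count: int) -> list:
    """Segmentation step: one segment per cipher machine; leading segments absorb the remainder."""
    if machine_count < 2:
        raise ValueError("a target cipher machine comprises at least two cipher machines")
    if len(password) < machine_count:
        raise ValueError("the password has fewer bytes than there are cipher machines")
    base, extra = divmod(len(password), machine_count)
    segments, pos = [], 0
    for i in range(machine_count):
        size = base + (1 if i < extra else 0)
        segments.append(password[pos:pos + size])
        pos += size
    return segments


def fuse(encrypted: list) -> str:
    """Fusion step: restore the arrangement order from the indexes and serialise the segments."""
    ordered = sorted(encrypted, key=lambda s: s.index)
    if [s.index for s in ordered] != list(range(len(ordered))):
        raise ValueError("missing or duplicated segment index")
    return "|".join(f"{s.index}:{s.nonce.hex()}:{s.ciphertext.hex()}:{s.tag.hex()}" for s in ordered)


def unfuse(fused: str) -> list:
    segments = []
    for part in fused.split("|"):
        idx, nonce, ct, tag = part.split(":")
        segments.append(EncryptedSegment(int(idx), bytes.fromhex(nonce), bytes.fromhex(ct), bytes.fromhex(tag)))
    return segments


def encrypt_access_password(password: bytes, machines: list) -> str:
    """Server side of S203: split, send one segment to each machine, fuse the replies."""
    segments = split_password(password, len(machines))
    replies = [m.encrypt(i, seg) for i, (m, seg) in enumerate(zip(machines, segments))]
    replies.reverse()  # replies may arrive in any order; fuse() relies on the indexes, not arrival order
    return fuse(replies)


def recover_access_password(fused: str, machines: list) -> bytes:
    """Inverse path: every machine must take part; one machine alone can open only its own segment."""
    segments = unfuse(fused)
    if len(segments) != len(machines):
        raise ValueError("segment count does not match the target cipher machine")
    return b"".join(machines[s.index].decrypt(s) for s in sorted(segments, key=lambda s: s.index))


if __name__ == "__main__":
    # constructed demo keys; a real cipher machine generates and keeps its own
    demo = [CipherMachine(hashlib.sha256(b"demo-machine-%d" % i).digest()) for i in range(4)]
    token = encrypt_access_password(b"S3cret-Access-Pw!", demo)
    print(token)
    print(recover_access_password(token, demo))
```

Because each segment's tag binds its index, a reordered, swapped or edited segment is rejected at recovery rather than silently producing a different password.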
In one embodiment, sending the encrypted access password to the current user includes:
acquiring a public key of the access password and a private key of the current user, and performing an identity authentication operation on the current user with the public key and the private key;
and if the identity authentication of the current user passes, sending the encrypted access password to the current user.
In one embodiment, performing the identity authentication operation on the current user with the public key and the private key includes:
sending the private key to the current user;
if a response signal is received from the current user, matching the public key against the private key, where the response signal is the confirmation the current user returns after receiving the private key;
and if the public key and the private key match successfully, determining that the identity authentication of the current user passes.
In a second aspect, the present application further provides a database access password encryption apparatus, including:
a generation module for generating the access password of the current user if a user password request of the current user is received and the identity of the current user is legal;
an assignment module for assigning a target cipher machine to the current user, the target cipher machine comprising at least two cipher machines;
an encryption module for encrypting the access password with the target cipher machine to obtain the encrypted access password;
and a sending module for sending the encrypted access password to the current user, where the encrypted access password instructs the current user to access the database with it.
In a third aspect, an embodiment of the present application provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor implements the steps of any one of the methods provided in the embodiments of the first aspect when executing the computer program.
In a fourth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of any one of the methods provided in the embodiments of the first aspect.
In a fifth aspect, the present application provides a computer program product, which includes a computer program that, when executed by a processor, implements the steps of any one of the methods provided in the embodiments of the first aspect.
According to the method, device and computer equipment for encrypting the database access password, first, if a user password request of the current user is received and the identity of the current user is legal, the access password of the current user is generated and a target cipher machine is assigned to the current user; the access password is encrypted with the target cipher machine to obtain an encrypted access password, which is then sent to the current user and instructs the current user to access the database with it. The method first judges the identity of the user from the user password request, and only if the identity is legal does it generate an access password, assign cipher machines to the current user and encrypt the access password with them. Because at least two cipher machines are used to encrypt the access password, the security of the access password is ensured and the reliability and security of database access are improved.
Drawings
FIG. 1 is a diagram of an application environment for a database access password encryption method in one embodiment;
FIG. 2 is a schematic flow chart diagram illustrating a database access password encryption method in one embodiment;
FIG. 3 is a flowchart illustrating a database access password encryption method according to another embodiment;
FIG. 4 is a schematic flow chart diagram of a database access password encryption method in another embodiment;
FIG. 5 is a flowchart illustrating a database access password encryption method according to another embodiment;
FIG. 6 is a flowchart illustrating a database access password encryption method according to another embodiment;
FIG. 7 is a flowchart illustrating a database access password encryption method according to another embodiment;
FIG. 8 is a flowchart illustrating a database access password encryption method according to another embodiment;
FIG. 9 is a block diagram showing the construction of a database access password encryption apparatus according to one embodiment;
FIG. 10 is a diagram showing an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The database access password encryption method provided by the embodiments of the application can be applied to the environment shown in fig. 1, where the current user communicates with the server via the network. The database stores the data the server needs to process; it may be integrated on the server or placed in the cloud or on another network server.
The server may be implemented by an independent server or a server cluster composed of a plurality of servers.
The embodiment of the application provides a database access password encryption method, a database access password encryption device and computer equipment, which can prevent data leakage and improve the access security of a distributed database.
The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application.
In an embodiment, a database access password encryption method is provided. Taking the application environment of fig. 1 as an example, this embodiment concerns the specific process of generating an access password for the current user if a user password request is received and the identity of the current user is legal, assigning a target cipher machine to the current user, encrypting the access password with the target cipher machine to obtain an encrypted access password, and sending the encrypted access password to the current user, who uses it to access the database. As shown in fig. 2, the embodiment includes the following steps:
S201, if a user password request of the current user is received and the identity of the current user is legal, generate an access password for the current user.
First, when a user wants to access data in the database, the user must send a user password request to the server; the user password request is the request that the user sends to the server in order to access the database.
The current user is the user who currently needs to access the database. When the server receives the user password request of the current user, it further judges whether the identity of the current user is legal, and if so, generates an access password for the current user.
Whether the identity of the current user is legal is judged by some means that confirms the identity of the current user, that is, identity verification is completed. The aim of identity verification is to confirm that the user who currently claims a certain identity really is the claimed user.
There are three ways of judging whether the identity of the current user is legal: based on a shared key, based on a biometric feature, or based on a public-key encryption algorithm.
Verification of user identity validity based on a shared key means that the server and the user jointly hold one password or a group of passwords. When the user needs identity verification, the user submits the jointly held password, either by entering it or through a device in which the password is stored. After the server receives the password submitted by the user, it checks whether that password is consistent with the password stored on the server; if so, the user is judged to be a legal user, and if the submitted password is inconsistent with the stored password, the authentication is judged to have failed.
If the shared-key method is used to judge whether the identity of the current user is legal, the password jointly held by the current user and the server can be carried in the user password request of the current user. After receiving the request, the server judges whether the password in the request is consistent with the password it has stored; if so, the identity of the current user is judged to be legal, otherwise it is judged to be illegal.
Authentication based on a public-key encryption algorithm means that the two communicating parties hold a public key and a private key respectively: one party encrypts specific data with the private key and the other decrypts it with the public key; if decryption succeeds, the user is considered a legal user, otherwise authentication is considered to have failed.
If a public-key encryption algorithm is used to judge whether the identity of the current user is legal, the user password request of the current user can carry specific data encrypted with the private key of the current user. After receiving the request, the server decrypts the encrypted data carried in it using the server's public key; if decryption succeeds, the identity of the current user is determined to be legal, otherwise it is illegal.
If the identity of the current user is legal, an access password is generated for the current user. The access password is set on the server, and the current user can access the database with it. The server generates the access password of the current user according to a preset access policy for the database; the access policy may be one configured for the current user and includes information such as DNS intelligent resolution, a master/backup address pool set and an effective address pool set switching policy, and may for example be a preset access protocol.
The above describes the case in which the identity of the current user is legal. If the identity of the current user is illegal, the server adds the current user to a blacklist.
S202, assign a target cipher machine to the current user; the target cipher machine includes at least two cipher machines.
A cipher machine is a dedicated device that uses cryptography to encrypt, decrypt and authenticate information. Its basic function is the cryptographic protection of information, and it is mainly used for communication security, that is, it cryptographically transforms information transmitted by various communication means, facilities and modes.
Besides communication security, cipher machines are also applied to information integrity checking, identity authentication and digital signatures; they are closely combined with various information media and military applications and provide information security and integrity services.
The main classes of cipher machines are as follows: by technical structure, mechanical, electromechanical, photoelectric, electronic and microelectronic cipher machines; by user, general-purpose cipher machines and those for the military and special forces; by carrier equipment, special cipher machines such as vehicle-mounted, ship-mounted, airborne and satellite-mounted cipher machines; by operating environment, low-radiation cipher machines, ruggedized cipher machines for harsh environments and portable cipher machines for mobile operations; by physical location in the communication network, terminal, server, gateway and node cipher machines; and by the network protocol layer of the computer on which the protected data resides, physical-layer, link-layer, Internet Protocol (IP) layer, transport-layer and application-layer cipher machines.
It should be noted that the embodiments of the present application do not limit the type of cipher machine.
After the access password is generated for the current user, cipher machines are assigned to the current user; the cipher machines assigned to the current user are determined as the target cipher machine, and at least two cipher machines are assigned.
The cipher machines may be assigned to the current user according to a preset assignment method, which may be preset to assign a preset number of cipher machines to the current user; for example, 4 cipher machines may be assigned to the current user.
S203, encrypt the access password with the target cipher machine to obtain the encrypted access password.
To counter attackers who bypass the database's own security mechanisms and access database files directly through network protocols or operating-system security vulnerabilities, the access password may be encrypted.
Encryption is a technique for restricting access to data transmitted over a network. It prevents an intruder from viewing confidential data files, from disclosing or tampering with confidential data, from viewing private data files as a privileged user (for example a system administrator), and from easily locating system files.
A cipher machine can apply a cipher to encrypt and decrypt information, so the cipher machine can encrypt the access password to obtain the encrypted access password.
The access password may be encrypted as follows: a preset key exists in the target cipher machine, the access password is encrypted with that preset key, and a data encryption algorithm is used in the encryption process.
Data encryption algorithms comprise symmetric encryption algorithms and asymmetric encryption algorithms.
A symmetric encryption algorithm is the relatively traditional mode of encryption: the same secret key is used for both the encryption operation and the decryption operation, so the sender and the receiver of the information must jointly hold that key (called the symmetric key) while the information is transmitted and processed. The specific process is that the sender applies a special encryption operation to the plaintext (the original information) and the key, producing a complex encrypted ciphertext, and sends that ciphertext.
An asymmetric encryption algorithm uses a public/private key pair, one key for encryption and the other for decryption: data encrypted with the public key can be decrypted only with the corresponding private key, and data encrypted with the private key can be decrypted only with the corresponding public key. The public key can be widely shared and disclosed when data needs to be transferred to the server from outside in encrypted form.
The basic process of data encryption is to process the original plaintext file or data according to some algorithm so that it becomes a segment of code that is not directly readable, usually called "ciphertext", thereby protecting the data from being illegally stolen and read.
Optionally, two encryption methods can be used when the access password is encrypted. One is the Data Encryption Standard (DES), which uses a 64-bit key; the algorithm is implemented on a small integrated circuit chip and processes ciphertext at 1 Mb/s. The other is a public-key cryptosystem, whose idea is to give each user two codes, an encryption code and a decryption code. The user's encryption code is public, like a telephone number, but only the corresponding decryption code can decrypt the message, and the decryption code cannot be derived from the encryption code because the cryptosystem is asymmetric, that is, the encryption process is not reversible.
Several encryption and decryption algorithms of different security strength and speed should be provided for encrypting the password, so that the user can choose an appropriate algorithm according to the importance of the data object and its access-speed requirement. It should also be possible to adjust the granularity of the encrypted data objects, which can improve access speed while ensuring the security of important data objects. In addition, an encrypted-data index is carefully built for each encrypted data object so that the ciphertext can be searched quickly. If an attacker knows part of the original database and attempts to break the ciphertext by cryptanalysis, a different encryption key may be assigned to each object to be encrypted, using feedback concatenation of the basic encryption algorithm or another method.
S204, send the encrypted access password to the current user, where the encrypted access password instructs the current user to access the database with it.
After encrypting the access password, the server may send the encrypted access password to the current user, and after receiving it the current user can access the database with it.
A database is a warehouse for storing data, and databases include distributed databases. In the embodiments of this application the database a user accesses may be a distributed database; it should be noted that the embodiments do not limit the type of database.
A distributed database system uses a computer network to connect a plurality of logical units (usually centralized databases) that are geographically dispersed and have different centralized management and control requirements, forming a unified database system.
In general, distributed databases face two broad categories of security issues. One is caused by natural factors such as single-site failures and network failures, and protection against these can generally be achieved with the security the network itself provides. The other is man-made attack from the local machine or from the network, that is, hacking; at present the main network hacking methods include interception, replay attack, impersonation attack, unauthorized access and ciphertext breaking.
Therefore, when the database is accessed, the identity of the accessing user must be verified, and to ensure the security of database access the access password must be encrypted, so that the reliability of database access is ensured.
The database access password encryption method first generates an access password for the current user if a user password request is received and the identity of the current user is legal, assigns a target cipher machine to the current user, encrypts the access password with the target cipher machine to obtain an encrypted access password, and then sends the encrypted access password to the current user, who uses it to access the database. The method first judges the identity of the user from the user password request, and only if the identity is legal does it generate an access password, assign cipher machines to the current user and encrypt the access password with them; because at least two cipher machines are used to encrypt the access password, the security of the access password is ensured and the reliability and security of database access are improved.
The generation of the access password of the current user is explained by one embodiment, before the access password of the current user is generated, whether the identity of the current user is legal or not needs to be judged, and if the identity of the current user is legal, the access password of the current user is generated; how to determine that the identity of the current user is legitimate is described below by an embodiment, which includes the following steps in one embodiment, as shown in fig. 3:
s301, detecting whether identity information identical to the identity information of the current user exists in an identity information database; the identity information database comprises identity information of a plurality of users.
Before a user sends a user password request to a server, the user can firstly carry out identity registration on the server and store the identity information of the user who successfully registers in an identity information database of the server; the identity information database stores the identity information of all the users registered on the server, and therefore the identity information database includes the identity information of a plurality of users.
The method comprises the steps that a current user sends a user password request to a server, and after the server receives the user password request of the current user, the server firstly carries out validity verification on identity information of the user; specifically, the user password request carries the identity information of the user, and after receiving the identity information of the user, the server detects whether the identity information identical to the identity information of the current user exists in the identity information database.
S301, if yes, determining that the identity of the current user is legal.
If the identity information database has the identity information which is the same as the identity information of the current user, the identity information of the current user is legal, and if the identity information database does not have the identity information which is the same as the identity information of the current user, the identity of the current user is determined to be illegal.
Optionally, the information filled in when the user registers on the server also includes a selected service and verification information. The selected service represents a service that the user needs to perform on the server, for example accessing a database or modifying a database; the verification information is the answer that the user filled in at registration according to a verification question, for example, for the verification question "What is the name of your primary school?", the user may fill in "x school".
The user password request can also carry the service and the verification information selected by the current user. While the validity of the identity information of the current user is judged, the selected service and the verification information of the current user are judged as well: if the identity information, the selected service and the verification information of the current user are all the same as the information in the identity information database, the identity of the current user is legal, an access password of the current user is generated, and a globally unique user number can be allocated to the current user to uniquely identify the current user; otherwise, the identity of the current user is illegal, and the current user is added to a blacklist.
The database access password encryption method comprises the steps of detecting whether identity information identical to identity information of a current user exists in an identity information database, wherein the identity information database comprises identity information of a plurality of users; and if so, determining that the identity of the current user is legal. In the method, whether the identity of the current user is legal or not is judged according to the identity information of the current user, so that the safety and reliability of database access are improved.
In one embodiment, assigning a target cryptographic engine to a current user comprises: distributing a target cipher machine to a current user according to a preset mapping table; the mapping table includes a plurality of user and cipher machine correspondences.
After the user successfully registers on the server, the server allocates cipher machines to the user and stores the user together with the number of allocated cipher machines in a mapping table, so that the mapping table holds a correspondence between each user and a number of cipher machines; for example, user 1 corresponds to 3 cipher machines and user 2 corresponds to 5 cipher machines. If user 1 is the current user, 3 cipher machines are allocated to user 1; if user 2 is the current user, 5 cipher machines are allocated to user 2.
The number of the cipher machines in the target cipher machine allocated for the current user at least comprises two, one cipher machine is a main cipher machine, and the other cipher machines are all slave cipher machines, and if the number of the cipher machines in the target cipher machine is 5, 1 main cipher machine and 4 slave cipher machines exist.
In one embodiment, as shown in fig. 4, the encrypting the access password by the target password machine to obtain the encrypted access password includes the following steps:
S401, performing a segmentation operation on the access password according to the number of cipher machines in the target cipher machine to obtain a plurality of password segments; the number of password segments is the same as the number of cipher machines, and each cipher machine corresponds to one password segment.
One way to perform the segmentation operation is to use a preset neural network model: the number of cipher machines in the target cipher machine and the access password are used as the input of the model, and the model outputs a plurality of password segments; the number of output password segments is the same as the number of cipher machines in the target cipher machine, and one password segment corresponds to one cipher machine.
For example, the target cipher machine comprises a cipher machine 1, a cipher machine 2 and a cipher machine 3, and the obtained multiple cipher sections comprise a cipher section 1, a cipher section 2 and a cipher section 3, so that the cipher section 1 corresponds to the cipher machine 1, the cipher section 2 corresponds to the cipher machine 2 and the cipher section 3 corresponds to the cipher machine 3 according to a preset corresponding rule; the cipher section 1 can also correspond to the cipher machine 2, the cipher section 2 corresponds to the cipher machine 1, and the cipher section 3 corresponds to the cipher machine 3.
It should be noted that the cipher machines 1, 2 and 3 are names named for better distinguishing the cipher machines in the embodiment of the present application, and have no practical meaning.
S402, sending each password segment to a corresponding password machine respectively, and encrypting each password segment through each password machine to obtain a plurality of encrypted password segments.
Continuing to explain that the password section 1 corresponds to the password machine 1, the password section 2 corresponds to the password machine 2, and the password section 3 corresponds to the password machine 3, and each password section is respectively sent to the corresponding password machine, then the server sends the password section 1 to the password machine 1, sends the password section 2 to the password machine 2, and sends the password section 3 to the password machine 3.
And after the cipher machine receives the corresponding cipher sections, respectively encrypting the respective cipher sections to obtain a plurality of encrypted cipher sections.
When each cipher machine encrypts each cipher segment, the used encryption algorithms may be different or the same, and the embodiment of the present application is not limited herein.
Specifically, encryption algorithms include symmetric encryption algorithms and asymmetric encryption algorithms. Symmetric encryption algorithms include DES, the Triple Data Encryption Algorithm (TDEA), the International Data Encryption Algorithm (IDEA) and the like; asymmetric encryption algorithms include the knapsack algorithm, Elliptic Curve Cryptography (ECC) and the like.
And S403, receiving the encrypted password segments returned by the password machines, and generating the encrypted access password according to the received encrypted password segments.
After each cipher machine encrypts its password segment, it returns the encrypted password segment to the server, and the server receives the encrypted password segments returned by the cipher machines.
After receiving the encrypted password segments of the password machines, the server generates encrypted access passwords according to the encrypted password segments; each encrypted password segment is obtained by segmenting the original access password and then encrypting each segmented password segment through each password machine, so that the encrypted access password can be obtained according to the encrypted password segment.
Optionally, the encrypted access password may be generated by determining through a preset generation algorithm, taking each encrypted password segment as an input of the generation algorithm, and finally outputting the encrypted access password by running the generation algorithm.
According to the database access password encryption method, the access password is segmented according to the number of the cipher machines in the target cipher machine to obtain a plurality of password sections, each password section is respectively sent to the corresponding cipher machines, each password section is encrypted through each cipher machine to obtain a plurality of encrypted password sections, then the encrypted password sections returned by each cipher machine are received, and the encrypted access password is generated according to the received encrypted password sections. According to the method, the access password is divided into password sections with the same number as the password machines, one password section corresponds to one password machine, so that each password machine can encrypt each password section respectively, and each password section is encrypted through a plurality of password machines respectively, so that the security of the access password is improved, and the access security of the distributed database is improved.
In one embodiment, each cipher machine performs cross encryption on each cipher section to obtain cross-encrypted cipher sections, and creates corresponding indexes for the cross-encrypted cipher sections according to the arrangement sequence of each cipher section to obtain a plurality of encrypted cipher sections.
The cross encryption may be cross interlocking. Cross encryption of a password segment may be expressed as inserting data into the password segment; successful insertion indicates that the password segment has been cross-encrypted to obtain the encrypted password segment, that is, an encryption lock is obtained so that the password segment cannot be changed.
Each cipher machine performs cross encryption on its password segment to obtain a cross-encrypted password segment, and creates a corresponding index for the cross-encrypted password segment according to the position of the password segment in the access password, thereby obtaining an encrypted password segment. After each password segment has been cross-encrypted and its index created, each cipher machine can delete the original password segment.
An index is a structure that sorts one or more columns of values in a database table, and the index can be used to quickly access specific information in the database table.
For example, if the access password has the sequence {password segment 1, password segment 2, password segment 3}, the access password is divided into 3 segments: password segment 1 is at the first position of the access password, password segment 2 is at the middle position, and password segment 3 is at the last position, so that index 1 can be created for password segment 1 after cross encryption, index 2 for password segment 2 after cross encryption, and index 3 for password segment 3 after cross encryption.
The encrypted password segment comprises all the password segments subjected to cross encryption and corresponding indexes.
Optionally, the cryptographic engines in the target cryptographic engine include a master cryptographic engine and at least one slave cryptographic engine, and when each cryptographic engine performs cross encryption on each cryptographic section, the master cryptographic engine performs cross interlocking on the cryptographic section corresponding to the master cryptographic engine by using the access password, and each slave cryptographic engine performs cross interlocking on the cryptographic section corresponding to each slave cryptographic engine by using the cryptographic section corresponding to the master cryptographic engine.
In one embodiment, generating an encrypted access password from a received encrypted password segment comprises: and performing fusion processing on each encrypted password segment based on the index corresponding to each encrypted password segment to obtain an encrypted access password.
According to the index corresponding to each encrypted password segment, the encrypted password segments can be fused, for example, the index corresponding to the encrypted password segment 1 is a, the index corresponding to the encrypted password segment 2 is b, the index corresponding to the encrypted password segment 3 is c, and if the sequence of the preset indexes is abc, the encrypted access password is { the encrypted password segment 1, the encrypted password segment 2, and the encrypted password segment 3 }.
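The pipeline of steps S401 to S403 with cross interlocking and index-based fusion, as an added example (not the patent's code): the access password is split evenly over the cipher machines, the master machine encrypts its segment under the full access password, each slave machine encrypts its segment under the master's segment, and the server fuses the returned segments by index regardless of the order in which the machines answer. The cipher machine algorithm is an assumption, an HMAC-SHA256 keystream standing in for whatever algorithm a real cipher machine uses; the machine names and the sample password are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class EncryptedSegment:
    """What a cipher machine returns to the server: the segment's index (its
    position in the original access password), the machine name and the ciphertext."""
    index: int
    machine: str
    ciphertext: bytes


def split_password(password: bytes, n_machines: int) -> list[bytes]:
    """S401: average segmentation, one segment per cipher machine."""
    if n_machines < 2:
        raise ValueError("the target cipher machine needs at least two machines")
    if len(password) < n_machines:
        raise ValueError("access password is shorter than the number of cipher machines")
    base, extra = divmod(len(password), n_machines)
    segments, pos = [], 0
    for i in range(n_machines):
        size = base + (1 if i < extra else 0)  # spread the remainder over the first segments
        segments.append(password[pos:pos + size])
        pos += size
    return segments


def _keystream_xor(key: bytes, data: bytes, label: bytes) -> bytes:
    """Illustrative stand-in for a cipher machine's algorithm (assumption): an
    HMAC-SHA256 counter-mode keystream XORed over the segment. A real cipher
    machine would use its own symmetric or asymmetric algorithm."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class CipherMachine:
    """Hypothetical cipher machine: encrypts one segment under an interlock value."""

    def __init__(self, name: str) -> None:
        self.name = name

    def encrypt_segment(self, index: int, segment: bytes, interlock: bytes) -> EncryptedSegment:
        # The interlock value (the full access password for the master machine, the
        # master's segment for a slave machine) is bound into the key, so a slave's
        # ciphertext cannot be reproduced without the master's segment.
        key = hashlib.sha256(b"interlock:" + interlock).digest()
        return EncryptedSegment(index, self.name, _keystream_xor(key, segment, self.name.encode()))


def encrypt_access_password(password: bytes, machines: list[CipherMachine]) -> list[EncryptedSegment]:
    """S401-S402 plus cross interlocking: machines[0] is the master cipher machine,
    the rest are slave cipher machines. Returns the encrypted segments with their
    indexes, the way the server receives them back."""
    segments = split_password(password, len(machines))
    master_segment = segments[0]
    encrypted = [machines[0].encrypt_segment(0, master_segment, password)]
    for index in range(1, len(machines)):
        encrypted.append(machines[index].encrypt_segment(index, segments[index], master_segment))
    return encrypted


def fuse_encrypted_segments(returned: list[EncryptedSegment]) -> bytes:
    """S403: fusion by index. Works whatever order the machines answered in, and
    rejects a missing or duplicated index instead of producing a wrong password."""
    indexes = sorted(seg.index for seg in returned)
    if indexes != list(range(len(returned))):
        raise ValueError(f"incomplete or duplicated segment indexes: {indexes}")
    return b"".join(seg.ciphertext for seg in sorted(returned, key=lambda seg: seg.index))


if __name__ == "__main__":
    # Constructed sample: one master and two slave cipher machines, a 16-byte password.
    machines = [CipherMachine("master"), CipherMachine("slave-1"), CipherMachine("slave-2")]
    encrypted = encrypt_access_password(b"Pa55w0rd-Example", machines)
    # Feed the segments back in reverse order to show that fusion relies on the index.
    print(fuse_encrypted_segments(encrypted[::-1]).hex())
```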
In one embodiment, as shown in fig. 5, sending the encrypted access password to the current user includes the following steps:
S501, obtaining a public key of the access password and a private key of the current user, and performing an identity authentication operation on the current user through the public key and the private key.
And respectively acquiring a public key of the access password and a private key of the current user through key delegation.
Optionally, the public key of the access password and the private key of the current user may be obtained by obtaining a public key of a server and a private key of the current user in a key management center, where the public key of the server is the public key of the access password; the key management center stores public keys and private keys of a plurality of users and servers in advance.
In one embodiment, the server and the user share a set of public key and private key, so that the current user is authenticated by the public key and the private key, and the specific data may be encrypted by the public key and decrypted by the private key.
And S502, if the identity authentication of the current user passes, sending the encrypted access password to the current user.
Based on the above embodiment, if the private key can decrypt the encrypted specific data and the decryption succeeds, it indicates that the identity authentication of the current user passes, and the server sends the encrypted access password to the current user.
The identity authentication of the current user can further determine that the current user is a legal user and is a user with data block access authority through representation, so that the encrypted access password is sent to the current user, and the current user can access the database according to the encrypted access password.
The above is an explanation of a case that the identity authentication of the current user passes, and there is a case that the identity authentication of the current user does not pass, and in an embodiment, the embodiment includes: and if the identity authentication of the current user does not pass, executing a timing task, clearing the invalid access password, and then re-executing the steps of obtaining the access password and encrypting.
After a target cipher machine and an access cipher are distributed for a current user, a list of data tables is newly added in a server, and the data tables are used for recording the number of the cipher machines and the access cipher transmission thread information which are obtained currently.
If the identity authentication of the current user does not pass, the server first queries whether the number of cipher machines and the thread information recorded in the data table are the same as those of the current user. If they are the same, the encrypted access password is sent directly to the current user; if not, the server starts recording the access password failure time, executes a timing task that clears the failed access password, re-acquires the access password, and executes the step of encrypting the access password again. The timing task clears the access password once the access password failure time reaches a preset time.
In this embodiment, the step of reacquiring the access password and performing encryption on the access password is the same as that described in the above embodiment, and is not described herein again.
The database access password encryption method comprises the steps of obtaining a public key of an access password and a private key of a current user, executing identity authentication operation on the current user through the public key and the private key, and sending the encrypted access password to the current user if the identity authentication of the current user passes. In the method, the identity of the current user is further authenticated, and if the identity authentication operation of the current user is successful, the encrypted access password is sent to the current user, so that the validity of the identity of the current user is further verified, and the access security of the database is improved.
In one embodiment, as shown in fig. 6, performing an identity authentication operation on a current user through a public key and a private key includes the following steps:
S601, sending a private key to the current user.
When the identity authentication operation is executed for the current user, the private key is first sent to the current user.
S602, if a response signal of the current user is received, matching the public key with the private key; the response signal represents the confirmation signal after the current user receives the private key.
After receiving the private key, the current user sends a response signal to the server, and the response signal is used for indicating that the current user has received the private key; and if the server receives the response signal of the current user, the server matches the public key with the private key, and the matching mode can be that whether the public key and the private key accord with a preset matching rule is verified.
Optionally, the matching rule may be that the server encrypts the preset data by using a public key, and then decrypts the encrypted preset data according to a private key.
S603, if the public key and the private key are successfully matched, the identity authentication of the current user is determined to be passed.
If the preset data encrypted by the public key is decrypted by the private key and is the original preset data, the successful matching of the public key and the private key is represented, otherwise, the unsuccessful matching of the public key and the private key is represented.
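The S601 to S603 exchange as an added example (not the patent's code): the server records that the private key was sent, waits for the user's response signal, and only then checks the key pair by encrypting preset data with the public key and decrypting it with the private key. The key pair is textbook RSA generated here so the example runs offline, an assumption standing in for the key management center and a padded scheme; the user ids and preset data are constructed.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Textbook RSA (no padding), generated locally only so the example is self-contained.
_SMALL_PRIMES = [p for p in range(3, 200) if all(p % d for d in range(2, int(p ** 0.5) + 1))]


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test after trial division by small primes."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512) -> tuple[tuple[int, int], tuple[int, int]]:
    """Returns ((e, n), (d, n)): the public key and the matching private key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


class User:
    """Current user: holds the private key once received and answers with a response signal."""

    def __init__(self) -> None:
        self.private_key: tuple[int, int] | None = None

    def receive_private_key(self, private_key: tuple[int, int]) -> bool:
        self.private_key = private_key
        return True  # the response (confirmation) signal of S602


@dataclass
class AuthSession:
    """Server-side state of the S601-S603 exchange for one current user."""
    private_key_sent: bool = False
    response_received: bool = False
    authenticated: bool = False


class MasterServer:
    def __init__(self, public_key: tuple[int, int], preset_data: bytes) -> None:
        self.public_key = public_key
        self.preset_data = preset_data  # the preset data used by the matching rule
        self.sessions: dict[str, AuthSession] = {}

    def send_private_key(self, user_id: str, user: User, private_key: tuple[int, int]) -> None:
        """S601: hand the private key to the current user (trusted channel assumed)."""
        self.sessions[user_id] = AuthSession(private_key_sent=True)
        user.receive_private_key(private_key)

    def on_response_signal(self, user_id: str, user: User) -> bool:
        """S602: matching runs only after a key was sent and the user confirmed receipt."""
        session = self.sessions.get(user_id)
        if session is None or not session.private_key_sent or user.private_key is None:
            return False
        session.response_received = True
        session.authenticated = self.keys_match(user.private_key)  # S603
        return session.authenticated

    def keys_match(self, private_key: tuple[int, int]) -> bool:
        """Matching rule: encrypt the preset data with the public key and check that the
        private key decrypts it back to the original preset data."""
        e, n_pub = self.public_key
        d, n_priv = private_key
        m = int.from_bytes(self.preset_data, "big")
        if m >= n_pub:
            raise ValueError("preset data too large for this key size")
        return pow(pow(m, e, n_pub), d, n_priv) == m
```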
In order to prevent various impersonation attacks, two-way authentication is performed between a user and a master server before data access operation is performed, for example, the user needs to verify the identity when logging in a distributed database or data transmission is performed between a server and a server of a distributed database system.
In the authentication protocol, each site obtains a key for communicating with a target site from a key management center and uses it for secure communication. The key management center is responsible for managing and securely distributing a large number of keys, so the system requires a key management center trusted by all sites. In the embodiment of the present application, the site and the target site may correspond one to one to the user and the database.
The database access password encryption method comprises the steps of sending a private key to a current user, matching the public key with the private key if a response signal of the current user is received, wherein the response signal represents a confirmation signal after the current user receives the private key, and determining that the identity authentication of the current user passes if the public key is successfully matched with the private key. The method further limits the identity authentication mode of the current user, and improves the access security of the database.
In an embodiment, as shown in fig. 7, the embodiment provides a process of encrypting an access password, where a server takes a master control server as an example, after receiving a user password request submitted by a user, the master control server first performs identity authentication on the user, determines validity of the user identity, if the user identity is illegal, invokes a verification result and pulls a current user into a blacklist, and if the user identity is legal, allocates a globally unique user ID of a system to the legal user.
Then, the master control server distributes at least two cipher machines for the user with the legal user identity judgment, wherein one master cipher machine and at least one slave cipher machine generate an access password for the user according to the formulated access strategy; segmenting access passwords according to the number of the password machines, wherein one password machine corresponds to one password segment; and the password section of the main password machine and the access password are subjected to cross interlocking and encryption, the slave password machine encrypts the stored password section and creates a unique index, and the encrypted access password is obtained according to the encrypted password section.
And finally, obtaining a public key of the master control server and a private key of the current user through key delegation, sending the private key of the current user to the user, judging that the password verification is passed if the user receives the key, executing authentication operation and sending the encrypted access password to the user, and if the password verification is not passed, re-executing the process of obtaining and encrypting the access password.
In one embodiment, in order to simplify distribution of a communication key between a user and a server, a bidirectional identity authentication technology based on a public key cryptosystem can be adopted, in the technology, the user and the server generate a public key pair of an asymmetric cryptographic algorithm, a private key is stored by the user, and the public key of the user and the private key can be distributed to other cryptographic machines in a distributed system through a trusted channel, so that identities can be mutually authenticated by using obtained public key information between any two users and the server.
The method is forward-looking: it guarantees security for the distributed password problem, provides strong security control, enhances the reliability and privacy of the password, removes the global trust placed in a centralized server by using a distributed password, provides password access control through encryption, and guarantees reliability, usability and correctness. Because of the re-encryption using the password segments, the unencrypted symmetric key (which can decrypt private data) is never exposed on the server side; even if the server is compromised, only the re-encrypted key is available to the attacker, and access to files remains protected.
In a distributed system environment, the same encryption method can be executed by only one thread of one machine at the same time, and meanwhile, the method has high availability and high performance, and can acquire the legality of the user identity and verify the legality of the user identity, so that the safety of the encryption process is ensured.
In one embodiment, after the user successfully authenticates with the master crypto-machine and the slave crypto-machine, data transmission can be performed, and in order to resist message eavesdropping and message retransmission attacks, a secret channel needs to be established between two communication parties to perform encrypted transmission on the data. In the distributed database, the system is encrypted and decrypted by using an encryption and decryption algorithm because the transmitted data volume is large. The process of establishing the secure channel is to agree on a session key, and encrypt and decrypt data with the session key. This process can also be combined with authentication in general. The Secure communication may be implemented by a distributed database system, or may employ a security mechanism provided by an underlying network protocol, such as Secure Socket Layer (SSL).
Generally, in a database management system, any user cannot directly manipulate inventory data in order to prevent an unauthorized attack. The data access request of the user is firstly sent to the access control module for examination, and then the access control module of the system acts on the user with the access authority to complete corresponding data operation. Access control for users has two forms: autonomous access authorization control and mandatory access authorization control; wherein the autonomous access authorization control is set by an administrator an access control table which specifies operations which can be performed and operations which cannot be performed by the user; the mandatory access authorization control respectively grants security levels to the user and the data object in the system, and the operation authority of the user is limited according to the security level relation between the user and the data object.
In the two methods, the smaller the granularity of the data object, the finer the access authority is defined, and the greater the overhead of system management, especially in the distributed database system, on one hand, there are more users and data objects, and on the other hand, the burden of system access control is further aggravated if distributed access control is to be performed.
Many users in the system have similar access rights, so that roles can be determined according to the user rights, one role can be granted to a plurality of users, and one user can have a plurality of roles, thereby reducing the overhead of system access control management to a certain extent.
In one embodiment, in the distributed password database, authentication, secret communication, password encryption and the like all use encryption and decryption algorithms, and authentication only needs to transmit a small amount of control information; secure communications typically convey large data messages in addition to small amounts of control information; the password encryption needs to design data objects with different granularities, and also needs to consider the operations of inserting, deleting, changing data passwords and the like of a password database; therefore, when the encryption and decryption algorithm is selected, the appropriate encryption and decryption algorithm can be selected according to the characteristics of different operation steps of the distributed database system.
Key management includes key generation, key distribution, key storage, key update, key revocation, and the like, and key distribution is a core issue. In addition, because the security strength of the cryptosystem strongly depends on the security of the key, a strict management scheme is made for a large number of public keys and keys involved in the distributed cryptographic database to ensure that the public keys are not counterfeited and the keys are not leaked.
In an embodiment, the server is a master server, as shown in fig. 8, the embodiment includes:
S801, a master control server receives a user password request of a user;
the user password request carries the identity information of the user, the selected service and the verification information.
S802, judging the validity of the user identity according to the user password request;
Specifically, if the user identity exists in the database of the master control server, the user identity is legal; otherwise, the user identity is illegal and the user is added to the blacklist;
S803, if the user identity is legal, at least two cipher machines are allocated to the user;
wherein, the at least two cipher machines comprise a master cipher machine and at least one slave cipher machine; if the user identity is legal, the method further comprises the following steps: and allocating a user number to the user, wherein the user number can uniquely identify the user identity.
S804, generating an access password for the user according to a preset access strategy;
The access policy may be, for example, an access protocol or the like.
S805, segmenting the access password according to the number of the password machines to obtain password segments corresponding to the password machines;
wherein, one cipher machine corresponds to one cipher section; the segmentation mode may be an average segmentation mode or a preset segmentation mode.
S806, the master control server sends each password segment to a corresponding password machine, and instructs the password machine to encrypt the password segment to obtain each encrypted access password segment;
the encryption process comprises the following steps: the code section of the main code machine and the access code are cross interlocked to obtain the encrypted code section of the main code machine; and respectively encrypting the password segments of the slave password machines according to the password segment of the master password machine to obtain the encrypted password segments of the slave password machines, and creating a unique index, wherein one slave password machine corresponds to one index.
S807, receiving each encrypted access password segment returned by each password machine, and obtaining an encrypted access password according to each encrypted access password segment.
And S808, obtaining the public key of the master control server and the private key of the current user through key delegation.
S809, the master control server sends a private key to the user, if the user receives the private key of the user, the password verification is judged to be passed, and the authentication operation is continuously executed;
the authentication operation is to match the public key of the master control server with the private key of the user.
And S810, when the password is not verified, restarting encryption steps S806-S809 to carry out re-encryption.
And S811, if the authentication operation is successful, sending the encrypted access password to the user.
The specific limitations of the database access password encryption method provided in this embodiment may refer to the above step limitations of each embodiment in the database access password encryption method, and are not described herein again.
It should be understood that, although the respective steps in the flowcharts attached to the above-described embodiments are shown sequentially as indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated otherwise, the steps need not be performed in the exact order shown and described, and may be performed in other orders. Moreover, at least a part of the steps in the figures attached to the above-mentioned embodiments may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time but may be performed at different times, and the order of performing these sub-steps or stages is not necessarily sequential; they may be performed alternately or in turn with other steps or with at least a part of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 9, the present application further provides a database access password encryption apparatus 900, where the apparatus 900 includes: a generating module 901, a distributing module 902, an encrypting module 903 and a sending module 904, wherein:
a generating module 901, configured to generate an access password of a current user if a user password request of the current user is received and an identity of the current user is legal;
an allocation module 902, configured to allocate a target cryptographic engine to a current user; the target cipher machine comprises at least two cipher machines;
an encryption module 903, configured to encrypt the access password by using the target password machine to obtain an encrypted access password;
a sending module 904, configured to send the encrypted access password to the current user, where the encrypted access password is used to instruct the current user to access the database according to the encrypted access password.
In one embodiment, the generating module 901 includes:
a detection unit, configured to detect whether identity information identical to the identity information of the current user exists in an identity information database, the identity information database comprising identity information of a plurality of users;
and a determining unit, configured to determine that the identity of the current user is legal if such identity information exists.
In one embodiment, the allocation module 902 includes:
an allocation unit, configured to allocate a target cipher machine to the current user according to a preset mapping table, the mapping table comprising a plurality of correspondences between users and cipher machines.
In one embodiment, the encryption module 903 comprises:
a segmentation unit, configured to segment the access password according to the number of cipher machines in the target cipher machine to obtain a plurality of password segments, where the number of password segments equals the number of cipher machines and each cipher machine corresponds to one password segment;
an encryption unit, configured to send each password segment to its corresponding cipher machine and to encrypt each password segment by that cipher machine, so as to obtain a plurality of encrypted password segments;
and a generating unit, configured to receive the encrypted password segments returned by the cipher machines and to generate the encrypted access password from the received encrypted password segments.
In one embodiment, each cipher machine obtains cross-encrypted password segments by cross-encrypting each password segment, and creates a corresponding index for each cross-encrypted password segment according to the arrangement order of the password segments, thereby obtaining the plurality of encrypted password segments.
In one embodiment, the generating unit includes:
a generating subunit, configured to fuse the encrypted password segments according to the index corresponding to each encrypted password segment, so as to obtain the encrypted access password.
In one embodiment, the sending module 904 includes:
an authentication unit, configured to acquire a public key of the access password and a private key of the current user and to perform an identity authentication operation on the current user using the public key and the private key;
and a sending unit, configured to send the encrypted access password to the current user if the identity authentication of the current user passes.
In one embodiment, the authentication unit comprises:
a sending subunit, configured to send the private key to the current user;
a matching subunit, configured to match the public key with the private key if a response signal from the current user is received, the response signal being a confirmation that the current user has received the private key;
and an authentication subunit, configured to determine that the identity authentication of the current user passes if the public key and the private key are successfully matched.
For the specific definition of the database access password encryption apparatus, reference may be made to the definition of each step of the database access password encryption method above; details are not repeated here. The modules of the database access password encryption apparatus may be implemented wholly or partially in software, in hardware, or in a combination of the two. The modules may be embedded in, or independent of, the target device in hardware form, or may be stored in software form in a memory of the target device so that the target device can invoke them and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, as shown in fig. 10, comprising a processor, a memory, a communication interface, a display screen and an input device connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for running the operating system and the computer program in the non-volatile storage medium. The communication interface of the computer device is used for wired or wireless communication with an external terminal; the wireless communication can be realised through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program, when executed by the processor, implements a database access password encryption method. The display screen of the computer device can be a liquid crystal display or an electronic ink display, and the input device of the computer device can be a touch layer covering the display screen, a key, a trackball or a touchpad arranged on the housing of the computer device, or an external keyboard, touchpad or mouse.
It will be appreciated by those skilled in the art that the structure described above is only a partial structure relevant to the present application and does not limit the computer device to which the present application is applied; a particular computer device may include more or fewer components than those shown in the drawings, may combine certain components, or may have a different arrangement of components.
In one embodiment, there is also provided a computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the following steps when executing the computer program:
if a user password request of the current user is received and the identity of the current user is legal, generating an access password of the current user;
distributing a target cipher machine to the current user; the target cipher machine comprises at least two cipher machines;
encrypting the access password through the target cipher machine to obtain an encrypted access password;
and sending the encrypted access password to the current user, wherein the encrypted access password is used for indicating the current user to access the database according to the encrypted access password.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
detecting whether identity information identical to the identity information of the current user exists in an identity information database; the identity information database comprises identity information of a plurality of users;
and if so, determining that the identity of the current user is legal.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
allocating a target cipher machine to the current user according to a preset mapping table; the mapping table includes a plurality of correspondences between users and cipher machines.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
segmenting the access password according to the number of cipher machines in the target cipher machine to obtain a plurality of password segments; the number of password segments equals the number of cipher machines, and each cipher machine corresponds to one password segment;
sending each password segment to its corresponding cipher machine, and encrypting each password segment through that cipher machine to obtain a plurality of encrypted password segments;
and receiving the encrypted password segments returned by the cipher machines, and generating the encrypted access password from the received encrypted password segments.
In one embodiment, each cipher machine obtains cross-encrypted password segments by cross-encrypting each password segment, and creates a corresponding index for each cross-encrypted password segment according to the arrangement order of the password segments, thereby obtaining the plurality of encrypted password segments.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
and fusing the encrypted password segments according to the index corresponding to each encrypted password segment to obtain the encrypted access password.
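As an added illustration, not code from the patent or its applicant, the segmentation, per-machine encryption, indexing and fusion steps of this embodiment and of the apparatus embodiment above are simulated below in Python. The cipher machines are stand-ins using an HMAC-based cipher from the standard library, the record layout and the binding of the index into the authentication tag are my own assumptions, and the cross-encryption detail is modelled simply as machine i encrypting segment i.

```python
"""Constructed simulation (not the patent's code) of the segmented access-password
encryption: one password segment per cipher machine, each machine encrypts only its
own segment, every ciphertext carries its position index, and the indexed pieces are
fused into the encrypted access password. Standard library only."""
from __future__ import annotations

import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


class CipherMachine:
    """Stand-in for one cipher machine (HSM) holding its own keys and seeing only one
    segment. Cipher: HMAC-SHA256 in counter mode as keystream, encrypt-then-MAC tag,
    segment index bound into the tag as associated data so a segment moved to another
    position fails authentication. A real machine would use its own AEAD (SM4/AES-GCM)."""

    def __init__(self, machine_id: str) -> None:
        self.machine_id = machine_id
        self._enc_key, self._mac_key = os.urandom(32), os.urandom(32)  # never exported

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks = []
        for counter in range((length + 31) // 32):
            msg = nonce + struct.pack(">I", counter)
            blocks.append(hmac.new(self._enc_key, msg, hashlib.sha256).digest())
        return b"".join(blocks)[:length]

    def _tag(self, index: int, nonce: bytes, ct: bytes) -> bytes:
        aad = struct.pack(">I", index)  # position index as associated data
        return hmac.new(self._mac_key, aad + nonce + ct, hashlib.sha256).digest()

    def encrypt_segment(self, index: int, segment: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        ct = bytes(a ^ b for a, b in zip(segment, self._keystream(nonce, len(segment))))
        return nonce + ct + self._tag(index, nonce, ct)

    def decrypt_segment(self, index: int, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(index, nonce, ct)):
            raise ValueError(f"{self.machine_id}: segment {index} failed authentication")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


def split_password(password: bytes, n: int) -> list[bytes]:
    """Segmentation step: n segments, one per cipher machine, lengths as even as possible."""
    if n < 2:
        raise ValueError("the target cipher machine must comprise at least two cipher machines")
    if len(password) < n:
        raise ValueError("password shorter than the number of cipher machines")
    base, extra = divmod(len(password), n)
    segments, pos = [], 0
    for i in range(n):
        size = base + (1 if i < extra else 0)
        segments.append(password[pos:pos + size])
        pos += size
    return segments


def encrypt_access_password(password: bytes, machines: list[CipherMachine]) -> bytes:
    """Encryption and fusion: machine i encrypts segment i only; results are fused in
    index order as (index, length, blob) records."""
    segments = split_password(password, len(machines))
    fused = struct.pack(">B", len(segments))
    for index, (machine, segment) in enumerate(zip(machines, segments)):
        blob = machine.encrypt_segment(index, segment)
        fused += struct.pack(">BH", index, len(blob)) + blob
    return fused


def recover_access_password(fused: bytes, machines: list[CipherMachine]) -> bytes:
    """Inverse of fusion, assumed for the verifying side (the patent does not describe
    it): parse the records and let each machine decrypt its own indexed segment."""
    count, pos, pieces = fused[0], 1, {}
    for _ in range(count):
        index, size = struct.unpack(">BH", fused[pos:pos + 3])
        pos += 3
        pieces[index] = machines[index].decrypt_segment(index, fused[pos:pos + size])
        pos += size
    return b"".join(pieces[i] for i in range(count))
```

Because no single machine ever holds the whole password, a compromised machine key exposes only one segment; note that the number and length of the records still reveal the total password length unless the segments are padded.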
In one embodiment, the processor, when executing the computer program, further performs the steps of:
acquiring a public key of the access password and a private key of the current user, and performing an identity authentication operation on the current user through the public key and the private key;
and if the identity authentication of the current user passes, sending the encrypted access password to the current user.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
sending the private key to the current user;
if a response signal from the current user is received, matching the public key with the private key; the response signal is a confirmation that the current user has received the private key;
and if the public key and the private key are successfully matched, determining that the identity authentication of the current user passes.
In the steps implemented by the processor in this embodiment, the implementation principle and technical effect are similar to those of the above database access password encryption method, and are not described herein again.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In the present embodiment, the implementation principle and technical effect of each step implemented when the computer program is executed by the processor are similar to the principle of the above-mentioned database access password encryption method, and are not described herein again.
In an embodiment, a computer program product is provided, comprising a computer program which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In the present embodiment, the implementation principle and technical effect of each step implemented when the computer program is executed by the processor are similar to the principle of the above-mentioned database access password encryption method, and are not described herein again.
It should be noted that, the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by instructing the relevant hardware through a computer program, which can be stored in a non-volatile computer-readable storage medium and which, when executed, can include the processes of the method embodiments described above. Any reference to memory, database or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory and the like. Volatile memory can include random access memory (RAM), external cache memory and the like. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database. The processors referred to in the embodiments provided herein may be general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, data processing logic devices based on quantum computing, etc., without limitation.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application should be subject to the appended claims.

Claims (10)

1. A database access password encryption method, the method comprising:
if a user password request of a current user is received and the identity of the current user is legal, generating an access password of the current user;
allocating a target cipher machine to the current user; the target cipher machine comprises at least two cipher machines;
encrypting the access password through the target cipher machine to obtain an encrypted access password;
and sending the encrypted access password to the current user, wherein the encrypted access password is used for indicating the current user to access a database according to the encrypted access password.
2. The method of claim 1, wherein the user password request includes identity information of the current user, and prior to the generating the access password of the current user, the method further comprises:
detecting whether identity information identical to the identity information of the current user exists in an identity information database; the identity information database comprises identity information of a plurality of users;
and if so, determining that the identity of the current user is legal.
3. The method of claim 1 or 2, wherein allocating a target cipher machine to the current user comprises:
allocating a target cipher machine to the current user according to a preset mapping table; the mapping table comprises a plurality of correspondences between users and cipher machines.
4. The method according to claim 1 or 2, wherein encrypting the access password through the target cipher machine to obtain an encrypted access password comprises:
segmenting the access password according to the number of cipher machines in the target cipher machine to obtain a plurality of password segments; the number of password segments equals the number of cipher machines, and each cipher machine corresponds to one password segment;
sending each password segment to its corresponding cipher machine, and encrypting each password segment through that cipher machine to obtain a plurality of encrypted password segments;
and receiving the encrypted password segments returned by the cipher machines, and generating the encrypted access password from the received encrypted password segments.
5. The method of claim 4, wherein each of the cipher machines obtains cross-encrypted password segments by cross-encrypting each of the password segments, and creates a corresponding index for each cross-encrypted password segment according to the arrangement order of the password segments, so as to obtain the plurality of encrypted password segments.
6. The method of claim 5, wherein generating the encrypted access password from the received encrypted password segments comprises:
fusing the encrypted password segments according to the index corresponding to each encrypted password segment to obtain the encrypted access password.
7. The method of claim 1 or 2, wherein sending the encrypted access password to the current user comprises:
acquiring a public key of the access password and a private key of the current user, and executing identity authentication operation on the current user through the public key and the private key;
and if the identity authentication of the current user passes, sending the encrypted access password to the current user.
8. The method of claim 7, wherein performing an identity authentication operation on the current user through the public key and the private key comprises:
sending the private key to the current user;
if a response signal from the current user is received, matching the public key with the private key; the response signal is a confirmation that the current user has received the private key;
and if the public key is successfully matched with the private key, determining that the identity authentication of the current user passes.
9. A database access password encryption apparatus, the apparatus comprising:
a generating module, configured to generate an access password for the current user if a user password request of the current user is received and the identity of the current user is legal;
an allocation module, configured to allocate a target cipher machine to the current user; the target cipher machine comprises at least two cipher machines;
an encryption module, configured to encrypt the access password through the target cipher machine to obtain an encrypted access password;
and a sending module, configured to send the encrypted access password to the current user, the encrypted access password being used to instruct the current user to access a database according to the encrypted access password.
10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 8.
CN202210373593.0A 2022-04-11 2022-04-11 Database access password encryption method and device and computer equipment Pending CN114826702A (en)
Publications (1)

Publication Number Publication Date
CN114826702A (en) 2022-07-29

Family

ID=82534010
Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115811397A (en) * 2022-11-21 2023-03-17 北京神州安付科技股份有限公司 High-safety server cipher machine
CN115811397B (en) * 2022-11-21 2023-08-04 北京神州安付科技股份有限公司 High-safety server cipher machine
CN116541550A (en) * 2023-07-06 2023-08-04 广州方图科技有限公司 Photo classification method and device for self-help photographing equipment, electronic equipment and medium
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination