CN117235752A - Cloud database encryption and decryption method, user and system based on service grid - Google Patents


Info

Publication number
CN117235752A
Authority
CN
China
Prior art keywords
data
key
cloud database
encryption key
server
Legal status
Pending
Application number
CN202311016852.5A
Other languages
Chinese (zh)
Inventor
罗俊
Current Assignee
China Telecom Quantum Technology Co ltd
Original Assignee
China Telecom Quantum Technology Co ltd

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a cloud database encryption and decryption method, a user side and a system based on a service grid. The method comprises: intercepting a data writing request or a data reading request that accesses the cloud database, and calling the encryption interface or the decryption interface of a server cipher machine to process the first data plaintext in the data writing request or the first ciphertext information in the data reading request; receiving second ciphertext information or second data plaintext returned by the server cipher machine, wherein the second ciphertext information comprises ciphertext data, a ciphertext data encryption key and a key encryption key identifier, and the second data plaintext is obtained by the server cipher machine decrypting the first ciphertext information with the data encryption key; and replacing the first data plaintext in the data writing request with the second ciphertext information before sending it to the cloud database, or replacing the first ciphertext information in the data reading request with the second data plaintext before sending it to the cloud database. The invention has advantages in key management, service transparency, cryptographic security and the like.

Description

Cloud database encryption and decryption method, user and system based on service grid
Technical Field
The invention relates to the technical field of cryptographic applications, in particular to a cloud database encryption and decryption method, a user side and a system based on a service grid.
Background
Database systems on the cloud face more complex security challenges than non-cloud environments, and encryption is the best security means for users with sensitive data storage requirements. Key management for database encryption on the cloud and the security of the cryptographic computing environment are the key links in the security of the whole system. Most current solutions either escrow keys with a third party or the cloud service provider, or place a Cloud Access Security Broker (CASB) cloud gateway on the database access path to encrypt and decrypt all inbound and outbound business traffic; these schemes have the following defects:
(1) Key escrow adds additional expense and operational steps, presents legal risks, and fails to meet the requirements of users with higher security demands or more sensitive data.
(2) A CASB gateway offers better service transparency, but it is deployed on a critical network path, handles a large volume of traffic, places high demands on equipment performance, and intervenes in, and substantially affects, the user's network structure and data flow.
In the related art, patent application publication No. CN109726584A proposes a cloud database key management system in which a software client sends a key generation command to a cryptographic engine, the real key is generated inside the cryptographic engine, and a mapping of the real key is sent to the cloud database. Patent application publication No. CN113972985A proposes a private cloud encrypted storage method based on cloud cryptographic key management, which uses asymmetric keys instead of symmetric keys to protect keys and sensitive information. In addition, common schemes manage keys centrally: keys are requested from, and distributed by, the same key management entity, so the security of remote cross-domain key transmission cannot be guaranteed.
Disclosure of Invention
The technical problem to be solved by the invention is how the user side can perform the encryption and decryption of database access traffic with higher security.
The invention solves the technical problems by the following technical means:
In one aspect, the invention provides a cloud database encryption and decryption method based on a service grid, which is applied to a user side and comprises the following steps:
intercepting a data writing request or a data reading request that accesses a cloud database, and calling the encryption interface or the decryption interface of a server cipher machine to process the first data plaintext in the data writing request or the first ciphertext information in the data reading request;
receiving second ciphertext information or second data plaintext returned by the server cipher machine, wherein the second ciphertext information comprises ciphertext data, a ciphertext data encryption key and a key encryption key identifier; the ciphertext data is obtained by the server cipher machine encrypting the first data plaintext with a data encryption key, the ciphertext data encryption key is obtained by encrypting the data encryption key with a key encryption key, and the second data plaintext is obtained by the server cipher machine decrypting the first ciphertext information with the data encryption key;
and replacing the first data plaintext in the data writing request with the second ciphertext information and then sending it to the cloud database, or replacing the first ciphertext information in the data reading request with the second data plaintext and then sending it to the cloud database.
Further, the data encryption key is generated in real time by the server cipher machine.
Further, the key encryption key is requested by the server cipher machine from the QKD network.
Further, replacing the first data plaintext in the data writing request with the second ciphertext information and then sending it to the cloud database includes:
replacing the first data plaintext in the data writing request with the ciphertext data, the ciphertext data encryption key and the key encryption key identifier to obtain a new data writing request, and adding a content segmentation tag after the ciphertext data, wherein the content segmentation tag is a readable character string or number with a definite meaning;
and sending the new data writing request to the cloud database.
Further, upon intercepting a data writing request that accesses the cloud database, the method further comprises:
calling the encryption interface of the server cipher machine with the first data plaintext in the data writing request as the parameter, so that the server cipher machine requests a key encryption key from the QKD node connected to it and encrypts, with that key encryption key, a data encryption key generated by the server cipher machine, wherein the data encryption key is used to symmetrically encrypt the first data plaintext to obtain the second ciphertext information.
Further, upon intercepting a data reading request that accesses the cloud database, the method further comprises:
stripping the ciphertext data encryption key and the key encryption key identifier that follow the content segmentation tag in the first ciphertext information of the data reading request, and calling the decryption interface of the server cipher machine with them and the ciphertext data as parameters, so that the server cipher machine requests the corresponding key encryption key, according to the key encryption key identifier, from the QKD node that generated it and decrypts the ciphertext data encryption key to obtain the data encryption key used to decrypt the ciphertext data.
Further, before intercepting the data writing request or the data reading request that accesses the cloud database, the method further includes:
installing, on the user side, a service grid that encrypts and decrypts the read and write traffic accessing the cloud database by calling a server cipher machine, wherein the service grid is connected to a local server cipher machine, and a master key for establishing a secure connection with the QKD node is loaded into the server cipher machine.
In addition, the invention further provides a user side, wherein the user side is deployed with the service grid, and the service grid is used to execute the cloud database encryption and decryption method based on the service grid.
In addition, the invention also provides a cloud database encryption and decryption system based on a service grid. The system comprises a first user side, a second user side and a quantum key distribution network, wherein the first user side and the second user side are both connected to the cloud database, the first user side is connected to a local first server cipher machine, the second user side is connected to a local second server cipher machine, and the first server cipher machine and the second server cipher machine are connected to their respective QKD nodes in the quantum key distribution network;
the first user side intercepts a data writing request accessing the cloud database and calls the encryption interface of the first server cipher machine to encrypt the first data plaintext in the data writing request;
the first user side receives second ciphertext information returned by the first server cipher machine, the second ciphertext information comprising ciphertext data, a ciphertext data encryption key and a key encryption key identifier, wherein the ciphertext data is obtained by the first server cipher machine encrypting the first data plaintext with a data encryption key, and the ciphertext data encryption key is obtained by encrypting the data encryption key with a key encryption key requested from a QKD node;
the first user side replaces the first data plaintext in the data writing request with the second ciphertext information and sends it to the cloud database;
and the second user side intercepts a data reading request accessing the cloud database and calls the decryption interface of the second server cipher machine to process the first ciphertext information in the data reading request to obtain the second data plaintext.
Further, the first server cipher machine or the second server cipher machine is pre-loaded with a master key, and the communication between it and the corresponding QKD node is protected with the master key.
The invention has the advantages that:
(1) Compared with a CASB gateway, the invention has the user side call the server cipher machine interface to encrypt and decrypt the relevant read and write content of the database access traffic. This distributed processing does not create a performance bottleneck at high concurrency, offers better service transparency, and is more secure because no plaintext traffic appears on the service channel.
(2) Compared with a key escrow scheme, the invention encrypts data with a data encryption key generated by the local server cipher machine and protects that data encryption key with a key encryption key generated by the quantum key distribution (QKD) network; no key is stored or transmitted on the cloud, so security is high.
(3) Key management and distribution is a distributed, cross-domain mode based on the QKD network. The key encryption key is not generated and distributed by one entity but in a distributed, cross-domain manner, and each key is identified by a key ID numbered uniformly across the whole network. When a key identified by a certain ID is required for protection, the local QKD node applies, through the QKD network, to the QKD node that generated the key and synchronizes it, and then the local QKD node distributes the key to the user side that needs it. Because the distributed management and cross-domain transmission of keys use the QKD network, the security of the key during remote cross-domain transmission is guaranteed by the QKD network.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
Fig. 1 is a schematic flow chart of a cloud database encryption and decryption method based on a service grid according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a cloud database encryption and decryption system based on a service grid according to an embodiment of the present invention;
fig. 3 is a schematic workflow diagram of a cloud database encryption and decryption system based on a service grid according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described in the following in conjunction with the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, an embodiment of the present invention provides a cloud database encryption and decryption method based on a service grid, applied to a user side, where the method includes the following steps:
S10, intercepting a data writing request or a data reading request that accesses a cloud database, and calling the encryption interface or the decryption interface of a server cipher machine to process the first data plaintext in the data writing request or the first ciphertext information in the data reading request;
S20, receiving second ciphertext information or second data plaintext returned by the server cipher machine, wherein the second ciphertext information comprises ciphertext data, a ciphertext data encryption key and a key encryption key identifier; the ciphertext data is obtained by the server cipher machine encrypting the first data plaintext with a data encryption key, the ciphertext data encryption key is obtained by encrypting the data encryption key with a key encryption key, and the second data plaintext is obtained by the server cipher machine decrypting the first ciphertext information with the data encryption key;
S30, replacing the first data plaintext in the data writing request with the second ciphertext information and then sending it to the cloud database, or replacing the first ciphertext information in the data reading request with the second data plaintext and then sending it to the cloud database.
In this embodiment, the user side calls the server cipher machine interface to encrypt and decrypt the relevant read and write content of the database access traffic. Compared with a CASB gateway, this distributed processing does not create a performance bottleneck at high concurrency, offers better service transparency, keeps plaintext traffic off the service channel, and is therefore more secure.
In one embodiment, the data encryption key used to encrypt the plaintext data is generated in real time by the server cipher machine.
In one embodiment, the key encryption key is requested by the server cipher machine from the QKD network.
The server cipher machine is connected to a QKD node in the quantum key distribution network and requests a key encryption key from that node. The QKD node generates the key encryption key in real time and identifies it by appending a key sequence number to the identifier of the QKD node, i.e. ID_QKD||seq_Key; the key generated in real time is stored in the key pool and transmitted, together with its key identifier, to the server cipher machine that sent the key request, and the data encryption key is then encrypted and protected with the key encryption key.
In an embodiment, in step S30, replacing the first data plaintext in the data writing request with the second ciphertext information and then sending it to the cloud database includes the following steps:
replacing the first data plaintext in the data writing request with the ciphertext data, the ciphertext data encryption key and the key encryption key identifier to obtain a new data writing request, and adding a content segmentation tag after the ciphertext data, wherein the content segmentation tag is a readable character string or number with a definite meaning;
and sending the new data writing request to the cloud database.
In an embodiment, in step S10, when intercepting a data writing request accessing the cloud database, the method further includes:
calling the encryption interface of the server cipher machine with the first data plaintext in the data writing request as the parameter, so that the server cipher machine requests a key encryption key from the QKD node connected to it and encrypts, with that key encryption key, a data encryption key generated by the server cipher machine, wherein the data encryption key is used to symmetrically encrypt the first data plaintext to obtain the second ciphertext information.
In an embodiment, in step S10, when intercepting a data reading request accessing the cloud database, the method further includes:
stripping the ciphertext data encryption key and the key encryption key identifier that follow the content segmentation tag in the first ciphertext information of the data reading request, and calling the decryption interface of the server cipher machine with them and the ciphertext data as parameters, so that the server cipher machine requests the corresponding key encryption key, according to the key encryption key identifier, from the QKD node that generated it and decrypts the ciphertext data encryption key to obtain the data encryption key used to decrypt the ciphertext data.
Specifically, the local server cipher machine of the user side that intercepted the data reading request is connected to a QKD node and requests the key encryption key from that node using the key encryption key identifier. Based on the identifier (the identifier of the QKD node plus the key sequence number, ID_QKD||seq_Key), the QKD node initiates a key trusted relay or key transfer request to the QKD node that generated the key encryption key, obtains the key encryption key through the quantum key distribution network, and transmits it to the server cipher machine that issued the key request.
Compared with a key escrow scheme, this embodiment encrypts data with a data encryption key generated by the local server cipher machine and protects that data encryption key with a key encryption key generated by the quantum key distribution network; no key is stored or transmitted on the cloud, so security is higher, and because the server cipher machine obtains its encryption and decryption keys from the QKD network, trusted relay of keys across remote domains can be achieved.
In an embodiment, before intercepting a data writing request or a data reading request that accesses the cloud database, the method further comprises:
installing, on the user side, a service grid that encrypts and decrypts the read and write traffic accessing the cloud database by calling a server cipher machine, wherein the service grid is connected to a local server cipher machine, and a master key for establishing a secure connection with the QKD node is loaded into the server cipher machine.
This embodiment improves key distribution security by pre-loading the server cipher machine with the master key, with which the communication (key distribution) between the QKD node and the server cipher machine is protected.
Further, an embodiment of the present invention also discloses a user side, where the user side is deployed with a service grid, and the service grid is used to execute the cloud database encryption and decryption method based on the service grid described in the above embodiment.
In this embodiment the service grid is a network service agent deployed in the user-side device or application and running in sidecar mode; it provides security functions such as routing, traffic control, identity authentication, access control and traffic analysis, and acts as the security agent of the user-side device or application. The service grid is responsible for encrypting and decrypting the read and write traffic accessing the cloud database by calling the server cipher machine; for the specific implementation, refer to the method embodiments, which are not repeated here.
In addition, as shown in fig. 2, an embodiment of the present invention further discloses a cloud database encryption and decryption system based on a service grid. The system includes a first user side, a second user side and a quantum key distribution network, where the first user side and the second user side are both connected to the cloud database, the first user side is connected to a local first server cipher machine, the second user side is connected to a local second server cipher machine, and the first server cipher machine and the second server cipher machine are connected to their respective QKD nodes in the quantum key distribution network;
the first user side intercepts a data writing request accessing the cloud database and calls the encryption interface of the first server cipher machine to encrypt the first data plaintext in the data writing request;
the first user side receives second ciphertext information returned by the first server cipher machine, the second ciphertext information comprising ciphertext data, a ciphertext data encryption key and a key encryption key identifier, wherein the ciphertext data is obtained by the first server cipher machine encrypting the first data plaintext with a data encryption key, and the ciphertext data encryption key is obtained by encrypting the data encryption key with a key encryption key requested from a QKD node;
the first user side replaces the first data plaintext in the data writing request with the second ciphertext information and sends it to the cloud database;
and the second user side intercepts a data reading request accessing the cloud database and calls the decryption interface of the second server cipher machine to process the first ciphertext information in the data reading request to obtain the second data plaintext.
In this embodiment, the user side calls the server cipher machine interface to encrypt and decrypt the relevant read and write content of the database access traffic, and the encryption and decryption keys used by the server cipher machine come from the QKD network, so that trusted relay of keys across remote domains can be achieved. Compared with key escrow, CASB and other schemes, the method has advantages in key management, service transparency, cryptographic security and other aspects.
Specifically, the user side in this embodiment is generally a user device or application that invokes a cloud database client to operate the cloud database remotely.
The service grid (a service mesh) is a network service agent running in sidecar mode; it provides security functions such as routing, traffic control, identity authentication, access control and traffic analysis, acts as the security agent of the user-side device or application, and is responsible for calling the server cipher machine to encrypt and decrypt the read and write traffic accessing the cloud database.
The server cipher machine is a cryptographic device meeting the cryptographic industry standard GM/T 0030 (Server Cipher Machine Technical Specification), with interface functions customized for database encryption and decryption and quantum key distribution on the basis of GM/T 0018 (Cryptographic Device Application Interface Specification).
The cloud database node is a node providing public database service to cloud or cloud users; in this embodiment the node is generic and requires no customization.
Quantum key distribution network: it comprises the QKD nodes and the quantum network link control center, and provides services such as quantum key generation, quantum key relay and quantum key provision. The QKD nodes are responsible for intra-domain key distribution and inter-domain key transmission; the transmission of inter-domain session keys over the QKD key distribution channels is considered secure, keys are transmitted and synchronized between directly connected QKD nodes over quantum network QKD links, and between QKD nodes that are not directly connected over the quantum key distribution network and trusted relays. Quantum network link control center: it establishes quantum key distribution and relay links between nodes according to QKD node IDs.
In one embodiment, the first server cipher machine or the second server cipher machine is pre-loaded with a master key, and the communication between it and the corresponding QKD node is protected with the master key.
In this embodiment, the server cipher machine is a service node connected to the QKD node. The transmission channel between a QKD node and every service node connected to it within the domain is protected by encryption with a master key; the master key is copied into each service node via a secure medium, and the communication (key distribution) between the QKD node and the service node is protected with the master key, improving the security of quantum key distribution.
Further, as shown in fig. 3, the workflow of the cloud database encryption and decryption system based on the service grid disclosed in this embodiment specifically includes:
(1) In the initialization stage, a service grid is installed on each user side and connected to the local server cipher machine; a master key for establishing a secure connection with the QKD node is loaded into the server cipher machine, and a secure key distribution channel between the cipher machine and the QKD node is established.
(2) The service grid of a user side that issues write requests to the cloud database intercepts the user's SQL write request, such as an INSERT or UPDATE, against the cloud database and remotely invokes the customized symmetric encryption interface of the local server cipher machine with the data as the parameter.
(3) The server cipher machine connects to its QKD node and requests a key encryption key from it.
(4) The QKD node generates a key encryption key in real time and identifies it by the identifier of the QKD node plus a key sequence number, i.e. ID_QKD||seq_Key; the key is stored in the key pool and transmitted, together with its key identifier, to the server cipher machine that sent the key request.
(5) The server cipher machine generates a data encryption key in real time, symmetrically encrypts the data passed by the service grid, encrypts the data encryption key with the key encryption key obtained from the QKD node, and then attaches the ciphertext data encryption key and the key encryption key identifier to the data ciphertext and sends them to the service grid that issued the encryption request.
(6) The service grid replaces the data content of the intercepted SQL write request (such as INSERT or UPDATE) with the data ciphertext, the content segmentation tag, the ciphertext data encryption key and the key encryption key identifier, and sends it to the cloud database, wherein the content segmentation tag is a readable character string or number with a definite meaning.
(7) The service grid deployed on a user side that issues read requests to the cloud database intercepts the result data of the user's SQL read request, such as a SELECT, against the cloud database, strips from the data the ciphertext data encryption key and key encryption key identifier that follow the content segmentation tag, and remotely invokes the customized symmetric decryption interface of the local server cipher machine with them and the ciphertext data as parameters.
(8) The server cipher machine connects to its QKD node and requests the key encryption key from it using the key encryption key identifier.
(9) Based on the key encryption key identifier (the identifier of the QKD node plus the key sequence number, ID_QKD||seq_Key), the QKD node initiates a key trusted relay request (when there is no direct QKD link between the two QKD nodes) or a key transfer request (when the two QKD nodes are directly linked) to the QKD node that generated the key encryption key, obtains the key encryption key through the quantum key distribution network, and transmits it to the server cipher machine that issued the key request.
(10) The server cipher machine decrypts the ciphertext data encryption key with the key encryption key to obtain the data encryption key, uses the data encryption key to recover the data plaintext, replaces the intercepted result data of the user's SQL read request (such as a SELECT) with the data plaintext, and returns it to the database access interface called by the user application.
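As an added example (not code from the patent), the following Python simulation walks through workflow steps (1) to (10) end to end: two user-side sidecars in different domains, each attached to its own server cipher machine and QKD node; a key pool whose keys are identified by ID_QKD||seq_Key; key distribution wrapped under the pre-loaded master key; and the stored column value made of ciphertext, content segmentation tag, wrapped data encryption key and key identifier, read back across domains. The symmetric cipher (an HMAC-SHA256 keystream with an HMAC tag), the QKDNetwork/ServerCipherMachine/Sidecar classes and the "QKD-A"/"QKD-B" node names are constructed stand-ins for the patent's hardware interfaces, not its actual API.

```python
import hashlib
import hmac
import os

TAG = "|QKD-ENC|"  # content segmentation tag: readable, and never valid hex
NONCE_LEN, MAC_LEN = 16, 32
WRAPPED_HEX_LEN = 2 * (NONCE_LEN + 32 + MAC_LEN)  # hex length of a wrapped 32-byte DEK


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Constructed stand-in for the cipher machine's symmetric encrypt: nonce || body || mac."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, mac = blob[:NONCE_LEN], blob[NONCE_LEN:-MAC_LEN], blob[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class QKDNetwork:
    """Key pools of all QKD nodes. Each node shares a pre-loaded master key with the
    cipher machine attached to it and hands out KEKs wrapped under that master key."""

    def __init__(self, master_keys: dict[str, bytes]):
        self.master_keys = master_keys  # node id -> master key of its service node
        self.pools: dict[str, dict[str, bytes]] = {n: {} for n in master_keys}

    def generate_kek(self, node_id: str) -> tuple[str, bytes]:
        pool = self.pools[node_id]
        key_id = f"{node_id}||{len(pool) + 1:06d}"  # ID_QKD||seq_Key, unique network-wide
        pool[key_id] = os.urandom(32)
        return key_id, sym_encrypt(self.master_keys[node_id], pool[key_id])

    def fetch_kek(self, node_id: str, key_id: str) -> bytes:
        origin = key_id.split("||")[0]
        if origin not in self.pools:
            raise KeyError(f"unknown generating node in key id {key_id}")
        # origin != node_id models the trusted relay / transfer request to the node
        # that generated the key; the KEK is re-wrapped for the requesting domain
        return sym_encrypt(self.master_keys[node_id], self.pools[origin][key_id])


class ServerCipherMachine:
    def __init__(self, qkd: QKDNetwork, node_id: str, master_key: bytes):
        self.qkd, self.node_id, self.master_key = qkd, node_id, master_key

    def encrypt(self, plaintext: bytes) -> tuple[bytes, bytes, str]:
        key_id, wrapped_kek = self.qkd.generate_kek(self.node_id)
        kek = sym_decrypt(self.master_key, wrapped_kek)
        dek = os.urandom(32)  # data encryption key generated in real time per request
        return sym_encrypt(dek, plaintext), sym_encrypt(kek, dek), key_id

    def decrypt(self, ciphertext: bytes, wrapped_dek: bytes, key_id: str) -> bytes:
        kek = sym_decrypt(self.master_key, self.qkd.fetch_kek(self.node_id, key_id))
        return sym_decrypt(sym_decrypt(kek, wrapped_dek), ciphertext)


class Sidecar:
    """Service-grid proxy on the user side: rewrites the column value in transit so the
    cloud database only ever stores the second ciphertext information."""

    def __init__(self, scm: ServerCipherMachine):
        self.scm = scm

    def on_write(self, plaintext: bytes) -> str:
        ct, wrapped_dek, key_id = self.scm.encrypt(plaintext)
        return ct.hex() + TAG + wrapped_dek.hex() + key_id

    def on_read(self, stored: str) -> bytes:
        ct_hex, rest = stored.split(TAG, 1)
        wrapped_dek, key_id = rest[:WRAPPED_HEX_LEN], rest[WRAPPED_HEX_LEN:]
        return self.scm.decrypt(bytes.fromhex(ct_hex), bytes.fromhex(wrapped_dek), key_id)


def demo(plaintext: bytes = b"card=6222000011112222") -> dict:
    """Domain A writes a row, domain B reads it back via a cross-domain KEK fetch."""
    mk_a, mk_b = os.urandom(32), os.urandom(32)  # master keys loaded via secure medium
    qkd = QKDNetwork({"QKD-A": mk_a, "QKD-B": mk_b})
    writer = Sidecar(ServerCipherMachine(qkd, "QKD-A", mk_a))
    reader = Sidecar(ServerCipherMachine(qkd, "QKD-B", mk_b))
    stored = writer.on_write(plaintext)  # the value that actually reaches the cloud DB
    return {"stored": stored, "recovered": reader.on_read(stored)}
```

Because the stored value is tagged and hex-encoded, a sidecar can also detect a tampered row: any change to the ciphertext or the wrapped key fails the authentication check before plaintext is returned.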
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that changes, modifications, substitutions and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.

Claims (10)

1. A service grid-based cloud database encryption and decryption method, characterized in that it is applied to a user side and comprises the following steps:
intercepting a data writing request or a data reading request that accesses a cloud database, and calling an encryption interface or a decryption interface of a server cipher machine to process first data plaintext in the data writing request or first ciphertext information in the data reading request;
receiving second ciphertext information or second data plaintext returned by the server cipher machine, wherein the second ciphertext information comprises ciphertext data, a ciphertext data encryption key and a key encryption key identifier, the ciphertext data is obtained by the server cipher machine encrypting the first data plaintext with a data encryption key, the ciphertext data encryption key is obtained by encrypting the data encryption key with a key encryption key, and the second data plaintext is obtained by the server cipher machine decrypting the first ciphertext information with the data encryption key;
and replacing the first data plaintext in the data writing request with the second ciphertext information and then sending it to the cloud database, or replacing the first ciphertext information in the data reading request with the second data plaintext and then sending it to the cloud database.
2. The service grid-based cloud database encryption and decryption method of claim 1, wherein the data encryption key is generated in real time by the server cipher machine.
3. The service grid-based cloud database encryption and decryption method of claim 1, wherein the key encryption key is requested by the server cipher machine from the QKD network.
4. The service grid-based cloud database encryption and decryption method of claim 1, wherein replacing the first data plaintext in the data writing request with the second ciphertext information and then sending it to the cloud database comprises:
replacing the first data plaintext in the data writing request with the ciphertext data, the ciphertext data encryption key and the key encryption key identifier to obtain a new data writing request, and appending a content segmentation tag after the ciphertext data, wherein the content segmentation tag is a readable character string or a number with a definite meaning;
and sending the new data writing request to the cloud database.
5. The service grid-based cloud database encryption and decryption method of claim 1, wherein, when a data writing request accessing the cloud database is intercepted, the method further comprises:
calling an encryption interface of the server cipher machine with the first data plaintext in the data writing request as a parameter, so that the server cipher machine requests a key encryption key from the QKD node connected to it and encrypts, with the key encryption key, a data encryption key generated by the server cipher machine, wherein the data encryption key is used to symmetrically encrypt the first data plaintext to obtain the second ciphertext information.
6. The service grid-based cloud database encryption and decryption method of claim 1, wherein, when a data reading request accessing the cloud database is intercepted, the method further comprises:
stripping, from the first ciphertext information in the data reading request, the ciphertext data encryption key and the key encryption key identifier that follow the content segmentation tag, and calling a decryption interface of the server cipher machine with these values and the ciphertext data as parameters, so that the server cipher machine requests the corresponding key encryption key, according to the key encryption key identifier, from the QKD node that generated it, and decrypts the ciphertext data encryption key to obtain the data encryption key used to decrypt the ciphertext data.
7. The service grid-based cloud database encryption and decryption method of claim 1, wherein, before intercepting a data writing request or a data reading request accessing the cloud database, the method further comprises:
installing, at the user side, a service grid that encrypts and decrypts the read and write traffic accessing the cloud database by calling a server cipher machine, wherein the service grid is connected to a local server cipher machine into which a master key for establishing a secure connection with the QKD node has been loaded.
8. A user side, wherein the user side is deployed with a service grid, and the service grid is configured to execute the service grid-based cloud database encryption and decryption method according to any one of claims 1 to 6.
9. A service grid-based cloud database encryption and decryption system, characterized by comprising a first user side, a second user side and a quantum key distribution network, wherein the first user side and the second user side are both connected to a cloud database, the first user side is connected to a local first server cipher machine, the second user side is connected to a local second server cipher machine, and the first server cipher machine and the second server cipher machine are respectively connected to corresponding QKD nodes in the quantum key distribution network;
the first user side intercepts a data writing request accessing the cloud database and calls an encryption interface of the first server cipher machine to encrypt first data plaintext in the data writing request;
the first user side receives second ciphertext information returned by the first server cipher machine, the second ciphertext information comprising ciphertext data, a ciphertext data encryption key and a key encryption key identifier, wherein the ciphertext data is obtained by the first server cipher machine encrypting the first data plaintext with a data encryption key, and the ciphertext data encryption key is obtained by encrypting the data encryption key with a key encryption key requested from a QKD node;
the first user side replaces the first data plaintext in the data writing request with the second ciphertext information and sends it to the cloud database;
and the second user side intercepts a data reading request accessing the cloud database and calls a decryption interface of the second server cipher machine to process first ciphertext information in the data reading request to obtain second data plaintext.
10. The service grid-based cloud database encryption and decryption system of claim 9, wherein the first server cipher machine or the second server cipher machine is pre-loaded with a master key, and communication between the first server cipher machine or the second server cipher machine and the corresponding QKD node is protected with the master key.
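The read path of steps (7) to (10) and the stored record layout of claims 4 and 6 (ciphertext data, content segmentation tag, ciphertext data encryption key, key encryption key identifier), worked through as an added Python example that is not part of the patent. It assumes the following, none of which the patent specifies: the cipher machine's symmetric algorithm is replaced by a stand-in encrypt-then-MAC construction built from HMAC-SHA256 so the example runs with the standard library alone; the QKD network is modelled as a lookup from the identifier id_qkd||seq_key to a 32-byte key encryption key; the tag value "|QKDENC|", the separator "|", the hex encoding of binary fields, and all class and function names are the example's own choices; the inputs are constructed.

```python
"""Envelope encryption as a service grid sidecar applies it on the cloud database
write and read paths. Added illustration; not code from the patent."""
import hashlib
import hmac
import os
import secrets

# Assumed values: the patent only says the tag is a readable string or number.
TAG = "|QKDENC|"   # content segmentation tag appended after the ciphertext data
SEP = "|"          # assumed separator between the wrapped DEK and the KEK identifier


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream in counter mode: HMAC-SHA256(key, nonce || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the cipher machine's (unspecified) symmetric algorithm:
    keystream XOR, then an HMAC tag over nonce||ciphertext (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + mac


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a tampered record is rejected."""
    nonce, ct, mac = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(mac, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class QKDNetwork:
    """Models the QKD nodes: issues key encryption keys and returns them by
    identifier (the relay/transfer between nodes of step (9) is a lookup here)."""
    def __init__(self, node_id: str):
        self.node_id, self.seq, self.keks = node_id, 0, {}

    def new_kek(self):
        self.seq += 1
        kek_id = f"{self.node_id}||{self.seq}"   # id_qkd||seq_key as in step (9)
        self.keks[kek_id] = secrets.token_bytes(32)
        return kek_id, self.keks[kek_id]

    def fetch_kek(self, kek_id: str) -> bytes:
        return self.keks[kek_id]


class ServerCipherMachine:
    """Local cipher machine: generates the data keys and never exports them in clear."""
    def __init__(self, qkd: QKDNetwork):
        self.qkd = qkd

    def encrypt_interface(self, plaintext: bytes) -> str:
        dek = secrets.token_bytes(32)          # data encryption key, fresh per request
        kek_id, kek = self.qkd.new_kek()       # key encryption key from the QKD node
        ct = sym_encrypt(dek, plaintext)       # ciphertext data
        wrapped_dek = sym_encrypt(kek, dek)    # ciphertext data encryption key
        return ct.hex() + TAG + wrapped_dek.hex() + SEP + kek_id

    def decrypt_interface(self, ct: bytes, wrapped_dek: bytes, kek_id: str) -> bytes:
        kek = self.qkd.fetch_kek(kek_id)       # steps (8)-(9): KEK by identifier
        dek = sym_decrypt(kek, wrapped_dek)    # step (10): unwrap DEK, then decrypt data
        return sym_decrypt(dek, ct)


class ServiceGrid:
    """Sidecar on the user side: rewrites the value on its way to and from the DB."""
    def __init__(self, machine: ServerCipherMachine):
        self.machine = machine

    def on_write(self, plaintext: bytes) -> str:
        return self.machine.encrypt_interface(plaintext)

    def on_read(self, stored: str) -> bytes:
        ct_hex, _, trailer = stored.rpartition(TAG)      # step (7): strip fields after the tag
        wrapped_hex, _, kek_id = trailer.partition(SEP)
        return self.machine.decrypt_interface(bytes.fromhex(ct_hex), bytes.fromhex(wrapped_hex), kek_id)


def app_insert(grid: ServiceGrid, db: dict, key: str, plaintext: bytes) -> str:
    """Application writes plaintext; the grid intercepts it; the DB (a dict) stores the record."""
    db[key] = grid.on_write(plaintext)
    return db[key]


def app_select(grid: ServiceGrid, db: dict, key: str) -> bytes:
    """Application reads; the grid intercepts the result and hands back plaintext."""
    return grid.on_read(db[key])


def tampered_read_rejected(grid: ServiceGrid, stored: str) -> bool:
    """Flip one bit in the stored ciphertext data and confirm the read fails closed."""
    ct_hex, tag, trailer = stored.rpartition(TAG)
    flipped = format(int(ct_hex[:2], 16) ^ 0x01, "02x") + ct_hex[2:]
    try:
        grid.on_read(flipped + tag + trailer)
        return False
    except ValueError:
        return True
```

What the example makes visible is who holds what: the database stores only the hex record, the grid handles no key material, and the cipher machine can unwrap a data encryption key only after the QKD node returns the key encryption key named in the record's identifier. A record whose ciphertext has been altered fails the integrity check before any plaintext leaves the cipher machine, which is the failure mode a practitioner should verify in any deployment of this pattern.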
CN202311016852.5A 2023-08-10 2023-08-10 Cloud database encryption and decryption method, user and system based on service grid Pending CN117235752A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311016852.5A CN117235752A (en) 2023-08-10 2023-08-10 Cloud database encryption and decryption method, user and system based on service grid


Publications (1)

Publication Number Publication Date
CN117235752A true CN117235752A (en) 2023-12-15

Family

ID=89086937


Country Status (1)

Country Link
CN (1) CN117235752A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination