WO2024087312A1 - Database access method, computing device and server - Google Patents

Publication number
WO2024087312A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2022/135250
Inventor
吴晓晨
李阳
蒋志勇
Original Assignee
蚂蚁区块链科技(上海)有限公司
Application filed by 蚂蚁区块链科技(上海)有限公司

Definitions

  • the embodiments of the present specification belong to the field of database technology, and more particularly, relate to a database access method, a computing device, and a server.
  • encrypted database operations involve components such as applications, database drivers, and database servers.
  • the applications and database drivers are deployed in computing devices, and the database servers are deployed in database servers.
  • the application is unaware of the encryption and decryption process and only provides the driver with the keys required for encryption.
  • the driver and the database server communicate through a specific encryption protocol.
  • the encryption protocol defines how Structured Query Language (SQL) statements such as insert, query, update, and delete are converted from plain text to ciphertext-based operations.
  • the object of the present invention is to provide a database access method to save computing resources and storage resources on the computing device side.
  • a first aspect of the present specification provides a database access method, comprising:
  • the first access request includes a preset character used to replace a first parameter value of a first parameter, and the data table accessed by the first access request includes a ciphertext parameter value of the first parameter;
  • the server stores mode information of the data table, wherein the mode information includes an identifier of an encryption algorithm corresponding to the ciphertext parameter value of the first parameter, wherein the response information is generated based on the mode information and the first access request, and wherein the response information is used to indicate that the first parameter value corresponds to a first encryption algorithm;
  • the first ciphertext parameter value is sent to the server for accessing the data table.
  • a second aspect of the present specification provides a database access method, which is executed by a database server and includes:
  • the server receiving a first access request from a computing device, the first access request including a preset character for replacing a first parameter value of a first parameter, the data table accessed by the first access request including the ciphertext parameter value of the first parameter, the server storing mode information of the data table, the mode information including an identifier of an encryption algorithm corresponding to the ciphertext parameter value of the first parameter;
  • the response information being used to indicate that the first parameter value corresponds to a first encryption algorithm
  • the server receiving a first ciphertext parameter value from the computing device, the first ciphertext parameter value being obtained by encrypting the first parameter value based on the first encryption algorithm;
  • the data table is accessed based on the first access request and the first ciphertext parameter value.
  • a third aspect of the present specification provides a computing device, including:
  • a sending unit configured to send a first access request to a database server, wherein the first access request includes a preset character used to replace a first parameter value of a first parameter, and a data table accessed by the first access request includes a ciphertext parameter value of the first parameter;
  • a receiving unit configured to receive response information from the server, wherein the server stores mode information of the data table, wherein the mode information includes an identifier of an encryption algorithm corresponding to the ciphertext parameter value of the first parameter, wherein the response information is generated based on the mode information and the first access request, and wherein the response information is used to indicate that the first parameter value corresponds to a first encryption algorithm;
  • an encryption unit configured to encrypt the first parameter value based on the first encryption algorithm to obtain a first ciphertext parameter value
  • the sending unit is further used to send the first ciphertext parameter value to the server for accessing the data table.
  • a fourth aspect of the present specification provides a database server, comprising:
  • a receiving unit configured to receive a first access request from a computing device, wherein the first access request includes a preset character for replacing a first parameter value of a first parameter, wherein a data table to be accessed by the first access request includes a ciphertext parameter value of the first parameter, wherein the server stores mode information of the data table, wherein the mode information includes an identifier of an encryption algorithm corresponding to the ciphertext parameter value of the first parameter;
  • a determining unit configured to determine response information according to the first access request and the mode information, wherein the response information is used to indicate that the first parameter value corresponds to a first encryption algorithm
  • a sending unit configured to send the response information to the computing device
  • the receiving unit is further configured to receive a first ciphertext parameter value from the computing device, where the first ciphertext parameter value is obtained by encrypting the first parameter value based on the first encryption algorithm;
  • An access unit configured to access the data table based on the first access request and the first ciphertext parameter value.
  • a fifth aspect of the present specification provides a computer-readable storage medium having a computer program stored thereon, which, when executed in a computer, causes the computer to execute the method described in the first aspect or the second aspect.
  • a sixth aspect of the present specification provides a computer device, including a memory and a processor, wherein the memory stores executable code, and when the processor executes the executable code, the method described in the first aspect or the second aspect is implemented.
  • the server determines the encryption algorithm corresponding to the parameter value in the SQL statement based on the SQL statement and the schema, and sends the determination result to the driver end, so that the driver end does not need to store the schema or rewrite the SQL statement according to the schema, saving storage resources and computing resources.
  • FIG1 is a system structure diagram of an embodiment of this specification.
  • FIG2 is a flow chart of a database access method in an embodiment of the present specification
  • FIG3 is a flow chart of a method for performing a query operation on a database in an embodiment of this specification
  • FIG4 is an architecture diagram of a computing device according to an embodiment of the present specification.
  • FIG. 5 is an architecture diagram of a database server in an embodiment of this specification.
  • FIG1 is a system structure diagram in an embodiment of the present specification.
  • the system includes a computing device 101 and a server 102.
  • the computing device 101 is, for example, an application server for running an application.
  • a driver of a database is deployed in the computing device 101.
  • the application can send an access request to the server 102 by calling the driver to access the database.
  • the access to the database includes, for example, operations such as insert, query, update, and delete.
  • the server 102 includes an encrypted data table and a database schema corresponding to the encrypted data table. At least some of the columns in the encrypted data table involving privacy data include ciphertext data.
  • the database schema can be understood as the data model in the database, which can be used to describe the metadata of the data object in the database.
  • the database schema includes information related to the data table and the attributes of the data in the data table.
  • the schema may include information such as the table name, the number of columns in the data table, the column name, the plaintext column name corresponding to the ciphertext column, the encryption and decryption type corresponding to the ciphertext column, and the query type corresponding to the encryption and decryption type.
  • Table 1 is a schematic diagram of a plaintext data table.
  • Table 2 is a schematic diagram of a ciphertext data table corresponding to Table 1 and stored in the server.
  • ID-method1 is the plaintext column name corresponding to the ciphertext column
  • method1 in ID-method1 is the encryption algorithm type or identifier, which is used to indicate the method1 encryption algorithm, indicating that the ciphertext of the column is generated by encrypting the corresponding data in the plaintext data table using method1.
  • "0x8asasub" in the ID-method1 column in Table 2 is generated by encrypting "312" in the ID column in Table 1 using method1.
  • different encryption algorithms can be used to encrypt the same plaintext data in the ciphertext data table.
  • in Table 2, three ciphertext columns are included for the ID column of the plaintext data table, namely ID-method1, ID-method2, and ID-method3. These three ciphertext columns respectively include ciphertexts obtained by encrypting the plaintext data in the ID column of the plaintext data table using different encryption algorithms.
  • method1 is suitable for equal value query
  • method2 is suitable for unequal value query
  • method3 is suitable for arithmetic calculation query, etc.
  • Unequal value query refers to the SQL statement that connects the parameter name to be queried with the parameter value of the parameter with an unequal sign, such as "select name from Customers where ID>312", and method2 can support unequal value comparison of ciphertext.
  • Arithmetic calculation query means that after calculating the parameter values in the SQL statement, the query is performed based on the calculation results.
  • method3 is a homomorphic encryption algorithm that supports homomorphic calculations between ciphertexts.
  • the server 102 stores a schema corresponding to Table 1 and Table 2, and the schema is shown in Table 3, for example:
  • the original columns in Table 3 are the columns in Table 1, such as the ID column and the Name column, and the ciphertext columns of the original columns in Table 3 represent the ciphertext columns corresponding to the original columns in Table 2, such as the ID-method1 column, the ID-method2 column, and the ID-method3 column corresponding to the ID column in Table 1.
  • Table 3 only schematically illustrates some items in the schema.
  • the schema may also include other attribute items related to the data table, such as the column length, character set, data type and other attributes of the original column, which are not shown in Table 3.
  • the driver synchronizes the schema of the data table shown in Table 3 from the server.
  • the driver perceives the SQL statement, and determines that the id parameter corresponds to the three encryption algorithms method1, method2 and method3 according to the schema table shown in Table 3, and determines that method1 should be used to encrypt the parameter value "312" according to the equivalent query type of the SQL statement.
  • the server can determine that the plaintext column name queried by the ciphertext SQL statement is "id", and because the SQL statement is an equal value query type, it can be determined that the ciphertext SQL statement corresponds to "method1".
  • the server can find the row including "0x8asasub" in the id-method1 column in Table 2, and return the ciphertext 0xggsqh23 in the name-method1 column in the row to the driver.
  • After receiving the ciphertext 0xggsqh23 from the server, the driver can determine, based on the plaintext SQL statement and the schema table, that the ciphertext 0xggsqh23 is obtained by encrypting the name plaintext using method1.
  • the driver can receive the decryption key corresponding to the name column and method1 from the application, use the decryption key to decrypt 0xggsqh23 based on the method1 algorithm to obtain the plaintext "Alice", and return "Alice" to the application as the query result.
  • the driver side needs to synchronize and store the schema table from the server, which takes up a large amount of storage resources. At the same time, the driver side needs to rewrite the SQL statement according to the schema table, which has complex logic and is difficult to implement.
  • the embodiment of this specification provides a database access method, in which the server determines the encryption algorithm corresponding to the parameter value in the SQL statement based on the SQL statement and the schema, and sends the determination result to the driver end, so that the driver end does not need to store the schema or rewrite the SQL statement according to the schema, saving storage resources and computing resources.
  • FIG2 is a flowchart of a database access method in an embodiment of the present specification.
  • the method can be executed by the computing device 101 and the server 102 in FIG1 . More specifically, the computing device side can be executed by the driver end in the computing device. It can be understood that the method on the computing device side is not limited to being executed by the driver end, for example, it can also be executed by other modules, or it can be executed by a module included in the application program, and this is not limited.
  • In step S201, the driver in the computing device receives the SQL1 statement from the application program.
  • the SQL1 statement may be a statement for indicating any database access operation such as insert, query, update, delete, etc.
  • the SQL1 statement includes at least the name of the data table to be accessed, the name of the parameter to be operated, and the corresponding parameter value of the parameter. For example, taking the operation of inserting a row in Table 1 as an example, the SQL1 statement may be "insert into Customers (ID, Name) values (314, Carl)", where Customers in SQL1 is the name of the data table to be accessed, (ID, Name) is the name of the parameter to be operated, and (314, Carl) is the parameter value of each parameter.
  • the SQL1 statement is used to insert a row of data in Table 1. In the data of the inserted row, the value of ID is 314 and the value of Name is Carl.
  • In step S203, the driver rewrites the SQL1 statement to hide the plain text parameter values, and obtains the SQL2 statement.
  • After receiving the SQL1 statement, the driver displays the SQL1 statement to the user to instruct the user to provide the location information of the parameter values (i.e., "314" and "Carl") in the SQL1 statement.
  • the driver can replace the plain text parameter values with preset characters (or placeholders, such as "?") according to the location information to hide the plain text parameter values, thereby obtaining the SQL2 statement, "insert into Customers (ID, Name) values (?,?)".
  • the embodiments of this specification are not limited to replacing the plain text parameter values with the same placeholders. For example, (314, Carl) can be replaced with (1,2) to use "1" and "2" to distinguish 314 from Carl.
  • the driver and the server access the database based on the binary protocol process.
  • the binary protocol process includes a preparation phase, an encryption phase, and an execution phase. Among them, steps S205-S209 in Figure 2 belong to the preparation phase, steps S211-S213 belong to the encryption phase, and step S215 belongs to the execution phase.
  • In step S205, the driver sends the SQL2 statement to the server.
  • the driver sends the SQL2 statement to the server, so that the server cannot obtain the plain text parameter value in SQL1. The plain text data is protected, while the server can still access the database based on the SQL2 statement.
  • In step S207, the server determines response information according to the SQL2 statement and the schema, and the response information includes the encryption algorithm type corresponding to the plain text parameter value.
  • After receiving the SQL2 statement, when the server determines that the SQL2 statement is, for example, an insert statement, then according to Table 2 the server needs to store, for each parameter value to be inserted (including "314" and "Carl"), multiple ciphertext parameter values corresponding to multiple columns in Table 2. Therefore, the response information on the server side should include the following information: three encryption algorithm types corresponding to the plaintext parameter value "314" of the parameter ID, namely "method1", "method2" and "method3"; and two encryption algorithm types corresponding to the plaintext parameter value "Carl" of the parameter Name, namely "method1" and "method2".
  • the response information may include the attribute information of the original column where each plaintext parameter value is located, and the attribute information includes an encryption attribute field, and the value of the encryption attribute field is, for example, a 16-bit binary number, which is used to indicate which encryption algorithms should be used to encrypt the corresponding plaintext parameter value.
  • if the value of the i-th bit in the value of the encryption attribute field of the original column of the plaintext parameter value in the response information is 1, it indicates that the i-th encryption algorithm among the preset 16 encryption algorithms should be used to encrypt the plaintext parameter value.
  • the response information includes an ID column encryption attribute field, and the value of the encryption attribute field is, for example, 0000000000000111, which is used to indicate that the parameter value "314" of the parameter ID should be encrypted using the first encryption algorithm (for example, method1), the second encryption algorithm (for example, method2), and the third encryption algorithm (for example, method3).
  • the response information may also include an encryption attribute field of the Name column.
  • the value of the encryption attribute field is, for example, 0000000000000011, which is used to indicate that the parameter value "Carl" of the parameter Name should be encrypted using the first encryption algorithm (for example, method1) and the second encryption algorithm (for example, method2).
  • the response information is not limited to only including the encryption algorithm type corresponding to the plaintext parameter value.
  • the response information can also include at least part of the information such as the table name of the data table shown in Table 1, the column name of the original column where the plaintext parameter value is located, the column length of the original column where the plaintext parameter value is located, the character set of the original column where the plaintext parameter value is located, and the data type of the original column where the plaintext parameter value is located.
  • In step S209, the server sends the response information to the driver.
  • In step S211, the driver encrypts the plaintext parameter value according to the response information to obtain the ciphertext parameter value.
  • After receiving the response information, the driver uses method1, method2 and method3 to encrypt the parameter value "314" according to the response information, and obtains three ciphertext parameter values corresponding to the three columns ID-method1, ID-method2 and ID-method3 in Table 2, and uses method1 and method2 to encrypt the parameter value "Carl", and obtains two ciphertext parameter values corresponding to the two columns Name-method1 and Name-method2 in Table 2.
  • In step S213, the driver sends the encrypted parameter value to the server.
  • the driver can send the three ciphertext parameter values and the two ciphertext parameter values to the server in a preset arrangement order, so that the server can determine the storage location of each ciphertext parameter value in the data table Customers shown in Table 2 according to the order.
  • the driver can mark the corresponding encryption algorithm type and parameter name for the three ciphertexts of "314" and the corresponding encryption algorithm type and parameter name for the two ciphertexts of "Carl" to indicate the storage location of each ciphertext parameter value in the data table Customers shown in Table 2.
  • the driver can bind the three ciphertexts of "314" to "1" and the two ciphertexts of "Carl" to "2", and send them to the server, so that the server can determine based on the binding that the three ciphertext parameter values bound to "1" are the three ciphertext parameter values corresponding to the parameter ID, and the two ciphertext parameter values bound to "2" are the two ciphertext parameter values corresponding to the parameter Name.
  • In step S215, the server accesses the database according to the SQL statement and the ciphertext parameter value.
  • After receiving the three ciphertext parameter values of the plaintext parameter value "314" and the two ciphertext parameter values of the plaintext parameter value "Carl", the server performs an insert operation according to the SQL2 statement, inserts a new row into the data table shown in Table 2, and stores the three ciphertext parameter values of "314" in the ID-method1, ID-method2 and ID-method3 columns of the inserted row according to the arrangement order or position indication information of the three ciphertext parameter values, and similarly stores the two ciphertext parameter values of "Carl" in the Name-method1 and Name-method2 columns of the inserted row.
  • the access to the database is completed.
  • FIG. 2 describes the database access scheme in the embodiment of the present specification by taking the insert operation on the database as an example. It can be understood that the embodiment of the present specification is not limited to the insert operation on the database, but can be similarly applied to other database access operations. Other access operations to the database can be performed by a method flow similar to the method flow shown in FIG. 2. For example, for a write operation to rewrite a parameter value in a data table, the server can also return to the driver a plurality of encryption algorithms corresponding to the plaintext column where the parameter value is located according to the schema of the data table, so that the driver can obtain a plurality of ciphertext parameter values of the parameter value according to the plurality of encryption algorithms, thereby writing the plurality of ciphertext parameter values into the data table.
  • the server can determine the encryption algorithm corresponding to the parameter value and the encryption algorithm corresponding to the query result according to the query type (equal value query type or unequal value query type, etc.) of the specific query operation, so that the driver encrypts the parameter value based on the encryption algorithm, and sends the ciphertext parameter value to the server for data query based on the ciphertext parameter value.
  • the driver in the computing device receives an SQL3 statement for querying data from the application.
  • the SQL3 statement is only an example of a query statement, and the embodiments of this specification may also include other types of query statements, such as unequal value query type, arithmetic calculation type, etc.
  • different query types correspond to different encryption algorithms, so as to facilitate data query in the encrypted database based on the query type.
  • the encryption algorithm corresponding to the query statement of the unequal value query type ensures that the size relationship of the ciphertexts of two parameters is consistent with the size relationship of the two parameters, so that the unequal value query operation can be directly performed based on the ciphertext of the parameter.
  • In step S303, the driver rewrites the SQL3 statement to hide the plain text parameter value, and obtains the SQL4 statement.
  • This step may refer to the above description of step S203 and will not be described again here.
  • In step S305, the driver sends the SQL4 statement to the server.
  • In step S307, the server determines response information according to the SQL4 statement and the schema.
  • the response information includes the type of encryption algorithm corresponding to the plain text parameter value and the type of encryption algorithm corresponding to the query result.
  • the server determines that the SQL4 statement is a query statement.
  • the server first determines that the parameter column corresponding to the parameter value in the SQL4 is the ID column in Table 1, and the query result column is the Name column in Table 1.
  • the server can determine from Table 3 that the encryption algorithms corresponding to the ID column include method1, method2 and method3, and the encryption algorithms corresponding to the Name column include method1 and method2.
  • the server determines that the query statement is a query statement of equal value type according to SQL4, so it can be determined that the encryption algorithm types corresponding to the ID column and the Name column in the SQL4 statement are both method1.
  • the server can generate a response message, which includes the encryption algorithm type (i.e., method1 type) of the parameter column (i.e., ID column) and the result column (i.e., Name column).
  • the response message can also include at least part of the information such as the table name of the data table shown in Table 1, the column names of the parameter column and the result column, the column lengths of the parameter column and the result column, the character sets of the parameter column and the result column, and the data types of the parameter column and the result column.
  • In step S309, the server sends the response information to the driver.
  • In step S311, the driver encrypts the plaintext parameter value according to the response information to obtain the ciphertext parameter value.
  • After receiving the response information, the driver uses the method1 encryption algorithm to encrypt the plaintext parameter value "312" in SQL3 according to the encryption algorithm type of the parameter column, and obtains the ciphertext parameter value "0x8asasub".
  • In step S313, the driver sends the encrypted parameter value to the server.
  • In step S315, the server accesses the database according to the SQL4 statement and the ciphertext parameter value to obtain the ciphertext query result.
  • After receiving the ciphertext parameter value "0x8asasub", the server reads, according to the SQL4 statement, the ciphertext query result "0xggsqh23" in the Name-method1 column of the row that includes "0x8asasub" in the ID-method1 column.
  • In step S317, the server returns the encrypted query result to the driver.
  • In step S319, the driver decrypts the ciphertext query result according to the encryption algorithm type corresponding to the query result to obtain the plaintext query result.
  • After receiving the ciphertext query result "0xggsqh23", the driver decrypts the ciphertext "0xggsqh23" based on the encryption algorithm type corresponding to the result column in the response information and the decryption algorithm included in the method1 encryption algorithm, thereby obtaining the corresponding plaintext "Alice" as the query result of the SQL3 statement.
  • the driver can return the query result "Alice" to the application.
  • the embodiments of this specification propose a database access method based on a binary encryption protocol, which realizes a lightweight driver end, and the encryption and decryption control process and schema information are stored by the database server.
  • the driver end only needs to obtain encryption and decryption related metadata (such as public key, private key, encryption and decryption algorithm) according to the protocol to complete the encryption and decryption of the data.
  • the driver end does not need to be completely transformed, and only needs to integrate the encryption and decryption algorithm.
  • the server can return the ciphertext query result and the encryption type corresponding to the query result according to the encryption type of the ciphertext column and the SQL operation type, so that the driver end can obtain the plaintext query result.
  • the driver end does not need to perceive the content of the SQL statement, but only needs to perform encryption and decryption operations based on the encryption and decryption type returned in the preparation stage and the encryption and decryption algorithm.
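The preparation, encryption and execution phases described above, for the insert of FIG2 (including the 16-bit encryption attribute field) and the equal-value query of FIG3, as an added Python example that is not part of the patent text. The regular-expression SQL parsing, the class and function names, the key, the query string and the HMAC-based `standin_encrypt` token are assumptions for illustration; the token replaces the unspecified method1 to method3 algorithms and cannot be decrypted, so the query returns the stored ciphertext only.

```python
import hashlib
import hmac
import re

# Preset algorithm order for the 16-bit encryption attribute field. Following
# the page's example (0000000000000111 = first, second and third algorithm),
# bit i counted from the right selects the i-th algorithm.
ALGORITHMS = ["method1", "method2", "method3"]
# Held only by the server (stands in for Table 3): original column -> algorithms.
SCHEMA = {"Customers": {"ID": ["method1", "method2", "method3"],
                        "Name": ["method1", "method2"]}}


def encode_mask(methods):
    return sum(1 << ALGORITHMS.index(m) for m in set(methods))


def decode_mask(mask):
    if mask >> len(ALGORITHMS):
        raise ValueError("response selects an algorithm this driver lacks")
    return [m for i, m in enumerate(ALGORITHMS) if (mask >> i) & 1]


def hide_values(sql1, spans):
    """S203: replace the values at the user-supplied (start, end) offsets."""
    out, values, pos = [], [], 0
    for start, end in sorted(spans):
        out += [sql1[pos:start], "?"]
        values.append(sql1[start:end])
        pos = end
    return "".join(out) + sql1[pos:], values


def standin_encrypt(key, column, method, value):
    """Constructed stand-in: deterministic keyed token, not real method1-3."""
    msg = f"{column}|{method}|{value}".encode()
    return "0x" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Server:
    def __init__(self):
        self.rows, self.prepared = [], None  # rows stand in for Table 2

    def prepare(self, sql):
        """S207/S307: build the response from the placeholder SQL and schema."""
        ins = re.fullmatch(r"insert into (\w+) \(([\w, ]+)\) values \([?, ]+\)", sql)
        sel = re.fullmatch(r"select (\w+) from (\w+) where (\w+) = \?", sql)
        if ins:
            table, cols = ins.group(1), [c.strip() for c in ins.group(2).split(",")]
            self.prepared = ("insert", table, cols, None)
            masks, result_mask = [encode_mask(SCHEMA[table][c]) for c in cols], None
        elif sel:  # equal-value query: method1 for parameter and result columns
            result, table, col = sel.groups()
            self.prepared = ("select", table, [col], result)
            masks, result_mask = [encode_mask(["method1"])], encode_mask(["method1"])
        else:
            raise ValueError("statement shape not covered by this example")
        return {"params": list(zip(self.prepared[2], masks)), "result": result_mask}

    def execute(self, bound):
        """S215/S315: bound maps placeholder number -> {method: ciphertext}."""
        kind, table, cols, result = self.prepared
        if kind == "insert":
            row = {}
            for idx, col in enumerate(cols, start=1):
                if sorted(bound[idx]) != sorted(SCHEMA[table][col]):
                    raise ValueError(f"wrong ciphertext set for column {col}")
                for method, ct in bound[idx].items():
                    row[f"{col}-{method}"] = ct
            self.rows.append(row)
            return []
        wanted = bound[1]["method1"]
        return [r[f"{result}-method1"] for r in self.rows
                if r[f"{cols[0]}-method1"] == wanted]


class Driver:
    """Holds key and algorithms only; it never stores or reads the schema."""

    def __init__(self, server, key):
        self.server, self.key = server, key

    def run(self, sql1, spans):
        sql2, values = hide_values(sql1, spans)          # S203
        resp = self.server.prepare(sql2)                 # S205-S209
        bound = {}
        for idx, ((col, mask), value) in enumerate(zip(resp["params"], values), 1):
            bound[idx] = {m: standin_encrypt(self.key, col, m, value)
                          for m in decode_mask(mask)}    # S211
        return resp, self.server.execute(bound)          # S213-S215


def demo():
    at = lambda s, lit: (s.index(lit), s.index(lit) + len(lit))
    server = Server()
    driver = Driver(server, b"constructed demo key")
    sql1 = "insert into Customers (ID, Name) values (314, Carl)"
    ins_resp, _ = driver.run(sql1, [at(sql1, "314"), at(sql1, "Carl")])
    sql3 = "select Name from Customers where ID = 314"  # constructed query
    sel_resp, hits = driver.run(sql3, [at(sql3, "314")])
    return server, ins_resp, sel_resp, hits


if __name__ == "__main__":
    server, ins_resp, sel_resp, hits = demo()
    print([format(m, "016b") for _, m in ins_resp["params"]], hits)
```

The server in this sketch only ever receives `?` placeholders and tokens, and `decode_mask` fails closed when the response names an algorithm the driver does not implement.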
  • FIG4 is an architecture diagram of a computing device in an embodiment of this specification, including:
  • a sending unit 41 is used to send a first access request to a database server, wherein the first access request includes a preset character used to replace a first parameter value of a first parameter, and the data table accessed by the first access request includes a ciphertext parameter value of the first parameter;
  • a receiving unit 42 configured to receive response information from the server, wherein the server stores mode information of the data table, wherein the mode information includes an identifier of an encryption algorithm corresponding to the ciphertext parameter value of the first parameter, wherein the response information is generated based on the mode information and the first access request, and wherein the response information is used to indicate that the first parameter value corresponds to a first encryption algorithm;
  • An encryption unit 43 configured to encrypt the first parameter value based on the first encryption algorithm to obtain a first ciphertext parameter value
  • the sending unit 41 is further used to send the first ciphertext parameter value to the server for accessing the database.
  • the first access request includes a query request
  • the database stores data to be queried corresponding to the query request in association with the first ciphertext parameter value
  • the data to be queried includes ciphertext data
  • the response information is further used to indicate that the query result of the query request corresponds to the second encryption algorithm.
  • the receiving unit is also used to receive the ciphertext data from the server;
  • the receiving device also includes: a decryption unit, configured to decrypt the ciphertext data based on the second encryption algorithm to obtain plaintext data.
  • the first access request includes a second access request for requesting to write data to a database
  • the response information is used to indicate a plurality of first encryption algorithms corresponding to the first parameter value
  • the sending unit is further used to send a plurality of first ciphertext parameter values respectively corresponding to the plurality of first encryption algorithms to the server.
  • the mode information also includes different query types corresponding to different encryption algorithm types, and the response information is generated based on the mode information and the query type of the first access request.
  • the receiving unit is also used to: receive a third access request from an application, the third access request including the first parameter value, receive position information of the first parameter value in the third access request provided by a user, and replace the first parameter value in the third access request with the preset character according to the position information to obtain the first access request.
  • FIG. 5 is an architecture diagram of a database server in an embodiment of this specification, including:
  • a receiving unit 51 is configured to receive a first access request from a computing device, wherein the first access request includes a preset character used to replace a first parameter value of a first parameter, wherein a data table accessed by the first access request includes a ciphertext parameter value of the first parameter, and wherein mode information of the data table is stored in the server, wherein the mode information includes an identifier of an encryption algorithm corresponding to the ciphertext parameter value of the first parameter;
  • a determining unit 52 configured to determine response information according to the first access request and the mode information, wherein the response information is used to indicate that the first parameter value corresponds to a first encryption algorithm
  • a sending unit 53 configured to send the response information to the computing device
  • the receiving unit 51 is further configured to receive a first ciphertext parameter value from the computing device, where the first ciphertext parameter value is obtained by encrypting the first parameter value based on the first encryption algorithm;
  • the access unit 54 is configured to access a database based on the first access request and the first ciphertext parameter value.
  • the first access request includes a query request
  • the response information is further used to indicate that the query result of the query request corresponds to a second encryption algorithm
  • the database stores data to be queried corresponding to the query request in association with the first ciphertext parameter value
  • the data to be queried includes ciphertext data
  • the server further includes:
  • an acquiring unit configured to acquire the ciphertext data according to the first ciphertext parameter value and the first access request
  • a returning unit is used to return the ciphertext data to the computing device.
  • the first access request includes a second access request for writing data to the database
  • the response information is used to indicate multiple first encryption algorithms corresponding to the first parameter value
  • the receiving unit is specifically used to: receive multiple first ciphertext parameter values corresponding to the multiple first encryption algorithms from the computing device, and the access unit is specifically used to store the multiple first ciphertext parameter values in the database in association with the identifiers of the multiple first encryption algorithms.
  • the embodiments of this specification also provide a computer-readable storage medium on which a computer program is stored.
  • when the computer program is executed in a computer, the computer is caused to execute the method shown in FIG. 2 or FIG. 3.
  • a sixth aspect of the present specification provides a computer device, including a memory and a processor, wherein the memory stores executable code, and when the processor executes the executable code, the method shown in FIG. 2 or FIG. 3 is implemented.
  • a programmable logic device such as a field programmable gate array (FPGA)
  • the controller may be implemented in any suitable manner, for example, the controller may take the form of a microprocessor or processor and a computer readable medium storing a computer readable program code (e.g., software or firmware) executable by the (micro)processor, a logic gate, a switch, an application specific integrated circuit (ASIC), a programmable logic controller, and an embedded microcontroller, examples of which include but are not limited to the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320, and the memory controller may also be implemented as part of the control logic of the memory.
  • the controller may be implemented in the form of a logic gate, a switch, an application specific integrated circuit, a programmable logic controller, and an embedded microcontroller by logically programming the method steps. Therefore, such a controller may be considered as a hardware component, and the means for implementing various functions included therein may also be considered as a structure within the hardware component. Or even, the means for implementing various functions may be considered as both a software module for implementing the method and a structure within the hardware component.
  • the systems, devices, modules or units described in the above embodiments may be implemented by computer chips or entities, or by products with certain functions.
  • a typical implementation device is a server system.
  • the computer that implements the functions of the above embodiments may be, for example, a personal computer, a laptop computer, a vehicle-mounted human-computer interaction device, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
  • although one or more embodiments of the present specification provide method operation steps as described in the embodiments or flow charts, more or fewer operation steps may be included based on conventional or non-creative means.
  • the order of steps listed in the embodiments is only one way of executing the order of many steps, and does not represent the only execution order.
  • when executed by a device or terminal product in practice, the steps can be executed in sequence or in parallel according to the method shown in the embodiments or the drawings (for example, in a parallel processor or a multi-threaded processing environment, or even a distributed data processing environment).
  • each module can be implemented in the same or more software and/or hardware, or the module implementing the same function can be implemented by a combination of multiple sub-modules or sub-units, etc.
  • the device embodiments described above are only schematic.
  • the division of the units is only a logical function division. There may be other division methods in actual implementation.
  • multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed.
  • Another point is that the mutual coupling or direct coupling or communication connection shown or discussed can be through some interfaces, indirect coupling or communication connection of devices or units, which can be electrical, mechanical or other forms.
  • These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce a manufactured product including an instruction device that implements the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.
  • These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.
  • a computing device includes one or more processors (CPU), input/output interfaces, network interfaces, and memory.
  • Memory may include non-permanent storage in a computer-readable medium, in the form of random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
  • Computer readable media include permanent and non-permanent, removable and non-removable media that can be implemented by any method or technology to store information.
  • Information can be computer readable instructions, data structures, program modules or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disk read-only memory (CD-ROM), digital versatile disk (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, graphene storage or other magnetic storage devices or any other non-transmission media that can be used to store information that can be accessed by a computing device.
  • computer readable media does not include temporary computer readable media (transitory media), such as modulated data signals and carrier waves.
  • one or more embodiments of the present specification may be provided as a method, system or computer program product. Therefore, one or more embodiments of the present specification may take the form of a complete hardware embodiment, a complete software embodiment or an embodiment combining software and hardware. Moreover, one or more embodiments of the present specification may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
  • One or more embodiments of the present specification may be described in the general context of computer-executable instructions executed by a computer, such as program modules.
  • program modules include routines, programs, objects, components, data structures, etc. that perform specific tasks or implement specific abstract data types.
  • One or more embodiments of the present specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices connected through a communication network.
  • program modules may be located in local and remote computer storage media, including storage devices.

Abstract

A database access method, a computing device and a server. The method comprises: sending a first access request for a database to a database server, wherein the first access request comprises a preset character which is used for replacing a first parameter value of a first parameter, and a data table, access to which is requested by means of the first access request, comprises a ciphertext parameter value of the first parameter; receiving response information from the server, wherein mode information of the data table is stored in the server, the mode information comprises an identifier of an encryption algorithm corresponding to ciphertext data in the data table, the response information is generated on the basis of the mode information and the first access request, and the response information is used for indicating that the first parameter value corresponds to a first encryption algorithm; encrypting the first parameter value on the basis of the first encryption algorithm, so as to obtain a first ciphertext parameter value; and sending the first ciphertext parameter value to the server, so as to access the data table.

Description

A database access method, computing device and server
This application claims priority to the Chinese patent application filed with the State Intellectual Property Office of China on October 28, 2022, with application number 202211337813.0 and entitled “A Database Access Method, Computing Device and Server”, the entire contents of which are incorporated by reference in this application.
Technical Field
The embodiments of the present specification belong to the field of database technology, and more particularly relate to a database access method, a computing device, and a server.
Background
In an encrypted database, the sensitive content contained in sensitive columns can be selectively encrypted, which protects the data against leakage and destruction by attacks. As with non-encrypted databases, encrypted database operations involve components such as the application, the database driver, and the database server side. The application and the database driver are deployed in a computing device, and the database server side is deployed in a database server. The application is unaware of the encryption and decryption process and only provides the driver with the keys required for encryption. The driver and the database server side communicate through a specific encryption protocol. The encryption protocol defines how Structured Query Language (SQL) statements such as insert, query, update, and delete are converted from plaintext form into ciphertext-based operations.
Summary of the Invention
The object of the present invention is to provide a database access method that saves computing resources and storage resources on the computing device side.
A first aspect of the present specification provides a database access method, comprising:
sending a first access request for a database to a database server, wherein the first access request includes a preset character used to replace a first parameter value of a first parameter, and the data table that the first access request requests to access includes a ciphertext parameter value of the first parameter;
receiving response information from the server, wherein the server stores mode information of the data table, the mode information includes an identifier of an encryption algorithm corresponding to the ciphertext parameter value of the first parameter, the response information is generated based on the mode information and the first access request, and the response information is used to indicate that the first parameter value corresponds to a first encryption algorithm;
encrypting the first parameter value based on the first encryption algorithm to obtain a first ciphertext parameter value;
sending the first ciphertext parameter value to the server for accessing the data table.
A second aspect of the present specification provides a database access method, which is executed by a database server and includes:
receiving a first access request from a computing device, wherein the first access request includes a preset character used to replace a first parameter value of a first parameter, the data table that the first access request requests to access includes a ciphertext parameter value of the first parameter, the server stores mode information of the data table, and the mode information includes an identifier of an encryption algorithm corresponding to the ciphertext parameter value of the first parameter;
determining response information according to the first access request and the mode information, the response information being used to indicate that the first parameter value corresponds to a first encryption algorithm;
sending the response information to the computing device;
receiving a first ciphertext parameter value from the computing device, the first ciphertext parameter value being obtained by encrypting the first parameter value based on the first encryption algorithm;
accessing the data table based on the first access request and the first ciphertext parameter value.
A third aspect of the present specification provides a computing device, including:
a sending unit, configured to send a first access request for a database to a database server, wherein the first access request includes a preset character used to replace a first parameter value of a first parameter, and the data table that the first access request requests to access includes a ciphertext parameter value of the first parameter;
a receiving unit, configured to receive response information from the server, wherein the server stores mode information of the data table, the mode information includes an identifier of an encryption algorithm corresponding to the ciphertext parameter value of the first parameter, the response information is generated based on the mode information and the first access request, and the response information is used to indicate that the first parameter value corresponds to a first encryption algorithm;
an encryption unit, configured to encrypt the first parameter value based on the first encryption algorithm to obtain a first ciphertext parameter value;
the sending unit is further configured to send the first ciphertext parameter value to the server for accessing the data table.
A fourth aspect of the present specification provides a database server, comprising:
a receiving unit, configured to receive a first access request from a computing device, wherein the first access request includes a preset character used to replace a first parameter value of a first parameter, the data table that the first access request requests to access includes a ciphertext parameter value of the first parameter, the server stores mode information of the data table, and the mode information includes an identifier of an encryption algorithm corresponding to the ciphertext parameter value of the first parameter;
a determining unit, configured to determine response information according to the first access request and the mode information, wherein the response information is used to indicate that the first parameter value corresponds to a first encryption algorithm;
a sending unit, configured to send the response information to the computing device;
the receiving unit is further configured to receive a first ciphertext parameter value from the computing device, where the first ciphertext parameter value is obtained by encrypting the first parameter value based on the first encryption algorithm;
an access unit, configured to access the data table based on the first access request and the first ciphertext parameter value.
A fifth aspect of the present specification provides a computer-readable storage medium having a computer program stored thereon, which, when executed in a computer, causes the computer to execute the method described in the first aspect or the second aspect.
A sixth aspect of the present specification provides a computer device, including a memory and a processor, wherein the memory stores executable code, and when the processor executes the executable code, the method described in the first aspect or the second aspect is implemented.
With the database access method provided in the embodiments of this specification, the server determines, based on the SQL statement and the schema, the encryption algorithm corresponding to the parameter value in the SQL statement and sends the result to the driver. The driver therefore does not need to store the schema or rewrite the SQL statement according to the schema, which saves storage resources and computing resources.
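The exchange of the first and second aspects, as an added Python sketch that is not code from the patent: the driver replaces the value with a placeholder, the server picks the algorithm from its schema and the query type, and the driver encrypts and decrypts without holding any schema. Assumptions: `?` as the preset character, a statement id, one key per algorithm identifier, regular-expression statement parsing, and an HMAC-based deterministic cipher standing in for the unspecified method1; the 313/Bob row is constructed sample data.

```python
import hashlib
import hmac
import re

KEY = hashlib.sha256(b"constructed demo key").digest()  # handed to the driver by the application

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, iv, n):
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def method1_encrypt(key, text):
    """Stand-in for method1: deterministic, so equal plaintexts give equal ciphertexts."""
    pt = text.encode()
    iv = hmac.new(_subkey(key, b"mac"), pt, hashlib.sha256).digest()[:16]
    ks = _keystream(_subkey(key, b"enc"), iv, len(pt))
    return (iv + bytes(a ^ b for a, b in zip(pt, ks))).hex()

def method1_decrypt(key, ct_hex):
    raw = bytes.fromhex(ct_hex)
    iv, body = raw[:16], raw[16:]
    ks = _keystream(_subkey(key, b"enc"), iv, len(body))
    pt = bytes(a ^ b for a, b in zip(body, ks))
    tag = hmac.new(_subkey(key, b"mac"), pt, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(iv, tag):
        raise ValueError("ciphertext does not verify under this key")
    return pt.decode()

# Algorithms the driver implements, looked up by the identifier the server returns.
DRIVER_ALGORITHMS = {"method1": (method1_encrypt, method1_decrypt)}

class Server:
    """Holds the schema and the ciphertext table; never holds a key."""
    # Plaintext column -> operator -> (ciphertext column, algorithm id), after Table 3.
    SCHEMA = {"customers": {
        "id": {"=": ("ID-method1", "method1"), ">": ("ID-method2", "method2"),
               "<": ("ID-method2", "method2")},
        "name": {"=": ("Name-method1", "method1")},
    }}
    SHAPE = re.compile(r"select\s+(\w+)\s+from\s+(\w+)\s+where\s+(\w+)\s*([=<>])\s*\?$", re.I)

    def __init__(self, rows):
        self.rows, self.prepared, self.received = rows, {}, []

    def prepare(self, sql):
        """Preparation stage: choose algorithms from the schema and the query type."""
        self.received.append(sql)
        match = self.SHAPE.match(sql.strip())
        if not match:
            raise ValueError("statement shape not handled by this sketch")
        out_col, table, where_col, op = (g.lower() for g in match.groups())
        columns = self.SCHEMA[table]
        where_ct_col, param_alg = columns[where_col][op]
        out_ct_col, result_alg = columns[out_col]["="]  # results come from the method1 copy
        stmt_id = len(self.prepared) + 1
        self.prepared[stmt_id] = (where_ct_col, out_ct_col)
        return {"statement_id": stmt_id, "param_algorithm": param_alg,
                "result_algorithm": result_alg}

    def execute(self, stmt_id, ct_param):
        """Execution stage: equality match on ciphertext only."""
        self.received.append(ct_param)
        where_ct_col, out_ct_col = self.prepared[stmt_id]
        return [row[out_ct_col] for row in self.rows if row.get(where_ct_col) == ct_param]

class Driver:
    PLACEHOLDER = "?"  # assumed preset character

    def __init__(self, server, keys):
        self.server, self.keys = server, keys

    def query(self, sql, start, end):
        """sql[start:end] is the parameter value, located by caller-supplied positions."""
        value = sql[start:end]
        info = self.server.prepare(sql[:start] + self.PLACEHOLDER + sql[end:])
        encrypt, _ = DRIVER_ALGORITHMS[info["param_algorithm"]]
        ct_param = encrypt(self.keys[info["param_algorithm"]], value)
        results = self.server.execute(info["statement_id"], ct_param)
        _, decrypt = DRIVER_ALGORITHMS[info["result_algorithm"]]
        return [decrypt(self.keys[info["result_algorithm"]], ct) for ct in results]

def demo():
    # Constructed rows: 312/Alice is the page's example, 313/Bob is made up.
    rows = [{"ID-method1": method1_encrypt(KEY, i), "Name-method1": method1_encrypt(KEY, n)}
            for i, n in [("312", "Alice"), ("313", "Bob")]]
    server = Server(rows)
    sql = "select name from Customers where id=312"
    start = sql.index("312")
    names = Driver(server, {"method1": KEY}).query(sql, start, start + 3)
    return names, server

if __name__ == "__main__":
    result, srv = demo()
    print(result, srv.received)
```

`server.received` holds only the placeholder statement and the ciphertext parameter, so the plaintext value and the key stay on the computing device. The deterministic encryption that makes the equality match possible also lets the server see which rows share a value.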
Brief Description of the Drawings
To illustrate the technical solutions of the embodiments of this specification more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below are only some of the embodiments recorded in this specification; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a system structure diagram of an embodiment of this specification;
FIG. 2 is a flow chart of a database access method in an embodiment of this specification;
FIG. 3 is a flow chart of a method for performing a query operation on a database in an embodiment of this specification;
FIG. 4 is an architecture diagram of a computing device in an embodiment of this specification;
FIG. 5 is an architecture diagram of a database server in an embodiment of this specification.
Detailed Description
To enable those skilled in the art to better understand the technical solutions in this specification, the technical solutions in the embodiments of this specification are described clearly and completely below in conjunction with the drawings in the embodiments. The described embodiments are only some of the embodiments of this specification, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments in this specification without creative effort shall fall within the scope of protection of this specification.
FIG. 1 is a system structure diagram in an embodiment of the present specification. As shown in FIG. 1, the system includes a computing device 101 and a server 102. The computing device 101 is, for example, an application server that runs an application. A database driver is deployed in the computing device 101, and the application can send an access request to the server 102 by calling the driver in order to access the database. Access to the database includes, for example, operations such as insert, query, update, and delete. The server 102 includes an encrypted data table and a database schema corresponding to the encrypted data table. At least some of the columns in the encrypted data table that involve private data contain ciphertext data.
The database schema can be understood as the data model of the database, and can be used to describe the meta-information of data objects in the database. Specifically, the database schema includes information related to the data table and the attributes of the data in the data table. For example, the schema may include the table name, the number of columns in the data table, the column names, the plaintext column name corresponding to each ciphertext column, the encryption and decryption type corresponding to each ciphertext column, and the query type corresponding to each encryption and decryption type.
Table 1 is a schematic diagram of a plaintext data table.
Table 1
Figure PCTCN2022135250-appb-000001
Here, "Customers" is the table name, and "ID" and "Name" are the column names of the two columns in the data table.
Table 2 is a schematic diagram of the ciphertext data table that corresponds to Table 1 and is stored in the server.
Table 2
Figure PCTCN2022135250-appb-000002
In Table 2, the "ID" in ID-method1 is the plaintext column name corresponding to the ciphertext column, and the "method1" in ID-method1 is the encryption algorithm type or identifier. It indicates the method1 encryption algorithm, meaning that the ciphertext in this column is generated by encrypting the corresponding data in the plaintext data table with method1. For example, "0x8asasub" in the ID-method1 column of Table 2 is generated by encrypting "312" in the ID column of Table 1 with method1.
To make data retrieval in the ciphertext data table easier, the same plaintext data can be encrypted with different encryption algorithms in the ciphertext data table. For example, as shown in Table 2, the ID column of the plaintext table has three ciphertext columns, ID-method1, ID-method2, and ID-method3, which contain the ciphertexts obtained by encrypting the plaintext data in the ID column with different encryption algorithms. Here, method1 is, for example, suitable for equality queries, method2 for inequality queries, and method3 for arithmetic calculation queries. An equality query is an SQL statement in which the name of the parameter to be queried and its parameter value are connected by an equals sign, such as "select name from Customers where ID=312"; method1 can, for example, support equality comparison of ciphertexts. An inequality query is an SQL statement in which the name of the parameter to be queried and its parameter value are connected by an inequality sign, such as "select name from Customers where ID>312"; method2 can, for example, support inequality comparison of ciphertexts. An arithmetic calculation query is one in which the parameter values in the SQL statement are first computed on and the query is then performed on the result; method3 is, for example, a homomorphic encryption algorithm, which supports homomorphic computation between ciphertexts.
The server 102 stores a schema corresponding to Table 1 and Table 2. The schema is, for example, as shown in Table 3:
Table 3
Table name | Customers
Number of original columns | 2
Field name of original column 1 | ID
Number of ciphertext columns of original column 1 | 3
Field name of ciphertext column 1 of original column 1 | ID-method1
Encryption algorithm of ciphertext column 1 of original column 1 | Method1
Query type of ciphertext column 1 of original column 1 | Equality query
Field name of ciphertext column 2 of original column 1 | ID-method2
Encryption algorithm of ciphertext column 2 of original column 1 | Method2
Query type of ciphertext column 2 of original column 1 | Inequality query
Field name of ciphertext column 3 of original column 1 | ID-method3
Encryption algorithm of ciphertext column 3 of original column 1 | Method3
Query type of ciphertext column 3 of original column 1 | Arithmetic calculation query
Here, the original columns in Table 3 are the columns in Table 1, such as the ID column and the Name column, and the ciphertext columns of an original column in Table 3 are the ciphertext columns in Table 2 that correspond to that original column, for example the ID-method1, ID-method2, and ID-method3 columns corresponding to the ID column in Table 1.
It can be understood that Table 3 shows only some of the items in the schema. In practice, the schema may also include other attribute items related to the data table, such as the column length, character set, and data type of the original columns, which are not shown in Table 3.
In the related art, the driver synchronizes the schema of the data table, as shown in Table 3, from the server. When the application needs to access the database, taking a query as an example, the application sends a plaintext query request to the driver, for example the SQL statement "select name from Customers where id=312". After receiving the query request, the driver parses the SQL statement, determines from the schema (for example, Table 3) that the id parameter corresponds to the three encryption algorithms method1, method2 and method3, and determines from the equality query type of the SQL statement that method1 should be used to encrypt the parameter value "312". The driver then encrypts the parameter value "312" with the method1 encryption algorithm to obtain the ciphertext parameter value "0x8asasub", rewrites the plaintext SQL statement into the ciphertext SQL statement "select name from Customers where id=0x8asasub", and sends the ciphertext SQL statement to the server. Based on the ciphertext SQL statement, the server can determine that the plaintext column name being queried is "id" and, because the SQL statement is of the equality query type, that the ciphertext SQL statement corresponds to "method1". The server can therefore find the row containing "0x8asasub" in the id-method1 column of Table 2 and return the ciphertext 0xggsqh23 in the name-method1 column of that row to the driver. After receiving the ciphertext 0xggsqh23 from the server, the driver can determine from the plaintext SQL statement and the schema that the ciphertext 0xggsqh23 was obtained by encrypting the name plaintext with method1. The driver can receive from the application the decryption key corresponding to the name column and method1, use that key to decrypt 0xggsqh23 with the method1 algorithm to obtain the plaintext "Alice", and return "Alice" to the application as the query result.
In this related art, the driver needs to synchronize the schema from the server and store it, which takes up considerable storage resources. In addition, the driver needs to rewrite the SQL statement according to the schema, which involves complex logic and is difficult to implement.
The embodiments of this specification provide a database access method in which the server determines, from the SQL statement and the schema, the encryption algorithm corresponding to each parameter value in the SQL statement and sends the result to the driver. The driver therefore needs neither to store the schema nor to rewrite the SQL statement according to the schema, which saves storage resources and computing resources.
FIG. 2 is a flowchart of a database access method in an embodiment of this specification. The method can be executed by the computing device 101 and the server 102 in FIG. 1; more specifically, the computing-device side can be executed by the driver in the computing device. It can be understood that the computing-device side of the method is not limited to being executed by the driver; for example, it can also be executed by other modules, or by a module included in the application, and this is not limited here.
As shown in FIG. 2, first, in step S201, the driver in the computing device receives the SQL1 statement from the application.
The SQL1 statement may be a statement indicating any database access operation, such as insert, query, update or delete. The SQL1 statement includes at least the name of the data table to be accessed, the names of the parameters to be operated on, and the parameter value of each parameter. For example, taking the insertion of a row into Table 1, the SQL1 statement may be "insert into Customers(ID,Name)values(314,Carl)", where Customers is the name of the data table to be accessed, (ID,Name) are the names of the parameters to be operated on, and (314,Carl) are the parameter values of those parameters. This SQL1 statement inserts a row of data into Table 1 in which the value of ID is 314 and the value of Name is Carl.
In step S203, the driver rewrites the SQL1 statement to hide the plaintext parameter values, obtaining the SQL2 statement.
After receiving the SQL1 statement, the driver displays it to the user to prompt the user to provide the position information of the parameter values (i.e., "314" and "Carl") in the SQL1 statement. After obtaining the position information entered by the user, the driver can replace each plaintext parameter value with a preset character (or placeholder, for example "?") according to the position information, hiding the plaintext parameter values and obtaining the SQL2 statement "insert into Customers(ID,Name)values(?,?)". It can be understood that the embodiments of this specification are not limited to replacing the plaintext parameter values with identical placeholders. For example, (314,Carl) can be replaced with (1,2), so that "1" and "2" distinguish 314 from Carl.
In the embodiments of this specification, the driver and the server perform database access through a binary protocol flow. The binary protocol flow includes a preparation phase, an encryption phase and an execution phase. In FIG. 2, steps S205 to S209 belong to the preparation phase, steps S211 to S213 belong to the encryption phase, and step S215 belongs to the execution phase.
In step S205, the driver sends the SQL2 statement to the server.
Because the driver sends the SQL2 statement to the server, the server cannot obtain the plaintext parameter values in SQL1. The plaintext data is protected, while the server can still perform database access based on the SQL2 statement.
In step S207, the server determines response information according to the SQL2 statement and the schema. The response information includes the encryption algorithm types corresponding to the plaintext parameter values.
After receiving the SQL2 statement, if the server determines that the SQL2 statement is, for example, an insert statement, then according to Table 2 the server side needs to store, for each parameter value to be inserted (including "314" and "Carl"), multiple ciphertext parameter values corresponding to the multiple columns in Table 2. The response information from the server should therefore include the following: the three encryption algorithm types corresponding to the plaintext parameter value "314" of the parameter ID, namely "method1", "method2" and "method3"; and the two encryption algorithm types corresponding to the plaintext parameter value "Carl" of the parameter Name, namely "method1" and "method2".
Specifically, the response information may include the attribute information of the original column in which each plaintext parameter value is located. The attribute information includes an encryption attribute field whose value is, for example, a 16-bit binary number indicating which encryption algorithms should be used to encrypt the corresponding plaintext parameter value. For a plaintext parameter value in the SQL1 statement, if the i-th bit of the encryption attribute field of that value's original column in the response information is 1, the i-th of the 16 preset encryption algorithms should be used to encrypt that plaintext parameter value. For example, corresponding to the parameter value "314" in the SQL1 statement, the response information includes the encryption attribute field of the ID column, whose value is, for example, 0000000000000111, indicating that the parameter value "314" of the parameter ID should be encrypted using the first encryption algorithm (for example, method1), the second encryption algorithm (for example, method2) and the third encryption algorithm (for example, method3). Similarly, corresponding to the parameter value "Carl" in the SQL1 statement, the response information may also include the encryption attribute field of the Name column, whose value is, for example, 0000000000000011, indicating that the parameter value "Carl" of the parameter Name should be encrypted using the first encryption algorithm (for example, method1) and the second encryption algorithm (for example, method2).
It can be understood that the response information is not limited to including only the encryption algorithm types corresponding to the plaintext parameter values. For example, the response information can also include at least part of the following: the name of the data table shown in Table 1, and the column name, column length, character set and data type of the original column in which each plaintext parameter value is located.
In step S209, the server sends the response information to the driver.
In step S211, the driver encrypts the plaintext parameter values according to the response information to obtain ciphertext parameter values.
After receiving the response information, the driver, according to the response information, encrypts the parameter value "314" using method1, method2 and method3 to obtain three ciphertext parameter values corresponding respectively to the ID-method1, ID-method2 and ID-method3 columns in Table 2, and encrypts the parameter value "Carl" using method1 and method2 to obtain two ciphertext parameter values corresponding respectively to the Name-method1 and Name-method2 columns in Table 2.
In step S213, the driver sends the ciphertext parameter values to the server.
After obtaining the three ciphertext parameter values of "314" and the two ciphertext parameter values of "Carl", the driver can send them to the server in a preset order, so that the server can determine from that order where each ciphertext parameter value is stored in the data table Customers shown in Table 2. Alternatively, the driver can label each of the three ciphertexts of "314" and each of the two ciphertexts of "Carl" with its encryption algorithm type and parameter name, to indicate where each ciphertext parameter value is stored in the data table Customers shown in Table 2. In the implementation in which "1" replaces "314" and "2" replaces "Carl" in the SQL2 statement, the driver can bind the three ciphertexts of "314" to "1" and the two ciphertexts of "Carl" to "2" and send them to the server. From this binding, the server can determine that the three ciphertext parameter values bound to "1" are those of the parameter ID and that the two ciphertext parameter values bound to "2" are those of the parameter Name.
In step S215, the server accesses the database according to the SQL statement and the ciphertext parameter values.
After receiving the three ciphertext parameter values of the plaintext parameter value "314" and the two ciphertext parameter values of the plaintext parameter value "Carl", the server performs the insert operation according to the SQL2 statement and inserts a new row into the data table shown in Table 2. According to the order of the three ciphertext parameter values of "314" or their position indication information, the server stores them in the ID-method1, ID-method2 and ID-method3 columns of the inserted row, and likewise stores the two ciphertext parameter values of "Carl" in the Name-method1 and Name-method2 columns of the inserted row. This completes the access to the database.
FIG. 2 describes the database access scheme of the embodiments of this specification using an insert operation as an example. It can be understood that the embodiments are not limited to insert operations and can be applied similarly to other database access operations, which can be performed through a method flow similar to that shown in FIG. 2. For example, for a write operation that overwrites a parameter value in a data table, the server can likewise return to the driver, according to the schema of the data table, the multiple encryption algorithms corresponding to the plaintext column in which the parameter value is located, so that the driver can obtain multiple ciphertext parameter values of the parameter value using those algorithms and write them into the data table. For a query operation that looks up other data in the data table based on a parameter value, the server can determine the encryption algorithm corresponding to the parameter value and the encryption algorithm corresponding to the query result according to the query type of the specific query operation (equality query type, inequality query type, and so on), so that the driver encrypts the parameter value with that encryption algorithm and sends the ciphertext parameter value to the server for use in the data query.
The method flow for querying a database in an embodiment of this specification is described below with reference to FIG. 3.
As shown in FIG. 3, first, in step S301, the driver in the computing device receives from the application an SQL3 statement for querying data. As described above, the SQL3 statement is, for example, "select name from Customers where ID=312", which queries the data table for the name whose ID=312; it is a query statement of the equality query type. The SQL3 statement is only one example of a query statement; the embodiments of this specification may also include query statements of other types, such as the inequality query type and the arithmetic calculation type. In an encrypted database, different query types correspond to different encryption algorithms, so that data can be queried in the encrypted database according to the query type. For example, the encryption algorithm corresponding to a query statement of the inequality query type ensures that the order relationship between the ciphertexts of two parameters is consistent with the order relationship between the two parameters, so that the inequality query operation can be performed directly on the ciphertexts of the parameters.
In step S303, the driver rewrites the SQL3 statement to hide the plaintext parameter value, obtaining the SQL4 statement.
For this step, refer to the description of step S203 above; it is not repeated here.
In step S305, the driver sends the SQL4 statement to the server.
In step S307, the server determines response information according to the SQL4 statement and the schema. The response information includes the type of the encryption algorithm corresponding to the plaintext parameter value and the type of the encryption algorithm corresponding to the query result.
After receiving the SQL4 statement and determining that it is a query statement, the server first determines that the parameter column corresponding to the parameter value in SQL4 is the ID column in Table 1 and that the query result column is the Name column in Table 1. From Table 3, the server can determine that the encryption algorithms corresponding to the ID column include method1, method2 and method3, and that the encryption algorithms corresponding to the Name column include method1 and method2. The server then determines from SQL4 that the query statement is of the equality type, and can therefore determine that the encryption algorithm type corresponding to both the ID column and the Name column in the SQL4 statement is method1. The server can thus generate response information that includes the encryption algorithm type (i.e., the method1 type) of the parameter column (i.e., the ID column) and of the result column (i.e., the Name column). The response information can also include at least part of the following: the name of the data table shown in Table 1, and the column names, column lengths, character sets and data types of the parameter column and the result column.
In step S309, the server sends the response information to the driver.
In step S311, the driver encrypts the plaintext parameter value according to the response information to obtain the ciphertext parameter value.
After receiving the response information, the driver, according to the encryption algorithm type of the parameter column, encrypts the plaintext parameter value "312" in SQL3 using the method1 encryption algorithm to obtain the ciphertext parameter value "0x8asasub".
In step S313, the driver sends the ciphertext parameter value to the server.
In step S315, the server accesses the database according to the SQL4 statement and the ciphertext parameter value to obtain the ciphertext query result.
After receiving the ciphertext parameter value "0x8asasub", the server, according to the SQL4 statement, reads the ciphertext query result "0xggsqh23" from the Name-method1 column of the row whose ID-method1 column contains "0x8asasub".
In step S317, the server returns the ciphertext query result to the driver.
In step S319, the driver decrypts the ciphertext query result according to the encryption algorithm type corresponding to the query result to obtain the plaintext query result.
After receiving the ciphertext query result "0xggsqh23", the driver, according to the encryption algorithm type corresponding to the result column in the response information, decrypts the ciphertext "0xggsqh23" using the decryption algorithm included in the method1 encryption algorithm, obtaining the corresponding plaintext "Alice" as the query result of the SQL3 statement. The driver can return the query result "Alice" to the application.
The embodiments of this specification propose a database access method based on a binary encryption protocol that makes the driver lightweight: the encryption and decryption control flow and the schema information are stored by the database server. Under the protocol, the driver only needs to obtain the metadata related to encryption and decryption (such as the public key, private key, and encryption and decryption algorithms) to encrypt and decrypt the data. The driver does not need to be completely reworked; it only needs to integrate the encryption and decryption algorithms. By recording the encryption type of each ciphertext column, the server can, according to the encryption type of the ciphertext column and the SQL operation type, return the ciphertext query result and the encryption type corresponding to that result, so that the driver can obtain the plaintext query result. The driver does not need to understand the content of the SQL statement; it only needs to perform the encryption and decryption operations using the encryption and decryption types returned in the preparation phase together with the encryption and decryption algorithms.
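The insert flow of FIG. 2 and the query flow of FIG. 3, including the 16-bit encryption attribute field, can be traced end to end in the following sketch. It is an added illustration, not code from the specification: the function and class names, the bit order (bit i counted from the least-significant end, matching the 0000000000000111 example), the query types of the Name column, and the single keyed XOR stream standing in for method1 to method3 (deterministic and reversible, but not secure and without order-preserving or arithmetic properties) are all assumptions.

```python
import hashlib
import re

# Constructed schema mirroring Table 3 (the Name column's query types are assumed).
SCHEMA = {"Customers": {
    "ID": {"method1": "equality", "method2": "inequality", "method3": "arithmetic"},
    "Name": {"method1": "equality", "method2": "inequality"},
}}


def attr_bits(methods):
    """Encode algorithm names as the 16-bit encryption attribute (bit i = method i)."""
    return sum(1 << (int(m[len("method"):]) - 1) for m in methods)


def attr_methods(attr):
    """Decode a 16-bit encryption attribute back into algorithm names."""
    return ["method%d" % (i + 1) for i in range(16) if attr >> i & 1]


def toy_cipher(key, column, method, data):
    """Placeholder cipher: deterministic XOR keystream, its own inverse, NOT secure."""
    seed = key + column.lower().encode() + method.encode()
    stream = b"".join(hashlib.sha256(seed + bytes([n])).digest() for n in range(4))
    if len(data) > len(stream):
        raise ValueError("value too long for the toy keystream")
    return bytes(a ^ b for a, b in zip(data, stream))


def span(sql, value):
    """Stand-in for the user-supplied position information of a parameter value."""
    start = sql.index(value)
    return (start, start + len(value))


def hide_values(sql1, spans):
    """S203/S303: replace the value at each (start, end) span with '?'."""
    spans = sorted(spans)
    values, sql2 = [sql1[s:e] for s, e in spans], sql1
    for s, e in reversed(spans):
        sql2 = sql2[:s] + "?" + sql2[e:]
    return sql2, values


class Server:
    """Holds the schema and the ciphertext table; never receives plaintext values."""

    def __init__(self):
        self.rows = []  # each row maps "<column>-<method>" to a ciphertext

    def _parse(self, sql2):
        ins = re.fullmatch(r"insert into (\w+)\s*\(([^)]*)\)\s*values\s*\(([?,\s]*)\)",
                           sql2, re.I)
        if ins:
            return "insert", ins.group(1), [c.strip() for c in ins.group(2).split(",")], None
        sel = re.fullmatch(r"select (\w+) from (\w+) where (\w+)\s*=\s*\?", sql2, re.I)
        if sel:
            return "select", sel.group(2), [sel.group(3)], sel.group(1)
        raise ValueError("unsupported statement")

    def _column(self, table, name):
        # Resolve the column case-insensitively ("name" -> "Name").
        for col, methods in SCHEMA[table].items():
            if col.lower() == name.lower():
                return col, methods
        raise KeyError(name)

    def prepare(self, sql2):
        """S207/S307: choose algorithms from the schema and the statement type."""
        kind, table, params, result = self._parse(sql2)

        def attr(name):
            col, methods = self._column(table, name)
            chosen = methods if kind == "insert" else [
                m for m, q in methods.items() if q == "equality"]
            return {"column": col, "enc_attr": attr_bits(chosen)}

        resp = {"params": [attr(p) for p in params]}
        if result:
            resp["result"] = attr(result)
        return resp

    def execute(self, sql2, bound):
        """S215/S315: bound[i] maps algorithm name -> ciphertext for placeholder i."""
        kind, table, params, result = self._parse(sql2)
        cols = [self._column(table, p)[0] for p in params]
        if kind == "insert":
            self.rows.append({f"{c}-{m}": ct
                              for c, b in zip(cols, bound) for m, ct in b.items()})
            return None
        (method, ct), = bound[0].items()  # equality query: one algorithm, one ciphertext
        res_col = self._column(table, result)[0]
        return [r[f"{res_col}-{method}"] for r in self.rows
                if r.get(f"{cols[0]}-{method}") == ct]


def driver_run(server, key, sql1, spans):
    """Driver side: mask, prepare, encrypt per the response, execute, decrypt."""
    sql2, values = hide_values(sql1, spans)
    resp = server.prepare(sql2)
    bound = [{m: toy_cipher(key, p["column"], m, v.encode())
              for m in attr_methods(p["enc_attr"])}
             for p, v in zip(resp["params"], values)]
    out = server.execute(sql2, bound)
    if out is None:
        return None
    res = resp["result"]
    method = attr_methods(res["enc_attr"])[0]
    return [toy_cipher(key, res["column"], method, ct).decode() for ct in out]
```

The driver here holds no schema: every algorithm choice comes from the `prepare` response, and the server only ever stores and compares ciphertexts.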
FIG. 4 is an architecture diagram of a computing device in an embodiment of this specification, including:
a sending unit 41, configured to send a first access request for a database to a database server, wherein the first access request includes a preset character used in place of a first parameter value of a first parameter, and the data table that the first access request requests to access includes a ciphertext parameter value of the first parameter;
a receiving unit 42, configured to receive response information from the server, wherein the server stores schema information of the data table, the schema information includes an identifier of the encryption algorithm corresponding to the ciphertext parameter value of the first parameter, the response information is generated based on the schema information and the first access request, and the response information is used to indicate that the first parameter value corresponds to a first encryption algorithm;
an encryption unit 43, configured to encrypt the first parameter value based on the first encryption algorithm to obtain a first ciphertext parameter value;
the sending unit 41 is further configured to send the first ciphertext parameter value to the server for use in accessing the database.
In one embodiment, the first access request includes a query request, the database stores, in association with the first ciphertext parameter value, the data to be queried corresponding to the query request, the data to be queried includes ciphertext data, and the response information is further used to indicate that the query result of the query request corresponds to a second encryption algorithm,
the receiving unit is further configured to receive the ciphertext data from the server;
the receiving device further includes: a decryption unit, configured to decrypt the ciphertext data based on the second encryption algorithm to obtain plaintext data.
In one embodiment, the first access request includes a second access request for requesting that data be written to the database, and the response information is used to indicate a plurality of first encryption algorithms corresponding to the first parameter value,
the sending unit is further configured to send to the server a plurality of first ciphertext parameter values respectively corresponding to the plurality of first encryption algorithms.
In one embodiment, the schema information further includes the different query types corresponding to different encryption algorithm types, and the response information is generated based on the schema information and the query type of the first access request.
In one embodiment, the receiving unit is further configured to: receive a third access request from an application, the third access request including the first parameter value; receive position information, provided by a user, of the first parameter value in the third access request; and replace the first parameter value in the third access request with the preset character according to the position information to obtain the first access request.
FIG. 5 is an architecture diagram of a database server in an embodiment of this specification, including:
a receiving unit 51, configured to receive a first access request from a computing device, wherein the first access request includes a preset character used in place of a first parameter value of a first parameter, the data table that the first access request requests to access includes a ciphertext parameter value of the first parameter, the server stores schema information of the data table, and the schema information includes an identifier of the encryption algorithm corresponding to the ciphertext parameter value of the first parameter;
a determining unit 52, configured to determine response information according to the first access request and the schema information, wherein the response information is used to indicate that the first parameter value corresponds to a first encryption algorithm;
a sending unit 53, configured to send the response information to the computing device;
the receiving unit 51 is further configured to receive a first ciphertext parameter value from the computing device, the first ciphertext parameter value being obtained by encrypting the first parameter value based on the first encryption algorithm;
an access unit 54, configured to access the database based on the first access request and the first ciphertext parameter value.
In one embodiment, the first access request includes a query request, the response information is further used to indicate that the query result of the query request corresponds to a second encryption algorithm, the database stores, in association with the first ciphertext parameter value, the data to be queried corresponding to the query request, the data to be queried includes ciphertext data, and the server further includes:
an acquiring unit, configured to acquire the ciphertext data according to the first ciphertext parameter value and the first access request;
a returning unit, configured to return the ciphertext data to the computing device.
In one implementation, the first access request includes a second access request for writing data to the database, and the response information indicates multiple first encryption algorithms corresponding to the first parameter value. The receiving unit is specifically configured to receive, from the computing device, multiple first ciphertext parameter values that respectively correspond to the multiple first encryption algorithms, and the access unit is specifically configured to store the multiple first ciphertext parameter values in the database in association with the identifiers of the respective first encryption algorithms.
The embodiments of this specification also provide a computer-readable storage medium on which a computer program is stored. When the computer program is executed in a computer, it causes the computer to execute the method shown in FIG. 2 or FIG. 3.
A sixth aspect of this specification provides a computer device, including a memory and a processor, wherein the memory stores executable code, and when the processor executes the executable code, the method shown in FIG. 2 or FIG. 3 is implemented.
In the 1990s, an improvement to a technology could be clearly classified as either a hardware improvement (for example, an improvement to a circuit structure such as a diode, transistor or switch) or a software improvement (an improvement to a method flow). As technology has developed, however, many of today's method-flow improvements can be regarded as direct improvements to hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. It therefore cannot be said that an improvement to a method flow cannot be implemented with a hardware entity module. For example, a programmable logic device (PLD), such as a field programmable gate array (FPGA), is an integrated circuit whose logical function is determined by the user programming the device. Designers program a digital system onto a single PLD themselves, without asking a chip manufacturer to design and fabricate a dedicated integrated circuit chip. Moreover, instead of making integrated circuit chips by hand, this programming is nowadays mostly done with "logic compiler" software, which is similar to the software compiler used in program development. The source code to be compiled must also be written in a specific programming language, called a hardware description language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art should also understand that a hardware circuit implementing a logical method flow can easily be obtained by doing a little logic programming of the method flow in one of the above hardware description languages and programming it into an integrated circuit.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by that (micro)processor, logic gates, switches, an application-specific integrated circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include but are not limited to the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art also know that, besides implementing the controller purely as computer-readable program code, the method steps can be logically programmed so that the controller performs the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be regarded as a hardware component, and the means included in it for implementing various functions may be regarded as structures within the hardware component. The means for implementing various functions may even be regarded both as software modules implementing the method and as structures within the hardware component.
The systems, devices, modules or units described in the above embodiments may be implemented by a computer chip or entity, or by a product having a certain function. A typical implementation device is a server system. Of course, this application does not exclude that, as computer technology develops, the computer implementing the functions of the above embodiments may be, for example, a personal computer, a laptop computer, a vehicle-mounted human-computer interaction device, a cellular phone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
Although one or more embodiments of this specification provide method operation steps as described in the embodiments or flowcharts, more or fewer operation steps may be included based on conventional or non-inventive means. The order of steps listed in the embodiments is only one of many possible execution orders and is not the only one. When an actual device or terminal product executes the method, the steps may be executed sequentially or in parallel according to the embodiments or the drawings (for example, in a parallel-processor or multi-threaded environment, or even a distributed data processing environment). The terms "comprise", "include" and any variants thereof are intended to cover non-exclusive inclusion, so that a process, method, product or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, product or device. Without further limitation, the presence of additional identical or equivalent elements in the process, method, product or device that includes the stated elements is not excluded. Words such as "first" and "second", where used, denote names and do not indicate any particular order.
For convenience of description, the above devices are described as separate modules divided by function. Of course, when implementing one or more embodiments of this specification, the functions of the modules may be implemented in one or more pieces of software and/or hardware, or a module implementing a given function may be implemented by a combination of multiple sub-modules or sub-units. The device embodiments described above are only illustrative. For example, the division into units is only a division by logical function; other divisions are possible in an actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
Memory may include non-permanent storage in a computer-readable medium, in the form of random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage, graphene storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
Those skilled in the art should understand that one or more embodiments of this specification may be provided as a method, a system or a computer program product. Accordingly, one or more embodiments of this specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
One or more embodiments of this specification may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform specific tasks or implement specific abstract data types. One or more embodiments of this specification may also be practiced in distributed computing environments, where tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
The embodiments in this specification are described progressively; for the parts that are the same or similar, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the system embodiments are described relatively briefly because they are basically similar to the method embodiments; for the relevant details, refer to the description of the method embodiments. In this specification, a reference to "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that the specific features, structures, materials or characteristics described in connection with that embodiment or example are included in at least one embodiment or example of this specification. Such references do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples. In addition, provided they do not contradict one another, those skilled in the art may combine the different embodiments or examples described in this specification and the features of those embodiments or examples.
The above is merely a description of one or more embodiments of this specification and is not intended to limit them. Those skilled in the art may make various modifications and changes to one or more embodiments of this specification. Any modification, equivalent replacement or improvement made within the spirit and principles of this specification shall fall within the scope of the claims.

Claims (13)

  1. A database access method, comprising:
    sending a first access request for a database to a database server, wherein the first access request includes a preset character that stands in for a first parameter value of a first parameter, and the data table that the first access request asks to access includes ciphertext parameter values of the first parameter;
    receiving response information from the server, wherein the server stores mode information of the data table, the mode information includes an identifier of the encryption algorithm corresponding to the ciphertext parameter values of the first parameter, the response information is generated based on the mode information and the first access request, and the response information indicates that the first parameter value corresponds to a first encryption algorithm;
    encrypting the first parameter value based on the first encryption algorithm to obtain a first ciphertext parameter value;
    sending the first ciphertext parameter value to the server for use in accessing the data table.
  2. The method according to claim 1, wherein the first access request includes a query request, the data table stores the data to be queried for the query request in association with the first ciphertext parameter value, the data to be queried includes ciphertext data, the response information further indicates that the query result of the query request corresponds to a second encryption algorithm, and the method further comprises:
    receiving the ciphertext data from the server;
    decrypting the ciphertext data based on the second encryption algorithm to obtain plaintext data.
  3. The method according to claim 1, wherein the first access request includes a second access request for requesting that data be written to the data table, and the response information indicates multiple first encryption algorithms corresponding to the first parameter value,
    and wherein sending the first ciphertext parameter value to the server comprises: sending to the server multiple first ciphertext parameter values that respectively correspond to the multiple first encryption algorithms.
  4. The method according to claim 2, wherein the mode information further includes the different query types that correspond to different encryption algorithms, and the response information is generated based on the mode information and the query type of the query request.
  5. The method according to claim 2, further comprising: receiving a third access request from an application, the third access request including the first parameter value; receiving position information, provided by a user, of the first parameter value within the third access request; and replacing the first parameter value in the third access request with the preset character according to the position information, to obtain the first access request.
  6. The method according to claim 5, wherein the method is executed by a database driver in the computing device where the application is located.
  7. A database access method, executed by a database server, comprising:
    receiving a first access request from a computing device, wherein the first access request includes a preset character that stands in for a first parameter value of a first parameter, the data table that the first access request asks to access includes ciphertext parameter values of the first parameter, the server stores mode information of the data table, and the mode information includes an identifier of the encryption algorithm corresponding to the ciphertext parameter values of the first parameter;
    determining response information according to the first access request and the mode information, wherein the response information indicates that the first parameter value corresponds to a first encryption algorithm;
    sending the response information to the computing device;
    receiving a first ciphertext parameter value from the computing device, wherein the first ciphertext parameter value is obtained by encrypting the first parameter value based on the first encryption algorithm;
    accessing the data table based on the first access request and the first ciphertext parameter value.
  8. The method according to claim 7, wherein the first access request includes a query request, the response information further indicates that the query result of the query request corresponds to a second encryption algorithm, the data table stores the data to be queried for the query request in association with the first ciphertext parameter value, the data to be queried includes ciphertext data, and the method further comprises:
    acquiring the ciphertext data according to the first ciphertext parameter value and the first access request;
    returning the ciphertext data to the computing device.
  9. The method according to claim 7, wherein the first access request includes a second access request for writing data to the data table, and the response information indicates multiple first encryption algorithms corresponding to the first parameter value; receiving the first ciphertext parameter value from the computing device comprises: receiving, from the computing device, multiple first ciphertext parameter values that respectively correspond to the multiple first encryption algorithms; and accessing the data table based on the first access request and the first ciphertext parameter value comprises: storing the multiple first ciphertext parameter values in the data table in association with the identifiers of the respective first encryption algorithms.
  10. A computing device, comprising:
    a sending unit, configured to send a first access request for a database to a database server, wherein the first access request includes a preset character that stands in for a first parameter value of a first parameter, and the data table that the first access request asks to access includes ciphertext parameter values of the first parameter;
    a receiving unit, configured to receive response information from the server, wherein the server stores mode information of the data table, the mode information includes an identifier of the encryption algorithm corresponding to the ciphertext parameter values of the first parameter, the response information is generated based on the mode information and the first access request, and the response information indicates that the first parameter value corresponds to a first encryption algorithm;
    an encryption unit, configured to encrypt the first parameter value based on the first encryption algorithm to obtain a first ciphertext parameter value;
    wherein the sending unit is further configured to send the first ciphertext parameter value to the server for use in accessing the data table.
  11. A database server, comprising:
    a receiving unit, configured to receive a first access request from a computing device, wherein the first access request includes a preset character that stands in for a first parameter value of a first parameter, the data table that the first access request asks to access includes ciphertext parameter values of the first parameter, the server stores mode information of the data table, and the mode information includes an identifier of the encryption algorithm corresponding to the ciphertext parameter values of the first parameter;
    a determining unit, configured to determine response information according to the first access request and the mode information, wherein the response information indicates that the first parameter value corresponds to a first encryption algorithm;
    a sending unit, configured to send the response information to the computing device;
    wherein the receiving unit is further configured to receive a first ciphertext parameter value from the computing device, the first ciphertext parameter value being obtained by encrypting the first parameter value based on the first encryption algorithm;
    an access unit, configured to access the data table based on the first access request and the first ciphertext parameter value.
  12. A computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed in a computer, causes the computer to execute the method according to any one of claims 1 to 9.
  13. A computer device, comprising a memory and a processor, wherein the memory stores executable code, and the processor, when executing the executable code, implements the method according to any one of claims 1 to 9.
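The exchange in claims 1 to 9, as an added example that is not code from the patent or its applicant: the driver swaps the parameter value for the preset character, asks the server which algorithms the mode information lists, and sends only ciphertext. The identifiers `DET_EQ` and `RND`, the dict layouts and the client-side allow-list check are assumptions, and both ciphers are standard-library stand-ins, not vetted constructions.

```python
import hashlib, hmac, os

PLACEHOLDER = "?"  # preset character that stands in for the parameter value

def det_eq(key, value):
    """Stand-in deterministic algorithm: equal plaintexts give equal tokens."""
    return hmac.new(key, b"DET_EQ" + value, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"RND" + nonce + ctr.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def rnd_encrypt(key, value):
    """Stand-in randomized algorithm (unauthenticated; illustration only)."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(value, _keystream(key, nonce, len(value))))

def rnd_decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class Server:
    """Database server: holds mode information and ciphertext, never the key."""
    def __init__(self):
        # Assumed layout of the mode information for one encrypted column.
        self.schema = {"users": {"name": {"write_algs": ["DET_EQ", "RND"],
                                          "query_algs": {"equality": "DET_EQ"},
                                          "result_alg": "RND"}}}
        self.rows = []   # each row: {column: {algorithm id: ciphertext}}
        self.seen = []   # every byte string the server received

    def describe(self, req):
        """Answer a placeholder request with algorithm identifiers."""
        self.seen.append(req["sql"].encode())
        col = self.schema[req["table"]][req["column"]]
        if req["op"] == "insert":                      # write: several algorithms
            return {"param_algs": list(col["write_algs"])}
        return {"param_algs": [col["query_algs"][req["qtype"]]],
                "result_alg": col["result_alg"]}       # query: chosen by query type

    def execute(self, req, cts):
        """Access the table using only the ciphertext parameter values."""
        self.seen.extend(cts.values())
        name = req["column"]
        if req["op"] == "insert":
            self.rows.append({name: dict(cts)})        # stored per algorithm id
            return []
        (alg, token), = cts.items()
        result_alg = self.schema[req["table"]][name]["result_alg"]
        return [r[name][result_alg] for r in self.rows
                if hmac.compare_digest(r.get(name, {}).get(alg, b""), token)]

class Driver:
    """Client-side driver: the only party that holds the key."""
    ENCRYPT = {"DET_EQ": det_eq, "RND": rnd_encrypt}
    DECRYPT = {"RND": rnd_decrypt}

    def __init__(self, key, server):
        self.key, self.server = key, server

    def access(self, op, table, column, sql, span, qtype="equality"):
        start, end = span                              # position info from the user
        value = sql[start:end].strip("'").encode()
        req = {"op": op, "table": table, "column": column, "qtype": qtype,
               "sql": sql[:start] + PLACEHOLDER + sql[end:]}
        info = self.server.describe(req)
        # Added hardening (assumption): refuse identifiers the driver does not
        # implement, so a bad response cannot make it send the value unencrypted.
        if set(info["param_algs"]) - self.ENCRYPT.keys():
            raise ValueError("server named an unsupported parameter algorithm")
        if op == "query" and info["result_alg"] not in self.DECRYPT:
            raise ValueError("server named an unsupported result algorithm")
        cts = {a: self.ENCRYPT[a](self.key, value) for a in info["param_algs"]}
        blobs = self.server.execute(req, cts)
        if op != "query":
            return []
        return [self.DECRYPT[info["result_alg"]](self.key, b).decode() for b in blobs]

def demo():
    """Insert then query 'alice'; report the result and whether plaintext leaked."""
    server = Server()
    driver = Driver(os.urandom(32), server)
    ins = "INSERT INTO users (name) VALUES ('alice')"   # constructed sample input
    i = ins.index("'alice'")
    driver.access("insert", "users", "name", ins, (i, i + 7))
    sel = "SELECT name FROM users WHERE name = 'alice'"
    j = sel.index("'alice'")
    found = driver.access("query", "users", "name", sel, (j, j + 7))
    leaked = any(b"alice" in item for item in server.seen)
    return found, leaked
```

The write path stores one ciphertext per algorithm identifier, so the equality query can match on the deterministic value while the returned data stays under the randomized one.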
PCT/CN2022/135250 2022-10-28 2022-11-30 Database access method, computing device and server WO2024087312A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211337813.0A CN115687391A (en) 2022-10-28 2022-10-28 Database access method, computing device and server
CN202211337813.0 2022-10-28

Publications (1)

Publication Number Publication Date
WO2024087312A1 (en) 2024-05-02

Family

ID=85046290

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/135250 WO2024087312A1 (en) 2022-10-28 2022-11-30 Database access method, computing device and server

Country Status (2)

Country Link
CN (1) CN115687391A (en)
WO (1) WO2024087312A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180293257A1 (en) * 2015-12-31 2018-10-11 Huawei Technologies Co., Ltd. Method for accessing distributed database and distributed data service apparatus
CN110413676A (en) * 2019-07-25 2019-11-05 中国工商银行股份有限公司 The access method and its device of database, electronic equipment and medium
CN111431876A (en) * 2020-03-13 2020-07-17 深圳壹账通智能科技有限公司 Method and device for accessing database, computer equipment and storage medium
CN114462059A (en) * 2021-12-30 2022-05-10 济南超级计算技术研究院 Table field level encryption and security access control method and system

Also Published As

Publication number Publication date
CN115687391A (en) 2023-02-03
