CN100449563C - Method for controlling database safety access - Google Patents


Info

Publication number: CN100449563C
Application number: CNB2007100733290A
Authority: CN (China)
Prior art keywords: database, access, program, voucher, client
Legal status: Active (Google's assumption, not a legal conclusion); anticipated expiration
Other languages: Chinese (zh)
Other versions: CN101030242A
Inventors: 尹立东, 王东卫, 杭小林
Current assignee: Maikelong Electronics Co Ltd Shenzhen City (Google's listing, not legally verified)
Original assignee: Maikelong Electronics Co Ltd Shenzhen City
Application filed by: Maikelong Electronics Co Ltd Shenzhen City
Priority date: 2007-02-12 (Google's assumption, not a legal conclusion)
Filing date: 2007-02-12
Publication dates: 2007-09-05 (application, CN101030242A); 2009-01-07 (grant, CN100449563C)

Landscapes

  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A method for controlling secure access to a database. An intermediate program is installed between the client and the database. During database access the access credential is generated and modified dynamically, so that the credential used for each connection to the database is different, and the credential used for the current access is invalidated immediately after that connection to the database succeeds.

Description

Method for controlling secure database access
Technical field
The present invention relates to secure database access, and in particular to a method of controlling secure database access by dynamically generating and modifying database access credentials.
Background technology
When software under development must use a database access credential to connect to a database, that credential comprises the name or alias of the database server, the name or IP address of the server on which the database is installed, the database name, the database user name, the database user's password, the access rights of the database user, the protocol used for access, the port number used for access, and so on. To protect the credential, software developers currently take one of the following approaches: the credential is encrypted and stored in a client configuration file or in the client's registry, and the program reads and decrypts it for use; or the credential is written directly into the source program, or is encrypted and then written into the source program and decrypted by the program for use.
Whichever of these approaches is used, all share one fatal defect: the database access credential is essentially static. It can be obtained by the following methods, and the obtained credential can then be used to break into the database and destroy or steal sensitive information:
1. locate the configuration file or registry entry in which the encrypted credential is stored, and decode the credential from it;
2. decompile the program with decompilation software, or analyse it with a program tracer, and extract the credential stored in the program;
3. capture the packets on the network when the software connects to the database, and analyse and decode the credential from them.
Summary of the invention
The purpose of the present invention is to provide a method of controlling secure database access that overcomes the defects of the prior art described above: the database access credential is set dynamically; the credential with which the software connected successfully to the database is guaranteed to expire immediately; and, using the features of the particular database, the function by which a user connects to the database with the access credential can be disabled under specified conditions, so that only designated software can activate that function and connect to the database with the credential, thereby effectively controlling unauthorized access to the database.
The solution of the present invention consists of two parts: a database access credential acquisition client program, and a database access credential verification and setting intermediate program. The main function of the credential acquisition client program is to read the client's random factor R1 and the access parameters C1, C2, ..., Cn (the access parameters C1, C2, ..., Cn include additional information such as the client's IP address and machine name, the name or alias of the database server, the name or IP address of the server on which the database is installed, the database name, the database user name, the role of the database user, and so on), to encode and encrypt R1 together with C1, C2, ..., Cn to produce M1, to pass M1 to the credential verification and setting intermediate program, and to generate the database access credential dynamically from the intermediate access credential that the intermediate program returns. The main function of the credential verification and setting intermediate program is to handle the credential acquisition and verification requests sent by the client: it connects with the credential acquisition client and, from the client random factor R1 and access parameters C1, C2, ..., Cn together with the intermediate program's own random factors R2, R3 and preset parameters S1, S2, ..., Sm, dynamically generates and modifies the database access credential for the access parameters C1, C2, ..., Cn, and returns the intermediate access credential produced during this process to the credential acquisition client.
The method proposed by the present invention achieves control of secure database access by dynamically generating and modifying the database access credential, and comprises the following steps:
(1) install the database access credential acquisition client program A on the client;
(2) install the access credential verification and setting intermediate program B between the client and the database;
(3) when a database connection is to be made, start program A; program A reads the client's characteristic factor R1 and the access parameters Cn (n = 1, 2, 3, ...), encodes R1 and Cn with an encoding method F to produce M1, M1 = F(R1, Cn), and sends M1 to program B to request verification and the setting of a database access credential;
(4) when program B receives the verification request of program A, it establishes a connection with program A, reads the M1 sent by program A, recovers R1 and Cn with the inverse F^-1 of the encoding method F, (R1, Cn) = F^-1(M1), and verifies whether M1 is legitimate data; if it is not, program B does no further processing and closes the connection;
(5) if verification passes, program B reads the intermediate program's preset parameters Sm (m = 1, 2, 3, ...) and performs the cryptographic operation G1 on Sm to generate K1, K1 = G1(Sm); the intermediate program then reads an intermediate characteristic factor R2 and performs the cryptographic operation G2 on R2 and K1 to generate the intermediate access credential K2, K2 = G2(R2, K1); it then performs the cryptographic operation G3 on R1, K2 and Cn to generate K3, K3 = G3(R1, K2, Cn); it sets K3 as the database access credential for the client parameters Cn, at the same time locking out modification of the access credential for the parameters Cn by other processes, and returns the intermediate access credential K2 to program A;
(6) on receiving K2, program A likewise performs the cryptographic operation G3 on R1, K2 and Cn to generate K3; the client connects to the database using K3 as the database access credential, and program A sends the result X1 of the database connection to program B;
(7) once program B receives X1, or observes that the parameters Cn have connected successfully to the database, it immediately invalidates the access credential K3 and releases the lock on modification of the access credential for the parameters Cn by other processes.
Because the method of controlling secure database access provided by the present invention sets the database access credential dynamically, it can truly achieve control of secure database access. At the same time the technique is easy to package and easy to use in different software, and the credential generation algorithm used in this technique is hard to break.
Brief description of the drawings
The present invention is described in detail below with reference to the drawings and specific embodiments, in which
Fig. 1 is a schematic diagram of the control of secure database access;
Fig. 2 is a flow chart of the control of secure database access;
Fig. 3 is a flow chart of the access credential acquisition client program;
Fig. 4 is a flow chart of the access credential verification and setting intermediate program.
Embodiments
The principle of the control of secure database access according to the present invention is shown in Fig. 1. First, the client program A is installed on the client and the intermediate program B is installed between the client and the database. When the client needs to connect to the database, program A first sends the request (interrogation) signal M1 to program B. On receiving M1, program B generates the intermediate access credential K2 and the final access credential K3 by cryptographic operations, passes the intermediate access credential K2 to program A, and at the same time monitors the client's connection to the database. On receiving K2, program A generates the access credential K3 by the same cryptographic operation. The client connects to the database with K3, and program A sends the result X1 of the database connection to program B. Once program B receives X1, or observes that the client has connected successfully to the database, it immediately invalidates K3.
As shown in Figs. 2 to 4, the specific flow of the present invention is as follows:
(1) install the database access credential acquisition client program A on the client;
(2) install the access credential verification and setting intermediate program B between the client and the database;
(3) when the client uses the method of the invention to connect to the database, program A is started and reads the client's random factor R1 and the access parameters Cn (n = 1, 2, 3, ...); it then runs the encoding method F, which encodes Cn and R1 together to produce M1, M1 = F(R1, Cn); for example, one implementation of F encrypts R1 and Cn and then combines them into a string M1 of a specific format; program A then sends M1 to program B with a request for verification, and waits for the intermediate database access credential to be returned;
(4) when program B receives the verification request of program A, it establishes a connection with program A, reads the M1 sent by program A, recovers R1 and Cn with the inverse F^-1 of F, (R1, Cn) = F^-1(M1), and verifies whether M1 is legitimate data; for the implementation of F mentioned in step (3), for example, this means verifying whether M1 is a string of that specific format; if it is not, program B does no further processing and closes the connection;
(5) if verification passes, program B reads the intermediate program's preset parameters Sm (m = 1, 2, 3, ...) and performs the cryptographic operation G1 on Sm to generate K1, K1 = G1(Sm); the intermediate program then reads an intermediate random factor R2 and performs the cryptographic operation G2 on R2 and K1 to generate the intermediate access credential K2, K2 = G2(R2, K1); it then performs the cryptographic operation G3 on R1, K2 and Cn to generate K3, K3 = G3(R1, K2, Cn); it sets K3 as the database access credential for Cn, at the same time locking out modification of the database access credential for the access parameters Cn by other processes, and returns K2 to program A;
(6) on receiving K2, program A likewise performs the cryptographic operation G3 on R1, K2 and Cn to generate the access credential K3; the client connects to the database using K3, and program A sends the result X1 of the database connection to program B;
(7) if program B receives X1 within the preset time, or observes that the parameters Cn have connected successfully to the database, it immediately invalidates the access credential K3, releases the lock on modification of the database access credential for the access parameters Cn by other processes, closes the connection and the child process, and records the state of this interaction in a log file; if program B has not received X1 after the preset time has elapsed, and has not observed a successful connection of the parameters Cn to the database either, program B performs the same operations, but records in the log file that the disconnection of this connection was "forced", meaning that the disconnection was carried out forcibly by the intermediate program.
In the embodiment above, the characteristic factors R1, R2 and R3 may each be one or several values; they may be random numbers, or combinations with any other values, depending entirely on the security needs of the implementation. Likewise there may be more cryptographic algorithms than G1, G2, G3 and G4, and the algorithm F may take various forms. The preset intermediate parameters Sm may be a single value or empty; their form may be simple digits, symbols, strings or a piece of program code, and they may or may not be encrypted. The corresponding access parameters Cn may also be empty, but in that case the program must set them to default values or store them in Sm.
In two further embodiments of the present invention, program B can adjust its strategy for concurrent modification of database access credentials according to efficiency needs, as follows:
(1) still using process handling: when several requests simultaneously need a database access credential to be set for the database access parameters Cn, only the request-handling process that arrives first is allowed to set the access credential for the parameters Cn; the other request-handling processes with identical access parameters default to the same access credential K3 as the first process, and K2 is passed together with the R1 of the first request to the corresponding access credential acquisition client software; however, a restriction is placed on the processing time or on the number of processes allowed to use the same access credential at once, so that the access credential computed by the credential acquisition client software expires within a safe time, thereby guaranteeing both the security of the access credential and the efficiency of program execution;
(2) compared with mode (1) above, thread handling is added: once a request-handling process or thread has set the database access credential for the access parameters Cn, request-handling threads for the same access parameters started within a specified time or up to a specified number also default to the database access credential K3, and K2 is passed together with the R1 of the first request to the corresponding access credential acquisition client software.
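The following is an added example, not code from the patent or its assignee: a single-process simulation of the flow in steps (3) to (7) above, of the K4 replacement of claim 2, of the "forced" timeout branch of step (7), and of the shared-K3 concurrency embodiment (1). The patent leaves F and G1..G4 abstract, so this example assumes JSON for F and HMAC-SHA256 for G1..G4; the class names `ProgramA`, `ProgramB` and `Database`, the preset secret `S`, the account string used as `Cn`, the 16-byte random factors and the `timeout`/`sweep` deadline handling are all choices of the example. Nothing crosses a network here: the stand-in database holds one live password per account, and program B changes that password directly.

```python
# Added example, not the patent's code. Assumptions: F = JSON, G1..G4 = HMAC-SHA256,
# all parties in one process, shared-K3 option of the concurrency embodiment.
import hashlib, hmac, json, secrets, time


def G(label, *parts):
    """Stand-in for the one-way operations G1..G4 (assumed HMAC-SHA256);
    the label separates the four uses, parts are length-prefixed."""
    mac = hmac.new(label.encode(), digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.hexdigest()


class Database:
    """Stand-in DBMS: one live password per account, checked on connect()."""
    def __init__(self):
        self.passwords = {}

    def set_password(self, account, password):
        self.passwords[account] = password

    def connect(self, account, password):
        return hmac.compare_digest(self.passwords.get(account, ""), password)


class ProgramB:
    """Middleware (steps 4, 5, 7): holds S_m, derives K1..K3, installs K3 for Cn,
    returns K2, then replaces K3 by a fresh K4 (claim 2) on X1 or on timeout."""
    def __init__(self, db, S, timeout=2.0):
        self.db, self.S, self.timeout = db, S, timeout
        self.pending = {}   # Cn -> (K2, hex R1 of first request, deadline)
        self.journal = []   # (Cn, "reported" | "forced")

    def handle_request(self, M1, now=None):
        now = time.monotonic() if now is None else now
        self.sweep(now)
        try:                                        # step (4): F^-1 and checks
            msg = json.loads(M1)
            R1, Cn = bytes.fromhex(msg["R1"]), str(msg["Cn"])
            if len(R1) != 16 or not Cn:
                raise ValueError("bad factor or parameter")
        except (ValueError, KeyError, TypeError):
            return None                             # illegal data: close
        if Cn in self.pending:                      # Cn locked: share live K3
            K2, R1_first, _ = self.pending[Cn]
            return K2, R1_first
        K1 = G("G1", self.S)                        # step (5)
        R2 = secrets.token_bytes(16)
        K2 = G("G2", R2, K1.encode())
        K3 = G("G3", R1, K2.encode(), Cn.encode())
        self.db.set_password(Cn, K3)                # K3 is the live credential
        self.pending[Cn] = (K2, R1.hex(), now + self.timeout)
        return K2, R1.hex()

    def _retire(self, Cn, reason):
        K2, _, _ = self.pending.pop(Cn)
        R3 = secrets.token_bytes(16)
        K4 = G("G4", R3, K2.encode(), Cn.encode())  # claim 2: K4 replaces K3
        self.db.set_password(Cn, K4)
        self.journal.append((Cn, reason))

    def report(self, Cn, X1):                       # step (7): X1 received
        if Cn in self.pending:
            self._retire(Cn, "reported")

    def sweep(self, now=None):                      # step (7): timeout branch
        now = time.monotonic() if now is None else now
        for Cn, (_, _, deadline) in list(self.pending.items()):
            if now > deadline:
                self._retire(Cn, "forced")


class ProgramA:
    """Client (steps 3, 6): knows G3, its own R1 and its Cn only."""
    def __init__(self, db, B, Cn):
        self.db, self.B, self.Cn = db, B, Cn

    def connect(self):
        R1 = secrets.token_bytes(16)
        M1 = json.dumps({"R1": R1.hex(), "Cn": self.Cn})   # step (3): F
        reply = self.B.handle_request(M1)
        if reply is None:
            return False, None
        K2, R1_used = reply                         # == R1 unless K3 is shared
        K3 = G("G3", bytes.fromhex(R1_used), K2.encode(), self.Cn.encode())
        X1 = self.db.connect(self.Cn, K3)           # step (6)
        self.B.report(self.Cn, X1)                  # step (7)
        return X1, K3


def run_demo():
    """Constructed scenario: one honest connection, a replay of its K3, a bad M1."""
    db = Database()
    B = ProgramB(db, S=b"preset-middleware-secret")     # constructed S_m
    A = ProgramA(db, B, Cn="app_user@dbserver01")       # constructed Cn
    X1, K3 = A.connect()
    replay = db.connect("app_user@dbserver01", K3)      # K3 already retired
    garbage = B.handle_request("not json at all")
    return X1, replay, garbage, list(B.journal)
```

Running `run_demo()` gives a successful first connection, a failed replay of the same K3 (program B has already installed K4), a rejected malformed M1, and a journal entry recording that the credential was retired on report. Two points the simulation makes visible: the credential is only as short-lived as the gap between step (5) and step (7), so the timeout sweep is what bounds the window when X1 never arrives; and because K3 = G3(R1, K2, Cn), whoever observes both R1 and K2 in transit and knows G3 can compute K3 inside that window, which is why claim 6 has program A encrypt R1 before sending it and why the channel carrying K2 needs the same protection.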
Compared with the prior art, the method proposed by the present invention, which controls secure database access by dynamically setting the database access credential, has the following advantages:
(1) Safe and reliable
Dynamically setting the database access credential effectively guarantees that the credential just used to connect successfully to the database expires immediately, so that even if an attacker obtains by some means the access credential used for a connection, the attacker cannot break into the database management system (DBMS) and operate on the database.
(2) The technique is easy to package and easy to use in different software
The present invention is easily packaged as an access credential acquisition client tool and an access credential verification and setting intermediate program; once their development and packaging are complete, they can be installed directly in any software, and with a simple interface they add no extra work to the development of that software.
(3) The database access credential generation algorithm is hard to break
In the present invention, the important intermediate variables used and the contents of the packets transmitted over the network are all random, and the generation of the random factors is distributed between the client and the intermediate program, which greatly increases the difficulty of breaking the scheme. In addition, the database access credential transmitted to the credential acquisition client tool is only an intermediate access credential; the final database access credential is obtained only after a further cryptographic operation G3, while the cryptographic operations G1 and G2 are located on the intermediate program side, which makes breaking the cryptographic algorithm almost impossible. Moreover, none of the cryptographic algorithms that produce the access credentials needs to be reversible, which makes inverting them especially difficult.
The fully dynamic setting of the database access credential in the present invention truly solves, at its root, the insecurity of the access credential used to connect to the database over a network; the verification and setting intermediate program adds an authentication policy to database access and is a further guarantee of database access security. In other embodiments of the present invention, the intermediate program B can be installed on the database side or on the client, or all three can be installed on the same machine.
Many variations are possible under the concept of the present invention, and all such variations fall within the scope of the invention.

Claims (8)

1. A method of controlling secure database access, characterized in that it achieves control of secure database access by dynamically generating and modifying the database access credential, the method comprising the following steps:
(1) install the database access credential acquisition client program A on the client;
(2) install the access credential verification and setting intermediate program B between the client and the database;
(3) when a database connection is to be made, start program A; program A reads a client characteristic factor R1 and parameters Cn (n = 1, 2, 3, ...), then encodes the characteristic factor R1 and the parameters Cn with an encoding method F to produce an interrogation signal M1, M1 = F(R1, Cn), and program A sends the interrogation signal M1 to program B to request verification and the setting of a database access credential;
(4) when program B receives the verification request of program A, it establishes a connection with program A, reads the interrogation signal M1 sent by program A, recovers R1 and Cn with the inverse F^-1 of the encoding method F, (R1, Cn) = F^-1(M1), and verifies whether the signal M1 is legitimate data; if it is not, program B does no further processing and closes the connection;
(5) if verification passes, program B reads the intermediate program's preset parameters Sm (m = 1, 2, 3, ...) and performs the cryptographic operation G1 on Sm to generate K1, K1 = G1(Sm); the intermediate program then reads an intermediate characteristic factor R2 and performs the cryptographic operation G2 on R2 and K1 to generate the intermediate access credential K2, K2 = G2(R2, K1); it then performs the cryptographic operation G3 on R1, K2 and Cn to generate K3, K3 = G3(R1, K2, Cn); it sets K3 as the database access credential for the client parameters Cn, at the same time locking out modification of the database access credential for the parameters Cn by other processes, and returns the intermediate access credential K2 to program A;
(6) on receiving K2, program A likewise performs the cryptographic operation G3 on R1, K2 and Cn to generate K3; the client connects to the database using K3 as the database access credential, and program A sends the result X1 of the database connection to program B;
(7) once program B receives X1, or observes that the parameters Cn have connected successfully to the database, it immediately invalidates the access credential K3 and allows other processes to modify the database access credential for the parameters Cn.
2. The method of controlling secure database access according to claim 1, characterized in that the step of invalidating the access credential K3 in step (7) is: read a further intermediate characteristic factor R3, perform the cryptographic operation G4 on R3, K2 and Cn to generate K4, K4 = G4(R3, K2, Cn), and set K4 as the new database access credential for the parameters Cn.
3. The method of controlling secure database access according to claim 1, characterized in that the characteristic factors R1, R2 and R3 are random numbers.
4. The method of controlling secure database access according to claim 1, characterized in that the preset intermediate parameters Sm are encrypted strings.
5. The method of controlling secure database access according to claim 1 or 2, characterized in that the cryptographic algorithms G1, G2, G3 and G4 are irreversible.
6. The method of controlling secure database access according to claim 1, characterized in that program A encrypts the characteristic factor R1 before transmitting it over the network.
7. The method of controlling secure database access according to claim 1, characterized in that program B is a multi-process intermediate program.
8. The method of controlling secure database access according to claim 1, characterized in that program B may be installed on the database server, on a separate intermediate server, or on the client.
Application CNB2007100733290A: Method for controlling database safety access; priority date 2007-02-12, filing date 2007-02-12, status Active; granted as CN100449563C.

Publications (2)

Publication Number / Publication Date
CN101030242A 2007-09-05 (application)
CN100449563C 2009-01-07 (grant)

Family

ID=38715581; single family application CNB2007100733290A (CN only)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101673217B (en) * 2009-08-26 2013-03-27 用友软件股份有限公司 Method for realizing remote program call and system thereof
CN102426592B (en) * 2011-10-31 2014-10-08 北京人大金仓信息技术股份有限公司 Method for initializing database based on dynamic password
CN103092763A (en) * 2013-02-25 2013-05-08 用友软件股份有限公司 Connection leak automatic analysis device and connection leak automatic analysis method
CN104732160B (en) * 2015-02-03 2018-04-13 武汉风奥软件技术有限公司 A kind of control method for preventing from divulging a secret inside database information
CN105631346A (en) * 2015-12-25 2016-06-01 深圳市华讯方舟软件技术有限公司 Spark database electronic coded lock safe and convenient to use and operation method thereof
CN106021497B (en) * 2016-05-23 2021-06-08 中国银联股份有限公司 Database access password management method
CN106330860A (en) * 2016-08-08 2017-01-11 西安工程大学 Security interface of security access database and transaction process thereof
CN106326769B (en) * 2016-08-24 2019-02-22 东北林业大学 A kind of field monitoring information processing unit
CN106302498B (en) * 2016-08-25 2019-05-14 杭州汉领信息科技有限公司 A kind of database access firewall system based on login parameters
CN109409120B (en) * 2017-08-18 2021-12-10 中国科学院信息工程研究所 Spark-oriented access control method and system
CN108537062B (en) * 2018-04-24 2022-03-22 山东华软金盾软件股份有限公司 Dynamic encryption method for database data
CN109831435B (en) * 2019-01-31 2021-06-01 广州银云信息科技有限公司 Database operation method, system, proxy server and storage medium
CN111506553B (en) * 2019-01-31 2023-07-04 阿里巴巴集团控股有限公司 Function setting method and device for database
CN114006716A (en) * 2021-01-04 2022-02-01 北京八分量信息科技有限公司 Block chain authority management method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567811A (en) * 2004-06-30 2005-01-19 蒋正华 An information transmission encryption method
US20060123239A1 (en) * 2004-12-07 2006-06-08 Emin Martinian Biometric based user authentication with syndrome codes
US20070016743A1 (en) * 2005-07-14 2007-01-18 Ironkey, Inc. Secure storage device with offline code entry

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant