CN102855448A - Field-level database encryption device - Google Patents
Publication number: CN102855448A (application number CN201210284801.6)
Authority: CN (China)
Prior art keywords: database, encryption, field, data, data base
Legal status: Granted (status as assumed by Google Patents, not a legal conclusion)
Landscapes: Storage Device Security (AREA)
Abstract
The invention belongs to the field of information security and provides a field-level database encryption device comprising a user information storage unit, a database field encryption setting unit and a database access preprocessor. The user information storage unit stores the database encryption symmetric key encrypted with each user's public key; the database field encryption setting unit records whether each field in the database is encrypted; and the database access preprocessor applies encryption or decryption conversion to database access statements according to the decrypted database encryption symmetric key and the field encryption setting information held in the database field encryption setting unit. With this device a user can select among the symmetric encryption algorithms supported by the database system according to the required encryption strength; the application program performs no encryption or decryption against the database, because all data encryption and decryption operations are completed by the database system; full-text retrieval of data items remains possible; and the original database access statements do not need to be changed and can be used directly and transparently.
Description
Technical field
The invention belongs to the field of information security and relates in particular to a field-level database encryption device.
Background technology
Databases are the main means of data storage in modern software systems. The data stored in a database is often sensitive user data, and encryption has become an important means of keeping that data from being disclosed.
At present, data stored in a database is protected with one of two different encryption approaches, chosen according to the nature of the data.
The first approach is irreversible encryption. A hash of the plaintext is computed to obtain a characteristic value (digest) of the data; the digest is stored in the database and the plaintext is not. Because only the digest is stored, the original data cannot be recovered, which is a significant limitation: this approach suits only certain special data types. User passwords, for example, are usually stored this way, the stored digest being used to authenticate the user's password.
The second approach is reversible encryption: the plaintext is encrypted with an encryption algorithm and can be recovered with the corresponding decryption algorithm. This approach does not have the limitation of the first, and all kinds of data can be encrypted and decrypted.
At present, various symmetric and asymmetric algorithms are used to encrypt databases, but once the data is encrypted, database access operations suffer many adverse effects, including the speed of data decryption, the retrieval of data fields, searching of data, and shared access to data.
Specifically, the following problems exist:
1. Performance: applications generally decrypt data on the client side, processing the encrypted data after it has been fetched from the database. This seriously degrades database access performance and, when the number of records is large, is essentially unusable;
2. Full-text search is not possible: because the database holds ciphertext, full-text search is generally performed only after the ciphertext has been fetched and decrypted, which is slower than searching directly in the database system and places a heavy load on the system;
3. Different users cannot share data: because the data is encrypted with a key specific to one user, data that needs to be shared cannot be encrypted;
4. Field-level encryption cannot be configured: encryption of database fields cannot be chosen flexibly, which makes the performance problem of data encryption serious;
5. Database access by the application system is not transparent: the application system must itself perform the encryption and decryption operations on the data.
Summary of the invention
The embodiment of the invention provides a field-level database encryption device that preserves the various database operation functions while effectively protecting the data in the database with encryption.
The embodiment of the invention is achieved as follows: a field-level database encryption device, the device comprising:
a user information storage unit, for storing the database encryption symmetric key encrypted with the user's public key;
a database field encryption setting unit, for setting whether the fields of the database are encrypted; and
a database access preprocessor, for applying encryption conversion or decryption conversion to database access statements according to the decrypted database encryption symmetric key and the field encryption setting information in the database field encryption setting unit.
Through the embodiment of the invention, the user can choose among the symmetric encryption algorithms supported by the database system according to the required encryption strength; the application program does not need to perform encryption or decryption operations against the database; all data encryption and decryption operations are completed by the database system; full-text search over data items is supported; and the original database access statements need no changes and are used directly and transparently, the user only preprocessing each database access statement before the database operation.
Description of drawings
Fig. 1 is a structural diagram of the field-level database encryption device provided by the embodiment of the invention;
Fig. 2 is a flow chart of an application program accessing the database, as provided by the embodiment of the invention;
Fig. 3 is a flow chart of the SQL statement processing provided by the embodiment of the invention.
Embodiment
To make the purpose, technical scheme and advantages of the invention clearer, the invention is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
In the embodiment of the invention, the database encryption symmetric key is encrypted with the user's public key, and the database access statements issued by the application program undergo encryption and decryption conversion, so that the database operation functions are preserved while the data in the database is effectively protected by encryption.
Fig. 1 shows the structure of the field-level database encryption device provided by the embodiment of the invention; for ease of description and understanding, only the parts relevant to the embodiment are shown.
The user information storage unit 11 stores the database encryption symmetric key Kdb encrypted with the user's public key Kup.
In the embodiment of the invention, the fields in the database are encrypted with the database encryption symmetric key Kdb. The database encryption symmetric key is set centrally by the database administrator or the application administrator and cannot be modified by other personnel.
In the embodiment of the invention, the database encryption symmetric key Kdb can be set for an encryption algorithm supported by the database system, such as the Advanced Encryption Standard (AES), and the system administrator can set a password string as the key through the Web interface.
When the system administrator sets the database encryption symmetric key Kdb, Kdb is encrypted with each user's public key Kup and stored in the user information storage unit 11.
When the application program needs the database encryption symmetric key Kdb, it decrypts the encrypted Kdb with the user's private key Kus to obtain Kdb, after which it can perform the subsequent encryption and decryption operations on database fields.
Each database consists of several data tables, and each data table consists of several data fields. The database field encryption setting unit 12 is used to set whether the fields of the database are encrypted. The encryption setting of a field is made by the system administrator and can be set through the front-end interface.
In the embodiment of the invention, a database field encryption setting unit is established in each database to set whether the fields of that database are encrypted.
Fig. 2 shows the processing flow of an application program accessing the database, in detail as follows:
In step S201, the database encryption symmetric key Kdb is decrypted with the user's private key Kus;
In step S202, the database access preprocessor is called;
In the embodiment of the invention, when calling the database access preprocessor 13, the application program passes the decrypted database encryption symmetric key Kdb to it;
In step S203, the database is accessed with the database access statement processed by the database access preprocessor 13, and the corresponding operation is performed.
The database in the embodiment of the invention is generally a database management system (DBMS) such as MySQL; the application program is written in PHP (Hypertext Preprocessor); the user side accesses it through a browser; and database access generally uses the Structured Query Language (SQL).
In the embodiment of the invention, the database access preprocessor 13 is a general SQL handling program: it preprocesses SQL statements according to the field encryption configuration information held in the database field encryption setting unit 12 and produces SQL statements that satisfy the encryption and decryption requirements.
To improve processing performance, the database access preprocessor 13 is implemented in C++.
When a user accesses data in the database, the application program obtains the user's private key Kus from the user's login information, uses Kus to decrypt the database encryption symmetric key Kdb that is stored in the user information storage unit 11 encrypted with the user's public key Kup, and so obtains the plaintext of Kdb.
For each SQL statement, the application program calls the database access preprocessor 13 and passes it the plaintext of Kdb. The preprocessor 13 applies encryption and decryption processing to the SQL statement according to the plaintext of Kdb and the database field encryption configuration information, and returns the processed SQL statement to the application program, which then accesses the database with the processed SQL statement.
As shown in Fig. 3, the database access preprocessor 13 applies the encryption and decryption conversion to a SQL statement according to the kind of SQL statement the application program issues:
If the SQL statement is a read statement, the preprocessor 13 queries the database field encryption setting unit 12 to find which fields in the database are encrypted, then uses the database encryption symmetric key Kdb to convert the SQL statement into a decryption statement and returns it to the application program;
If the SQL statement is a write statement, the preprocessor 13 queries the database field encryption setting unit 12 to find which fields in the database need to be encrypted, then uses Kdb to convert the SQL statement into an encryption statement and returns it to the application program;
If the SQL statement is any other database administration statement, the preprocessor 13 leaves it unchanged and returns it to the application program.
The following example illustrates this. Suppose a customer database has a user information storage unit 11, that its user table is called bizapp_users, and that the field encryption configuration of this database is as shown in the following table:
Sequence number | Field name | Data type | Length | Encrypted |
---|---|---|---|---|
1 | id | Int | | No |
2 | name | Varchar | 50 | Yes |
3 | password | Varchar | 100 | Yes |
4 | | Varchar | 200 | No |
1. If the SQL statement is a SELECT query, it is a read operation on the database, so the statement is converted into a decryption statement. For example:
SELECT name, mobilephone, email, address FROM bizapp_users WHERE name='thomas';
is converted to:
SELECT AES_DECRYPT(UNHEX(name),'dbpassword'), AES_DECRYPT(UNHEX(mobilephone),'dbpassword'), AES_DECRYPT(UNHEX(email),'dbpassword'), address
FROM bizapp_users
WHERE AES_DECRYPT(UNHEX(name),'dbpassword')='thomas';
2. If the SQL statement is an INSERT operation, the database access preprocessor 13 converts it into an encrypting SQL statement. For example:
INSERT INTO `bizapp_users`
SET `name`='thomas', `password`='123456a', `email`='gzh@liming.com';
This statement inserts a record, that is, it writes data to the database, so the fields that need to be encrypted are encrypted. If the encryption setting is the same as in the SELECT example above, the SQL statement is converted to:
INSERT
INTO `bizapp_users`
SET
`id`='0',
`name`=HEX(AES_ENCRYPT('thomas','dbpassword')),
`password`=HEX(AES_ENCRYPT('123456a','dbpassword')),
`email`='gzh@liming.com';
3. If the SQL statement is an UPDATE, suppose it is:
UPDATE `bizapp_users` SET
`name`='martin',
`password`='123456a',
`email`='martin@liming.com'
WHERE
`name`='jason';
This SQL statement is a conditional UPDATE: the expression after WHERE is a read, so it uses the decryption function, while the rest of the statement updates data in the database and uses the encryption function. The database access preprocessor 13 therefore converts the statement to:
UPDATE `bizapp_users` SET
`name`=HEX(AES_ENCRYPT('martin','dbpassword')),
`password`=HEX(AES_ENCRYPT('123456a','dbpassword')),
`email`='martin@liming.com'
WHERE
AES_DECRYPT(UNHEX(`name`),'dbpassword')='jason';
4. For any other operation, the database access preprocessor 13 checks whether the SQL statement involves an encrypted field. If it does not, the original statement is returned to the application program directly. If it does, the preprocessor analyses whether each encrypted field is read or written in the SQL statement: if it is read, the field name is wrapped in a decryption conversion; if it is written, the field content is wrapped in an encryption operation.
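As an added illustration, not code from the patent, the following Python sketches the three rewrite cases of the database access preprocessor over the page's own bizapp_users statements, using the encryption setting from the table above (name and password encrypted). The regexes, the AS alias on decrypted columns and the key-escaping helper are this example's assumptions; the comments note the two operational consequences of the design, that Kdb travels inside every statement and that a decrypting WHERE predicate cannot use an index.

```python
import re

# Constructed field-encryption setting for the bizapp_users table, following the
# page's table: `name` and `password` are encrypted, `id` and `email` are not.
FIELD_ENCRYPTION = {
    "bizapp_users": {"id": False, "name": True, "password": True, "email": False},
}

# Regexes covering the three statement shapes used in the page's examples. This is
# a deliberate simplification: a production preprocessor needs a real SQL parser.
SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+`?(?P<table>\w+)`?"
    r"\s*(?:WHERE\s+(?P<where>.+?))?\s*;?\s*$", re.IGNORECASE | re.DOTALL)
INSERT_RE = re.compile(
    r"^\s*INSERT\s+INTO\s*`?(?P<table>\w+)`?\s*SET\s+(?P<assign>.+?)\s*;?\s*$",
    re.IGNORECASE | re.DOTALL)
UPDATE_RE = re.compile(
    r"^\s*UPDATE\s*`?(?P<table>\w+)`?\s*SET\s+(?P<assign>.+?)"
    r"\s*(?:WHERE\s+(?P<where>.+?))?\s*;?\s*$", re.IGNORECASE | re.DOTALL)
# One `col`='literal' pair, as written in the page's INSERT/UPDATE/WHERE examples.
PAIR_RE = re.compile(r"`?(?P<col>\w+)`?\s*=\s*(?P<val>'(?:[^'\\]|\\.)*')")


def _encrypted_fields(table):
    return {c for c, on in FIELD_ENCRYPTION.get(table, {}).items() if on}


def _key_literal(kdb):
    # Kdb is spliced into the statement as a SQL string literal, so escape it.
    # The key thereby appears in every rewritten statement, hence in any query
    # log the server keeps: the log files need the same protection as the key.
    return kdb.replace("\\", "\\\\").replace("'", "\\'")


def _rewrite_writes(assign, enc, key):
    # Write path: `col`='v' becomes `col`=HEX(AES_ENCRYPT('v','key')).
    def sub(m):
        col, val = m.group("col"), m.group("val")
        return (f"`{col}`=HEX(AES_ENCRYPT({val},'{key}'))" if col in enc
                else f"`{col}`={val}")
    return PAIR_RE.sub(sub, assign)


def _rewrite_where(where, enc, key):
    # Read path: the stored value is HEX(AES_ENCRYPT(...)), so UNHEX, then decrypt.
    # A function applied to the column defeats any index on it: full table scan.
    def sub(m):
        col, val = m.group("col"), m.group("val")
        return (f"AES_DECRYPT(UNHEX(`{col}`),'{key}')={val}" if col in enc
                else f"`{col}`={val}")
    return PAIR_RE.sub(sub, where)


def _rewrite_select_list(cols, enc, key):
    out = []
    for col in (c.strip().strip("`") for c in cols.split(",")):
        # The AS alias is an addition of this example (the page's SELECT has none)
        # so that the application still sees the original column name.
        out.append(f"AES_DECRYPT(UNHEX(`{col}`),'{key}') AS `{col}`" if col in enc
                   else f"`{col}`")
    return ", ".join(out)


def preprocess(sql, kdb):
    """Rewrite one SQL statement as the page's database access preprocessor does."""
    key = _key_literal(kdb)
    if m := SELECT_RE.match(sql):
        enc = _encrypted_fields(m["table"])
        stmt = f"SELECT {_rewrite_select_list(m['cols'], enc, key)} FROM `{m['table']}`"
        if m["where"]:
            stmt += f" WHERE {_rewrite_where(m['where'], enc, key)}"
        return stmt + ";"
    if m := INSERT_RE.match(sql):
        enc = _encrypted_fields(m["table"])
        return f"INSERT INTO `{m['table']}` SET {_rewrite_writes(m['assign'], enc, key)};"
    if m := UPDATE_RE.match(sql):
        enc = _encrypted_fields(m["table"])
        stmt = f"UPDATE `{m['table']}` SET {_rewrite_writes(m['assign'], enc, key)}"
        if m["where"]:
            stmt += f" WHERE {_rewrite_where(m['where'], enc, key)}"
        return stmt + ";"
    return sql  # other (administration) statements are passed through unchanged


if __name__ == "__main__":
    for s in ("SELECT name, mobilephone, email, address FROM bizapp_users WHERE name='thomas';",
              "UPDATE `bizapp_users` SET `name`='martin' WHERE `name`='jason';", "SHOW TABLES;"):
        print(preprocess(s, "dbpassword"))
```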
As shown in the table:
The embodiment of the invention is implemented by modifying the underlying class, so the application program needs no modification and can simply keep calling the original code.
As one embodiment of the invention, a global encryption switch can also be provided to set whether the database is encrypted. When the database is set to encrypted, all database field encryption setting units are queried and the data of all encrypted fields undergoes encryption and decryption processing.
In the embodiment of the invention, the user information storage unit 11 and the database field encryption setting unit 12 are implemented as data tables.
The above is only a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.
Claims (4)
1. A field-level database encryption device, characterized in that the device comprises:
a user information storage unit, for storing the database encryption symmetric key encrypted with the user's public key;
a database field encryption setting unit, for setting whether the fields of the database are encrypted; and
a database access preprocessor, for applying encryption conversion or decryption conversion to database access statements according to the decrypted database encryption symmetric key and the field encryption setting information in the database field encryption setting unit.
2. The field-level database encryption device of claim 1, characterized in that the database encryption symmetric key is set for an encryption algorithm supported by the database system.
3. The field-level database encryption device of claim 1, characterized in that the device further comprises:
a global encryption switch, for setting whether the database is encrypted.
4. The field-level database encryption device of claim 1, characterized in that the user information storage unit and the database field encryption setting unit are implemented as data tables.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210284801.6A CN102855448B (en) | 2012-08-10 | 2012-08-10 | Field-level database encryption device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210284801.6A CN102855448B (en) | 2012-08-10 | 2012-08-10 | Field-level database encryption device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102855448A true CN102855448A (en) | 2013-01-02 |
CN102855448B CN102855448B (en) | 2016-02-10 |
Family
ID=47402028
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210284801.6A Expired - Fee Related CN102855448B (en) | 2012-08-10 | 2012-08-10 | Field-level database encryption device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102855448B (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105302822A (en) * | 2014-06-27 | 2016-02-03 | 中兴通讯股份有限公司 | Method for reading and writing data in database and application response apparatus |
CN106484378A (en) * | 2015-08-28 | 2017-03-08 | 阿里巴巴集团控股有限公司 | Data processing method and device that a kind of nothing is landed |
CN106934298A (en) * | 2017-03-06 | 2017-07-07 | 戴林 | A kind of Universal Database transparent encryption system |
CN106971119A (en) * | 2017-02-24 | 2017-07-21 | 江苏信源久安信息科技有限公司 | The key data in database safe read-write authentication method of trusted identity |
CN107579987A (en) * | 2017-09-22 | 2018-01-12 | 郑州云海信息技术有限公司 | A kind of encryption of server high in the clouds diagnostic system rule base two level, access method and system |
CN107871082A (en) * | 2016-11-15 | 2018-04-03 | 平安科技(深圳)有限公司 | The method of data encryption and control extension terminal in oracle database |
CN109960942A (en) * | 2019-03-27 | 2019-07-02 | 厦门商集网络科技有限责任公司 | Database data encipher-decipher method and its system based on database connection pool |
CN110048830A (en) * | 2018-01-15 | 2019-07-23 | 北京京东尚科信息技术有限公司 | A kind of data encryption and decryption method and encrypting and decrypting device |
CN111740826A (en) * | 2020-07-20 | 2020-10-02 | 腾讯科技(深圳)有限公司 | Encryption method, decryption method, device and equipment based on encryption proxy gateway |
CN113434535A (en) * | 2021-08-25 | 2021-09-24 | 阿里云计算有限公司 | Data processing method, communication system, device, product and storage medium |
CN114491580A (en) * | 2021-12-30 | 2022-05-13 | 深圳市恒创智达信息技术有限公司 | Database sensitive information encryption method and device |
CN115085903A (en) * | 2022-06-16 | 2022-09-20 | 平安普惠企业管理有限公司 | Data encryption and decryption method, device, equipment and medium based on encryption algorithm |
CN116796355A (en) * | 2023-08-24 | 2023-09-22 | 江苏数兑科技有限公司 | Data security protection and leakage prevention production method for data warehouse |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020129260A1 (en) * | 2001-03-08 | 2002-09-12 | Bruce Benfield | Method and system for integrating encryption functionality into a database system |
EP1667396A1 (en) * | 2004-12-02 | 2006-06-07 | Protegrity Corporation | Database system with second preprocessor and method for accessing a database |
US20080027952A1 (en) * | 2002-07-02 | 2008-01-31 | Gelb Elizabeth A | System and method for data capture and reporting |
CN101504706A (en) * | 2009-03-03 | 2009-08-12 | 中国科学院软件研究所 | Database information encryption method and system |
CN101504668A (en) * | 2009-03-24 | 2009-08-12 | 北京理工大学 | Cryptograph index supported database transparent encryption method |
- 2012-08-10: CN201210284801.6A, patent CN102855448B (not active: Expired - Fee Related)
Also Published As
Publication number | Publication date |
---|---|
CN102855448B (en) | 2016-02-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20160210; Termination date: 20170810 |