CN104252604B - Database based building block system type dynamic encryption method - Google Patents


Info

Publication number
CN104252604B
CN104252604B (application number CN201410439845.0A)
Authority
CN
China
Prior art keywords
string
function
bloom
encrypted
int
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201410439845.0A
Other languages
Chinese (zh)
Other versions
CN104252604A (en)
Inventor
罗喜召
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SUZHOU RUIDUN INFORMATION TECHNOLOGY Co Ltd
Original Assignee
SUZHOU RUIDUN INFORMATION TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2014-09-01
Filing date
2014-09-01
Publication date
2017-04-26
Application filed by SUZHOU RUIDUN INFORMATION TECHNOLOGY Co Ltd
Priority to CN201410439845.0A
Publication of CN104252604A
Application granted
Publication of CN104252604B
Legal status: Expired - Fee Related

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention discloses a database-based building-block dynamic encryption method comprising the steps of (1) implementing a Bloom filter, (2) adding a random string to the plaintext, (3) encrypting and (4) decrypting. The method has the advantages that lookup and computation over ciphertext can be carried out with the database's conventional query optimisation techniques, that excessive modification of the code in the parts of existing applications that access the database is avoided, and that database administrators are prevented from obtaining plaintext information. The database-based building-block dynamic encryption method therefore has wide market prospects in popularisation.

Description

A database-based building-block dynamic encryption method
Technical field
The present invention relates to the field of database encryption, and in particular to a database-based building-block dynamic encryption method.
Background technology
In the present era of information explosion, information security has become a very popular topic, and today's information security technology has done quite well at defending against network attacks: identity authentication, firewalls, router technology, and security monitoring and auditing protect information on the network to the greatest possible extent.
However, powerful network security technology cannot prevent the leakage of information. The earth-shaking PRISM affair occurred in 2013. Why was Snowden able to obtain the secret files? This must be connected with Snowden's earlier duties as a system administrator.
Even the United States government, whose network defences have almost no loopholes, could not prevent sensitive information from flowing out from inside; how, then, is the information of companies whose network defences are far less strict to be protected? After the PRISM affair, many information-leak incidents also occurred domestically, such as the exposure of hotel room records and leaks of user data.
Once network defences are breached, how can the security of information continue to be guaranteed? How can a system administrator who holds very great authority over data be trusted? The various incidents that have occurred make data security ever more important.
As the medium in which data is stored, the database's security problems are of great significance. The difficulty and focus of database encryption lies in retrieval techniques over ciphertext. At present there are mainly four ciphertext retrieval techniques: developing a self-built index component outside the database, retrieving over ciphertext with homomorphic encryption algorithms, full-text ciphertext retrieval, and transparent data encryption and decryption. However, owing to the characteristics of existing databases and of encrypted ciphertext, implementing database encryption faces no small challenge. The following problems mainly exist:
(1) The operators and functions in the database do not support querying and retrieval over ciphertext.
(2) Retrieval efficiency must meet the requirements of routine use.
(3) When the new encrypted database is used, the code with which the original system's back end connects to the database should be changed as little as possible.
(4) Keys must be used reasonably so that the database administrator cannot learn the sensitive information.
As the last barrier protecting information security, database encryption has become an increasingly popular research topic.
The content of the invention
The technical problem mainly solved by the invention is to provide a database-based building-block dynamic encryption method which, by using the developer interfaces provided by PostgreSQL, realises an enhanced database encryption scheme similar in operation to TDE (transparent data encryption); the database-based building-block dynamic encryption method has wide market prospects in popularisation.
To solve the above technical problem, the invention provides a database-based building-block dynamic encryption method comprising the following steps:
(1) Implementation of the Bloom filter:
(a) Define a structure BLOOM. Within the structure, declare the size asize of the bit array, the bit array a that represents the Bloom filter, the number nfuncs of hash functions used, and the function pointer funcs pointing to all the hash functions used. These hash functions take a parameter of type const char* and return a result of type unsigned int; here typedef unsigned int (*hashfunc_t)(const char*) declares the function pointer type hashfunc_t that points to a required hash function;
(b) Write the function BLOOM *bloom_create(int size, int nfuncs, ...) that creates a Bloom filter. The size of the bit array is determined from the incoming size and the number of hash functions from the incoming nfuncs; the variable-length parameter list is processed with var_start and var_end to obtain all the hash function pointers;
(c) Write the function int bloom_destroy(BLOOM *bloom) that destroys a Bloom filter, so that once the Bloom filter operation is complete the memory on the heap is freed promptly and memory leaks are prevented;
(d) Write the function int bloom_add(BLOOM *bloom, const char *s) that adds an element, used to add the string element s to the specified bloom;
(e) Write the function int bloom_check(BLOOM *bloom, const char *s) that checks whether an element belongs to the Bloom filter: using the function pointers in bloom that point to the hash functions, compute the hash values of s in turn and check the corresponding values in the bit array; if any is 0, return false;
(2) Add a random string to the plaintext:
(f) Use the function int RAND_bytes(unsigned char *buf, int num) provided by OpenSSL to produce 5 random numbers;
(g) Convert the generated random numbers into the corresponding hexadecimal strings, producing one hex string of length 10;
(3) Encrypt:
(h) Generate a Bloom filter using the code implemented in step (1);
(i) Compute the plaintext length and generate a length counter;
(j) Using the code implemented in step (2), generate a random string and append it after the plaintext, producing the final string to be encrypted;
(k) Using the API provided by OpenSSL, encrypt the string obtained in step (j);
(l) Combine the strings obtained in steps (h), (j) and (k) to form the final ciphertext;
(4) Decrypt:
(m) Ignore the Bloom filter segment of the ciphertext; according to the combination order used when encrypting in step (3), extract the plaintext counter and the ciphertext; after decrypting the ciphertext, truncate to the plaintext length indicated by the plaintext counter to obtain the final plaintext.
In a preferred embodiment of the invention, two keys are set in steps (3) and (4): a master key MasterKey and a working key SessionKey. The master key MasterKey is agreed jointly by the developer and the user through a #define in the code and is used to encrypt the working key; the working key SessionKey is used to encrypt data and is stored, encrypted with the AES128 algorithm in ciphertext form, in a database dedicated to keeping keys.
In a preferred embodiment of the invention, a new data type encrypted_string is also implanted so that data can be inserted into the database, and operator functions applicable to encrypted_string are written so that the data in the database can be queried.
In a preferred embodiment of the invention, the steps of implanting the new data type encrypted_string and writing the operator functions applicable to encrypted_string include:
(n) creating the encrypted_string type;
(o) adding comparison functions for the encrypted_string type;
(p) adding the functions that provide index capability for encrypted_string;
(q) creating the arithmetic operators for encrypted_string;
(r) creating the operator list required for encrypted_string indexes.
The beneficial effects of the invention are as follows: the database-based building-block dynamic encryption method of the invention has the advantages that lookup and computation over ciphertext can be carried out with the query optimisation techniques the database already has, that the code of the part of the original application that connects to the database does not need to be changed excessively, and that the database administrator cannot obtain the plaintext information; the database-based building-block dynamic encryption method therefore has wide market prospects in popularisation.
Specific embodiment
The technical solution in the embodiments of the invention will be described clearly and completely below. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative work fall within the scope of protection of the invention.
A database-based building-block dynamic encryption method comprises the following steps:
(1) Implementation of the Bloom filter:
(a) Define a structure BLOOM. Within the structure, declare the size asize of the bit array, the bit array a that represents the Bloom filter, the number nfuncs of hash functions used, and the function pointer funcs pointing to all the hash functions used. These hash functions take a parameter of type const char* and return a result of type unsigned int; here typedef unsigned int (*hashfunc_t)(const char*) declares the function pointer type hashfunc_t that points to a required hash function;
(b) Write the function BLOOM *bloom_create(int size, int nfuncs, ...) that creates a Bloom filter. The size of the bit array is determined from the incoming size and the number of hash functions from the incoming nfuncs; the variable-length parameter list is processed with var_start and var_end to obtain all the hash function pointers;
(c) Write the function int bloom_destroy(BLOOM *bloom) that destroys a Bloom filter, so that once the Bloom filter operation is complete the memory on the heap is freed promptly and memory leaks are prevented;
(d) Write the function int bloom_add(BLOOM *bloom, const char *s) that adds an element, used to add the string element s to the specified bloom;
(e) Write the function int bloom_check(BLOOM *bloom, const char *s) that checks whether an element belongs to the Bloom filter: using the function pointers in bloom that point to the hash functions, compute the hash values of s in turn and check the corresponding values in the bit array; if any is 0, return false;
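The five functions of step (1) (in both the summary and the embodiment above), written out as one complete C program. This is an added example and is not the patent's own code: the bit-packed array, the two hash functions (sax and sdbm, assumed here because the patent names none) and the sizes used in main() are choices made for this illustration. The variadic argument list is read with the standard va_start/va_arg/va_end macros, which the patent's text refers to as var_start and var_end.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>

/* (a) Hash functions take a const char* and return an unsigned int. */
typedef unsigned int (*hashfunc_t)(const char *);

typedef struct {
    size_t asize;        /* number of bits in the bit array */
    unsigned char *a;    /* the bit array, packed eight bits per byte */
    int nfuncs;          /* number of hash functions */
    hashfunc_t *funcs;   /* the hash functions; each yields one bit position per element */
} BLOOM;

#define SETBIT(a, n) ((a)[(n) / CHAR_BIT] |= (unsigned char)(1u << ((n) % CHAR_BIT)))
#define GETBIT(a, n) ((a)[(n) / CHAR_BIT] & (1u << ((n) % CHAR_BIT)))

/* (b) Allocate a filter of `size` bits and collect `nfuncs` hash function pointers
   from the variadic list. Returns NULL on bad arguments or allocation failure. */
BLOOM *bloom_create(int size, int nfuncs, ...)
{
    BLOOM *bloom;
    va_list ap;
    int n;

    if (size <= 0 || nfuncs <= 0) return NULL;
    bloom = malloc(sizeof *bloom);
    if (bloom == NULL) return NULL;
    bloom->a = calloc(((size_t)size + CHAR_BIT - 1) / CHAR_BIT, 1);
    bloom->funcs = malloc((size_t)nfuncs * sizeof(hashfunc_t));
    if (bloom->a == NULL || bloom->funcs == NULL) {
        free(bloom->a); free(bloom->funcs); free(bloom);
        return NULL;
    }
    va_start(ap, nfuncs);
    for (n = 0; n < nfuncs; n++) bloom->funcs[n] = va_arg(ap, hashfunc_t);
    va_end(ap);
    bloom->nfuncs = nfuncs;
    bloom->asize = (size_t)size;
    return bloom;
}

/* (c) Release everything the filter owns so that no heap memory leaks. */
int bloom_destroy(BLOOM *bloom)
{
    if (bloom == NULL) return -1;
    free(bloom->a);
    free(bloom->funcs);
    free(bloom);
    return 0;
}

/* (d) Set one bit per hash function for the string s. */
int bloom_add(BLOOM *bloom, const char *s)
{
    int n;
    for (n = 0; n < bloom->nfuncs; n++)
        SETBIT(bloom->a, bloom->funcs[n](s) % bloom->asize);
    return 0;
}

/* (e) Returns 0 (false) as soon as one of s's bits is clear: s was never added.
   Returns 1 when every bit is set: s was probably added; false positives are possible. */
int bloom_check(BLOOM *bloom, const char *s)
{
    int n;
    for (n = 0; n < bloom->nfuncs; n++)
        if (!GETBIT(bloom->a, bloom->funcs[n](s) % bloom->asize)) return 0;
    return 1;
}

/* Two simple string hashes for the demo (assumed; the patent does not name its hashes). */
unsigned int sax_hash(const char *key)
{
    unsigned int h = 0;
    while (*key) h ^= (h << 5) + (h >> 2) + (unsigned char)*key++;
    return h;
}

unsigned int sdbm_hash(const char *key)
{
    unsigned int h = 0;
    while (*key) h = (unsigned char)*key++ + (h << 6) + (h << 16) - h;
    return h;
}

int main(void)
{
    BLOOM *b = bloom_create(2500, 2, sax_hash, sdbm_hash);
    if (b == NULL) return 1;
    bloom_add(b, "ab");
    printf("ab: %d  ba: %d  a: %d\n", bloom_check(b, "ab"), bloom_check(b, "ba"), bloom_check(b, "a"));
    return bloom_destroy(b);
}
```

bloom_check() answers "definitely not present" or "probably present"; the design relies on that asymmetry, since a negative answer lets a comparison be rejected without touching the ciphertext, while a positive answer still has to be confirmed.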
(2) Add a random string to the plaintext:
Because security requires that the ciphertext produced by each encryption of the same plaintext be different, we need to add a random string to the plaintext to achieve this purpose.
(f) Use the function int RAND_bytes(unsigned char *buf, int num) provided by OpenSSL to produce 5 random numbers;
(g) Convert the generated random numbers into the corresponding hexadecimal strings, producing one hex string of length 10;
(3) Encrypt:
We can use the AES API provided by OpenSSL to encrypt the string, and combine it with the other ciphertext information required, such as the Bloom filter and the hex-form counter that records the plaintext length, to form the final ciphertext that is inserted into the database.
(h) Generate a Bloom filter using the code implemented in step (1);
(i) Compute the plaintext length and generate a length counter;
(j) Using the code implemented in step (2), generate a random string and append it after the plaintext, producing the final string to be encrypted;
(k) Using the API provided by OpenSSL, encrypt the string obtained in step (j);
(l) Combine the strings obtained in steps (h), (j) and (k) to form the final ciphertext;
(4) Decrypt:
(m) Ignore the Bloom filter segment of the ciphertext; according to the combination order used when encrypting in step (3), extract the plaintext counter and the ciphertext; after decrypting the ciphertext, truncate to the plaintext length indicated by the plaintext counter to obtain the final plaintext.
Here, OpenSSL is a widely used open-source implementation of SSL. Because it implements the various cryptographic algorithms used by SSL, OpenSSL is also a widely used cryptographic function library. OpenSSL supports numerous cryptographic algorithms and provides good encapsulation and interfaces. The cryptographic algorithms are mainly divided into the following classes: symmetric algorithms, public-key algorithms, hash algorithms, random number generation algorithms, and so on. OpenSSL is written entirely in C, so developing encryption and decryption modules with OpenSSL is not restricted by the application platform.
Preferably, two keys are set in steps (3) and (4): a master key MasterKey and a working key SessionKey. The master key MasterKey is agreed jointly by the developer and the user through a #define in the code and is used to encrypt the working key; the working key SessionKey is used to encrypt data and is stored, encrypted with the AES128 algorithm in ciphertext form, in a database dedicated to keeping keys. In this way the database administrator does not know the value of MasterKey, has no way to decrypt SessionKey, and therefore has no way to decrypt the ciphertext information in the database; and the developer, although knowing MasterKey, has no authority to connect to the database and so has no way to obtain database information. The following steps are included:
(201) Declare a global variable for SessionKey, char sessionkey[21] = {0};
(202) Write the function void getsessionkey(char *sessionkey), which uses the libpq API provided by PostgreSQL to connect to the database, obtain the key ciphertext, and decrypt it to obtain the key used for encryption and decryption. The URL of the key database connection configured in the system environment variable is obtained by the getenv("PG_CONN_KEY_STORAGE") call, so that the client can configure the connection parameters according to its own database environment;
(203) Write the functions char *encrypt(char *plain) and char *decrypt(char *cipher), which use the obtained SessionKey as the key to carry out the encryption and decryption operations and serve as the encryption/decryption functions finally called by the database/application.
Preferably, a new data type encrypted_string is also implanted so that data can be inserted into the database, and operator functions applicable to encrypted_string are written so that the data in the database can be queried.
Preferably, the steps of implanting the new data type encrypted_string and writing the operator functions applicable to encrypted_string include:
(n) creating the encrypted_string type;
(o) adding comparison functions for the encrypted_string type;
(p) adding the functions that provide index capability for encrypted_string;
(q) creating the arithmetic operators for encrypted_string;
(r) creating the operator list required for encrypted_string indexes.
Using the development interfaces provided by PostgreSQL, we can write the required data types and functions and incorporate the written functions naturally into the original system of the database, making full use of the database's original capabilities. The above embodiment takes only the encrypted_string encrypted data type as an example to demonstrate how to develop and extend database functionality; other data types are handled in the same way.
The beneficial effects of the database-based building-block dynamic encryption method of the invention are:
First, by using the OpenSSL cryptographic algorithm library to implement AES encryption and decryption (CBC mode) and random number generation, the ciphertext obtained each time the same plaintext is encrypted is different;
Second, by using a Bloom filter, a small additional space overhead speeds up the overall efficiency of ciphertext comparison;
Third, using the interfaces provided by PostgreSQL to extend database functionality, a new encrypted data type and the corresponding operators are implanted and the encrypted data is incorporated completely into the original database system, so that the query optimisation means of the database itself achieve efficient ciphertext retrieval.
The foregoing is only an embodiment of the invention and does not thereby limit the scope of the claims; any equivalent structure or equivalent process transformation made using the description of the invention, or its direct or indirect use in other related technical fields, is likewise included within the scope of protection of the invention.

Claims (4)

1. A database-based building-block dynamic encryption method, characterised in that it comprises the following steps:
(1) Implementation of the Bloom filter:
(a) Define a structure BLOOM. Within the structure, declare the size asize of the bit array, the bit array a that represents the Bloom filter, the number nfuncs of hash functions used, and the function pointer funcs pointing to all the hash functions used. These hash functions take a parameter of type const char* and return a result of type unsigned int; here typedef unsigned int (*hashfunc_t)(const char *) declares the function pointer type hashfunc_t that points to a required hash function;
(b) Write the function BLOOM *bloom_create(int size, int nfuncs, ...) that creates a Bloom filter. The size of the bit array is determined from the incoming size and the number of hash functions from the incoming nfuncs; the variable-length parameter list is processed with var_start and var_end to obtain all the hash function pointers;
(c) Write the function int bloom_destroy(BLOOM *bloom) that destroys a Bloom filter, so that once the Bloom filter operation is complete the memory on the heap is freed promptly and memory leaks are prevented;
(d) Write the function int bloom_add(BLOOM *bloom, const char *s) that adds an element, used to add the string element s to the specified bloom;
(e) Write the function int bloom_check(BLOOM *bloom, const char *s) that checks whether an element belongs to the Bloom filter: using the function pointers in bloom that point to the hash functions, compute the hash values of s in turn and check the corresponding values in the bit array; if any is 0, return false;
(2) Add a random string to the plaintext:
(f) Use the function int RAND_bytes(unsigned char *buf, int num) provided by OpenSSL to produce 5 random numbers;
(g) Convert the generated random numbers into the corresponding hexadecimal strings, producing one hex string of length 10;
(3) Encrypt:
(h) Generate a Bloom filter using the implementation of step (1);
(i) Compute the plaintext length and generate a length counter;
(j) Using the code implemented in step (2), generate a random string and append it after the plaintext, producing the final string to be encrypted;
(k) Using the API provided by OpenSSL, encrypt the string obtained in step (j);
(l) Combine the strings obtained in steps (h), (j) and (k) to form the final ciphertext;
(4) Decrypt:
(m) Ignore the Bloom filter segment of the ciphertext; according to the combination order used when encrypting in step (3), extract the plaintext counter and the ciphertext; after decrypting the ciphertext, truncate to the plaintext length indicated by the plaintext counter to obtain the final plaintext.
2. The database-based building-block dynamic encryption method according to claim 1, characterised in that two keys are set in steps (3) and (4): a master key MasterKey and a working key SessionKey, wherein the master key MasterKey is agreed jointly by the developer and the user through a #define in the code and is used to encrypt the working key, and the working key SessionKey is used to encrypt data and is stored, encrypted with the AES128 algorithm in ciphertext form, in a database dedicated to keeping keys.
3. The database-based building-block dynamic encryption method according to claim 1, characterised in that a new data type encrypted_string is also implanted so that data can be inserted into the database, and operator functions applicable to encrypted_string are written so that the data in the database can be queried.
4. The database-based building-block dynamic encryption method according to claim 3, characterised in that the steps of implanting the new data type encrypted_string and writing the operator functions applicable to encrypted_string include:
(n) creating the encrypted_string type;
(o) adding comparison functions for the encrypted_string type;
(p) adding the functions that provide index capability for encrypted_string;
(q) creating the arithmetic operators for encrypted_string;
(r) creating the operator list required for encrypted_string indexes.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410439845.0A CN104252604B (en) 2014-09-01 2014-09-01 Database based building block system type dynamic encryption method

Publications (2)

Publication Number Publication Date
CN104252604A CN104252604A (en) 2014-12-31
CN104252604B true CN104252604B (en) 2017-04-26

Family

ID=52187487

Country Status (1)

Country Link
CN (1) CN104252604B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105591737A (en) * 2016-01-27 2016-05-18 浪潮(北京)电子信息产业有限公司 Data encryption, decryption and transmission methods and systems
CN106709373A (en) * 2017-01-18 2017-05-24 北京许继电气有限公司 Method for achieving encryption of self-defining function of self-controlled database
CN108280356B (en) * 2018-01-17 2020-07-14 吉浦斯信息咨询(深圳)有限公司 File decryption method and device, processing terminal and computer readable storage medium
CN112422494B (en) * 2020-08-06 2022-09-23 上海幻电信息科技有限公司 Data transmission method, data security verification method and data transmission system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101082923A (en) * 2007-07-18 2007-12-05 湖南大学 Expandable Bloom filter enquiring method and element inserting method thereof
CN101577721A (en) * 2008-12-05 2009-11-11 湖南大学 Method for splitting Broome filter by indexes and inserting, deleting and inquiring methods thereof
US7900194B1 (en) * 2004-03-25 2011-03-01 Verizon Corporate Services Group Inc. Kernel-based intrusion detection using bloom filters

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7926103B2 (en) * 2003-06-05 2011-04-12 Hewlett-Packard Development Company, L.P. System and method for preventing replay attacks

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant (granted publication date: 20170426)
CF01 Termination of patent right due to non-payment of annual fee (termination date: 20180901)