CN104252604B - Database based building block system type dynamic encryption method - Google Patents
- Publication number: CN104252604B (application CN201410439845.0A)
- Authority: CN (China)
- Prior art keywords: string, function, bloom, encrypted, int
- Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
The invention discloses a database-based building-block dynamic encryption method comprising the steps of (1) implementing a Bloom filter, (2) adding a random string to the plaintext, (3) encrypting and (4) decrypting. The method has the advantages that searching and computing over ciphertext can be carried out with the database's existing query optimization techniques, that excessive modification of the code with which existing applications access the database is avoided, and that database administrators are prevented from obtaining plaintext information. The database-based building-block dynamic encryption method therefore has broad market prospects.
Description
Technical field
The present invention relates to the field of database encryption, and more particularly to a database-based building-block dynamic encryption method.
Background technology
In today's era of information explosion, information security has become a very popular topic, and current information security technology performs quite well at defending against network attacks. Identity authentication, firewalls, router technology, and security monitoring and auditing protect information in the network to the greatest possible extent.
However, even powerful network security technology cannot prevent the leakage of information, as the world-shaking PRISM incident of 2013 showed. Why was Snowden able to obtain secret file information? This is connected to his earlier duties as a system administrator.
If even the U.S. government, whose network defence has almost no gaps, cannot prevent sensitive information from flowing out from the inside, how can a company whose network defence is far less strict protect its information? After the PRISM incident, many information-leakage incidents also occurred in China, such as the exposure of hotel check-in records and leaks of user data.
Once the network defence has been breached, how can the security of information still be guaranteed? How can a system administrator who has been given very large authority over the data be trusted? The various incidents that keep occurring make data security more and more important.
As the medium in which data is stored, the database has a significant security problem. The difficulty and focus of database encryption lies in retrieval over ciphertext. There are currently four main approaches to ciphertext retrieval: building an index component outside the database, retrieving ciphertext using homomorphic encryption algorithms, full-text ciphertext search, and transparent data encryption and decryption. However, because of the characteristics of existing databases and of the ciphertext produced by encryption, implementing database encryption is a considerable challenge. The main problems are:
(1) The operators and functions in the database do not support querying and retrieving ciphertext.
(2) Retrieval efficiency must satisfy the requirements of routine use.
(3) Using the new encrypted database should require as few changes as possible to the code with which the original system's back end connects to the database.
(4) Keys must be used sensibly, ensuring that the database administrator cannot learn sensitive information.
As the last barrier protecting information security, database encryption has become an increasingly popular research topic.
The content of the invention
The technical problem mainly solved by the invention is to provide a database-based building-block dynamic encryption method. Using the developer interface provided by PostgreSQL, it implements a database encryption scheme whose operation is similar to TDE (transparent data encryption), and the database-based building-block dynamic encryption method has broad market prospects for popularization.
To solve the above technical problem, the present invention provides a database-based building-block dynamic encryption method comprising the following steps:
(1) Implementation of the Bloom filter:
(a) Define a structure BLOOM that declares the size asize of the bit array, the bit array a that represents the Bloom filter, the number nfuncs of hash functions used, and a pointer funcs to all the hash functions used. These hash functions take a parameter of type const char* and return a result of type unsigned int; here typedef unsigned int (*hashfunc_t)(const char*) declares the function pointer type hashfunc_t that points to the required hash functions;
(b) Write the function BLOOM *bloom_create(int size, int nfuncs, ...) that creates the Bloom filter: it determines the size of the bit array from the incoming size, determines the number of hash functions from the incoming nfuncs, and processes the variable-length parameter list with va_start and va_end to obtain all the hash function pointers;
(c) Write the function int bloom_destroy(BLOOM *bloom) that destroys the Bloom filter, so that once the Bloom filter operations are complete the memory on the heap is released in time and memory leaks are prevented;
(d) Write the function int bloom_add(BLOOM *bloom, const char *s) that adds an element, used to add the string element s to the specified bloom;
(e) Write the function int bloom_check(BLOOM *bloom, const char *s) that checks whether an element belongs to the Bloom filter: using the hash function pointers held in bloom, it computes the hash values of s in turn and checks the corresponding positions in the bit array; if any of them is 0, it returns false;
(2) Add a random string to the plaintext:
(f) Use the function int RAND_bytes(unsigned char *buf, int num) provided by OpenSSL to generate 5 random bytes;
(g) Convert the generated random bytes into the corresponding hexadecimal string, producing one hex string of length 10;
(3) Encrypt:
(h) Generate the Bloom filter using the code implemented in step (1);
(i) Compute the length of the plaintext and generate the length counter;
(j) Append the random string generated by the code implemented in step (2) to the plaintext, producing the final string to be encrypted;
(k) Encrypt the string obtained in step (j) using the API provided by OpenSSL;
(l) Combine the strings obtained in steps (h), (j), (k) to form the final ciphertext;
(4) Decrypt:
(m) Ignore the Bloom filter segment of the ciphertext, extract the plaintext counter and the ciphertext according to the combination order used when encrypting in step (3), decrypt the ciphertext, and then truncate it to the plaintext length indicated by the plaintext counter to obtain the final plaintext.
In a preferred embodiment of the present invention, two keys are set in steps (3) and (4): a master key MasterKey and a working key SessionKey. The master key MasterKey is agreed jointly by the developer and the user through a #define in the code and is used to encrypt the working key; the working key SessionKey is used to encrypt the data and is stored, encrypted with the AES128 algorithm, in ciphertext form in a database dedicated to safekeeping the key.
In a preferred embodiment of the present invention, a new data type encrypted_string is also implanted so that the database can insert such data, and operator functions applicable to encrypted_string are written so that the data in the database can be queried.
In a preferred embodiment of the present invention, implanting the new data type encrypted_string and writing the operator functions applicable to encrypted_string comprises the steps:
(n) create the encrypted_string type;
(o) add comparison functions for the encrypted_string type;
(p) add the functions that provide index support for encrypted_string;
(q) create the encrypted_string operators;
(r) create the operator list necessary for encrypted_string indexes.
The beneficial effects of the invention are as follows: the database-based building-block dynamic encryption method of the present invention can use the query optimization techniques the database already has to look up and compute over ciphertext, does not require excessive changes to the code of the part of the original application that connects to the database, and at the same time prevents the database administrator from obtaining plaintext information; the database-based building-block dynamic encryption method therefore has broad market prospects for popularization.
Specific embodiment
The technical scheme in the embodiments of the present invention will be described clearly and completely below. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
A database-based building-block dynamic encryption method comprises the following steps:
(1) Implementation of the Bloom filter:
(a) Define a structure BLOOM that declares the size asize of the bit array, the bit array a that represents the Bloom filter, the number nfuncs of hash functions used, and a pointer funcs to all the hash functions used. These hash functions take a parameter of type const char* and return a result of type unsigned int; here typedef unsigned int (*hashfunc_t)(const char*) declares the function pointer type hashfunc_t that points to the required hash functions;
(b) Write the function BLOOM *bloom_create(int size, int nfuncs, ...) that creates the Bloom filter: it determines the size of the bit array from the incoming size, determines the number of hash functions from the incoming nfuncs, and processes the variable-length parameter list with va_start and va_end to obtain all the hash function pointers;
(c) Write the function int bloom_destroy(BLOOM *bloom) that destroys the Bloom filter, so that once the Bloom filter operations are complete the memory on the heap is released in time and memory leaks are prevented;
(d) Write the function int bloom_add(BLOOM *bloom, const char *s) that adds an element, used to add the string element s to the specified bloom;
(e) Write the function int bloom_check(BLOOM *bloom, const char *s) that checks whether an element belongs to the Bloom filter: using the hash function pointers held in bloom, it computes the hash values of s in turn and checks the corresponding positions in the bit array; if any of them is 0, it returns false;
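The Bloom filter of steps (a) to (e), as an added example in C that is not the patent's own code. It follows the structure and signatures the text gives (BLOOM, hashfunc_t, bloom_create with a variadic list of hash function pointers, bloom_destroy, bloom_add, bloom_check); the two hash functions hash_sdbm and hash_djb2, the helper bloom_demo and the filter size used in it are my assumptions, since the patent does not name its hash functions. A clear bit in the array proves the string was never added; all bits set only means it may have been added, so a positive answer must still be confirmed by decrypting and comparing.

```c
#include <stdarg.h>
#include <stdlib.h>

/* (a) every hash function takes a const char* and returns an unsigned int */
typedef unsigned int (*hashfunc_t)(const char *);

typedef struct {
    size_t asize;        /* number of bits in the bit array */
    unsigned char *a;    /* the bit array, one bit per position */
    int nfuncs;          /* how many hash functions are in use */
    hashfunc_t *funcs;   /* pointers to the hash functions */
} BLOOM;

/* (b) variadic constructor: after nfuncs come nfuncs arguments of type hashfunc_t */
BLOOM *bloom_create(int size, int nfuncs, ...) {
    if (size <= 0 || nfuncs <= 0) return NULL;
    BLOOM *bloom = calloc(1, sizeof *bloom);
    if (bloom == NULL) return NULL;
    bloom->a = calloc(((size_t)size + 7) / 8, 1);          /* all bits start clear */
    bloom->funcs = malloc((size_t)nfuncs * sizeof *bloom->funcs);
    if (bloom->a == NULL || bloom->funcs == NULL) {
        free(bloom->a);
        free(bloom->funcs);
        free(bloom);
        return NULL;
    }
    bloom->asize = (size_t)size;
    bloom->nfuncs = nfuncs;
    va_list ap;
    va_start(ap, nfuncs);
    for (int i = 0; i < nfuncs; i++)
        bloom->funcs[i] = va_arg(ap, hashfunc_t);
    va_end(ap);
    return bloom;
}

/* (c) release the heap memory once the filter is no longer needed; 0 on success */
int bloom_destroy(BLOOM *bloom) {
    if (bloom == NULL) return -1;
    free(bloom->a);
    free(bloom->funcs);
    free(bloom);
    return 0;
}

/* (d) set the bit chosen by each hash function; 0 on success */
int bloom_add(BLOOM *bloom, const char *s) {
    if (bloom == NULL || s == NULL) return -1;
    for (int i = 0; i < bloom->nfuncs; i++) {
        size_t bit = bloom->funcs[i](s) % bloom->asize;
        bloom->a[bit / 8] |= (unsigned char)(1u << (bit % 8));
    }
    return 0;
}

/* (e) returns 0 (false) as soon as one selected bit is clear, 1 if all are set */
int bloom_check(BLOOM *bloom, const char *s) {
    if (bloom == NULL || s == NULL) return 0;
    for (int i = 0; i < bloom->nfuncs; i++) {
        size_t bit = bloom->funcs[i](s) % bloom->asize;
        if ((bloom->a[bit / 8] & (1u << (bit % 8))) == 0) return 0;
    }
    return 1;
}

/* Two string hashes (assumed here; the patent does not name the ones it uses). */
unsigned int hash_sdbm(const char *s) {
    unsigned int h = 0;
    for (; *s; s++) h = (unsigned char)*s + (h << 6) + (h << 16) - h;
    return h;
}
unsigned int hash_djb2(const char *s) {
    unsigned int h = 5381;
    for (; *s; s++) h = ((h << 5) + h) + (unsigned char)*s;
    return h;
}

/* Stand-alone demo (assumed): returns 1 when the filter behaves as described. */
int bloom_demo(void) {
    BLOOM *b = bloom_create(2500000, 2, hash_sdbm, hash_djb2);
    if (b == NULL) return 0;
    int before = bloom_check(b, "alice");   /* nothing added yet: 0 */
    bloom_add(b, "alice");
    int after = bloom_check(b, "alice");    /* after adding: 1 */
    bloom_destroy(b);
    return before == 0 && after == 1;
}

int main(void) { return bloom_demo() ? 0 : 1; }
```

Because bloom_create takes its hash functions through `...`, the caller must pass exactly nfuncs pointers of type hashfunc_t; the compiler cannot check this, which is why the constructor rejects non-positive counts before touching the variadic list.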
(2) Add a random string to the plaintext:
Because security requires that each encryption of the same plaintext produce a different ciphertext, we need to add a random string to the plaintext to achieve this purpose.
(f) Use the function int RAND_bytes(unsigned char *buf, int num) provided by OpenSSL to generate 5 random bytes;
(g) Convert the generated random bytes into the corresponding hexadecimal string, producing one hex string of length 10;
(3) Encrypt:
We can use the encryption API provided by OpenSSL to encrypt the string, and combine it with the other required ciphertext information, such as the Bloom filter and the hex-form counter that records the plaintext length, to form the final ciphertext that is inserted into the database.
(h) Generate the Bloom filter using the code implemented in step (1);
(i) Compute the length of the plaintext and generate the length counter;
(j) Append the random string generated by the code implemented in step (2) to the plaintext, producing the final string to be encrypted;
(k) Encrypt the string obtained in step (j) using the API provided by OpenSSL;
(l) Combine the strings obtained in steps (h), (j), (k) to form the final ciphertext;
(4) Decrypt:
(m) Ignore the Bloom filter segment of the ciphertext, extract the plaintext counter and the ciphertext according to the combination order used when encrypting in step (3), decrypt the ciphertext, and then truncate it to the plaintext length indicated by the plaintext counter to obtain the final plaintext.
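The record layout of steps (h) to (l) and its inverse in step (m), as an added example in C that is not the patent's own code. It assumes a fixed layout of [Bloom-filter hex][8-hex-digit plaintext-length counter][hex of the encrypted (plaintext || 10-hex-char random string)]; the counter width, the function names build_record and parse_record, and the sample random bytes are my assumptions. The OpenSSL AES step (k) is replaced by a fixed-key XOR placeholder (toy_xor) that provides no confidentiality and exists only so the framing runs offline. The example shows why the counter exists (the random suffix has to be stripped after decryption) and why the Bloom segment is skipped rather than decrypted, and it rejects records whose counter claims more plaintext than the cipher segment holds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RAND_BYTES 5                 /* step (f): five random bytes from RAND_bytes() */
#define RAND_HEX   (2 * RAND_BYTES)  /* step (g): one hex string of length 10 */
#define LEN_HEX    8                 /* width of the plaintext-length counter (assumed) */

static const char HEXDIGITS[] = "0123456789abcdef";

static void to_hex(const unsigned char *in, size_t n, char *out) {
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = HEXDIGITS[in[i] >> 4];
        out[2 * i + 1] = HEXDIGITS[in[i] & 0x0f];
    }
    out[2 * n] = '\0';
}

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* PLACEHOLDER for step (k): a fixed-key XOR is NOT encryption. In the patent this
 * step is OpenSSL AES-128 under SessionKey. The placeholder is symmetric, so the
 * same call undoes it in parse_record(). */
static const unsigned char TOY_KEY[16] = {
    0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe,
    0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01 };
static void toy_xor(unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] ^= TOY_KEY[i % sizeof TOY_KEY];
}

/* Steps (i)-(l): returns a malloc'd string
 * "[bloom_hex][LEN_HEX-digit length][hex(cipher(plain || rand_hex))]". */
char *build_record(const char *bloom_hex, const char *plain,
                   const unsigned char rnd[RAND_BYTES]) {
    size_t plen = strlen(plain);
    size_t blen = plen + RAND_HEX;                 /* (j) plaintext || random hex */
    char rand_hex[RAND_HEX + 1];
    unsigned char *buf = malloc(blen);
    if (buf == NULL) return NULL;
    to_hex(rnd, RAND_BYTES, rand_hex);             /* (g) 5 bytes -> 10 hex chars */
    memcpy(buf, plain, plen);
    memcpy(buf + plen, rand_hex, RAND_HEX);
    toy_xor(buf, blen);                            /* (k) placeholder for AES */

    size_t bloom_len = strlen(bloom_hex);
    char *out = malloc(bloom_len + LEN_HEX + 2 * blen + 1);
    if (out == NULL) { free(buf); return NULL; }
    memcpy(out, bloom_hex, bloom_len);             /* (h) Bloom filter segment */
    snprintf(out + bloom_len, LEN_HEX + 1, "%0*zx", LEN_HEX, plen); /* (i) counter */
    to_hex(buf, blen, out + bloom_len + LEN_HEX);  /* (l) concatenate the segments */
    free(buf);
    return out;
}

/* Step (m): skip the Bloom segment, read the counter, undo the cipher step and
 * truncate to the recorded length. Returns NULL for a malformed record. */
char *parse_record(const char *record, size_t bloom_len) {
    size_t rlen = strlen(record);
    if (rlen < bloom_len + LEN_HEX) return NULL;
    const char *p = record + bloom_len;            /* (m) ignore the Bloom segment */
    size_t plen = 0;
    for (int i = 0; i < LEN_HEX; i++) {
        int v = hexval(p[i]);
        if (v < 0) return NULL;
        plen = plen * 16 + (size_t)v;
    }
    p += LEN_HEX;
    size_t chex = rlen - bloom_len - LEN_HEX;
    size_t clen = chex / 2;
    if (chex % 2 != 0 || clen < plen + RAND_HEX) return NULL;  /* counter exceeds data */
    unsigned char *buf = malloc(clen);
    if (buf == NULL) return NULL;
    for (size_t i = 0; i < clen; i++) {
        int hi = hexval(p[2 * i]), lo = hexval(p[2 * i + 1]);
        if (hi < 0 || lo < 0) { free(buf); return NULL; }
        buf[i] = (unsigned char)(hi * 16 + lo);
    }
    toy_xor(buf, clen);                            /* inverse of placeholder (k) */
    char *plain = malloc(plen + 1);
    if (plain == NULL) { free(buf); return NULL; }
    memcpy(plain, buf, plen);                      /* drop the random suffix */
    plain[plen] = '\0';
    free(buf);
    return plain;
}

int main(void) {
    const unsigned char rnd[RAND_BYTES] = {0xde, 0xad, 0xbe, 0xef, 0x01}; /* constructed */
    char *rec = build_record("00ff", "alice", rnd);
    char *back = parse_record(rec, 4);
    int ok = rec != NULL && back != NULL && strcmp(back, "alice") == 0;
    printf("%s\n%s\n", rec ? rec : "(null)", back ? back : "(null)");
    free(rec);
    free(back);
    return ok ? 0 : 1;
}
```

With real AES-CBC the cipher segment also carries padding, so the length check in parse_record stays a lower bound rather than an equality; the random bytes must come from RAND_bytes as in step (f), never from a fixed value as in this offline demo.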
OpenSSL is a widely used open-source implementation of SSL. Because it implements the various encryption algorithms used by SSL, OpenSSL is also a widely used cryptographic function library. OpenSSL supports numerous cryptographic algorithms and provides good encapsulation and interfaces. The cryptographic algorithms fall into the following main classes: symmetric algorithms, public-key algorithms, hash algorithms, random number generation algorithms, and so on. OpenSSL code is written entirely in C, so developing encryption and decryption modules with OpenSSL is not restricted by the application platform.
Preferably, two keys are set in steps (3) and (4): a master key MasterKey and a working key SessionKey. The master key MasterKey is agreed jointly by the developer and the user through a #define in the code and is used to encrypt the working key; the working key SessionKey is used to encrypt the data and is stored, encrypted with the AES128 algorithm, in ciphertext form in a database dedicated to safekeeping the key. In this way the database administrator does not know the value of MasterKey, cannot decrypt SessionKey, and therefore cannot decrypt the ciphertext information in the database; the developer, although knowing MasterKey, has no authority to connect to the database and so has no way to obtain database information. This comprises the following steps:
(201) Declare a global variable for SessionKey, char sessionkey[21] = {0};
(202) Write the function void getsessionkey(char *sessionkey), which uses the libpq API provided by PostgreSQL to connect to the database and obtain the key ciphertext, then decrypts it to obtain the key used for encryption and decryption. The URL for connecting to the key database is read from the system environment variable through getenv("PG_CONN_KEY_STORAGE"), so that the client can configure the connection parameters according to its own database environment;
(203) Write the functions char *encrypt(char *plain) and char *decrypt(char *cipher), which use the obtained SessionKey as the key to perform the encryption and decryption operations; these are the encryption and decryption functions finally called by the database or the application.
Preferably, a new data type encrypted_string is also implanted so that the database can insert such data, and operator functions applicable to encrypted_string are written so that the data in the database can be queried.
Preferably, implanting the new data type encrypted_string and writing the operator functions applicable to encrypted_string comprises the steps:
(n) create the encrypted_string type;
(o) add comparison functions for the encrypted_string type;
(p) add the functions that provide index support for encrypted_string;
(q) create the encrypted_string operators;
(r) create the operator list necessary for encrypted_string indexes.
Using the development interface provided by PostgreSQL, we can write the required data types and functions, so that the functions we write are naturally integrated into the original database system and the database's existing functionality is fully used. The above embodiment takes only the encrypted_string encrypted data type as an example to demonstrate how to develop and extend database functionality; other data types follow the same pattern.
The beneficial effects of the database-based building-block dynamic encryption method of the present invention are:
First, by using the OpenSSL cryptographic algorithm library to implement AES encryption and decryption (CBC mode) and random number generation, the ciphertext produced by each encryption of the same plaintext is different;
Second, by using a Bloom filter, a portion of extra space is spent to speed up the overall efficiency of ciphertext comparison;
Third, using the interfaces provided by PostgreSQL to extend the database's functionality, a new encrypted data type and the corresponding operators are implanted, so that the encrypted data is fully integrated into the original database system and efficient ciphertext retrieval is achieved with the database's own query optimization means.
The foregoing is only an embodiment of the present invention and does not limit the scope of its claims; any equivalent structure or equivalent process transformation made using the description of the present invention, or its direct or indirect use in other related technical fields, is likewise included within the scope of protection of the present invention.
Claims (4)
1. A database-based building-block dynamic encryption method, characterized in that it comprises the following steps:
(1) Implementation of the Bloom filter:
(a) Define a structure BLOOM that declares in the structure body the size asize of the bit array, the bit array a that represents the Bloom filter, the number nfuncs of hash functions used, and a pointer funcs to all the hash functions used. These hash functions take a parameter of type const char* and return a result of type unsigned int; here typedef unsigned int (*hashfunc_t)(const char *) declares the function pointer type hashfunc_t that points to a required hash function;
(b) Write the function BLOOM *bloom_create(int size, int nfuncs, ...) that creates the Bloom filter: it determines the size of the bit array from the incoming size, determines the number of hash functions from the incoming nfuncs, and processes the variable-length parameter list with va_start and va_end to obtain all the hash function pointers;
(c) Write the function int bloom_destroy(BLOOM *bloom) that destroys the Bloom filter, so that once the Bloom filter operations are complete the memory on the heap is released in time and memory leaks are prevented;
(d) Write the function int bloom_add(BLOOM *bloom, const char *s) that adds an element, used to add the string element s to the specified bloom;
(e) Write the function int bloom_check(BLOOM *bloom, const char *s) that checks whether an element belongs to the Bloom filter: using the hash function pointers held in bloom, it computes the hash values of s in turn and checks the corresponding positions in the bit array; if any of them is 0, it returns false;
(2) Add a random string to the plaintext:
(f) Use the function int RAND_bytes(unsigned char *buf, int num) provided by OpenSSL to generate 5 random bytes;
(g) Convert the generated random bytes into the corresponding hexadecimal string, producing one hex string of length 10;
(3) Encrypt:
(h) Generate the Bloom filter using the implementation of step (1);
(i) Compute the length of the plaintext and generate the length counter;
(j) Append the random string generated by the code implemented in step (2) to the plaintext, producing the final string to be encrypted;
(k) Encrypt the string obtained in step (j) using the API provided by OpenSSL;
(l) Combine the strings obtained in steps (h), (j), (k) to form the final ciphertext;
(4) Decrypt:
(m) Ignore the Bloom filter segment of the ciphertext, extract the plaintext counter and the ciphertext according to the combination order used when encrypting in step (3), decrypt the ciphertext, and then truncate it to the plaintext length indicated by the plaintext counter to obtain the final plaintext.
2. The database-based building-block dynamic encryption method according to claim 1, characterized in that two keys are set in steps (3) and (4): a master key MasterKey and a working key SessionKey, wherein the master key MasterKey is agreed jointly by the developer and the user through a #define in the code and is used to encrypt the working key, and the working key SessionKey is used to encrypt the data and is stored, encrypted with the AES128 algorithm, in ciphertext form in a database dedicated to safekeeping the key.
3. The database-based building-block dynamic encryption method according to claim 1, characterized in that a new data type encrypted_string is also implanted so that the database can insert such data, and operator functions applicable to encrypted_string are written so that the data in the database can be queried.
4. The database-based building-block dynamic encryption method according to claim 3, characterized in that implanting the new data type encrypted_string and writing the operator functions applicable to encrypted_string comprises the steps:
(n) create the encrypted_string type;
(o) add comparison functions for the encrypted_string type;
(p) add the functions that provide index support for encrypted_string;
(q) create the encrypted_string operators;
(r) create the operator list necessary for encrypted_string indexes.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410439845.0A CN104252604B (en) | 2014-09-01 | 2014-09-01 | Database based building block system type dynamic encryption method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104252604A CN104252604A (en) | 2014-12-31 |
CN104252604B true CN104252604B (en) | 2017-04-26 |
Family ID: 52187487
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104252604B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105591737A (en) * | 2016-01-27 | 2016-05-18 | 浪潮(北京)电子信息产业有限公司 | Data encryption, decryption and transmission methods and systems |
CN106709373A (en) * | 2017-01-18 | 2017-05-24 | 北京许继电气有限公司 | Method for achieving encryption of self-defining function of self-controlled database |
CN108280356B (en) * | 2018-01-17 | 2020-07-14 | 吉浦斯信息咨询(深圳)有限公司 | File decryption method and device, processing terminal and computer readable storage medium |
CN112422494B (en) * | 2020-08-06 | 2022-09-23 | 上海幻电信息科技有限公司 | Data transmission method, data security verification method and data transmission system |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101082923A (en) * | 2007-07-18 | 2007-12-05 | 湖南大学 | Expandable Bloom filter enquiring method and element inserting method thereof |
CN101577721A (en) * | 2008-12-05 | 2009-11-11 | 湖南大学 | Method for splitting Broome filter by indexes and inserting, deleting and inquiring methods thereof |
US7900194B1 (en) * | 2004-03-25 | 2011-03-01 | Verizon Corporate Services Group Inc. | Kernel-based intrusion detection using bloom filters |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7926103B2 (en) * | 2003-06-05 | 2011-04-12 | Hewlett-Packard Development Company, L.P. | System and method for preventing replay attacks |
Events
- 2014-09-01 CN CN201410439845.0A patent/CN104252604B/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN104252604A (en) | 2014-12-31 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20170426; Termination date: 20180901 |