CN104821949B - SQL anti-tampering protection methods based on signature - Google Patents
SQL anti-tampering protection methods based on signature
- Publication number: CN104821949B (application CN201510232967.7A; also published as CN104821949A)
- Authority: CN (China)
- Prior art keywords: sql, signature, database, fire wall, sending
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscapes: Computer And Data Communications (AREA); Storage Device Security (AREA)
Abstract
The invention discloses a signature-based SQL anti-tampering protection method. The application program first sends the SQL signature to the database or firewall, waits until the database or firewall has received the signature, and only then sends the SQL instruction. Before executing the SQL, the database or firewall checks the signature; if it does not match, it refuses to execute the SQL and reports that the database or firewall is under attack. The method increases the difficulty of modifying SQL packets: when the signature is sent first, the SQL statement has not yet been sent, so a matching signature cannot be prepared in advance; when the SQL is sent, the signature can no longer be changed; and because the complete original information cannot be recovered from the signature, tampering with the SQL packet is rendered ineffective. The invention does not conflict with existing general encryption mechanisms; by sending the signature in advance it further raises the technical difficulty of SQL tampering and thereby achieves SQL tamper resistance.
Description
Technical field
The invention belongs to the technical field of network security, and in particular to a signature-based SQL anti-tampering protection method.
Background technology
When an application program and a database interact using SQL, the two belong to different software systems and communicate over a network protocol. When open-source software is used, a hacker can also learn the network protocol, and can therefore intercept the communication packets, for example the packets that carry SQL instructions, and modify them. The database side only checks that the SQL is legal and can be executed; it cannot identify whether the packet is identical to the original packet sent by the application program. The data is therefore easily tampered with, which causes losses to the enterprise.
Under normal circumstances the communication structure between the application program and the database/firewall is as shown in Fig. 1 (the arrow represents the flow direction of the SQL instruction packet, and the dotted line represents the source and destination of the SQL instruction packet). After a hacker has implanted a program, the communication structure between the application program and the database/firewall is as shown in Fig. 2 (the arrow represents the flow direction of the SQL instruction packet, and the dotted line represents the source and destination of the SQL instruction packet).
The current solution is encryption. After encryption, the communication structure between the application program and the database/firewall is as shown in Fig. 3 (the solid arrow represents the flow direction of the SQL instruction packet, and the dotted line represents the source and destination of the SQL instruction packet). Under the existing encryption scheme, after a hacker has implanted a program, the communication structure between the application program and the database/firewall is as shown in Fig. 4 (the arrow represents the flow direction of the SQL instruction packet, and the dotted line represents the source and destination of the SQL instruction packet). As long as the backdoor program knows the encryption and decryption algorithm, it can see the SQL and can likewise tamper with it transparently; although encryption adds difficulty, a great risk remains.
Summary of the invention
In view of the above deficiencies in the prior art, the object of the present invention is to provide a signature-based SQL anti-tampering protection method.
The object of the invention is achieved through the following technical solution. A signature-based SQL anti-tampering protection method comprises the following steps:
(1) The application program sends signature information to the database or firewall. The signature is a feature string or number obtained by processing a string of information with a specific algorithm; the complete information cannot be recovered from the resulting feature string or number, and the same information always yields the same feature string or number after processing.
(2) After the database or firewall has received the SQL signature, the application program sends the SQL instruction to the database or firewall.
(3) After the database or firewall receives the SQL instruction, it performs a signature check. If the signatures match, the SQL is executed; if they do not match, execution of the SQL is refused and the database or firewall reports that it is under attack.
The beneficial effects of the invention are as follows. The method increases the difficulty for a hacker to modify SQL packets: when the signature is sent first, the SQL statement has not yet been sent, so the signature cannot be altered in advance; when the SQL is sent, the signature can no longer be modified; and because the complete original information cannot be recovered from the signature, tampering with the SQL packet becomes ineffective. The method adds one more layer of protection on top of existing schemes and is not intended to replace existing encryption mechanisms completely. Even without an existing encryption scheme it greatly increases the difficulty of SQL tampering and raises the security level of the database. The invention does not conflict with existing encryption mechanisms; by sending the signature in advance it further raises the technical difficulty of SQL tampering, thereby achieving the goal of SQL tamper resistance.
Brief description of the drawings
Fig. 1 is the communication structure between a conventional application program and the database/firewall;
Fig. 2 is the communication structure between the application program and the database/firewall after a hacker has implanted a program;
Fig. 3 is the communication structure between the application program and the database/firewall when encryption is used;
Fig. 4 is the communication structure between the application program and the database/firewall after a hacker has implanted a program under the existing encryption scheme;
Fig. 5 is the communication structure in which the present invention sends the signature information;
Fig. 6 is the communication structure in which the present invention sends the SQL instruction;
Fig. 7 is the interaction flow between the application program and the database/firewall: (a) the existing interaction steps, (b) the interaction steps after applying the present invention.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawings and a specific embodiment. The method of the invention can be implemented in any computer language and has no special requirements for software or hardware.
The signature-based SQL anti-tampering protection method of the present invention comprises the following steps:
(1) The application program sends the signature information to the database or firewall, as shown in Fig. 5 (the arrow represents the flow direction of the signature information, and the dotted line represents its source and destination). When the signature information is sent, the important SQL information is still in the application program's memory, so a hacker's backdoor program cannot learn the original SQL information; it can only see the signature information pass by, which reveals nothing about the SQL. The application program is a program that receives user operations and instructions, such as a website or a commercial data-acquisition program; in general, any program or system that needs to send data to the database. The signature is a feature string or number obtained by processing a string of information with a specific algorithm; the complete information cannot be recovered from this data, and the same information is bound to yield the same feature string or number after processing. Hash algorithms, CRC check-code algorithms, SHA algorithms and the like can be used as the signature algorithm, or a custom irreversible algorithm can be designed. The database is the software system, together with its data, that permanently or temporarily stores business or system data, including but not limited to existing systems such as Oracle, DB2, Sybase, MySQL, SQL Server and Cache. The firewall is software or hardware placed between the application program and the database that inspects the content of the communication between them, forwarding it if it passes the check and otherwise rejecting it.
(2) After the database or firewall has received the SQL signature, the application program sends the SQL instruction to the database or firewall, as shown in Fig. 6 (the arrow represents the flow direction of the SQL instruction packet, and the dotted line represents its source and destination). The signature information that has already been transmitted can no longer be changed. Even if the hacker's backdoor program knows the format of the SQL packet and modifies it, the modified packet cannot match the signature and will be discarded in the next step, so the tampered SQL statement is never actually executed. SQL is the language in which the application program communicates with the database; it is relatively close to English and operates on the database's data in an easily understood way.
(3) After the database or firewall receives the SQL instruction, it performs the signature check. If the signatures match, the SQL is executed; if they do not match, execution of the SQL is refused and the database or firewall reports that it is under attack.
After the present invention is applied, the interaction flow between the application program and the database/firewall changes as shown in Fig. 7, where (a) shows the existing interaction steps and (b) the interaction steps after applying the invention. When the signature-based SQL anti-tampering protection method is used, the application program first sends the SQL signature to the database or firewall, waits until the database or firewall has received the SQL signature, and then sends the SQL instruction. Before executing the SQL, the database or firewall performs the signature check; if it does not match, the SQL is refused and the database or firewall reports that it is under attack.
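The three steps above, run end to end, as an added example that is not part of the patent or any product of the patentee. It assumes SHA-256 as the signature algorithm (one of the hash/SHA choices the description allows), a session identifier to pair each announced signature with the SQL that follows it, and a `Verifier` class standing in for the database front end or firewall; a `tamper` callback plays the role of the backdoor program that rewrites the SQL packet after the signature has already been sent. It goes one step beyond the text by offering an optional shared key, in which case the signature is an HMAC rather than a bare hash (an assumption of this example, not something the patent specifies), so that even a backdoor that later sees both messages cannot produce a matching signature/SQL pair of its own.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional


def sign_sql(sql: str, key: Optional[bytes] = None) -> str:
    """Step (1) signature: SHA-256 of the SQL text (a hash/SHA algorithm, as the
    description allows). With a shared key, an option added in this example and
    not in the patent, HMAC-SHA256 is used instead, so a matching pair cannot be
    forged even by someone who sees both messages."""
    data = sql.encode("utf-8")
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


@dataclass
class Verifier:
    """Models the database front end or the firewall in front of it.

    It remembers the signature announced for each session and releases a
    statement for execution only if the SQL that follows matches it."""
    key: Optional[bytes] = None
    pending: dict = field(default_factory=dict)     # session id -> announced signature
    executed: list = field(default_factory=list)    # statements that passed the check
    alerts: list = field(default_factory=list)      # (session id, reason) attack reports

    def receive_signature(self, session: str, signature: str) -> str:
        # Step (1): the signature arrives before any SQL; store it and acknowledge.
        self.pending[session] = signature
        return "ACK"

    def receive_sql(self, session: str, sql: str) -> bool:
        # Step (3): check the SQL against the signature announced earlier.
        announced = self.pending.pop(session, None)
        if announced is None:
            self.alerts.append((session, "SQL received without a prior signature"))
            return False
        actual = sign_sql(sql, self.key)
        if not hmac.compare_digest(announced, actual):
            self.alerts.append((session, "signature mismatch: SQL modified in transit"))
            return False
        self.executed.append(sql)       # a real system would now run the statement
        return True


def run_session(verifier: Verifier, session: str, sql: str,
                tamper: Optional[Callable[[str], str]] = None) -> bool:
    """Application side, steps (1) and (2). `tamper` stands in for a backdoor that
    rewrites the SQL packet on the wire; by then the signature is already sent."""
    ack = verifier.receive_signature(session, sign_sql(sql, verifier.key))
    if ack != "ACK":                    # step (2) waits for receipt of the signature
        return False
    on_the_wire = tamper(sql) if tamper else sql
    return verifier.receive_sql(session, on_the_wire)


if __name__ == "__main__":
    # Constructed sample statements; table and values are made up for the demo.
    v = Verifier()
    print(run_session(v, "s1", "SELECT balance FROM accounts WHERE id = 42"))
    print(run_session(v, "s2", "UPDATE accounts SET balance = 100 WHERE id = 42",
                      tamper=lambda s: s.replace("= 100", "= 100000")))
    print(v.receive_sql("s3", "DROP TABLE accounts"))   # no signature was announced
    print(v.alerts)
```

The verifier treats an SQL message with no preceding signature the same way as a mismatch: it is refused and reported, which is the behaviour a firewall needs so that a backdoor cannot simply skip step (1). `hmac.compare_digest` is used for the comparison so that the check does not leak timing information about how many leading characters of the signature matched.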
Claims (1)
1. A signature-based SQL anti-tampering protection method, characterised in that it comprises the following steps:
(1) the application program sends signature information to the database or firewall; the signature is a feature string or number obtained after processing a string of information, the complete information cannot be recovered from the obtained feature string or number, and the same information yields the same feature string or number after processing;
(2) after the database or firewall has received the SQL signature, the application program sends the SQL instruction to the database or firewall;
(3) after the database or firewall receives the SQL instruction, a signature check is performed; if the signatures match, the SQL is executed, and if they do not match, execution of the SQL is refused and the database or firewall reports that it is under attack.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510232967.7A CN104821949B (en) | 2015-05-08 | 2015-05-08 | SQL anti-tampering protection methods based on signature |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510232967.7A CN104821949B (en) | 2015-05-08 | 2015-05-08 | SQL anti-tampering protection methods based on signature |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104821949A CN104821949A (en) | 2015-08-05 |
CN104821949B true CN104821949B (en) | 2018-01-26 |
Family
ID=53732112
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510232967.7A Active CN104821949B (en) | 2015-05-08 | 2015-05-08 | SQL anti-tampering protection methods based on signature |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104821949B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2017166037A1 (en) * | 2016-03-29 | 2017-10-05 | 深圳投之家金融信息服务有限公司 | Data tampering detection device and method |
CN106549930A (en) * | 2016-08-17 | 2017-03-29 | 北京安天电子设备有限公司 | A kind of method and system of opposing SQL injection attacks |
CN106940778B (en) * | 2017-03-10 | 2020-10-16 | 华东师范大学 | Method for cracking encrypted data in support library based on GPU parallel dictionary |
CN110225016B (en) * | 2019-05-31 | 2020-05-19 | 北京理工大学 | Data hidden transmission method based on block chain network |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101291216A (en) * | 2007-04-16 | 2008-10-22 | 华为技术有限公司 | P2P network system and authentication method thereof |
CN103310160A (en) * | 2013-06-20 | 2013-09-18 | 北京神州绿盟信息安全科技股份有限公司 | Method, system and device for preventing webpage from being tampered with |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9154488B2 (en) * | 2013-05-03 | 2015-10-06 | Citrix Systems, Inc. | Secured access to resources using a proxy |
- 2015-05-08 CN CN201510232967.7A patent/CN104821949B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN104821949A (en) | 2015-08-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
AU2012324025B2 (en) | A system and method for authenticating the legitimacy of a request for a resource by a user | |
CN111447276B (en) | Encryption continuous transmission method with key agreement function | |
CN104821949B (en) | SQL anti-tampering protection methods based on signature | |
CN111095256A (en) | Securely executing intelligent contract operations in a trusted execution environment | |
Trenwith et al. | Digital forensic readiness in the cloud | |
CN103634114B (en) | The verification method and system of intelligent code key | |
CN104935568A (en) | Interface authentication signature method facing cloud platform | |
US11489823B2 (en) | Network enclave attestation for network and compute devices | |
Xuan et al. | Research and implementation of Modbus TCP security enhancement protocol | |
CN104778141A (en) | Control system trusted architecture-based TPCM (Trusted Platform Control Module) and trusted detection technology | |
WO2009115903A1 (en) | Method and system to provide fine granular integrity to digital data | |
CN114499913B (en) | Encrypted message detection method and protection equipment | |
EP2859691B1 (en) | Method and system for maintaining data in a substantiated state | |
US20200322334A1 (en) | Authentication of network devices based on extensible access control protocols | |
CN109635593B (en) | Data integrity storage protection method based on electric power payment terminal in electric power system | |
US20200059478A1 (en) | Continuous hash verification | |
Patil et al. | Secured cloud architecture for cloud service provider | |
US11146594B2 (en) | Security incident blockchain | |
CN107070925A (en) | A kind of terminal applies and the anti-tamper method of background service communication packet | |
CN110233735B (en) | Comprehensive safety protection method and system for grid-connected power station industrial control system | |
Apirajitha et al. | On developing Block‐Chain based Secure Storage Model (BSSM) with auditing and integrity analysis in the cloud | |
US20220035924A1 (en) | Service trust status | |
Krentz et al. | Reducing trust assumptions with OSCORE, RISC-V, and Layer 2 one-time passwords | |
US12041168B2 (en) | Internet packet provenance to verify packet validity and control packet usage | |
AU2012101560B4 (en) | Transaction verification |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
EXSB | Decision made by sipo to initiate substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | | Effective date of registration: 20191014. Address after: 201799, room 1200, Qinghe Wan Road, Qingpu, Shanghai, 1008. Patentee after: Shanghai DragonNet Technology Co.,Ltd. Address before: 626, room 6, floor 5, building 391, West Lake international science and technology building, No. 310012 Wen two road, Zhejiang, Xihu District, Hangzhou, China. Patentee before: Hangzhou common people softcom limited |