CN104821949B - SQL anti-tampering protection methods based on signature - Google Patents

Info

  • Publication number: CN104821949B (application number CN201510232967.7A)
  • Authority: CN (China)
  • Prior art keywords: sql, signature, database, fire wall, sending
  • Legal status: Active
  • Other languages: Chinese (zh)
  • Other versions: CN104821949A (en)
  • Inventor: 楼方鑫
  • Current assignee: Shanghai DragonNet Technology Co.,Ltd.
  • Original assignee (applicant): Hangzhou Common People Softcom Ltd
  • Priority date and filing date: 2015-05-08
  • Publication of CN104821949A: 2015-08-05
  • Grant and publication of CN104821949B: 2018-01-26

Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a signature-based SQL anti-tampering protection method. The application program first sends the SQL signature to the database or firewall, and only after the database or firewall has received the signature does it send the SQL instruction. Before executing the SQL, the database or firewall checks the signature; if it does not match, it refuses to execute the SQL and reports that the database or firewall is under attack. The method increases the difficulty of a hacker modifying SQL packets: when the signature is sent first, the SQL statement has not yet been sent, so the signature cannot be modified in advance; when the SQL is sent, the signature can no longer be modified; and since the complete original information cannot be recovered from the signature, tampering with the SQL packet becomes ineffective. The invention does not conflict with existing general encryption mechanisms; by sending the signature in advance it further raises the technical difficulty of tampering with SQL, thereby achieving the goal of SQL tamper resistance.

Description

SQL anti-tampering protection methods based on signature
Technical field
The invention belongs to the technical field of network security, and more particularly relates to a signature-based SQL anti-tampering protection method.
Background technology
When an application program interacts with a database using SQL, the application program and the database belong to different software systems and communicate over a network protocol. When open-source software is used, a hacker can also learn the network protocol, and can therefore intercept the communication packets, for example the packets containing SQL instructions, and modify them. The database side only checks that the SQL is legal before executing it; it cannot determine whether the packet is identical to the original packet sent by the application program. Data can therefore easily be tampered with, causing losses to the enterprise.
Under normal circumstances, the communication structure between the application program and the database/firewall is as shown in Fig. 1 (arrows represent the flow direction of SQL instruction packets; dotted lines represent the source and destination of SQL instruction packets). After a hacker has implanted a program, the communication structure between the application program and the database/firewall is as shown in Fig. 2 (arrows represent the flow direction of SQL instruction packets; dotted lines represent their source and destination).
The current solution is encryption. After encryption is applied, the communication structure between the application program and the database/firewall is as shown in Fig. 3 (solid arrows represent the flow direction of SQL instruction packets; dotted lines represent their source and destination). Under the existing encryption scheme, after a hacker has implanted a program, the communication structure between the application program and the database/firewall is as shown in Fig. 4 (arrows represent the flow direction of SQL instruction packets; dotted lines represent their source and destination). As long as the backdoor program knows the encryption and decryption algorithm, it can still tamper with SQL transparently; although encryption adds difficulty, a great risk remains.
The content of the invention
In view of the above deficiencies in the prior art, the object of the present invention is to provide a signature-based SQL anti-tampering protection method.
The object of the present invention is achieved through the following technical solution: a signature-based SQL anti-tampering protection method comprising the following steps:
(1) The application program sends signature information to the database or firewall. The signature is a feature string or number obtained by processing a string of information with a specific algorithm; the complete information cannot be derived back from the feature string or number, and the same information always yields the same feature string or number after processing.
(2) After the database or firewall has received the SQL signature, the application program sends the SQL instruction to the database or firewall.
(3) After the database or firewall receives the SQL instruction, it performs a signature check: if the signatures match, the SQL is executed; if they do not match, execution of the SQL is refused and the database or firewall reports that it is under attack.
The beneficial effects of the invention are as follows. The method increases the difficulty for a hacker to modify SQL packets: when the signature is sent first, the SQL statement has not yet been sent, so the signature cannot be modified in advance; when the SQL is sent, the signature can no longer be modified; and since the complete original information cannot be recovered from the signature, tampering with the SQL packet becomes ineffective. The method adds one more layer of protection on top of existing schemes and is not intended to completely replace existing encryption mechanisms. Even without an existing encryption scheme, it substantially increases the difficulty of tampering with SQL and improves the security level of the database. The invention does not conflict with existing encryption mechanisms; by sending the signature in advance, it further raises the technical difficulty of tampering with SQL and thereby achieves the goal of SQL tamper resistance.
Brief description of the drawings
Fig. 1 is the communication structure between a conventional application program and the database/firewall;
Fig. 2 is the communication structure between the application program and the database/firewall after a hacker has implanted a program;
Fig. 3 is the communication structure between an application program using encryption and the database/firewall;
Fig. 4 is the communication structure between the application program and the database/firewall after a hacker has implanted a program under the existing encryption scheme;
Fig. 5 is the communication structure when the present invention sends the signature information;
Fig. 6 is the communication structure when the present invention sends the SQL instruction;
Fig. 7 is the interaction flow between the application program and the database/firewall: (a) the existing interaction steps, (b) the interaction steps after applying the present invention.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawings and a specific embodiment. The method can be implemented in any computer language and has no particular requirements for software or hardware.
The signature-based SQL anti-tampering protection method of the present invention comprises the following steps:
(1) The application program sends signature information to the database or firewall, as shown in Fig. 5 (arrows represent the flow direction of the signature information; dotted lines represent its source and destination). When the signature information is sent, the important SQL information is still in the application program's memory, so a hacker's backdoor program cannot learn the original SQL information and can do nothing with the signature information alone. The application program is a program that receives user operations and instructions, such as a website or a commercial data-collection program; that is, any program or system that needs to send data to the database. The signature is a feature string or number obtained by processing a string of information with a specific algorithm; the complete information cannot be derived back from this data, and the same information always yields the same feature string or number after processing. Hash algorithms, CRC check code algorithms, SHA algorithms and the like can serve as the signature algorithm, or a custom irreversible algorithm may be designed. The database is the software system, together with its data, used to store business and system data permanently or temporarily, including but not limited to existing software systems such as Oracle, DB2, Sybase, MySQL, SQL Server and Cache. The firewall is software or hardware placed between the application program and the database that performs security checks on the communication content between them, forwarding it if the check passes and rejecting it otherwise.
(2) After the database or firewall has received the SQL signature, the application program sends the SQL instruction to the database or firewall, as shown in Fig. 6 (arrows represent the flow direction of SQL instruction packets; dotted lines represent their source and destination). The signature information that has already been transmitted can no longer be modified. Even if the hacker's backdoor program knows the format of the SQL packet and modifies it, the modified packet cannot match the signature and is discarded in the next step, so the tampered SQL statement is never actually executed. SQL is the language in which the application program communicates with the database; it is relatively close to English and operates on the database's data in an easily understood way.
(3) After the database or firewall receives the SQL instruction, it performs a signature check: if the signatures match, the SQL is executed; if they do not match, execution of the SQL is refused and the database or firewall reports that it is under attack.
After applying the present invention, the interaction flow between the application program and the database/firewall changes as follows. As shown in Fig. 7, (a) shows the existing interaction steps and (b) the interaction steps after applying the present invention. When the signature-based SQL anti-tampering protection method is used, the application program first sends the SQL signature to the database or firewall, waits until the database or firewall has received the signature, and only then sends the SQL instruction. Before executing the SQL, the database or firewall checks the signature; if it does not match, it refuses to execute the SQL and reports that the database or firewall is under attack.
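The three-step exchange of the embodiment (signature first, SQL only after the acknowledgement, digest check before execution), as an added example that is not part of the patent. It assumes SHA-256 as the digest, since the patent lists hash, CRC and SHA algorithms without fixing one, and models the database-side firewall as an in-process object; the `tamper` hook stands in for the implanted backdoor of Fig. 2 rewriting the SQL packet on the wire.

```python
import hashlib
import hmac


def sql_signature(sql: str) -> str:
    """Step (1): one-way digest of the SQL text. SHA-256 is assumed here;
    the patent only requires an irreversible, deterministic function."""
    return hashlib.sha256(sql.encode("utf-8")).hexdigest()


class SignatureCheckingFirewall:
    """Database-side (or firewall-side) state for one application session."""

    def __init__(self) -> None:
        self.pending_signature = None  # signature received, SQL not yet seen
        self.executed = []             # statements forwarded to the database
        self.alerts = []               # "under attack" reports from step (3)

    def receive_signature(self, signature: str) -> str:
        """Step (1): hold the signature and acknowledge it; the application
        sends the SQL only once this acknowledgement arrives (step 2)."""
        self.pending_signature = signature
        return "SIGNATURE_RECEIVED"

    def receive_sql(self, sql: str) -> bool:
        """Step (3): recompute the digest over the SQL actually received and
        compare it with the signature sent earlier; execute only on a match.
        One signature authorises exactly one statement."""
        expected, self.pending_signature = self.pending_signature, None
        if expected is None:
            self.alerts.append("SQL received without a prior signature")
            return False
        if not hmac.compare_digest(expected, sql_signature(sql)):
            self.alerts.append("signature mismatch: SQL rejected, possible tampering")
            return False
        self.executed.append(sql)
        return True


def send_statement(firewall, sql, tamper=None) -> bool:
    """Application side: signature first, SQL only after the acknowledgement.
    `tamper` (hypothetical hook) models a backdoor rewriting the SQL packet
    on the wire after the signature has already been accepted."""
    ack = firewall.receive_signature(sql_signature(sql))
    if ack != "SIGNATURE_RECEIVED":
        return False
    on_the_wire = tamper(sql) if tamper else sql
    return firewall.receive_sql(on_the_wire)


if __name__ == "__main__":
    fw = SignatureCheckingFirewall()
    stmt = "UPDATE accounts SET balance = 100 WHERE id = 7"  # constructed sample
    print(send_statement(fw, stmt))                                                # True
    print(send_statement(fw, stmt, tamper=lambda s: s.replace("100", "9999")))   # False
    print(fw.alerts)
```

As the patent itself states, the check is an extra layer and not a substitute for encrypting the channel; the alerts list is where the "report under attack" step would feed a monitoring system.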

Claims (1)

  1. A signature-based SQL anti-tampering protection method, characterised in that it comprises the following steps:
    (1) the application program sends signature information to the database or firewall, the signature being a feature string or number obtained by processing a string of information, such that the complete information cannot be derived back from the feature string or number and the same information yields the same feature string or number after processing;
    (2) after the database or firewall has received the SQL signature, the application program sends the SQL instruction to the database or firewall;
    (3) after the database or firewall receives the SQL instruction, it performs a signature check; if the signatures match, the SQL is executed, and if they do not match, execution of the SQL is refused and the database or firewall reports that it is under attack.

Priority Application (1)

Application Number Priority Date Filing Date Title Status
CN201510232967.7A 2015-05-08 2015-05-08 SQL anti-tampering protection methods based on signature Active

Publications (2)

Publication Number Publication Date
CN104821949A (en) 2015-08-05
CN104821949B (en) 2018-01-26

Family

ID=53732112

Country Status (1)

Country Link
CN (1) CN104821949B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017166037A1 (en) * 2016-03-29 2017-10-05 深圳投之家金融信息服务有限公司 Data tampering detection device and method
CN106549930A (en) * 2016-08-17 2017-03-29 北京安天电子设备有限公司 A kind of method and system of opposing SQL injection attacks
CN106940778B (en) * 2017-03-10 2020-10-16 华东师范大学 Method for cracking encrypted data in support library based on GPU parallel dictionary
CN110225016B (en) * 2019-05-31 2020-05-19 北京理工大学 Data hidden transmission method based on block chain network

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101291216A (en) * 2007-04-16 2008-10-22 华为技术有限公司 P2P network system and authentication method thereof
CN103310160A (en) * 2013-06-20 2013-09-18 北京神州绿盟信息安全科技股份有限公司 Method, system and device for preventing webpage from being tampered with

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9154488B2 (en) * 2013-05-03 2015-10-06 Citrix Systems, Inc. Secured access to resources using a proxy



Legal Events

Code Title
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20191014

Patentee before: Hangzhou common people softcom limited
Address before: 626, room 6, floor 5, building 391, West Lake international science and technology building, No. 310012 Wen two road, Zhejiang, Xihu District, Hangzhou, China

Patentee after: Shanghai DragonNet Technology Co.,Ltd.
Address after: 201799, room 1200, Qinghe Wan Road, Qingpu, Shanghai, 1008