CN106446196A - Autonomous controllable database data encryption and retrieval method and system based on random salt - Google Patents

Publication number
CN106446196A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610866064.9A
Other languages
Chinese (zh)
Inventor
杨利兵
王艳
缪燕
刘红超
刘浩
张学深
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
Beijing Xuji Electric Co Ltd
Original Assignee
State Grid Corp of China SGCC
Beijing Xuji Electric Co Ltd
Application filed by State Grid Corp of China SGCC, Beijing Xuji Electric Co Ltd filed Critical State Grid Corp of China SGCC
Priority to CN201610866064.9A priority Critical patent/CN106446196A/en
Publication of CN106446196A publication Critical patent/CN106446196A/en
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2458 Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention provides an autonomous controllable database data encryption and retrieval method and system based on random salt. The system comprises a database internal processing subsystem and a data encryption subsystem. The database internal processing subsystem comprises an external interface calling module for calling the database encryption subsystem to encrypt/decrypt data, a database view decryption calling module for encrypting a plaintext database, a database trigger encryption calling module for encrypting the data when the data in the database calls a trigger, and an extension index interface encryption indexing module for generating indexes for the encrypted data. The data encryption subsystem comprises a strategy management module, a data encryption module and a data decryption module.

Description

Autonomous controllable database data encryption and retrieval method and system based on random salt
Technical field
The invention belongs to the field of information security technology, and more particularly relates to an autonomous controllable database data encryption and retrieval method and system based on random salt.
Background
With the wide application of information technology, more and more important data is stored and processed electronically. Although this way of storing and processing data improves convenience, it also makes the data easy to steal and tamper with. In the prior art, the most common way to steal and tamper with data is to attack the database, so how to ensure the security of the database while preserving its working efficiency is a current main research direction. The reason is that the most effective way to solve the database security problem is to encrypt the data stored in the database; but once all data has been encrypted it is difficult to retrieve effectively, which causes the working efficiency of the database to drop sharply.
Summary of the invention
To address the prior-art problem that it is difficult for a database to ensure both the security and the ease of use of data, the technical problem to be solved by the invention is to provide a more effective and efficient autonomous controllable database data encryption and retrieval method and system based on random salt, so as to solve the problems of database data leakage, encrypted data retrieval, and database performance.
To solve the above problems, an embodiment of the invention proposes an autonomous controllable database data encryption and retrieval system based on random salt, comprising a database internal processing subsystem and a data encryption subsystem.
The database internal processing subsystem comprises: an external interface calling module for calling the data encryption subsystem to encrypt/decrypt data; a database view decryption calling module for encrypting the plaintext database table; a database trigger encryption calling module for encrypting data when the data in the database calls a trigger; and an extension index interface encryption indexing module for generating indexes for the encrypted data. Wherein:
The database view decryption calling module is used to copy the plaintext database table to a preset location, rename the plaintext database table, and create a view with the same name as the plaintext database table; to send the plaintext fields of the plaintext database table that need to be encrypted to the data encryption subsystem; to replace each plaintext field with the masked field that the data encryption subsystem determines for it; and to replace the data in the plaintext field with the encrypted data.
The extension index interface encryption indexing module is used to determine whether the field to be queried is an encrypted field. If it is not an encrypted field, the view query is executed through the database's bitmap scan query extension interface and the view is then sent to the data encryption subsystem for decryption. If it is an encrypted field, the masked field in the plaintext database is determined from the correspondence between plaintext fields and masked fields stored in the data encryption subsystem, and the data in the column of the plaintext field in the plaintext database is decrypted.
The data encryption subsystem comprises:
A policy management module, used to provide a login interface through which the user enters an encryption policy, where the encryption policy includes at least one of the following: the plaintext fields that need to be encrypted, and whether to keep the plaintext database table.
A data encryption module, used, according to the instructions received from the database internal processing subsystem, to replace the plaintext fields in the database that need to be encrypted with masked fields and to store the correspondence between plaintext fields and masked fields; it is also used to encrypt the data in the column of the plaintext field with the MD5-plus-random-salt algorithm.
A data decryption module, used to decrypt the encrypted data in the database according to the instructions received from the database internal processing subsystem.
The data encryption subsystem further comprises:
A permission management module, used to authenticate the login account and password and to manage encryption/decryption permissions; the permission management module authenticates the login account and password using the RSA (Rivest-Shamir-Adleman) algorithm or an external digital certificate interface.
The database internal processing subsystem further comprises a database trigger encryption calling module for encrypting data when the plaintext database table is modified; the database trigger encryption calling module determines whether the database has called a trigger and, if so, calls the data encryption subsystem to encrypt the data.
An embodiment of the invention also proposes an autonomous controllable database data encryption and retrieval method based on random salt, comprising:
A plaintext database table processing step, used to copy the plaintext database table to a preset location, rename the plaintext database table, and create a view with the same name as the plaintext database table; to send the plaintext fields of the plaintext database table that need to be encrypted to the data encryption subsystem; to replace each plaintext field with the masked field that the data encryption subsystem determines for it; and to replace the data in the plaintext field with the encrypted data.
A retrieval step, used to determine whether the field to be queried is an encrypted field. If it is not an encrypted field, the view query is executed through the database's bitmap scan query extension interface and the view is then sent to the data encryption subsystem for decryption. If it is an encrypted field, the masked field in the plaintext database is determined from the correspondence between plaintext fields and masked fields stored in the data encryption subsystem, and the data in the masked field column in the plaintext database is decrypted.
A trigger encryption calling step: the main function of this functional module is to determine whether a trigger is called; when a trigger is called, the trigger calls the encryption module of the encryption/decryption software to encrypt the data.
A policy management step, used to provide a login interface through which the user enters an encryption policy, where the encryption policy includes at least one of the following: the plaintext fields that need to be encrypted, and whether to keep the plaintext database table.
A data encryption step, used, according to the instructions received from the database internal processing subsystem, to replace the plaintext fields in the database that need to be encrypted with masked fields and to store the correspondence between plaintext fields and masked fields; it is also used to encrypt the data in the column of the plaintext field with the MD5-plus-random-salt algorithm.
A data decryption step, used to decrypt the encrypted data in the database according to the instructions received from the database internal processing subsystem.
The method further comprises:
A login authentication management module, used to authenticate the login account and password and to manage encryption/decryption permissions; the permission management module authenticates the login account and password using the RSA (Rivest-Shamir-Adleman) algorithm or an external digital certificate interface.
The beneficial effects of the above technical scheme are as follows. The embodiment of the invention proposes an autonomous controllable database data encryption and retrieval method and system based on random salt that can mask the preset fields of the plaintext database table and encrypt the data in the columns of those preset fields. At retrieval time, the corresponding plaintext field can be obtained quickly from the masked field, and the data in the plaintext column can be decrypted. The scheme balances security and retrieval performance.
Description of the drawings
Fig. 1 is the system structure topological diagram of the embodiment of the present invention.
Detailed description
To make the technical problem to be solved, the technical scheme and the advantages of the invention clearer, a detailed description is given below with reference to the accompanying drawing and specific embodiments.
As shown in Figure 1, a specific example is described below. The example uses an existing analytical database management software for enterprise-level applications. The software is formed by secondary development and encapsulation around the advanced open-source database PostgreSQL as its core, and integrates easy-to-learn, easy-to-use administration interfaces and auxiliary tools to meet the power industry's stability, security and Jian Min requirements for database software products. While ensuring the security, high availability and scalability of the management software, the development team tries to reduce the overall cost of the software and enhance its ease of use. The database management software is divided by processing flow and function into five major parts: the connection management system, the compile-and-execute system, the storage management system, the transaction management system, and the system tables. This is only an example; those skilled in the art will understand that the method of the embodiment can be used with any database management software.
In this example, the kernel of the database management system (DBMS) is modified so that the database management software calls external encryption/decryption software to implement functions such as encryption, decryption and retrieval for the database. The encryption function of the invention is strong, does not affect normal use of the DBMS, and achieves a seamless combination of encryption/decryption technology with the database management system.
Database management software part: on the basis of the existing database management system, the kernel of the database is modified to support calls to the database encryption/decryption software.
Database view decryption calling module:
A view in a DBMS is a virtual table; for operations on the database, the system operates on the base tables associated with the view according to the view's definition. The principle of database views is fully exploited to implement filtering, projection, aggregation, join and function operations on the encrypted data in a table.
The main function of the module is as follows. When it is determined that the user's encrypted data needs a plaintext backup, the plaintext data table is copied to the specified path, the table is renamed, a view with the same name as the table is created, and the trigger's encryption calling module is called to encrypt the data. When it is determined that the user's plaintext data does not need a plaintext backup, the table is renamed directly and a view with the same name as the table is created; in the view, the decryption module of the external encryption/decryption software is called to decrypt the data. This makes it possible to encrypt specific fields of a database table.
Database trigger encryption calling module:
The main function of this functional module is to determine whether a trigger is called; when a trigger is called, the trigger calls the encryption module of the encryption/decryption software to encrypt the data. A database trigger is a function that is invoked automatically when a database operation occurs. For row-level triggers of the "BEFORE" and "INSTEAD OF" kind, when the returned result is NULL, the operation on the current row is skipped; if a non-NULL row is returned, then for INSERT and UPDATE operations the trigger calls the encryption module of the encryption/decryption software to encrypt the data.
Extension index interface encryption indexing module:
The DBMS extension index interface encryption indexing module indexes the encrypted data. The DBMS has five classes of index, of which the most commonly used is B-tree. Index Scan traverses all rows of the whole table from beginning to end, so its efficiency is not very high when the data volume is large. Bitmap scan takes out all index entries that satisfy the condition at once, sorts them in memory, and then accesses the table data according to the retrieved index entries. This patent uses the bitmap scan mechanism for encrypted retrieval. The handling code executed for the index's Create Index, Insert, Delete and Update statements and for bitmap scan is written independently. Through this mechanism a self-defined extension encrypted index can be used. When this index is used to retrieve encrypted data, bitmap scan takes out all index entries that satisfy the condition at once and sorts them in memory, which solves the problem of encrypted data retrieval and significantly improves the efficiency of ciphertext retrieval.
External interface calling module: it mainly provides the interface that connects the encryption/decryption algorithms and the encryption/decryption software, implementing calls to the encryption/decryption software, permission control independent of the database, and interfaces to other encryption-algorithm software. The technical key to this is external program calling and external communication support. To support external program calls in the database, a communication interface must first be defined. Through the external call interface, the database encryption and decryption functions are written as independent database encryption/decryption software that runs on a separate server; the permission check process is limited to superuser permissions, which improves the performance of the database management software.
Database encryption/decryption part:
Account permission management module
The main function of the account and permission management module is to manage users' login accounts and passwords and their encryption/decryption permissions. Authentication uses the RSA (Rivest-Shamir-Adleman) algorithm or an external digital certificate interface.
Policy setting module
This functional module is a user-defined settings interface. The user defines the database objects to encrypt by selecting the columns to be encrypted, and configures policies such as whether to keep the plaintext.
Database encryption module
This functional module encrypts the database's data using MD5 plus a random salt. When the user INSERTs or UPDATEs data, the corresponding column name is renamed by a computation; for example, the column name "identity card" is renamed by computation to "big pagoda tree (Sophora japonica)". The data in the corresponding column is encrypted by applying an encryption function, adding a random salt, and then computing MD5. For example: MD5(f(X) + random salt)
Because the data inside the database is massive, other encryption algorithms would require too much computation. MD5 plus a random salt is therefore used to improve security.
Database decryption module
When the view issues a decryption request, the decryption routine of the database encryption/decryption software is called. It applies the MD5 decryption function to the data, removes the salt, and computes the inverse of the encryption function.
The method of the invention can include:
1. Login authentication
The user logs in to the database encryption/decryption software through RSA authentication, UKey authentication or the like; otherwise login is refused.
The encryption objects are determined: the user selects the database, tables and columns to encrypt, and the policy option of whether to keep the plaintext. An encryption policy is set for new users.
2. Encryption judgment
It is determined whether the user needs to encrypt data. When the user does not need to encrypt data, the corresponding request is sent to the database management system (DBMS), the database operation is executed, and the flow exits. When the user needs to encrypt data, the request is sent on to the plaintext backup judgment.
3. Plaintext backup judgment
After the encryption request judgment is complete, the database encryption/decryption software first determines whether the plaintext needs to be backed up. If the user needs the plaintext, a request is sent to the trigger, the plaintext view of the same name is copied to the specified path, the view of the table to be encrypted is renamed, and the names of the fields to be encrypted are masked. For example, the field "identity card" becomes the field "apple tree".
When the user issues a request such as an insert or an update, the plaintext backup request is evaluated. If the user has a plaintext backup request, the database trigger is called to send the insert or update data into the plaintext table, and an encryption request is sent to the encryption module for encryption. If there is no plaintext backup policy, the encryption request is sent to the encryption module for encryption.
4. Encryption
After the encryption judgment and the plaintext backup judgment, the encryption module proceeds as follows. The encrypted fields are matched; the encrypted fields stored in the database encryption/decryption software are the plaintext fields. After the encrypted fields are matched, the names to be encrypted are masked. The random salt and an association database of encrypted field IDs and random salts are generated in the encryption/decryption software. The plaintext value of the relevant field is processed by a function and the random salt is then added to generate new data; the combined data is then processed with MD5. The encrypted data value goes to the encrypted view through the database trigger, and the related storage operations are carried out by the database's own mechanism.
5. Encrypted data trigger processing
With the masked field names and the encrypted data, the database encryption/decryption software sends an operation request to the database encryption/decryption interface; the interface sends the request to the database trigger, and the trigger performs the related operations according to the database mechanism. The whole encryption process is then complete.
6. Decrypted data view processing
When the user issues a select query in the database encryption/decryption software, including filtering, projection, aggregation, join and function operations, the flow is as follows:
The user issues a query request in the encryption/decryption software, and it is first determined whether the queried field is an encrypted field. If it is not an encrypted field, the request is sent directly to the database's bitmap scan query extension interface. After the bitmap scan query extension has executed the view query according to the database mechanism, the database view sends a decryption request to the database encryption/decryption interface, which calls the decryption program of the database encryption/decryption software. The decryption program first performs Encode MD5 decryption, then removes the salt, then computes the inverse of the encryption function and returns the data. If it is an encrypted field, the field is processed by the masking function; the encryption/decryption software looks up the random salt in the association database of encrypted field IDs and random salts; the random salt is added to the value produced by the masking function; and the result is MD5-encrypted and sent to the database's bitmap scan query extension interface. The bitmap scan query extension executes the view query according to the database mechanism, and the view sends a decryption request to the database encryption/decryption interface, which calls the decryption program of the database encryption/decryption software. The decryption program first performs Encode MD5 decryption, then removes the salt, then computes the inverse of the encryption function and returns the data.
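Added example (not code from the patent): a Python sketch, using SQLite in place of the PostgreSQL-based product, of the flow described in steps 3 to 6: a renamed base table with a masked column, a same-named view, an INSTEAD OF trigger that calls out to the encryption code, and an equality query that recomputes MD5(f(X) + random salt). The names `FieldPolicy`, `staff`, `staff_base`, `big_tree`, `enc_id_card` and the function `f` are assumptions, as is the reading that one salt is kept per field; MD5 is a one-way hash, so the sketch covers storage and lookup only and does not attempt the decryption step.

```python
import hashlib
import secrets
import sqlite3

# Constructed sample rows: (name, identity card number). One number is repeated on purpose.
SAMPLE_ROWS = [
    ("Alice", "ID-0001"),
    ("Bob", "ID-0002"),
    ("Alice (re-entered)", "ID-0001"),
]


def f(value):
    # Hypothetical stand-in for the description's unspecified function f(X).
    return value[::-1]


class FieldPolicy:
    """Mapping kept outside the database: plaintext field -> (masked name, salt)."""

    def __init__(self):
        self._fields = {}

    def protect(self, plain_name, masked_name):
        # Assumption: one random salt per protected field, so that a query
        # can recompute the same token from the search value.
        self._fields[plain_name] = (masked_name, secrets.token_hex(16))

    def masked_name(self, plain_name):
        return self._fields[plain_name][0]

    def token(self, plain_name, value):
        # MD5(f(X) + random salt), following the formula in the description.
        salt = self._fields[plain_name][1]
        return hashlib.md5((f(value) + salt).encode("utf-8")).hexdigest()


def build_database(policy):
    """Create the renamed base table, the same-named view and the trigger."""
    db = sqlite3.connect(":memory:")
    # The trigger reaches the external encryption code through this SQL function.
    db.create_function("enc_id_card", 1, lambda v: policy.token("id_card", v))
    col = policy.masked_name("id_card")
    db.executescript(f"""
        CREATE TABLE staff_base (name TEXT, "{col}" TEXT);
        CREATE INDEX staff_base_idx ON staff_base ("{col}");
        CREATE VIEW staff AS SELECT name, "{col}" AS id_card FROM staff_base;
        CREATE TRIGGER staff_insert INSTEAD OF INSERT ON staff
        BEGIN
            INSERT INTO staff_base VALUES (NEW.name, enc_id_card(NEW.id_card));
        END;
    """)
    return db


def insert_rows(db, rows):
    # Applications keep writing to the original table name; the trigger encrypts.
    db.executemany("INSERT INTO staff (name, id_card) VALUES (?, ?)", rows)


def find_by_id_card(db, policy, id_card):
    # Query on an encrypted field: recompute the token, then match on it.
    token = policy.token("id_card", id_card)
    cur = db.execute(
        "SELECT name FROM staff WHERE id_card = ? ORDER BY name", (token,)
    )
    return [row[0] for row in cur]


def stored_values(db, policy):
    """What is actually at rest in the masked column."""
    col = policy.masked_name("id_card")
    return [row[0] for row in db.execute(f'SELECT "{col}" FROM staff_base')]


def repeated_tokens(db, policy):
    """Tokens stored more than once: equal plaintexts stay recognisable at rest."""
    col = policy.masked_name("id_card")
    cur = db.execute(
        f'SELECT "{col}", COUNT(*) FROM staff_base '
        f'GROUP BY "{col}" HAVING COUNT(*) > 1'
    )
    return dict(cur.fetchall())


if __name__ == "__main__":
    policy = FieldPolicy()
    policy.protect("id_card", "big_tree")
    db = build_database(policy)
    insert_rows(db, SAMPLE_ROWS)
    print(find_by_id_card(db, policy, "ID-0001"))
    print(stored_values(db, policy))
    print(repeated_tokens(db, policy))
```

Because the salt is fixed per field, equal plaintexts produce equal stored tokens, which is what makes the equality lookup work and what `repeated_tokens` exposes.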
The above is the preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make some improvements and modifications without departing from the principle of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.

Claims (5)

1. An autonomous controllable database data encryption and retrieval system based on random salt, characterized by comprising: a database internal processing subsystem and a data encryption subsystem;
wherein the database internal processing subsystem comprises: an external interface calling module for calling the data encryption subsystem to encrypt/decrypt data; a database view decryption calling module for encrypting the plaintext database table; a database trigger encryption calling module for encrypting the data when the data invokes a trigger in the database; and an extended index interface encryption index module for generating an index over the encrypted data; wherein,
the database view decryption calling module is configured to copy the plaintext database table to a preset location, rename the plaintext database table and create a view with the same name as the plaintext database table, send the plaintext fields that need to be encrypted in the plaintext database table to the data encryption subsystem, replace each plaintext field with the mask field corresponding to that plaintext field as determined by the data encryption subsystem, and replace the data in the plaintext field with the encrypted data;
the extended index interface encryption index module is configured to determine whether the field to be queried is an encrypted field; if it is not an encrypted field, the view query is executed using the database's bitmap scan query extension interface and the view is then sent to the data encryption subsystem for decryption; if it is an encrypted field, the mask field in the plaintext database is determined according to the correspondence between plaintext fields and mask fields stored in the data encryption subsystem, and decryption is performed on the column of the plaintext field in the plaintext database;
wherein the data encryption subsystem comprises:
a policy management module for providing a login interface so that the user can formulate an encryption policy, wherein the encryption policy includes at least one of the following: setting the fields that need to be encrypted, and setting whether to retain the plaintext data;
a data encryption module configured to, according to the received instruction from the database internal processing subsystem, replace the plaintext fields that need to be encrypted in the database with mask fields and store the correspondence between plaintext fields and mask fields; and further configured to encrypt the data in the column of each plaintext field using the algorithm of MD5 plus random salt;
a data decryption module configured to decrypt the encrypted data in the database according to the received instruction from the database internal processing subsystem.
2. The autonomous controllable database data encryption and retrieval system based on random salt according to claim 1, characterized in that the data encryption subsystem further comprises:
a rights management module for authenticating the login account and password and managing encryption/decryption permissions; wherein the rights management module authenticates the login account and password using the RSA asymmetric encryption algorithm or an external digital certificate interface authentication mode.
3. The autonomous controllable database data encryption and retrieval system based on random salt according to claim 1, characterized in that the database internal processing subsystem further comprises a database trigger encryption calling module for encrypting data when the plaintext database table is modified; the database trigger encryption calling module is configured to determine whether the database invokes a trigger and, if so, to call the data encryption subsystem to encrypt the data.
4. An autonomous controllable database data encryption and retrieval method based on random salt, characterized by comprising:
a plaintext database table processing step of copying the plaintext database table to a preset location, renaming the plaintext database table and creating a view with the same name as the plaintext database table, sending the plaintext fields that need to be encrypted in the plaintext database table to the data encryption subsystem, replacing each plaintext field with the mask field corresponding to that plaintext field as determined by the data encryption subsystem, and replacing the data in the plaintext field with the encrypted data;
a retrieval step of determining whether the field to be queried is an encrypted field; if it is not an encrypted field, the view query is executed using the database's bitmap scan query extension interface and the view is then sent to the data encryption subsystem for decryption; if it is an encrypted field, the mask field in the plaintext database is determined according to the correspondence between plaintext fields and mask fields stored in the data encryption subsystem, and the data in the mask field column in the plaintext database is decrypted;
a retrieval judgment step of performing a retrieval judgment on the ciphertext database table, specifically comprising: determining whether the database invokes a trigger and, if so, encrypting the data;
a policy management step of providing a login interface so that the user can input an encryption policy, wherein the encryption policy includes at least one of the following: the plaintext fields that need to be encrypted, and whether to retain the plaintext database table;
a data encryption step of, according to the received instruction from the database internal processing subsystem, replacing the plaintext fields that need to be encrypted in the database with mask fields and storing the correspondence between plaintext fields and mask fields; and further encrypting the data in the column of each plaintext field using the algorithm of MD5 plus random salt;
a data decryption step of decrypting the encrypted data in the database according to the received instruction from the database internal processing subsystem.
5. The autonomous controllable database data encryption and retrieval method based on random salt according to claim 4, characterized by further comprising:
a login authentication management module for authenticating the login account and password and managing encryption/decryption permissions; wherein the rights management module authenticates the login account and password using the RSA asymmetric encryption algorithm or an external digital certificate interface authentication mode.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610866064.9A CN106446196A (en) 2016-09-29 2016-09-29 Autonomous controllable database data encryption and retrieval method and system based on random salt

Publications (1)

Publication Number Publication Date
CN106446196A true CN106446196A (en) 2017-02-22

Family

ID=58171278

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610866064.9A Pending CN106446196A (en) 2016-09-29 2016-09-29 Autonomous controllable database data encryption and retrieval method and system based on random salt

Country Status (1)

Country Link
CN (1) CN106446196A (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101504668A (en) * 2009-03-24 2009-08-12 北京理工大学 Cryptograph index supported database transparent encryption method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
屈力: "密文数据库系统的研究与实现", 《中国优秀硕士学位论文全文数据库》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107480552A (en) * 2017-07-26 2017-12-15 北京北信源软件股份有限公司 Database encryption method and device
CN109684854A (en) * 2018-11-20 2019-04-26 华中科技大学 A kind of bottom data encryption method suitable for management information system in enterprise
CN109684854B (en) * 2018-11-20 2022-02-11 华中科技大学 Bottom data encryption method suitable for enterprise management information system
CN111984978A (en) * 2020-08-13 2020-11-24 成都安恒信息技术有限公司 High-expansibility password encryption storage method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170222
