CN106446196A - Autonomous controllable database data encryption and retrieval method and system based on random salt - Google Patents
Autonomous controllable database data encryption and retrieval method and system based on random salt Download PDFInfo
- Publication number
- CN106446196A CN106446196A CN201610866064.9A CN201610866064A CN106446196A CN 106446196 A CN106446196 A CN 106446196A CN 201610866064 A CN201610866064 A CN 201610866064A CN 106446196 A CN106446196 A CN 106446196A
- Authority
- CN
- China
- Prior art keywords
- data
- encryption
- clear
- subsystem
- field
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2458—Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Fuzzy Systems (AREA)
- Mathematical Physics (AREA)
- Probability & Statistics with Applications (AREA)
- Computational Linguistics (AREA)
- Data Mining & Analysis (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides an autonomous controllable database data encryption and retrieval method and system based on random salt. The system comprises a database internal processing subsystem and a data encryption subsystem. The database internal processing subsystem comprises an external interface calling module for calling the database encryption subsystem to encrypt/decrypt data, a database view decryption calling module for encrypting a plaintext database, a database trigger encryption calling module for encrypting the data when the data in the database calls a trigger, and an extension index interface encryption indexing module for generating indexes for the encrypted data. The data encryption subsystem comprises a strategy management module, a data encryption module and a data decryption module.
Description
Technical field
The invention belongs to field of information security technology, more particularly to a kind of autonomous controlled data storehouse based on random salt
Data encryption search method and system.
Background technology
As information technology is widely being used, increasing significant data is stored in the form of electronization and is located
Reason, although and the storage of this data and processing mode can improve convenience, but easily lead to data be stolen and
Distort.And it is attack database to steal in prior art with the modal mode of altered data, therefore how while ensureing data
The work efficiency of the safe database in storehouse is a current main direction of studying.This be due to:Solve database security
The maximally effective problem method of energy is exactly that the data for storing in data base are encrypted;But once all data are all carried out plus
It is difficult to after close effectively be retrieved, causes the work efficiency of data base drastically to decline.
Content of the invention
For there is a problem of in prior art that data base is difficult while ensureing safety and the ease for use of data, the present invention
Technical problem to be solved be provide a kind of more effectively and the efficient autonomous controlled data database data based on random salt is encrypted
Search method and system, to solve the problems, such as the leakage of data of data base, encryption data search problem, database performance problem.
In order to solve the above problems, the embodiment of the present invention proposes a kind of autonomous controlled data database data based on random salt
Encryption searching system, including:Data store internal processing subsystem data encryption subsystem;
Wherein the data store internal processing subsystem includes:For calling the data encryption subsystem to enter to data
The external interface calling module of row encryption/deciphering, the data base view deciphering for being encrypted to clear data storehouse table
Calling module, the database trigger for being used for during the data call trigger in data base being encrypted the data are encrypted
Calling module, the extension for being used for indexing encryption data generation index interface ciphering index module;Wherein,
Data base view deciphers calling module, for clear data storehouse table is copied to predeterminated position, and renaming this is bright
Literary database table and foundation and clear data storehouse table view of the same name, and the plaintext that will need in the clear data storehouse table to encrypt
Field is sent to the data encryption subsystem, and by the clear text field replace with data encryption subsystem determination with
The corresponding mask field of the clear text field, and the data in the clear text field are replaced with the data after encryption;
Extension index interface ciphering index module, for judging whether field to be checked is encrypted fields, if not
Encrypted fields, then executed after view query using the bitmap scan query expansion interface of data base, view be sent to data
Encryption subsystem is decrypted process;If encrypted fields, then according in data encryption subsystem store clear text field with
Corresponding relation between mask field determines the mask field in clear data storehouse, and by the clear text field in the clear data storehouse
Row in data be decrypted process;
Wherein the data encryption subsystem includes:
Policy management module, for login interface is provided so that user input encryption policy, the wherein encryption policy extremely
Include following at least one less:Need the clear text field of encryption, whether preserve clear data storehouse table;
Data encryption module, for the instruction according to the data store internal processing subsystem for receiving, to needing in data base
Clear text field to be encrypted is replaced by mask field, and the corresponding relation between clear text field and mask field is stored;
It is additionally operable to add the data in row of the algorithm of random salt to clear text field to be encrypted by MD5;
Data decryption module, for the instruction according to the data store internal processing subsystem for receiving, to adding in data base
Close data are decrypted.
Wherein, the data encryption subsystem also includes:
Authority management module, is managed for being authenticated to login account password and to encryption/decrypted rights;Wherein
The authority management module is close to login account using RSA rivest, shamir, adelman or external digital certificate interface authentication mode
Code is authenticated.
Wherein, the data store internal processing subsystem is also included for the logarithm when being modified to clear data storehouse table
According to the database trigger encryption calling module being encrypted, the database trigger encryption calling module is used for judging data
Whether storehouse have invoked trigger, if it is call data encryption subsystem to be encrypted data.
Meanwhile, the embodiment of the present invention also proposed a kind of autonomous controlled data database data encryption retrieval side based on random salt
Method, including:
Clear data storehouse list processing step, for copying to predeterminated position, and the renaming plaintext by clear data storehouse table
Database table and foundation and clear data storehouse table view of the same name, and the plaintext word that will need in the clear data storehouse table to encrypt
Section is sent to the data encryption subsystem, and the clear text field is replaced with data encryption subsystem determination with institute
The corresponding mask field of clear text field is stated, and the data in the clear text field are replaced with the data after encryption;
Searching step, for judging whether field to be checked is encrypted fields, if not encrypted fields, then using number
Execute after view query according to the bitmap scan query expansion interface in storehouse, view is sent to data encryption subsystem and is solved
Close process;If encrypted fields, then according to right between the clear text field for storing in data encryption subsystem and mask field
The mask field for determining in clear data storehouse should be related to, and the data in the mask field row in the clear data storehouse are solved
Close process;
Invocation step encrypted by trigger, and the major function of this functional module is to judge whether to call trigger, tactile when calling
When sending out device, the encrypting module of encryption and decryption software piece is called to be encrypted data by trigger.
Tactical management step, for login interface is provided so that user input encryption policy, the wherein encryption policy extremely
Include following at least one less:Need the clear text field of encryption, whether preserve clear data storehouse table;
Data encryption step, for the instruction according to the data store internal processing subsystem for receiving, to needing in data base
Clear text field to be encrypted is replaced by mask field, and the corresponding relation between clear text field and mask field is stored;
It is additionally operable to add the data in row of the algorithm of random salt to clear text field to be encrypted by MD5;
Data decryption step, for the instruction according to the data store internal processing subsystem for receiving, to adding in data base
Close data are decrypted.
Wherein methods described also includes:
Login authentication management module, is managed for being authenticated to login account password and to encryption/decrypted rights;
Wherein the authority management module is using RSA rivest, shamir, adelman or external digital certificate interface authentication mode to logging in account
Number password is authenticated.
The having the beneficial effect that of the technique scheme of the present invention:The embodiment of the present invention proposes a kind of based on random salt
Autonomous controlled data database data encryption search method and system, can be carried out at shielding to the preset field of clear data storehouse table
Reason, and the data in the preset field row are encrypted.While quickly can be obtained according to mask field in retrieval again
Corresponding clear text field, and the data in the bright text line are decrypted.Such scheme being capable of compromise between security and retrieval effect
Really.
Description of the drawings
Fig. 1 is the system structure topological diagram of the embodiment of the present invention.
Specific embodiment
For making the technical problem to be solved in the present invention, technical scheme and advantage clearer, below in conjunction with accompanying drawing and tool
Body embodiment is described in detail.
The embodiment of the present invention proposes a kind of autonomous controlled data database data encryption searching system based on random salt, bag
Include:Data store internal processing subsystem data encryption subsystem;
Wherein the data store internal processing subsystem includes:For calling the data encryption subsystem to enter to data
The external interface calling module of row encryption/deciphering, the data base view deciphering for being encrypted to clear data storehouse table
Calling module, the database trigger for being used for during the data call trigger in data base being encrypted the data are encrypted
Calling module, the extension for being used for indexing encryption data generation index interface ciphering index module;Wherein,
Data base view deciphers calling module, for clear data storehouse table is copied to predeterminated position, and renaming this is bright
Literary database table and foundation and clear data storehouse table view of the same name, and the plaintext that will need in the clear data storehouse table to encrypt
Field is sent to the data encryption subsystem, and by the clear text field replace with data encryption subsystem determination with
The corresponding mask field of the clear text field, and the data in the clear text field are replaced with the data after encryption;
Extension index interface ciphering index module, for judging whether field to be checked is encrypted fields, if not
Encrypted fields, then executed after view query using the bitmap scan query expansion interface of data base, view be sent to data
Encryption subsystem is decrypted process;If encrypted fields, then according in data encryption subsystem store clear text field with
Corresponding relation between mask field determines the mask field in clear data storehouse, and by the clear text field in the clear data storehouse
Row in data be decrypted process;
Wherein the data encryption subsystem includes:
Policy management module, for login interface is provided so that user input encryption policy, the wherein encryption policy extremely
Include following at least one less:Need the clear text field of encryption, whether preserve clear data storehouse table;
Data encryption module, for the instruction according to the data store internal processing subsystem for receiving, to needing in data base
Clear text field to be encrypted is replaced by mask field, and the corresponding relation between clear text field and mask field is stored;
It is additionally operable to add the data in row of the algorithm of random salt to clear text field to be encrypted by MD5;
Data decryption module, for the instruction according to the data store internal processing subsystem for receiving, to adding in data base
Close data are decrypted.
Wherein, the data encryption subsystem also includes:
Authority management module, is managed for being authenticated to login account password and to encryption/decrypted rights;Wherein
The authority management module is close to login account using RSA rivest, shamir, adelman or external digital certificate interface authentication mode
Code is authenticated.
Wherein, the data store internal processing subsystem is also included for the logarithm when being modified to clear data storehouse table
According to the database trigger encryption calling module being encrypted, the database trigger encryption calling module is used for judging data
Whether storehouse have invoked trigger, if it is call data encryption subsystem to be encrypted data.
Meanwhile, the embodiment of the present invention also proposed a kind of autonomous controlled data database data encryption retrieval side based on random salt
Method, including:
Clear data storehouse list processing step, for copying to predeterminated position, and the renaming plaintext by clear data storehouse table
Database table and foundation and clear data storehouse table view of the same name, and the plaintext word that will need in the clear data storehouse table to encrypt
Section is sent to the data encryption subsystem, and the clear text field is replaced with data encryption subsystem determination with institute
The corresponding mask field of clear text field is stated, and the data in the clear text field are replaced with the data after encryption;
Searching step, for judging whether field to be checked is encrypted fields, if not encrypted fields, then using number
Execute after view query according to the bitmap scan query expansion interface in storehouse, view is sent to data encryption subsystem and is solved
Close process;If encrypted fields, then according to right between the clear text field for storing in data encryption subsystem and mask field
The mask field for determining in clear data storehouse should be related to, and the data in the mask field row in the clear data storehouse are solved
Close process;
Invocation step encrypted by trigger, and the major function of this functional module is to judge whether to call trigger, tactile when calling
When sending out device, the encrypting module of encryption and decryption software piece is called to be encrypted data by trigger.
Tactical management step, for login interface is provided so that user input encryption policy, the wherein encryption policy extremely
Include following at least one less:Need the clear text field of encryption, whether preserve clear data storehouse table;
Data encryption step, for the instruction according to the data store internal processing subsystem for receiving, to needing in data base
Clear text field to be encrypted is replaced by mask field, and the corresponding relation between clear text field and mask field is stored;
It is additionally operable to add the data in row of the algorithm of random salt to clear text field to be encrypted by MD5;
Data decryption step, for the instruction according to the data store internal processing subsystem for receiving, to adding in data base
Close data are decrypted.
Wherein methods described also includes:
Login authentication management module, is managed for being authenticated to login account password and to encryption/decrypted rights;
Wherein the authority management module is using RSA rivest, shamir, adelman or external digital certificate interface authentication mode to logging in account
Number password is authenticated.
As shown in Figure 1, illustrated with a specific example below, in the present example using existing towards enterprise
The analytical type database management language of level application, the software is to carry out two with advanced PostgreSQL database PostgreSQL as core
Secondary exploitation and encapsulation are formed, and integrated easy to learn, easy-to-use, handy administration interface and aid meet power industry to data base
Stability, safety and Jian Min that software product is required.In safety, high availability and the autgmentability for ensureing management software
Meanwhile, development teams are tried one's best and reduce the holistic cost of software, strengthen the ease for use of software.The database management language is according to process
Flow process and function are divided, and management system is divided into connection management system, Complied executing system, storage management system, affairs
Management system, the most of composition of system table five.Certainly, this is merely illustrative, and those skilled in that art are appreciated that this
The method of bright embodiment can be used in any database management language.
In the present example, by changing the kernel of data base management system (DBMS) calling database management language external
Encryption and decryption software piece the function such as realize retrieving the encryption and decryption of data base.This invention encryption function is strong, does not affect data base administration
System (DBMS) is normally used, and realizes the perfect seamless combination of encryption and decryption technology database management system.
Database management language part:Which is on the basis of existing data base management system, changes the interior of data base
Core is supporting calling for data base's encryption and decryption software piece.
Data base view deciphers calling module:
The view of data base management system (DBMS) is an empty table, the operation to data base, and system is needed according to view
The associated base table of defining operation and view.The principle of data base view is made full use of to realizing the mistake to encryption data in table
Filter, projection, aggregation, association and functional operation.
The main function of the module be when the encryption data for judging user needs to back up in plain text, clear data table
The path that specifies is copied to, name table of bearing the same name, set up and table view of the same name, call the encryption calling module of trigger to enter line number
According to encryption.When judging user's clear data, it is not necessary to when backup in plain text, direct renaming table, sets up and table is of the same name
View, in view, call the deciphering module of external encryption and decryption software piece to be decrypted data.Can realize to data base
The certain field encryption of table.
Database trigger encrypts calling module:
The major function of this functional module is to judge whether to call trigger, when trigger is called, is called by trigger
The encrypting module of encryption and decryption software piece is encrypted to data.The trigger of data base is invoked automatically when database manipulation occurs
Function.Trigger for " BEFORE " and " INSTEAD OF " this kind of row rank judges, when the result for returning is
During NULL, then it represents that ignore the operation to current line, if returning the row of non-NULL, for INSERT, UPDATE operation, touch
Sending out device calls the encrypting module of encryption and decryption software piece to be encrypted data.
Extension index interface ciphering index module
Data base management system (DBMS) extension index interface ciphering index module executes and encryption data is indexed.Data base
Management system (DBMS) has five classes to index, and it is the whole number of traversal that from the beginning puts in place that the most frequently used index is B-tree, Index Scan
According to all row of table, from the beginning to the end, therefore when data volume is very big, efficiency is not very high;Bitmap scan disposably will be full
The index entry of sufficient condition all takes out, and is ranked up in internal memory, then accesses table data according to the index entry for taking out.This is special
Profit is encrypted retrieval using bitmap scan machine.Voluntarily write index Create Index, Insert, Delete,
The respective handling code that Update sentence is executed and bitmap scan is executed.By the mechanism, it is possible to use self-defining
Extension encrypted indexes, when the index enters line retrieval to encryption data, as bitmap scan will disposably meet the index of condition
Item all takes out, and is ranked up in internal memory, solves a difficult problem for encrypted data retrieval, significantly improves searching ciphertext
Efficiency.
External interface calling module, main offer connects enciphering and deciphering algorithm, the interface of encryption and decryption software piece, realizes to encryption and decryption
Software transfer, the control of authority independently of data base, the interface of the other software of AES.The technology for realizing this purpose is closed
Key is that external program is called and external communication support.Support that external program is called in data base, first have to define communication and connect
Mouthful.External call is made data base encryption function and decryption function by interface, is written as an independent data base and adds solution
Close software, operates in above independent server;Authorization check process is limited to the authority of power user, is carried so as to reach
The effect of high database management language performance.
Data base encryption decryption portion:
Account authority management module
The major function of account and authority management module is used for the login account Password Management of user and the authority of encryption and decryption
Management.Authentication is using RSA rivest, shamir, adelman or external digital certificate interface authentication mode.
Strategy setting module
The functional module is that user-defined interface is arranged, and user's definition arranges the database object of encryption:User is set
The row of Custom Encryption.Whether user preserves the strategy configuration such as plaintext.
Data base encryption module
The functional module is encrypted using the data by the way of MD5 adds random salt to data base.When user INSERT,
During UPDATE data, corresponding row name is carried out renaming calculating process, such as identity card duplication of name calculating is processed and becomes big Sophora japonica L.
Deng.The data of respective column be encrypted array function calculate plus random salt after MD5 calculate mode carry out data encryption.Example
Such as:MD5 (f (X)+random salt)
As data are magnanimity inside data base, other AESs are taken, amount of calculation is too big.Therefore using MD5 add with
The mode of machine salt improves security performance.
Data base's deciphering module
When view proposes decoding request, being decrypted for data base's encryption and decryption software piece is called.Carry out MD5 deciphering letter
Number ciphertext data;Delivery desalts;Anti- encryption array function calculating.
The method of the present invention can include:
1st, authentication is logged in
Data base's encryption and decryption software piece passes through RSA authentication or UKRY certification etc., and otherwise refusal is logged in;
Determine encrypted object, corresponding encrypting database, table, row are selected by user, if preserve the policing option of plaintext.
For new user setup encryption policy;
2nd, encryption judges
Judge whether user needs encryption data:When user does not need encryption data, send and asked to data base accordingly
Management system (DBMS), executes the operation of data base, exits flow process.When user needs encryption data, send a request in plain text
Backup judgement is processed;
3rd, backup judges in plain text
After CIPHERING REQUEST judges to finish, data base's encryption and decryption software piece judges whether need backup in plain text in plain text for the first time;
If user needs plaintext, trigger is sent a request to, the path for copying to and specifying of the same name for plaintext view, to needing to add
The view renaming of close table, carries out shielding processing to the field name for needing encryption:For example:Field identity card becomes field Herba Marsileae Quadrifoliae
Fruit tree.
When user proposes the request such as insertion and renewal, plaintext backup request is judged;If user has plaintext backup request,
The order datas such as trigger transmission insertion and the renewal of data base are called to enter plaintext table, sending CIPHERING REQUEST is carried out to encrypting module
Encryption;If without plaintext backup policy, send CIPHERING REQUEST and encrypting module is encrypted to encrypting module;
4th, encryption
Judge through encryption, after backup judges in plain text, encrypting module, it is handled as follows:Encrypted fields are mated, encryption
What field was stored in data base's encryption and decryption software piece is the field in plain text, after mating to encrypted fields, to needs encryption
Title carries out shielding processing;Random salt and encrypted fields ID random salt linked database is generated in encryption and decryption software piece.To correlation
The plaintext of the numerical value of field enters after line function is processed plus random salt generates new data;The data being combined into afterwards carry out MD5
Process, the data value after encryption by the trigger of data base go to encrypt view, correlation is carried out by the mechanism of data base
Storage operation
5th, encryption data trigger is processed
With the data after mask field title and encryption, behaviour is sent by data base's encryption and decryption software piece through encryption
Make requested database encryption and decryption interface, encryption and decryption interface sends a request to database trigger, and trigger enters according to data mechanism
Row associative operation.Whole ciphering process is completed;
6th, ciphertext data view is processed
Include to filter when user proposes in data base's encryption and decryption software piece to inquire about select request, project, assemble, associating and
Functional operation etc., flow process is as follows:
User proposes inquiry request in encryption and decryption software piece, first judges whether the field that inquires about is encrypted fields, if not
Being encrypted fields, request being directly transmitted to data base's bitmap scan query expansion interface, bitmap scan query expansion is pressed
Mechanism according to data base is executed after view query, and data base view sends decoding request to data base's encryption and decryption interface interchange data
The decryption program of storehouse encryption and decryption software piece;After the encode MD5 deciphering of decryption program elder generation, delivery desalts, and carries out reverse encryption array function
Calculate returned data.If encrypted fields, field is carried out after mask function process, in encryption and decryption software piece inquiry random salt and
After encrypted fields ID random salt linked database, after the numerical value for processing through mask function has been added random salt, MD5 is carried out
Data base's bitmap scan query expansion interface is sent to after encryption, bitmap scan query expansion is according to data base's
Mechanism executes view query, view sends solution of the decoding request to data base's encryption and decryption interface interchange data base's encryption and decryption software piece
Close program;After the Encode MD5 deciphering of decryption program elder generation, delivery desalts, and carries out reverse encryption array function and calculates returned data.
The above is the preferred embodiment of the present invention, it is noted that for those skilled in the art
For, on the premise of without departing from principle of the present invention, some improvements and modifications can also be made, these improvements and modifications
Should be regarded as protection scope of the present invention.
Claims (5)
1. a kind of autonomous controlled data database data based on random salt encrypts searching system, it is characterised in that include:In data base
Portion's processing subsystem data encryption subsystem;
Wherein the data store internal processing subsystem includes:For calling the data encryption subsystem carrying out to data plus
The external interface calling module of close/deciphering, the data base view deciphering for being encrypted to clear data storehouse table are called
Module, the database trigger encryption for being used for during the data call trigger in data base being encrypted the data are called
Module, the extension for being used for indexing encryption data generation index interface ciphering index module;Wherein,
Data base view deciphers calling module, for clear data storehouse table is copied to predeterminated position, and the renaming plaintext number
According to Ku Biao and set up with clear data storehouse table view of the same name, and will need in the clear data storehouse table encrypt clear text field
Be sent to the data encryption subsystem, and the clear text field is replaced with data encryption subsystem determination with described
The corresponding mask field of clear text field, and the data in the clear text field are replaced with the data after encryption;
Extension index interface ciphering index module, for judging whether field to be checked is encrypted fields, if not encryption
Field, then executed after view query using the bitmap scan query expansion interface of data base, view be sent to data encryption
Subsystem is decrypted process;If encrypted fields, then according to the clear text field for storing in data encryption subsystem and shielding
Corresponding relation between field determines the mask field in clear data storehouse, and the row by the clear text field in the clear data storehouse
In title be decrypted process;
Wherein the data encryption subsystem includes:
Policy management module, for providing login interface so that user formulates encryption policy, the wherein encryption policy at least wraps
Include following at least one:Arranging needs the field of encryption, arranges whether preserve clear data;
Data encryption module, for according to the instruction of data store internal processing subsystem for receiving, to needing in data base plus
Close clear text field is replaced by mask field, and the corresponding relation between clear text field and mask field is stored;Also use
It is encrypted in the data in row of the algorithm of random salt to clear text field are added by MD5;
Data decryption module, for the instruction according to the data store internal processing subsystem for receiving, to encryption in data base
Data are decrypted.
2. the autonomous controlled data database data based on random salt according to claim 1 encrypts searching system, and its feature exists
In the data encryption subsystem also includes:
Authority management module, is managed for being authenticated to login account password and to encryption/decrypted rights;Wherein described
Authority management module is entered to login account password using RSA rivest, shamir, adelman or external digital certificate interface authentication mode
Row certification.
3. the autonomous controlled data database data based on random salt according to claim 1 encrypts searching system, and its feature exists
In the data store internal processing subsystem is also included for being encrypted to data when being modified to clear data storehouse table
Database trigger encryption calling module, database trigger encryption calling module is used for judging whether data base calls
Trigger, if it is calls the data encryption subsystem to be encrypted data.
4. a kind of autonomous controlled data database data based on random salt encrypts search method, it is characterised in that include:
Clear data storehouse list processing step, for copying to predeterminated position, and the renaming clear data by clear data storehouse table
Storehouse table and foundation and clear data storehouse table view of the same name, and the clear text field for needing in the clear data storehouse table to encrypt is sent out
Be sent to the data encryption subsystem, and the clear text field is replaced with data encryption subsystem determination with stated clearly
The corresponding mask field of word section, and the data in the clear text field are replaced with the data after encryption;
Searching step, for judging whether field to be checked is encrypted fields, if not encrypted fields, then using data base
Bitmap scan query expansion interface execute view query after, view is sent to data encryption subsystem and is decrypted place
Reason;If encrypted fields, then according to the corresponding pass between the clear text field for storing in data encryption subsystem and mask field
System determines the mask field in clear data storehouse, and the data in the mask field row in the clear data storehouse are decrypted place
Reason;
Retrieval judges step, for entering line retrieval judgement to ciphertext database table;Specifically include:Judge whether data base calls
Data are if it is encrypted by trigger.
Tactical management step, for providing login interface so that user input encryption policy, the wherein encryption policy are at least wrapped
Include following at least one:Need the clear text field of encryption, whether preserve clear data storehouse table;
Data encryption step, for according to the instruction of data store internal processing subsystem for receiving, to needing in data base plus
Close clear text field is replaced by mask field, and the corresponding relation between clear text field and mask field is stored;Also use
It is encrypted in the data in row of the algorithm of random salt to clear text field are added by MD5;
Data decryption step, for the instruction according to the data store internal processing subsystem for receiving, to encryption in data base
Data are decrypted.
5. the autonomous controlled data database data based on random salt according to claim 4 encrypts search method, and its feature exists
In also including:
Login authentication management module, is managed for being authenticated to login account password and to encryption/decrypted rights;Wherein
The authority management module is close to login account using RSA rivest, shamir, adelman or external digital certificate interface authentication mode
Code is authenticated.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610866064.9A CN106446196A (en) | 2016-09-29 | 2016-09-29 | Autonomous controllable database data encryption and retrieval method and system based on random salt |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610866064.9A CN106446196A (en) | 2016-09-29 | 2016-09-29 | Autonomous controllable database data encryption and retrieval method and system based on random salt |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106446196A true CN106446196A (en) | 2017-02-22 |
Family
ID=58171278
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610866064.9A Pending CN106446196A (en) | 2016-09-29 | 2016-09-29 | Autonomous controllable database data encryption and retrieval method and system based on random salt |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106446196A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107480552A (en) * | 2017-07-26 | 2017-12-15 | 北京北信源软件股份有限公司 | Database encryption method and device |
CN109684854A (en) * | 2018-11-20 | 2019-04-26 | 华中科技大学 | A kind of bottom data encryption method suitable for management information system in enterprise |
CN111984978A (en) * | 2020-08-13 | 2020-11-24 | 成都安恒信息技术有限公司 | High-expansibility password encryption storage method |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101504668A (en) * | 2009-03-24 | 2009-08-12 | 北京理工大学 | Cryptograph index supported database transparent encryption method |
-
2016
- 2016-09-29 CN CN201610866064.9A patent/CN106446196A/en active Pending
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101504668A (en) * | 2009-03-24 | 2009-08-12 | 北京理工大学 | Cryptograph index supported database transparent encryption method |
Non-Patent Citations (1)
Title |
---|
屈力: "密文数据库系统的研究与实现", 《中国优秀硕士学位论文全文数据库》 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107480552A (en) * | 2017-07-26 | 2017-12-15 | 北京北信源软件股份有限公司 | Database encryption method and device |
CN109684854A (en) * | 2018-11-20 | 2019-04-26 | 华中科技大学 | A kind of bottom data encryption method suitable for management information system in enterprise |
CN109684854B (en) * | 2018-11-20 | 2022-02-11 | 华中科技大学 | Bottom data encryption method suitable for enterprise management information system |
CN111984978A (en) * | 2020-08-13 | 2020-11-24 | 成都安恒信息技术有限公司 | High-expansibility password encryption storage method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106934030B (en) | Ciphertext indexing method for database encryption and in-library encryption system | |
US10002152B2 (en) | Client computer for updating a database stored on a server via a network | |
Demertzis et al. | Fast searchable encryption with tunable locality | |
CN101639882B (en) | Database security system based on storage encryption | |
US9866375B2 (en) | Multi-level key management | |
US9158933B2 (en) | Protection of encryption keys in a database | |
CN107370730A (en) | A kind of log-on message processing method and equipment | |
CN102855448B (en) | A kind of Field-level database encryption device | |
Hang et al. | ENKI: access control for encrypted query processing | |
CN112989375B (en) | Hierarchical optimization encryption lossless privacy protection method | |
CN103870525A (en) | Secure search processing system and secure search processing method | |
CN104009987A (en) | Fine-grained cloud platform security access control method based on user identity capacity | |
CN106330934A (en) | Distributed database system authority management method and device | |
CN104036050A (en) | Complex query method for encrypted cloud data | |
EP1934713A2 (en) | System and method for protecting sensitive data | |
CN106874516A (en) | Efficient cipher text retrieval method based on KCB trees and Bloom filter in a kind of cloud storage | |
CN106446196A (en) | Autonomous controllable database data encryption and retrieval method and system based on random salt | |
CN105528556A (en) | Hybrid SQLite3 safety access method | |
CN106934301A (en) | A kind of safely outsourced data processing method of relevant database for supporting ciphertext data manipulation | |
CN106326666A (en) | Health record information management service system | |
CN105160272B (en) | A kind of safe encryption method and system based on autonomous controlled data library | |
CN114579998A (en) | Block chain assisted medical big data search mechanism and privacy protection method | |
Li | Research of key technologies on encrypting vector spatial data in oracle spatial | |
Kabir et al. | A dynamic searchable encryption scheme for secure cloud server operation reserving multi-keyword ranked search | |
CN106250453A (en) | The cipher text retrieval method of numeric type data based on cloud storage and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20170222 |
|
RJ01 | Rejection of invention patent application after publication |