CN108509805A - Data encryption and decryption and desensitization runtime engine and its working method

Publication number
CN108509805A
Authority
CN
China
Legal status
Pending
Application number
CN201810236550.1A
Other languages
Chinese (zh)
Inventor
王浩
李键
邓双林
徐德意
邓远杰
Current Assignee
SHENZHEN TYDIC INFORMATION TECHNOLOGY Co Ltd
Original Assignee
SHENZHEN TYDIC INFORMATION TECHNOLOGY Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/547 Remote procedure calls [RPC]; Web services

Abstract

The present invention relates to a data encryption and decryption and desensitization runtime engine, its working method, and a computer-readable storage medium. The working method comprises: Step 10, an SDK client integrated into the business system intercepts each SQL statement and decides, according to the metadata configuration, whether it needs to be rewritten; SQL statements that need no rewriting are sent directly to the database, and SQL statements that need rewriting are sent to the security service to be rewritten. Step 20, the security service receives the SQL statement to be rewritten, rewrites it according to the metadata configuration, and returns the rewritten SQL statement to the SDK client, which then issues the rewritten statement to the database. Step 30, for a request that involves desensitization, the database extension function acts as an RPC client and calls the computing component of the RPC computing service to return the result. By using a client SDK model, the invention avoids the risk of business unavailability that the transparent-encryption gateway proxy model introduces through its stability.

Description

Data encryption and decryption and desensitization runtime engine and its working method
Technical field
The present invention relates to the technical field of information system security, and in particular to a data encryption and decryption and desensitization runtime engine, its working method, and a computer-readable storage medium.
Background
User account information leaks currently occur frequently in domestic information systems, and large amounts of data containing sensitive information are exported from databases. Storing sensitive information in plaintext is unsafe, and displaying sensitive information in plaintext is also unsafe. Encrypted storage of data and desensitized display of data are important security measures against data leakage. Current encrypted storage and desensitization must solve many technical problems, including compatibility with both relational and NoSQL databases, support for range queries over ciphertext, transparent encryption (i.e., the business system needs little modification), keeping the business system stable once it integrates database encryption and decryption, and the complexity of business desensitization logic. Existing solutions at home and abroad are as follows:
Transparent encryption uses a gateway proxy model: a proxy layer is added between the database and the business system to encrypt and decrypt the data, and the proxy layer returns the result to the client. The proxy layer is a single point of failure caused by its performance bottleneck, so the stability of the proxy layer determines the stability of the business system. Proxy layer stability directly affects the business systems of multiple databases;
To be compatible with both relational and NoSQL databases, the transparent-encryption proxy gateway model faces difficult protocol adaptation: the proxy must adapt to the communication protocols of databases such as hive, hbase, mysql and oracle for the communication between the proxy and each of them;
Ciphertext range queries are indexed with ciphertext produced by an order-preserving encryption algorithm, but only numeric range queries are supported; string range queries are not.
Existing transparent encryption technology does not include desensitization, because desensitization involves business desensitization logic; for example, data is desensitized for a given operator ID (work number) only in certain business scenarios. Extension functions inside the database alone cannot implement this logic, and desensitization logic consumes database CPU directly.
Summary of the invention
Therefore, the purpose of the present invention is to provide a data encryption and decryption and desensitization runtime engine, a working method, and a computer-readable storage medium that solve the risk of business unavailability which the existing transparent-encryption gateway proxy model introduces through its stability.
To achieve the above object, the present invention provides a data encryption and decryption and desensitization runtime engine, including:
An SDK client, integrated into the business system to intercept SQL statements and decide according to the metadata configuration whether they need to be rewritten; SQL statements that need no rewriting are sent directly to the database, and SQL statements that need rewriting are sent to the security service to be rewritten;
A security service, which receives the SQL statement to be rewritten, rewrites it according to the metadata configuration, and returns the rewritten SQL statement to the SDK client; the SDK client then issues the rewritten SQL statement to the database;
A database extension function, which, when a request involves desensitization, acts as an RPC client and calls the computing component of the RPC computing service to return the result.
The engine further includes a metadata configuration management module for configuring metadata; the metadata includes the desensitized fields of each type of database, the encryption algorithm, and the desensitization field rule configuration.
The database extension functions include:
String index function: uses per-character encryption to generate an index ciphertext string from the plaintext;
Numeric index function: uses order-preserving encryption to generate an order-equivalent index value from a number;
Encryption function: generates ciphertext from plaintext;
Decryption function: generates plaintext from ciphertext;
Desensitization function: outputs desensitized text from plaintext.
The present invention also provides a working method of the data encryption and decryption and desensitization runtime engine, including:
Step 10, the SDK client integrated into the business system intercepts SQL statements and decides according to the metadata configuration whether they need to be rewritten; SQL statements that need no rewriting are sent directly to the database, and SQL statements that need rewriting are sent to the security service to be rewritten;
Step 20, the security service receives the SQL statement to be rewritten, rewrites it according to the metadata configuration, and returns the rewritten SQL statement to the SDK client; the SDK client then issues the rewritten SQL statement to the database;
Step 30, for a request that involves desensitization, the database extension function acts as an RPC client and calls the computing component of the RPC computing service to return the result.
The method further includes the step of configuring metadata through the metadata configuration management module; the metadata includes the desensitized fields of each type of database, the encryption algorithm, and the desensitization field rule configuration.
In step 20, after the security service receives the SQL statement to be rewritten, it uses the sensitive field definitions in the metadata configuration to determine which sensitive fields in the SQL statement involve encryption or desensitization, and prepares to rewrite the statement; the security service analyzes the SQL syntax tree, finds the sensitive fields involved, and completes the SQL rewrite.
The SQL syntax tree is produced by a SQL analysis engine that supports Phoenix syntax, Hive SQL syntax, and relational database syntax.
The database extension functions include:
String index function: uses per-character encryption to generate an index ciphertext string from the plaintext;
Numeric index function: uses order-preserving encryption to generate an order-equivalent index value from a number;
Encryption function: generates ciphertext from plaintext;
Decryption function: generates plaintext from ciphertext;
Desensitization function: outputs desensitized text from plaintext.
The ciphertext range query steps include:
Numbers and strings generate index data with order-preserving encryption and per-character encryption respectively, and the index data is stored in a database index column;
The basic query flow has two stages. The first stage uses the ciphertext index column as the query condition: the query value is converted by the index data generation algorithm to produce the query condition;
The second stage is a query over the first-stage result. It uses the ciphertext column as the query condition: the ciphertext column is decrypted with the decryption algorithm and the condition is applied again.
The present invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the working method of the data encryption and decryption and desensitization runtime engine described in any of the above.
In summary, the data encryption and decryption and desensitization runtime engine, working method, and computer-readable storage medium of the present invention use a client SDK model to avoid the risk of business unavailability that the transparent-encryption gateway proxy model introduces through its stability; the external desensitization computing service removes desensitization-related CPU computation from the database.
Description of the drawings
The technical solution and other beneficial effects of the present invention will become apparent from the following detailed description of specific embodiments, taken together with the accompanying drawings.
In the drawings,
Fig. 1 is a schematic diagram of the overall framework and operating principle of a preferred embodiment of the data encryption and decryption and desensitization runtime engine of the present invention;
Fig. 2 is a schematic diagram of the operating principle of the database extension functions in a preferred embodiment of the data encryption and decryption and desensitization runtime engine of the present invention;
Fig. 3 is a flow chart of a preferred embodiment of the working method of the data encryption and decryption and desensitization runtime engine of the present invention.
Detailed description
Fig. 1 is a schematic diagram of the overall framework and operating principle of a preferred embodiment of the data encryption and decryption and desensitization runtime engine of the present invention. The engine mainly includes an SDK client, a security service, and database extension functions.
The SDK client is integrated into the business system. It intercepts SQL statements and decides according to the metadata configuration whether they need to be rewritten; SQL statements that need no rewriting are sent directly to the database, and SQL statements that need rewriting are sent to the security service to be rewritten. The SDK client can send its requests to the security service over the HTTP protocol.
The security service receives the SQL statement to be rewritten, rewrites it according to the metadata configuration, and returns the rewritten SQL statement to the SDK client, which then issues the rewritten statement to the database. The security service takes the SQL statement and the sensitive field definitions in the metadata configuration, determines which sensitive fields in the SQL statement involve encryption or desensitization, and prepares to rewrite the statement; it analyzes the SQL syntax tree, finds the sensitive fields involved, and completes the SQL rewrite. The SQL syntax tree can be produced by a SQL analysis engine that supports Phoenix syntax, Hive SQL syntax, and relational database syntax.
The security service returns the rewritten SQL statement to the SDK client. The SDK client issues the rewritten SQL statement to the database and returns the result.
For a request that involves desensitization, the database extension function can return data through the RPC computing service: the database extension function acts as an RPC client and calls the computing component of the RPC computing service to return the result.
The whole flow has no proxy gateway. After rewriting, the SQL statement is still sent from the business system directly to the database, so the business system cannot be left unable to process business because of proxy stability problems, as happens with the prior-art proxy model. Even if the rewriting engine fails, only the business related to sensitive fields is affected; SQL statements that do not involve sensitive fields continue to work normally for the business system.
The present invention can also include a metadata configuration management module for configuring metadata. The metadata can specifically include the desensitized fields of each type of database, the encryption algorithm (AES, DES, national cryptographic algorithm), and the desensitization field configuration. The security service and the SDK client rely on the metadata for the logic of SQL rewriting.
Fig. 2 is a schematic diagram of the operating principle of the database extension functions in a preferred embodiment of the engine. The database extension functions can be developed as custom functions separately for hbase, hive, mysql and oracle. For HBase the custom functions are based on Phoenix syntax, for Hive on Hive SQL syntax, for MySQL on C++, and for Oracle on Java and C++.
The RPC computing service may include: a computing component; an abnormal-behavior storage module set up according to preset desensitization logic, such as a system work-number abnormal-behavior storage module; encryption, decryption and desensitization services; and numeric and string ciphertext index services. Desensitization logic tied to business scenarios in the business system, such as work numbers (for example the system work-number abnormal-behavior storage module), can be implemented by the computing component. The computation runs on a separate host outside the database server, and the database extension function acts as the client of the computing component, calling it and returning the result. Besides the system work-number abnormal-behavior storage module, other corresponding abnormal-behavior storage modules can be established for other desensitization logic.
The CPU-consuming cryptographic operations are moved out of the database extension functions into the computing component. Besides implementing desensitization logic in the computing component, the RPC computing service can further provide encryption, decryption and desensitization services, as well as numeric and string ciphertext index services.
The present invention integrates encryption, decryption and desensitization for relational databases and NoSQL databases. The business system does not need a proxy gateway; it only needs to integrate the SDK client to encrypt, decrypt and desensitize sensitive data.
Fig. 3 is a flow chart of a preferred embodiment of the working method of the data encryption and decryption and desensitization runtime engine of the present invention. A preferred embodiment of the present invention correspondingly provides the working method of the above engine, which mainly includes:
Step 10, the SDK client integrated into the business system intercepts SQL statements and decides according to the metadata configuration whether they need to be rewritten; SQL statements that need no rewriting are sent directly to the database, and SQL statements that need rewriting are sent to the security service to be rewritten. Compared with the prior-art proxy model, in which every SQL statement must be relayed through the proxy, this step has the clear advantage that SQL statements unrelated to sensitive fields operate on the database directly;
Step 20, the security service receives the SQL statement to be rewritten, rewrites it according to the metadata configuration, and returns the rewritten SQL statement to the SDK client, which then issues the rewritten statement to the database. The security service of the present invention can be developed on a distributed architecture; horizontal scaling overcomes the limitation of the existing proxy model, which is constrained by the number of database connections, and clearly improves performance. Horizontal scaling based on load balancing also increases the stability of the security service, improving the availability of the business system's sensitive-data operations;
Step 30, for a request that involves desensitization, the database extension function acts as an RPC client and calls the computing component of the RPC computing service to return the result.
In step 20, after the security service receives the SQL statement to be rewritten, it uses the sensitive field definitions in the metadata configuration to determine which sensitive fields in the SQL statement involve encryption or desensitization, and prepares to rewrite the statement; the security service analyzes the SQL syntax tree, finds the sensitive fields involved, and completes the SQL rewrite. The SQL syntax tree is produced by a SQL analysis engine that supports Phoenix syntax, Hive SQL syntax, and relational database syntax.
In a preferred embodiment of the present invention, the database extension functions can specifically include:
(1) STR_IDX_ENCRYPT, the string index function. It uses per-character encryption: each character is hashed with MD5, and the first N characters of each resulting ciphertext are concatenated to form the index ciphertext string. The input parameter is the plaintext and the output is the index ciphertext string; the function generates the index ciphertext string from the plaintext.
(2) NUM_IDX_ENCRYPT, the numeric index function. It uses order-preserving encryption. The input parameter is a number and the output is the order-equivalent index value; the function generates the order-equivalent index value from the number.
(3) ENCRYPT, the encryption function. The input parameters are the plaintext, a hexadecimal key string, and the encryption algorithm name (DES, AES, national cryptographic algorithm, etc.); the output is the hexadecimal ciphertext string of the encrypted column. The function generates ciphertext from plaintext.
(4) DECRYPT, the decryption function. The input parameters are the hexadecimal ciphertext string, a hexadecimal key string, and the decryption algorithm name (DES, AES, national cryptographic algorithm, etc.); the output is the plaintext. The function generates plaintext from ciphertext.
(5) MASK, the desensitization function. The input parameters are the plaintext, the desensitization rule ID, and the user ID; the output is the desensitized text. The function outputs desensitized text from plaintext. The user ID determines whether the user is permitted to view plaintext data; that is, sensitive fields are visible to some users and desensitized for others.
The present invention uses a two-stage index range query to implement in-database range queries over ciphertext for numbers and strings. To implement ciphertext range queries, numbers and strings generate index data with order-preserving encryption and per-character encryption respectively, and the index data is stored in a database index column. Index column data cannot be decrypted and is used only for range queries. Equality queries are based on the ciphertext field. The basic query flow has two stages: the first stage is a rough range query on the index ciphertext, and the second stage is an exact query over the result of the first-stage rough range query:
The first stage uses the ciphertext index column as the query condition: the query value is converted by the index data generation algorithm (the string index function or the numeric index function) to produce the query condition. If the queried column is a string type, taking the query keyword Beijing as an example and denoting the index algorithm STR_IDX_ENCRYPT, the query condition is IDX like 'STR_NUM_IDX_ENCRYPT("Beijing")%'. If the queried column is a numeric type, the query condition is IDX >= NUM_IDX_ENCRYPT(range start value) and IDX <= NUM_IDX_ENCRYPT(range end value).
The second stage uses the ciphertext column as the query condition: the ciphertext column is decrypted with the decryption algorithm (the decryption function) and the condition is applied again. If the queried column is a string type, taking the query keyword Beijing as an example and denoting the decryption algorithm DECRYPT, the query condition is DECRYPT(ciphertext column) like 'Beijing%'. If the queried column is a numeric type, this stage is optional, but it guards against an inaccurate first-stage query; the query condition is DECRYPT(ciphertext column) >= range start value and <= range end value.
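The two-stage string range query described above, as an added Python example that is not part of the patent: the index follows the STR_IDX_ENCRYPT description (MD5 per character, first N hex digits kept), while the XOR-keystream cipher standing in for ENCRYPT/DECRYPT, the key, the in-memory rows, the accounts D003 and D004, and all Python names are assumptions made for illustration.

```python
import hashlib

KEY = b"constructed-demo-key"  # constructed key, used only by this example

# D001/D002 are the rows of the patent's Table 1; D003/D004 are constructed.
SAMPLE_ACCOUNTS = [
    ("D001", "421081288812260001"),
    ("D002", "421081288812260002"),
    ("D003", "410000000000000003"),
    ("D004", "110000000000000004"),
]


def str_idx_encrypt(plaintext, n):
    """Per-character index: MD5 each character, keep its first n hex digits."""
    return "".join(hashlib.md5(c.encode("utf-8")).hexdigest()[:n] for c in plaintext)


def _keystream(key, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext, key):
    """Stand-in for ENCRYPT (assumption: NOT a secure cipher, demo only)."""
    data = plaintext.encode("utf-8")
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data)))).hex()


def decrypt(ciphertext_hex, key):
    """Stand-in for DECRYPT, inverse of encrypt() above."""
    data = bytes.fromhex(ciphertext_hex)
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data)))).decode("utf-8")


def build_table(accounts, n):
    """Store only ciphertext and index data, as the engine's INSERT rewrite would."""
    return [
        {"USERID": uid, "IDCARD": encrypt(idcard, KEY), "IDCARD_IDX": str_idx_encrypt(idcard, n)}
        for uid, idcard in accounts
    ]


def stage_one(rows, prefix, n):
    """Rough query: IDCARD_IDX LIKE str_idx_encrypt(prefix) || '%'."""
    wanted = str_idx_encrypt(prefix, n)
    return [r for r in rows if r["IDCARD_IDX"].startswith(wanted)]


def stage_two(candidates, prefix):
    """Exact query: DECRYPT(IDCARD) LIKE prefix || '%' over the stage-one rows."""
    return [r["USERID"] for r in candidates if decrypt(r["IDCARD"], KEY).startswith(prefix)]


def range_query(rows, prefix, n):
    return stage_two(stage_one(rows, prefix, n), prefix)


if __name__ == "__main__":
    table = build_table(SAMPLE_ACCOUNTS, 1)
    print("stage one:", [r["USERID"] for r in stage_one(table, "42", 1)])
    print("stage two:", range_query(table, "42", 1))
```

With N = 1 the truncated digests of "1" and "2" coincide, so stage one returns D003 as a false positive and stage two removes it. Each index chunk is an unkeyed, deterministic hash of a single character, so equal characters and shared prefixes remain visible in the index column, which therefore needs the same access control as the ciphertext column.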
Taking an Oracle database as an example, the following walks through how the core SQL CRUD statements are transformed, using concrete business system scenarios to illustrate the data encryption and decryption and desensitization runtime engine of the present invention and its working method.
As shown in Table 1 below, the account table ACCOUT contains the account field USERID and the identity card field IDCARD; the password is generated by default and is not described in this example. As shown in Table 2 below, the metadata configuration table META specifies that the IDCARD field of the account table ACCOUT must be encrypted and desensitized; a flag of 1 means yes.
Account USERID    Identity card IDCARD
D001              421081288812260001
D002              421081288812260002
Table 1: Account table ACCOUT
Table name    Field name    Encrypt    Desensitize    Desensitization rule
ACCOUT        IDCARD        1          1              38
Table 2: Metadata configuration table META
I. SQL insert rewriting
(1) At the business system's account registration entry point, the registering user enters an account and an identity card for real-name authentication, completing the most basic account registration logic.
(2) The business system generates an INSERT statement to send to the database: INSERT INTO ACCOUT (USERID, IDCARD) VALUES (?, ?)
(3) The SDK client makes the first check: according to the configuration in the metadata configuration table META, it determines whether the SQL involves the ACCOUT table, which needs encryption. If it does, the SDK client asks the security service to rewrite the SQL. If it does not, the SQL is not rewritten; SQL that involves no sensitive field is sent directly to the database. Compared with the prior-art proxy model, in which every SQL statement must be relayed through the proxy, this step has the clear advantage that SQL statements unrelated to sensitive fields operate on the database directly.
(4) The security service makes the second check: whether the IDCARD field of the ACCOUT table in the SQL needs encryption. If so, the INSERT statement is rewritten as INSERT INTO ACCOUT (USERID, IDCARD) VALUES (?, ENCRYPT(?, 'key string')). If not, the original SQL is returned unchanged. The security service of the present invention is developed on a distributed architecture; horizontal scaling overcomes the limitation of the existing proxy model, which is constrained by the number of database connections, and clearly improves performance. Horizontal scaling based on load balancing also increases the stability of the security service, improving the availability of the business system's sensitive-data operations.
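The two checks in the insert flow above, as an added Python sketch that is not the patent's code: the SDK client routes a statement either straight to the database or through a rewrite step, and the rewrite wraps the bind placeholder of each encrypted column in ENCRYPT(?, 'key string') as in step (4). The regex matching (the patent describes a SQL syntax tree), the Python names, the ORDERS table used in testing, and the choice to refuse a sensitive statement when the rewrite fails are assumptions.

```python
import re

# Constructed stand-in for the metadata configuration table META (Table 2).
META = {"ACCOUT": {"IDCARD": {"encrypt": True, "mask": True, "rule": 38}}}

# Simplification: names are matched with regexes instead of a SQL syntax tree.
_TABLE_RE = re.compile(r"\b(?:INTO|FROM|UPDATE|JOIN)\s+([A-Za-z_]\w*)", re.IGNORECASE)
_INSERT_RE = re.compile(
    r"^\s*INSERT\s+INTO\s+(\w+)\s*\(([^()]*)\)\s*VALUES\s*\(([^()]*)\)\s*;?\s*$",
    re.IGNORECASE,
)


class RewriteUnavailable(Exception):
    """A statement touching a sensitive table could not be rewritten."""


def needs_rewrite(sql, meta=META):
    """First check (SDK client): does the SQL name a table listed in META?"""
    return any(name.upper() in meta for name in _TABLE_RE.findall(sql))


def rewrite_insert(sql, meta=META):
    """Second check (security service): wrap values of encrypted columns."""
    match = _INSERT_RE.match(sql)
    if match is None:
        raise ValueError("only flat INSERT ... VALUES statements are handled here")
    table = match.group(1).upper()
    columns = [c.strip() for c in match.group(2).split(",")]
    values = [v.strip() for v in match.group(3).split(",")]
    if len(columns) != len(values) or any(v != "?" for v in values):
        raise ValueError("expected one '?' bind placeholder per column")
    fields = meta.get(table, {})
    rewritten = [
        # 'key string' is the placeholder used in the patent's rewritten SQL.
        "ENCRYPT(?, 'key string')" if fields.get(c.upper(), {}).get("encrypt") else "?"
        for c in columns
    ]
    return f"INSERT INTO {table} ({', '.join(columns)}) VALUES ({', '.join(rewritten)})"


def sdk_execute(sql, rewrite_service, db_execute, meta=META):
    """Route one intercepted statement the way the SDK client is described to."""
    if not needs_rewrite(sql, meta):
        return db_execute(sql)  # no sensitive table: straight to the database
    try:
        rewritten = rewrite_service(sql)
    except Exception as exc:
        # Assumption: fail closed, so plaintext never reaches a sensitive column.
        raise RewriteUnavailable("rewrite failed; statement not sent") from exc
    return db_execute(rewritten)


if __name__ == "__main__":
    sdk_execute("INSERT INTO ACCOUT (USERID, IDCARD) VALUES (?, ?)", rewrite_insert, print)
```

A rewrite that places the key in the statement text, as the patent's example does, also places it wherever SQL text is logged or traced, so those logs need the same protection as the key.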
II. SQL paging query rewriting
(1) The business system queries account information; when the information is viewed, the identity card information must be displayed desensitized.
(2) The business system generates a SELECT statement to send to the database; the SELECT SQL statement is
(3) The SDK client determines, according to the configuration in the metadata configuration table META, whether the SQL involves the ACCOUT table, which needs encryption. If it does, the SDK client asks the security service to rewrite the SQL. If it does not, the SQL is not rewritten; SQL that involves no sensitive field is sent directly to the database. Because the IDCARD field was stored encrypted and must also be desensitized, it has to be decrypted first and then desensitized.
(4) The security service makes the second check: the IDCARD field of the ACCOUT table in the SQL needs encryption and desensitization, and the desensitization rule is 38. If so, the SELECT SQL statement is rewritten as
The system user ID determines whether IDCARD is displayed desensitized, which limits the set of users who can view the desensitized information. Together with other measures such as auditing views of desensitized information, this meets the business system's requirement for differentiated desensitization and enables monitoring of who views desensitized information.
III. SQL string range query rewriting
(1) The business system runs a range query on identity cards, querying those that begin with a province number.
(2) The business system generates a SELECT statement to send to the database; the SELECT SQL statement is
(3) The SDK client determines, according to the configuration in the metadata configuration table META, whether the SQL involves the ACCOUT table, which needs encryption. If it does, the SDK client asks the security service to rewrite the SQL. If it does not, the SQL is not rewritten; SQL that involves no sensitive field is sent directly to the database. Because the IDCARD field was stored encrypted and must also be desensitized, it has to be decrypted first and then desensitized.
(4) The security service makes the second check: the IDCARD field of the ACCOUT table in the SQL needs encryption and desensitization, and the desensitization rule is 38. If so, the SELECT SQL statement is rewritten as
During rewriting, an Oracle syntax hint is added to the SQL so that the first-stage rough range query runs first, querying the index data in the IDCARD_IDX column; the second-stage exact query then decrypts IDCARD over the first-stage rough query result and performs the range query.
IV. Desensitization flow of the database extension function
Take as an example a business system that restricts system users' queries of the account table data: a system user who operates very frequently in a day, and during abnormal time periods, is judged to show abnormal behavior, and system users with abnormal behavior are shown desensitized data:
(1) Inside the RPC computing service, the computing component is called to perform online streaming audit analysis on the system users' account table query logs, and the analysis conclusions are stored in the system work-number abnormal-behavior storage module, as shown in Fig. 2.
(2) The Oracle database (or other type of database) extension function calls the RPC computing service to decide whether the identity card IDCARD field is displayed desensitized to the system user. If it is desensitized, the function returns the desensitized content. If it is not, the function returns the plaintext.
(3) The RPC computing service looks up in the system work-number abnormal-behavior storage module whether data is displayed desensitized to the system user, and returns the answer to the RPC caller, i.e., the Oracle database extension function.
The desensitization logic of the system work-number abnormal-behavior storage module above is only an illustration; other corresponding abnormal-behavior storage modules can be established for other desensitization logic.
Those skilled in the art will understand that all or some of the steps of the working method of the data encryption/decryption and desensitization runtime engine of the above embodiments can be carried out by hardware, or by a program controlling the relevant hardware. In a preferred embodiment the invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the working method of the data encryption/decryption and desensitization runtime engine described above. As an example, the computer-readable storage medium can be a USB flash drive, a removable hard disk, a read-only memory, a random access memory, a magnetic disk, an optical disc, or the like.
To sum up, the data encryption/decryption and desensitization runtime engine, working method and computer-readable storage medium of the invention use the client SDK mode to avoid the risk of business unavailability that the stability of the transparent encryption gateway proxy mode brings; use two-stage index range queries to provide in-database range queries over ciphertext indexes of numbers and strings; use the client SDK mode to remain compatible with both relational databases and NoSQL databases; and move the CPU computation related to desensitization out of the database into an external desensitization computing service, i.e. the RPC computing service.
Those of ordinary skill in the art can make various other corresponding changes and variations according to the technical solution and technical concept of the invention, and all such changes and variations shall fall within the protection scope of the appended claims of the invention.
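The two-stage index range query mentioned in the summary (and set out in claim 9) can be illustrated for a numeric column as follows. This is an added example, not code from the patent: the keys, table rows and function names are constructed, and both the order-preserving index and the HMAC-based stream cipher are toy stand-ins for whatever algorithms the metadata configuration would select.

```python
import hashlib
import hmac

INDEX_KEY = b"constructed-index-key"  # constructed demo keys
DATA_KEY = b"constructed-data-key"


def ope_index(value, key=INDEX_KEY):
    """Toy order-preserving index for small non-negative integers.

    A keyed running sum of strictly positive gaps, so a < b always gives
    ope_index(a) < ope_index(b).
    """
    total = 0
    for i in range(value + 1):
        mac = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        total += 1 + int.from_bytes(mac[:2], "big")
    return total


def _keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(plaintext, nonce, key=DATA_KEY):
    """Toy stand-in for the ciphertext-column encryption function."""
    data = plaintext.encode()
    stream = _keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


def decrypt(blob, key=DATA_KEY):
    """Toy stand-in for the ciphertext-column decryption function."""
    nonce, body = blob[:8], blob[8:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream)).decode()


def make_row(row_id, balance):
    """What is stored: an index column and a ciphertext column, no plaintext."""
    nonce = row_id.to_bytes(8, "big")  # constructed, unique per row
    return {"id": row_id,
            "balance_idx": ope_index(balance),
            "balance_enc": encrypt(str(balance), nonce)}


# Constructed table contents: row id -> balance.
ROWS = [make_row(i, b) for i, b in
        [(1, 120), (2, 4800), (3, 950), (4, 2500), (5, 30), (6, 1000)]]


def stage_one(rows, low, high):
    """Stage 1: convert the bounds with the index algorithm, filter on the index column."""
    lo, hi = ope_index(low), ope_index(high)
    return [r for r in rows if lo <= r["balance_idx"] <= hi]


def range_query(rows, low, high):
    """Stage 2: decrypt the stage-1 candidates and re-apply the condition."""
    result = []
    for r in stage_one(rows, low, high):
        value = int(decrypt(r["balance_enc"]))
        if low <= value <= high:
            result.append((r["id"], value))
    return result
```

The index column reveals the ordering of the plaintext values by construction, so it needs the same access control as the ciphertext column it sits beside.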

Claims (10)

1. A data encryption/decryption and desensitization runtime engine, characterized by comprising:
an SDK client, integrated into the business system to intercept SQL statements and determine from the metadata configuration whether they need rewriting, wherein an SQL statement that does not need rewriting is sent directly to the database as a request, and for an SQL statement that needs rewriting the security service is requested to rewrite it;
a security service, for obtaining the SQL statement that needs rewriting, completing the SQL statement rewrite according to the metadata configuration, and returning the rewritten SQL statement to the SDK client, the SDK client then using the rewritten SQL statement to send a request to the database;
a database extension function which, when a request involving desensitization is processed, acts as an RPC client and calls the operation component of the RPC computing service, which returns the result.
2. The data encryption/decryption and desensitization runtime engine of claim 1, characterized by further comprising a metadata configuration management module for configuring metadata, the metadata including the desensitization fields, encryption algorithms and desensitization field rule configuration for each type of database.
3. The data encryption/decryption and desensitization runtime engine of claim 1, characterized in that the database extension function includes:
a string index function, which uses character-by-character encryption to generate an index ciphertext string from the plaintext;
a numeric index function, which uses order-preserving encryption to generate an index value of the same order from the numeric value;
an encryption function, which generates ciphertext from plaintext;
a decryption function, which generates plaintext from ciphertext;
a desensitization function, which outputs desensitized text from plaintext.
4. A working method of a data encryption/decryption and desensitization runtime engine, characterized by comprising:
Step 10: the SDK client integrated into the business system intercepts SQL statements and determines from the metadata configuration whether they need rewriting; an SQL statement that does not need rewriting is sent directly to the database as a request, and for an SQL statement that needs rewriting the security service is requested to rewrite it;
Step 20: the security service obtains the SQL statement that needs rewriting, completes the SQL statement rewrite according to the metadata configuration, and returns the rewritten SQL statement to the SDK client; the SDK client then uses the rewritten SQL statement to send a request to the database;
Step 30: for a request involving desensitization, the database extension function acts as an RPC client and calls the operation component of the RPC computing service, which returns the result.
5. The working method of the data encryption/decryption and desensitization runtime engine of claim 4, characterized by further comprising the step of: configuring metadata through a metadata configuration management module, the metadata including the desensitization fields, encryption algorithms and desensitization field rule configuration for each type of database.
6. The working method of the data encryption/decryption and desensitization runtime engine of claim 4, characterized in that, in step 20, after obtaining the SQL statement that needs rewriting, the security service determines, from the sensitive-field definitions in the metadata configuration, which sensitive fields subject to encryption or desensitization the SQL statement involves, and prepares to rewrite the SQL statement; the security service analyses the SQL syntax tree, finds the sensitive fields involved, and completes the SQL rewrite.
7. The working method of the data encryption/decryption and desensitization runtime engine of claim 6, characterized in that the SQL syntax tree uses an SQL analysis engine that supports phoenix syntax, hive-sql syntax and relational database syntax.
8. The working method of the data encryption/decryption and desensitization runtime engine of claim 4, characterized in that the database extension function includes:
a string index function, which uses character-by-character encryption to generate an index ciphertext string from the plaintext;
a numeric index function, which uses order-preserving encryption to generate an index value of the same order from the numeric value;
an encryption function, which generates ciphertext from plaintext;
a decryption function, which generates plaintext from ciphertext;
a desensitization function, which outputs desensitized text from plaintext.
9. The working method of the data encryption/decryption and desensitization runtime engine of claim 4, characterized in that the ciphertext range query steps include:
numbers and strings are processed with the order-preserving encryption and character-by-character encryption algorithms respectively to generate index data, which is stored in a database index column;
the basic query flow is a two-stage query: the first stage uses the ciphertext index column as the query condition, the query condition being generated after the query parameter is converted according to the index generation algorithm;
the second stage is a query carried out on the first-stage query results: it uses the ciphertext column as the query condition, decrypting with the ciphertext column's decryption algorithm and applying the query condition again.
10. A computer-readable storage medium storing a computer program, characterized in that, when the computer program is executed by a processor, it implements the working method of the data encryption/decryption and desensitization runtime engine of any one of claims 4 to 9.
CN201810236550.1A 2018-03-21 2018-03-21 Data encrypting and deciphering and desensitization runtime engine and its working method Pending CN108509805A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810236550.1A CN108509805A (en) 2018-03-21 2018-03-21 Data encrypting and deciphering and desensitization runtime engine and its working method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810236550.1A CN108509805A (en) 2018-03-21 2018-03-21 Data encrypting and deciphering and desensitization runtime engine and its working method

Publications (1)

Publication Number Publication Date
CN108509805A true CN108509805A (en) 2018-09-07

Family

ID=63377907

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810236550.1A Pending CN108509805A (en) 2018-03-21 2018-03-21 Data encrypting and deciphering and desensitization runtime engine and its working method

Country Status (1)

Country Link
CN (1) CN108509805A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180907