CN110149212B - Database security reinforcement method and device and electronic equipment - Google Patents


Info

Publication number
CN110149212B
Authority
CN
China
Prior art keywords
database
signature
access key
key
user side
Prior art date
Legal status
Active
Application number
CN201910474421.0A
Other languages
Chinese (zh)
Other versions
CN110149212A (en)
Inventor
张力
范渊
刘博�
龙文洁
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN201910474421.0A
Publication of CN110149212A
Application granted
Publication of CN110149212B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/60 Protecting data
              • G06F21/602 Providing cryptographic facilities or services
              • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                • G06F21/6218 Protecting access to a system of files or objects, e.g. local or distributed file system or database
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Separating internal from external traffic, e.g. firewalls
            • H04L63/08 Authentication of entities
              • H04L63/0884 Authentication by delegation, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
            • H04L63/10 Controlling access to devices or network resources
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
            • H04L9/32 Including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3247 Involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a database security reinforcement method and device and an electronic device. The method comprises the following steps: acquiring a database authentication request sent by the authentication agent of a user side; determining, according to the access key value carried in the request, the corresponding target access key in the key table of a database firewall; performing signature calculation over the target access key, the encrypted version and the access time with a signature algorithm to obtain a protection-end signature; and comparing the client signature with the protection-end signature and operating the database according to the comparison result. Because the information transmitted in the traffic does not contain the access key itself, the risk of the access key being intercepted is avoided. Security reinforcement of the database is achieved by signature authentication of the database authentication request, which is reliable, hard to bypass and does not interfere with normal work, solving the technical problems that existing database security reinforcement methods are poor in reliability and disruptive to normal work.

Description

Database security reinforcement method and device and electronic equipment
Technical Field
The invention relates to the technical field of network security, in particular to a database security reinforcing method and device and electronic equipment.
Background
Once an application server has been compromised (or an operation and maintenance rule has been violated), the intruder can obtain the account and password the application uses to access the database by means such as code scanning, decompilation or packet capture. Existing database firewalls cannot tell whether a Structured Query Language statement (SQL statement; SQL is the database query and programming language used to access, query, update and manage relational database systems) was issued by the application system or by an intruder, so the intruder's SQL statements are executed and the intruder can cause greater damage.
To prevent an intruder from damaging the database, existing database security reinforcement methods generally protect the database by IP binding, account authorization or account verification. However, IP binding is easily bypassed; with account authorization, if the account is illegally obtained the intruder's SQL statements are still executed and no protection is achieved; with account verification, if the account is stolen, fingerprint or face recognition is prone to failure and interferes with normal work, reducing working efficiency.
In summary, existing database security reinforcement methods are poor in reliability and not conducive to normal work.
Disclosure of Invention
The invention aims to provide a database security reinforcement method, a database security reinforcement device and electronic equipment, so as to solve the technical problems that the existing database security reinforcement method is poor in reliability and not beneficial to normal work.
The invention provides a database security reinforcement method, applied to a database firewall deployed with an authentication agent, comprising the following steps: acquiring a database authentication request sent by the authentication agent of a user side, wherein the request carries at least one of the following items of authentication information: an access key value, an encrypted version, an access time and a client signature; determining, according to the access key value in the authentication information, the target access key corresponding to that access key value in the key table of the database firewall; performing signature calculation over the target access key, the encrypted version and the access time with a signature algorithm to obtain a protection-end signature; and comparing the client signature with the protection-end signature and operating the database according to the comparison result.
Further, the user-side authentication agent is obtained by the user downloading it from the database firewall through the console and registering. On registration, the user-side authentication agent randomly generates a user-side key pair, and the key pair and the encrypted version are stored in the key table of the database firewall and in the user-side authentication agent respectively. The key pair comprises an access key value and an access key, and is bound to the user-side authentication agent.
Further, the client signature is obtained by the user-side authentication agent performing signature calculation over the access key, the encrypted version and the access time with the signature algorithm.
Further, the signature algorithm includes a sign function.
Further, operating the database according to the comparison result includes: if the client signature is the same as the protection-end signature, allowing the database operation to continue; and if the client signature is not the same as the protection-end signature, blocking the database operation.
The invention also provides a database security reinforcement device, applied to a database firewall deployed with an authentication agent, comprising: an acquisition module for acquiring the database authentication request sent by the user-side authentication agent, the request carrying at least one of the following items of authentication information: an access key value, an encrypted version, an access time and a client signature; a determining module for determining, according to the access key value in the authentication information, the target access key corresponding to that value in the key table of the database firewall; a signature calculation module for performing signature calculation over the target access key, the encrypted version and the access time with a signature algorithm to obtain a protection-end signature; and a comparison module for comparing the client signature with the protection-end signature and operating the database according to the comparison result.
Further, the user-side authentication agent is obtained by the user downloading it from the database firewall through the console and registering. On registration, the user-side authentication agent randomly generates a user-side key pair, and the key pair and the encrypted version are stored in the key table of the database firewall and in the user-side authentication agent respectively. The key pair comprises an access key value and an access key, and is bound to the user-side authentication agent.
Further, the client signature is obtained by the user-side authentication agent performing signature calculation over the access key, the encrypted version and the access time with the signature algorithm.
The invention also provides an electronic device comprising a memory and a processor, the memory storing a computer program that can run on the processor, and the processor implementing the steps of the above method when executing the computer program.
The invention also provides a computer-readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the above method.
In the embodiments of the invention, a database firewall deployed with an authentication agent first acquires the database authentication request sent by the user-side authentication agent; then determines, from the access key value in the request's authentication information, the corresponding target access key in the firewall's key table; then performs signature calculation over the target access key, the encrypted version and the access time with a signature algorithm to obtain the protection-end signature; and finally compares the client signature with the protection-end signature and operates the database according to the result. The information transmitted in the traffic therefore consists only of the access key value, the encrypted version, the access time and the client signature; the access key itself is never transmitted, so it cannot be intercepted from the traffic. On receiving the request, the database firewall queries the key table it maintains itself to obtain the target access key for the access key value, recomputes the signature over the target access key, the encrypted version and the access time to obtain the protection-end signature, and compares it with the client signature to decide whether the database operation may continue. Security reinforcement is thus achieved by signature authentication of the database authentication request: it is reliable, hard to bypass and does not affect normal operation, solving the technical problems that existing database security reinforcement methods are poor in reliability and disruptive to normal work.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a database security reinforcement method according to an embodiment of the invention;
Fig. 2 is a schematic structural diagram of a database security reinforcement system according to an embodiment of the invention;
Fig. 3 is a schematic diagram of a database security reinforcement device according to an embodiment of the invention;
Fig. 4 is a schematic diagram of an electronic device according to an embodiment of the invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the following embodiments, and it should be understood that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
To aid understanding, the database security reinforcement method disclosed in the embodiments of the invention is described in detail first.
Embodiment one:
An embodiment of a database security reinforcement method is provided. It should be noted that the steps shown in the flowchart of the accompanying drawings may be performed in a computer system as a set of computer-executable instructions, and that although the flowchart shows a logical order, in some cases the steps may be performed in an order different from the one shown or described here.
Fig. 1 is a flowchart of a database security reinforcement method according to an embodiment of the invention, applied to a database firewall deployed with an authentication agent. As shown in Fig. 1, the method includes the following steps:
Step S102: acquire a database authentication request sent by the user-side authentication agent, wherein the request carries at least one of the following items of authentication information: an access key value, an encrypted version, an access time and a client signature.
In the embodiments of the invention, the authentication agent is a component of the invention itself. As shown in Fig. 2, an authentication agent is deployed on the database firewall, and the database firewall is a database security protection system that is either developed in-house or supplied by a third party.
When a user side accesses the database, its authentication agent sends a database authentication request to the database firewall. The request carries the authentication information, which comprises an access key value, an encrypted version, an access time and a client signature. The client signature is computed by the user-side authentication agent over the relevant information with a signature algorithm; the process of obtaining the client signature is described in detail below and is not repeated here.
Step S104: determine, according to the access key value in the authentication information, the target access key corresponding to that access key value in the key table of the database firewall.
After the database firewall obtains the authentication information, it determines the target access key corresponding to the access key value in its key table. Specifically, referring to Fig. 2, a relational database (RDS) is deployed on the database firewall and maintains the key table, which stores the correspondence between access key value, access key and encrypted version. Once the authentication information is obtained, the database firewall can look up, in this key table, the target access key for the access key value carried in the authentication information.
Step S106: perform signature calculation over the target access key, the encrypted version and the access time with a signature algorithm to obtain a protection-end signature.
After the target access key is obtained, the database firewall performs signature calculation over the target access key, the encrypted version and the access time with a signature algorithm. Specifically, the target access key, the encrypted version and the access time are fed as parameters into the signature algorithm, which outputs the protection-end signature.
Step S108: compare the client signature with the protection-end signature and operate the database according to the comparison result.
After the protection-end signature is obtained, it is compared with the client signature in the authentication information, and whether the database operation is allowed to continue is decided according to the comparison result. That is, security reinforcement of the database is achieved by signature authentication of the database authentication request.
In summary, the database firewall deployed with an authentication agent first acquires the database authentication request from the user-side authentication agent, looks up the target access key for the access key value in its own key table, recomputes the signature over the target access key, the encrypted version and the access time to obtain the protection-end signature, and compares it with the client signature to decide whether the database operation may continue. Only the access key value, the encrypted version, the access time and the client signature are transmitted in the traffic; the access key itself is not, so the risk of it being intercepted is avoided. The method is reliable, hard to bypass and does not affect normal operation, solving the technical problems that existing database security reinforcement methods are poor in reliability and disruptive to normal work.
The above briefly introduces the database security reinforcement method of the invention; the related details are described below.
In an optional embodiment of the invention, the user-side authentication agent is obtained by the user downloading it from the database firewall through the console and registering;
on registration, the user-side authentication agent randomly generates a user-side key pair, and the key pair and the encrypted version are stored in the key table of the database firewall and in the user-side authentication agent respectively. The key pair comprises an access key value and an access key, and is bound to the user-side authentication agent.
Specifically, referring to Fig. 2, when a user side needs to perform a database operation for the first time, it must download and register the authentication agent: the user downloads the authentication agent from the database firewall through the console (specifically, the registration platform provided by the authentication agent) and then registers.
On registration, the user-side authentication agent randomly generates a key pair for the user side, the database firewall sends the encrypted version information to the user-side authentication agent, and the key pair and the encrypted version are stored in the key table of the database firewall and in the user-side authentication agent respectively.
Specifically, the key pair consists of the access key value and the access key, and is bound to the user-side authentication agent. That is, each user-side authentication agent holds a unique key pair, which is not easily stolen.
In an optional embodiment of the invention, the client signature is obtained by the user-side authentication agent performing signature calculation over the access key, the encrypted version and the access time with a signature algorithm.
Specifically, after the user-side authentication agent obtains the access key, the encrypted version and the access time, it performs signature calculation over these three values with the signature algorithm to obtain the client signature.
The signature algorithm includes a sign function. Of course, other algorithms may also be used; the embodiments of the invention do not limit the signature algorithm.
The specific process of operating the database according to the comparison result is described below:
in an optional embodiment of the invention, operating the database according to the comparison result comprises:
if the client signature and the protection-end signature are the same, allowing the database operation to continue;
and if the client signature and the protection-end signature are not the same, blocking the database operation.
In the invention, an authentication agent is added to the database firewall of the application system connected to the database. The authentication agent uses the key and the signature algorithm to attach a signature to the SQL statement sent to the database (that is, to the database authentication request of the invention). The database firewall authenticates the signature of the SQL request and blocks the request if authentication fails. The database security reinforcement method is reliable, does not affect normal work and can effectively protect the database.
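The protocol of embodiment one, worked through as an added example (not code from the patent or its assignee): registration creates the bound key pair, the user-side agent signs the access key, the encrypted version and the access time, and the firewall looks the access key value up in its key table and recomputes the protection-end signature. It assumes HMAC-SHA256 as the unspecified sign function, a constructed version string, Unix-time access times, and it adds a replay window that the patent does not describe.

```python
"""Added example, not code from the patent or from DBAPPSecurity: a minimal
model of the signed database authentication request of embodiment one.
Assumptions: HMAC-SHA256 stands in for the unspecified "sign function", the
"encrypted version" is a short version string, and the access time is a Unix
timestamp in seconds. The replay window is an addition the patent does not describe.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

ENCRYPTED_VERSION = "v1"  # constructed value standing in for the patent's "encrypted version"


def sign(access_key: bytes, encrypted_version: str, access_time: int) -> str:
    """Signature over (access key, encrypted version, access time).

    Assumption: HMAC-SHA256 keyed with the secret access key; the patent only
    names a "sign function". The message layout is fixed so that the client and
    the firewall always hash exactly the same bytes.
    """
    message = f"{encrypted_version}\n{access_time}".encode()
    return hmac.new(access_key, message, hashlib.sha256).hexdigest()


class DatabaseFirewall:
    """Protection end: owns the key table and verifies each request (steps S104 to S108)."""

    def __init__(self, max_skew_seconds: int = 300) -> None:
        # Key table: access key value -> (access key, encrypted version), as in Fig. 2.
        self.key_table: Dict[str, Tuple[bytes, str]] = {}
        # Freshness window for the signed access time (added here; not in the patent).
        self.max_skew_seconds = max_skew_seconds

    def register_agent(self) -> Tuple[str, bytes, str]:
        """Registration: a random key pair is created, stored in the key table, and
        handed to the agent together with the encrypted version."""
        access_key_value = secrets.token_hex(8)   # non-secret identifier, sent in traffic
        access_key = secrets.token_bytes(32)      # secret, never sent in traffic
        self.key_table[access_key_value] = (access_key, ENCRYPTED_VERSION)
        return access_key_value, access_key, ENCRYPTED_VERSION

    def authenticate(self, request: Dict[str, object], now: Optional[int] = None) -> bool:
        """Return True if the database operation may continue, False to block it."""
        # Step S104: look up the target access key by the access key value.
        entry = self.key_table.get(str(request.get("access_key_value", "")))
        if entry is None:
            return False
        target_access_key, expected_version = entry
        encrypted_version = str(request.get("encrypted_version", ""))
        if encrypted_version != expected_version:
            return False
        try:
            access_time = int(request["access_time"])
            client_signature = str(request["client_signature"])
        except (KeyError, TypeError, ValueError):
            return False
        # Added freshness check: the access time is signed, so a stale request is rejected.
        now = int(time.time()) if now is None else now
        if abs(now - access_time) > self.max_skew_seconds:
            return False
        # Step S106: recompute the protection-end signature from the key table entry.
        protection_end_signature = sign(target_access_key, encrypted_version, access_time)
        # Step S108: constant-time comparison with the client signature.
        return hmac.compare_digest(protection_end_signature, client_signature)


class AuthenticationAgent:
    """User-side agent: holds the bound key pair and signs each request."""

    def __init__(self, access_key_value: str, access_key: bytes, encrypted_version: str) -> None:
        self.access_key_value = access_key_value
        self.access_key = access_key
        self.encrypted_version = encrypted_version

    def build_request(self, sql: str, access_time: Optional[int] = None) -> Dict[str, object]:
        """Database authentication request carrying only the four fields the patent lists,
        plus the SQL statement; the access key itself is deliberately absent."""
        access_time = int(time.time()) if access_time is None else access_time
        return {
            "access_key_value": self.access_key_value,
            "encrypted_version": self.encrypted_version,
            "access_time": access_time,
            "client_signature": sign(self.access_key, self.encrypted_version, access_time),
            "sql": sql,
        }


def demo(now: int = 1_700_000_000) -> Dict[str, bool]:
    """Registration, one valid request and three rejected variants; returns the outcomes."""
    firewall = DatabaseFirewall()
    agent = AuthenticationAgent(*firewall.register_agent())
    good = agent.build_request("SELECT 1", access_time=now)
    forged = dict(good, client_signature="0" * 64)               # tampered client signature
    unknown = dict(good, access_key_value="0000000000000000")    # value absent from key table
    stale = agent.build_request("SELECT 1", access_time=now - 3600)  # outside replay window
    return {
        "valid_accepted": firewall.authenticate(good, now=now),
        "forged_rejected": not firewall.authenticate(forged, now=now),
        "unknown_key_rejected": not firewall.authenticate(unknown, now=now),
        "stale_rejected": not firewall.authenticate(stale, now=now),
        "secret_not_in_traffic": "access_key" not in good,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that the SQL text is not among the fields the patent signs; the example keeps to those fields, so binding the statement itself to the signature would be an extension of the scheme.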
Embodiment two:
The embodiments of the invention also provide a database security reinforcement device, applied to a database firewall deployed with an authentication agent and mainly used to perform the database security reinforcement method provided by the embodiments of the invention; the device is introduced below.
Fig. 3 is a schematic diagram of a database security reinforcement device according to an embodiment of the invention. As shown in Fig. 3, the device mainly comprises an acquisition module 10, a determining module 20, a signature calculation module 30 and a comparison module 40, where:
the acquisition module acquires the database authentication request sent by the user-side authentication agent, the request carrying at least one of the following items of authentication information: an access key value, an encrypted version, an access time and a client signature;
the determining module determines, according to the access key value in the authentication information, the target access key corresponding to that value in the key table of the database firewall;
the signature calculation module performs signature calculation over the target access key, the encrypted version and the access time with a signature algorithm to obtain a protection-end signature;
and the comparison module compares the client signature with the protection-end signature and operates the database according to the comparison result.
Optionally, the authentication agent of the user side is obtained by downloading and registering the user on the database firewall through the console;
when the authentication agent of the user side is registered, the authentication agent of the user side randomly generates a key pair of the user side, and respectively stores the key pair and an encrypted version to a key table of a database firewall and the authentication agent of the user side, wherein the key pair comprises: the system comprises an access key value and an access key, wherein the key pair has a binding relation with an authentication agent of a user side.
Optionally, the client signature is obtained by signature calculation of the access key, the encrypted version and the access time by the authentication agent of the client using a signature algorithm.
Optionally, the signature algorithm comprises: sign function.
Optionally, the comparison module is further configured to:
allow the database operation to continue if the comparison result is that the client signature and the protection end signature are the same;
and prevent the database operation if the comparison result is that the client signature and the protection end signature are not the same.
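As an added illustration that is not code from the patent or from its assignee, the following Python sketch models the flow summarized above and claimed in claims 1 to 4: registration randomly generates a key pair bound to one authentication agent, the firewall-side key table maps an access key value to its access key, the client signs the encrypted version and the access time with its access key, and the firewall looks up the target access key, recomputes the protection end signature and compares it with the client signature. Only the access key value, the encrypted version, the access time and the signature ever appear in the request. The patent names only a "sign function"; HMAC-SHA256 is assumed here, an in-memory dict stands in for the relational database the claims mention, and the freshness window on the access time is an added assumption the patent does not specify.

```python
import hashlib
import hmac
import secrets
import time


class KeyTable:
    """Firewall-side key table: access key value -> (access key, encrypted version).

    The patent keeps this in a relational database; a dict stands in here (assumption).
    """

    def __init__(self):
        self._rows = {}

    def register(self, encrypted_version):
        """Registration step: randomly generate a key pair bound to one authentication agent.

        Only the access key value (an identifier) ever appears in traffic; the
        access key itself is shared with the agent at registration time.
        """
        access_key_value = secrets.token_hex(8)   # public identifier
        access_key = secrets.token_bytes(32)      # secret, never sent in traffic
        self._rows[access_key_value] = (access_key, encrypted_version)
        return access_key_value, access_key

    def lookup(self, access_key_value):
        return self._rows.get(access_key_value)


def sign(access_key, encrypted_version, access_time):
    """The patent's 'sign function' over (access key, encrypted version, access time).

    HMAC-SHA256 keyed with the access key is an assumption; the version field is
    length-prefixed so that different (version, time) pairs cannot collide.
    """
    msg = f"{len(encrypted_version)}:{encrypted_version}|{access_time}".encode()
    return hmac.new(access_key, msg, hashlib.sha256).hexdigest()


def build_auth_request(access_key_value, access_key, encrypted_version, access_time):
    """Client side: the authentication agent builds the database authentication request.

    What is transmitted is the key value, version, time and signature, not the key.
    """
    return {
        "access_key_value": access_key_value,
        "encrypted_version": encrypted_version,
        "access_time": access_time,
        "client_signature": sign(access_key, encrypted_version, access_time),
    }


def verify_auth_request(key_table, request, now, max_skew=300):
    """Firewall side: look up the target access key, recompute the protection end
    signature and compare it with the client signature.

    Returns (allowed, reason). The max_skew window on access_time is an added
    assumption: the patent signs the access time but states no freshness rule.
    """
    row = key_table.lookup(request["access_key_value"])
    if row is None:
        return False, "unknown access key value"
    target_access_key, _stored_version = row
    if abs(now - request["access_time"]) > max_skew:
        return False, "access time outside window"
    protection_signature = sign(
        target_access_key, request["encrypted_version"], request["access_time"]
    )
    # Constant-time comparison so the comparison itself leaks nothing about the signature.
    if not hmac.compare_digest(protection_signature, request["client_signature"]):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    table = KeyTable()
    key_value, key = table.register("v1")      # done once at agent registration
    now = int(time.time())
    request = build_auth_request(key_value, key, "v1", now)
    print(verify_auth_request(table, request, now))        # (True, 'ok')
    altered = dict(request, access_time=now + 1)           # any changed field breaks the signature
    print(verify_auth_request(table, altered, now))
```

Because the signature covers the encrypted version and the access time, changing either field in transit produces a mismatch at the firewall, and a request carrying an access key value that is not in the key table is rejected before any signature work is done.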
For details in the second embodiment, reference may be made to the description in the first embodiment, and details are not repeated herein.
Example three:
An embodiment of the present invention provides an electronic device. With reference to fig. 4, the electronic device includes a processor 50, a memory 51, a bus 52 and a communication interface 53, where the processor 50, the communication interface 53 and the memory 51 are connected through the bus 52; the processor 50 is arranged to execute executable modules, such as computer programs, stored in the memory 51. When the processor executes the program, the steps of the method described in the method embodiments are implemented.
The memory 51 may include a high-speed Random Access Memory (RAM) and may also include a non-volatile memory, such as at least one disk memory. The communication connection between a network element of the system and at least one other network element is realized through at least one communication interface 53 (wired or wireless); the internet, a wide area network, a local area network, a metropolitan area network and the like may be used.
The bus 52 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 4, but that does not indicate only one bus or one type of bus.
The memory 51 is used for storing a program, and the processor 50 executes the program after receiving an execution instruction, and the method executed by the apparatus defined by the flow process disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 50, or implemented by the processor 50.
The processor 50 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 50. The processor 50 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed by it. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in RAM, flash memory, ROM, PROM, EPROM, registers or another storage medium well known in the art. The storage medium is located in the memory 51; the processor 50 reads the information in the memory 51 and completes the steps of the method in combination with its hardware.
In another embodiment, a computer readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the steps of the method described in embodiment 1 above is also provided.
The database security strengthening method, the database security strengthening device, and the computer program product of the electronic device provided in the embodiments of the present invention include a computer-readable storage medium storing a program code, where instructions included in the program code may be used to execute the method described in the foregoing method embodiments, and specific implementation may refer to the method embodiments, and will not be described herein again.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working process of the system and the apparatus described above may refer to the corresponding process in the foregoing method embodiment, and details are not described herein again.
In addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "coupled" are to be construed broadly, e.g., as meaning a fixed connection, a removable connection, or an integral connection; a mechanical or an electrical connection; a direct connection or an indirect connection through intervening media; or an internal connection between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to the specific case.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. A database security reinforcement method is applied to a database firewall with an authentication agent deployed, and comprises the following steps:
acquiring a database authentication request sent by an authentication agent of a user side, wherein the authentication agent of the user side is obtained by a user downloading and registering it on the database firewall through a console, and when the authentication agent of the user side is registered, the authentication agent of the user side randomly generates a key pair of the user side and respectively stores the key pair and an encrypted version in a key table of the database firewall and in the authentication agent of the user side, the key pair comprising an access key value and an access key, wherein the key pair has a binding relationship with the authentication agent of the user side, and the database authentication request carries at least one of the following authentication information: the access key value, the encrypted version, the access time and the client signature;
determining a target access key corresponding to an access key value in a key table of the database firewall according to the access key value in the authentication information, wherein the key table is maintained through a relational database and stores a corresponding relation of the access key value, the access key and the encrypted version;
performing signature calculation on the target access key, the encrypted version and the access time by adopting a signature algorithm to obtain a protection end signature;
and comparing the client signature with the protection terminal signature, and operating a database according to a comparison result.
2. The method of claim 1, wherein the client signature is computed by an authentication agent of the client signing the access key, the encrypted version, and the access time using the signing algorithm.
3. The method according to claim 1 or 2, wherein the signature algorithm comprises: sign function.
4. The method of claim 1, wherein performing database operations based on the comparison comprises:
if the comparison result is that the client signature is the same as the protection end signature, allowing the database operation to be continued;
and if the comparison result is that the client signature is not the same as the protection end signature, preventing the operation of the database.
5. A database security enforcement device, for use in a database firewall with an authentication agent deployed therein, the device comprising:
an obtaining module, configured to obtain a database authentication request sent by an authentication agent of a user side, where the authentication agent of the user side is obtained by a user downloading and registering it on the database firewall through a console, and when the authentication agent of the user side is registered, the authentication agent of the user side randomly generates a key pair of the user side and stores the key pair and an encrypted version in a key table of the database firewall and in the authentication agent of the user side, the key pair comprising an access key value and an access key, where the key pair has a binding relationship with the authentication agent of the user side, and the database authentication request carries at least one of the following authentication information: the access key value, the encrypted version, the access time and the client signature;
a determining module, configured to determine, according to an access key value in the authentication information, a target access key corresponding to the access key value in a key table of the firewall of the database, where the key table is maintained by a relational database and stores a corresponding relationship between the access key value, the access key, and the encrypted version;
the signature calculation module is used for performing signature calculation on the target access key, the encrypted version and the access time by adopting a signature algorithm to obtain a protection end signature;
and the comparison module is used for comparing the client signature with the protection terminal signature and operating the database according to the comparison result.
6. The apparatus of claim 5, wherein the client signature is computed by an authentication agent of the client signing the access key, the encrypted version, and the access time using the signing algorithm.
7. An electronic device comprising a memory, a processor, and a computer program stored on the memory and operable on the processor, wherein the processor implements the steps of the method of any of claims 1 to 4 when executing the computer program.
8. A computer-readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the method of any of claims 1 to 4.
CN201910474421.0A 2019-05-31 2019-05-31 Database security reinforcement method and device and electronic equipment Active CN110149212B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910474421.0A CN110149212B (en) 2019-05-31 2019-05-31 Database security reinforcement method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910474421.0A CN110149212B (en) 2019-05-31 2019-05-31 Database security reinforcement method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN110149212A CN110149212A (en) 2019-08-20
CN110149212B true CN110149212B (en) 2022-05-27

Family

ID=67589924

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910474421.0A Active CN110149212B (en) 2019-05-31 2019-05-31 Database security reinforcement method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN110149212B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4035333A4 (en) * 2019-09-24 2022-11-16 Magic Labs, Inc. Non-custodial tool for building decentralized computer applications
CN111695152B (en) * 2020-05-26 2023-05-12 东南大学 MySQL database protection method based on security agent
CN111935194B (en) * 2020-10-13 2020-12-25 南京云信达科技有限公司 Data interception method and device
CN112364360B (en) * 2020-11-11 2022-02-11 南京信息职业技术学院 Financial data safety management system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0119629D0 (en) * 2001-08-10 2001-10-03 Cryptomathic As Data certification method and apparatus
CN103310161B (en) * 2012-03-14 2016-08-03 北京海泰方圆科技股份有限公司 A kind of means of defence for Database Systems and system
CN105187431B (en) * 2015-09-17 2019-02-12 网易(杭州)网络有限公司 Login method, server, client and the communication system of third-party application
US9832024B2 (en) * 2015-11-13 2017-11-28 Visa International Service Association Methods and systems for PKI-based authentication
CN108809988A (en) * 2018-06-14 2018-11-13 北京中电普华信息技术有限公司 A kind of authentication method and system of request

Also Published As

Publication number Publication date
CN110149212A (en) 2019-08-20

Similar Documents

Publication Publication Date Title
CN110149212B (en) Database security reinforcement method and device and electronic equipment
US9055427B2 (en) Updating configuration parameters in a mobile terminal
US9443084B2 (en) Authentication in a network using client health enforcement framework
US8898759B2 (en) Application registration, authorization, and verification
CN107196950B (en) Verification method, verification device and server
US20140208386A1 (en) Adaptive Strike Count Policy
JP2001500293A (en) Electronic memory tampering prevention system
CN112235321B (en) Short message verification code anti-brushing method and device
WO2012083823A1 (en) Method and device for terminal network locking
CN110213375A (en) A kind of method, apparatus and electronic equipment of the IP access control based on cloud WAF
CN109992976B (en) Access credential verification method, device, computer equipment and storage medium
CN109684878B (en) Privacy information tamper-proofing method and system based on block chain technology
WO2020093722A1 (en) Block chain-based prescription data verification method and device, and server
CN112165475A (en) Anti-crawler method, anti-crawler device, website server and readable storage medium
CN110661779A (en) Block chain network-based electronic certificate management method, system, device and medium
CN112468497B (en) Block chain terminal equipment authorization authentication method, device, equipment and storage medium
CN111147625B (en) Method, device and storage medium for acquiring local external network IP address
US9846790B2 (en) Method for changing an operating mode of a mobile device
CN109858235B (en) Portable equipment and password obtaining method and device thereof
CN109218029B (en) Block chain-based network certificate trusted query method, device and storage medium
CN111371811A (en) Resource calling method, resource calling device, client and service server
CN111949363A (en) Service access management method, computer equipment, storage medium and system
CN115913679A (en) Access control method and system based on zero-trust gateway
KR20140112837A (en) Embedded system, authentication system comprising the same, method of authenticating the system
CN110392058B (en) Service protection method, system and terminal equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant