CN110971593A - Database secure network access method - Google Patents


Info

Publication number
CN110971593A
Authority
CN
China
Prior art keywords
client
server
information
database
user name
Legal status
Granted
Application number
CN201911137433.0A
Other languages
Chinese (zh)
Other versions
CN110971593B (en)
Inventor
李瑞山
慕宗君
方伟
马国强
牛津文
邵春梅
王向宇
卜银娜
董鹏涛
王卫东
牛雪鹏
陈哲
李江林
闫文敬
闫启祥
Current Assignee
Xuji Group Co Ltd
XJ Electric Co Ltd
Xuchang XJ Software Technology Co Ltd
Original Assignee
Xuji Group Co Ltd
XJ Electric Co Ltd
Xuchang XJ Software Technology Co Ltd
Priority date
2019-11-19
Filing date
2019-11-19
Publication date
2020-04-07
Application filed by Xuji Group Co Ltd, XJ Electric Co Ltd and Xuchang XJ Software Technology Co Ltd
Priority to CN201911137433.0A
Publication of CN110971593A
Application granted
Publication of CN110971593B
Legal status: Active

Classifications

    • H04L63/083 Network architectures or network communication protocols for network security, for authentication of entities using passwords
    • G06F21/602 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; protecting data by providing cryptographic facilities or services
    • G06F21/6218 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database
    • H04L63/0478 Network architectures or network communication protocols for network security, for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L63/0823 Network architectures or network communication protocols for network security, for authentication of entities using certificates
    • H04L63/0869 Network architectures or network communication protocols for network security, for authentication of entities, for achieving mutual authentication
    • H04L2209/72 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L9/00): signcrypting, i.e. digital signing and encrypting simultaneously
    • H04L63/045 Network architectures or network communication protocols for network security, for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply hybrid encryption, i.e. a combination of symmetric and asymmetric encryption
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a database secure network access method and belongs to the technical field of power system automation. The method comprises the following steps: 1) the server side reads database information, network information and a user name and password information base, and the client side reads the network information; 2) a network link is established between the server side and the client side according to the network information; 3) the server side obtains the user name and password entered by the client side at login and judges, according to the user name and password information base, whether the client side has operation authority; 4) if the client side has operation authority, the server side responds to the database operation request initiated by the client side. The server is deployed alongside the local database and reads its information; once the network link between server and client is established and the client has been judged to have operation authority, the client's operation requests on the database are served, so that the client obtains secure access to the local database.

Description

Database secure network access method
Technical Field
The invention relates to a database secure network access method, and belongs to the technical field of power system automation.
Background
A large number of embedded devices are deployed in transformer substations; they consume few resources, process data quickly and are easy to deploy. Local databases such as SQLite are widely used on them, but a local database does not support network access, which makes remote maintenance inconvenient. Accessing the local database remotely and securely is therefore a problem that must be solved.
Disclosure of Invention
The invention aims to provide a database secure network access method to solve the problem that a local database cannot be safely and remotely accessed in the prior art.
In order to achieve the above object, the present invention provides a database secure network access method comprising the following steps:
1) the server side reads database information, network information and a user name and password information base; the client side reads the network information;
2) a network link is established between the server side and the client side according to the network information;
3) the server side obtains the user name and password entered by the client side at login, and judges according to the user name and password information base whether the client side has operation authority;
4) if the client side has operation authority, the server side responds to the database operation request initiated by the client side.
The beneficial effects are as follows: the server is deployed alongside the local database and reads its information; once the network link between server and client is established and the client has been judged to have operation authority, the client's operation requests on the database are served, so that the client obtains secure access to the local database.
Further, in step 1) the server side also reads the server private key certificate information and the client public key certificate information, and the client side also reads the client private key certificate information and the server public key certificate information; in step 2), after the network link is established, the server side and the client side mutually verify the certificate information: if the verification fails, the network link is disconnected; if it passes, step 3) is performed.
Further, judging whether the client side has operation authority comprises: looking up and comparing the user name and password in the user name and password information base; if the comparison succeeds, the user is judged to have operation authority, and if it fails, the user is judged to have no operation authority.
Further, the login user name and password obtained by the server side are encrypted with a key M1, the key M1 being byte information randomly generated by the client side.
Further, the database operation request initiated by the client side includes a write operation, and the server side returns the execution result to the client side after the write operation is executed.
Further, the database operation request initiated by the client side includes a read operation, and the server side structures and encrypts the read data before sending it to the client side.
Further, the structuring method comprises: defining the lengths of all fields of the database table and an array to hold them, serializing the position index of each field, and, when the data of one table field is received, finding the position index corresponding to that field and copying the data to the corresponding array position.
Further, the encryption uses the SM4 cryptographic algorithm.
Further, before the server side responds in step 4) to the database operation request initiated by the client side, the method further comprises: the client side sends an information request to the server side, the server side sends the database information to the client side, and the client side initializes the database information.
Drawings
FIG. 1 is a diagram illustrating a database secure network access method in an embodiment of the database secure network access method of the present invention;
fig. 2 is a schematic diagram of structured data in an embodiment of the database secure network access method of the present invention.
Detailed Description
The embodiment of the database secure network access method is as follows:
a server side is deployed on the embedded device and a client side on the remote network device; the remote network device accesses the database in the embedded device by establishing a network link between the client side and the server side.
As shown in fig. 1, the database secure network access method of the present embodiment includes the following steps.
1) The server side reads the database information, the TCP network information, the user name and password information base and the certificate information, where the certificate information comprises the server private key certificate information and the client public key certificate information; the client side reads the TCP network information and the certificate information, where the certificate information comprises the client private key certificate information and the server public key certificate information.
2) A TCP network link is established between the server side and the client side; after the TCP link is established, the server side and the client side mutually verify certificates, the specific verification method being as follows:
the client side generates 16 bytes of information M1, which the server side later uses to decrypt the client's login information, and generates information M2 by encrypting M1 with the SM4 national cryptographic algorithm under a key MY1;
the client side adds a 64-byte digital signature to M2 using the client private key certificate, and encrypts M2 and the 64-byte signature with the server public key;
the server side obtains M2 and the 64-byte digital signature by decrypting with the server private key certificate, and verifies the legitimacy of the signature with the client public key certificate; if the client identity is found to be illegal, the TCP connection is disconnected; if it is legal, the server side adds a 64-byte digital signature to M2 using the server private key certificate, encrypts M2 and the signature with the client public key, and stores M2;
the client side obtains M2 and the 64-byte digital signature by decrypting with the client private key certificate, and verifies the validity of the signature with the server public key certificate; if the server identity is found to be illegal, the TCP connection is disconnected; if it is legal, the following steps continue.
3) The server side obtains the user name and password entered by the client side at login, and judges according to them whether the client side has operation authority.
In this embodiment, the login information sent by the client side to the server side is encrypted with the key M1, so the server side must first obtain M1 in order to decrypt it. The server side obtains M1 as follows:
the client side adds a 64-byte digital signature to the key MY1 using the client private key certificate, and encrypts MY1 and the 64-byte signature with the server public key;
the server side decrypts the received key MY1 and 64-byte digital signature with the server private key certificate, verifies the validity of the signature with the client public key certificate, and so obtains the key MY1;
the stored information M2 is then decrypted with the SM4 algorithm under the key MY1 to obtain the information M1.
Once the server side has M1, it can decrypt the login information sent by the client side, obtain the user name and password, and determine the user's operation authority from them. The server side determines user authority as follows: the decrypted user name and password are looked up and compared in the user name and password information base; if the comparison succeeds, the user is judged to have operation authority, and if it fails, the user is judged to have no operation authority.
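The certificate exchange of step 2), the recovery of M1 in step 3) and the credential check, as an added example in Go (not the patent's own code): ECDSA P-256, RSA-OAEP and AES-128 are this example's stand-ins for the SM2 signing, SM2 encryption and SM4 operations the patent specifies, both endpoints run in one process instead of over TCP, and the login record format user\x00password, the client comparing the echoed M2 with its own, and the plaintext user base are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Party is one endpoint: its own keys plus the peer public key certificate it trusts.
// ECDSA P-256 stands in for SM2 signing, RSA-OAEP for SM2 encryption, AES-128 for SM4.
type Party struct {
	sig     *ecdsa.PrivateKey
	enc     *rsa.PrivateKey
	trusted *ecdsa.PublicKey
}

func NewParty() *Party {
	s, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	e, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Party{sig: s, enc: e}
}

// seal signs a 16-byte message and encrypts message||signature to the peer.
func seal(from, to *Party, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, from.sig, h[:])
	body := append(append([]byte{}, msg...), sig...)
	ct, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &to.enc.PublicKey, body, nil)
	return ct
}

// open decrypts with our private key and verifies the trusted peer's signature;
// any failure is the patent's "disconnect the TCP link" branch.
func open(me *Party, ct []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, me.enc, ct, nil)
	if err != nil || len(pt) <= 16 {
		return nil, errors.New("decryption failed: disconnect")
	}
	if h := sha256.Sum256(pt[:16]); !ecdsa.VerifyASN1(me.trusted, h[:], pt[16:]) {
		return nil, errors.New("peer identity not legal: disconnect")
	}
	return pt[:16], nil
}

// aesBlock stands in for the SM4 block cipher under a 16-byte key.
func aesBlock(key []byte) cipher.Block {
	c, _ := aes.NewCipher(key)
	return c
}

// gcm is the authenticated mode used here for the login record under key M1.
func gcm(key []byte) cipher.AEAD {
	g, _ := cipher.NewGCM(aesBlock(key))
	return g
}

// Login runs steps 2) and 3) in one process: mutual verification carried on M2,
// disclosure of MY1, recovery of M1 by the server, then the credential check.
func Login(c, s *Party, users map[string]string, user, pass string) (bool, error) {
	m1, my1, m2 := make([]byte, 16), make([]byte, 16), make([]byte, 16)
	rand.Read(m1)
	rand.Read(my1)
	aesBlock(my1).Encrypt(m2, m1)           // M2 = SM4_MY1(M1)
	m2Srv, err := open(s, seal(c, s, m2))   // client -> server: client-signed M2
	if err != nil {
		return false, err
	}
	echo, err := open(c, seal(s, c, m2Srv)) // server -> client: server-signed M2
	if err != nil || !bytes.Equal(echo, m2) {
		return false, errors.New("server verification failed: disconnect")
	}
	my1Srv, err := open(s, seal(c, s, my1)) // client -> server: MY1 the same way
	if err != nil {
		return false, err
	}
	m1Srv := make([]byte, 16)
	aesBlock(my1Srv).Decrypt(m1Srv, m2Srv)  // server recovers M1 from stored M2
	nonce := make([]byte, 12)
	rand.Read(nonce)
	login := gcm(m1).Seal(nonce, nonce, []byte(user+"\x00"+pass), nil) // under M1
	pt, err := gcm(m1Srv).Open(nil, login[:12], login[12:], nil)
	if err != nil {
		return false, errors.New("login record undecryptable: disconnect")
	}
	u, p, _ := bytes.Cut(pt, []byte{0})
	want, known := users[string(u)] // a real base would hold salted hashes
	return known && subtle.ConstantTimeCompare(p, []byte(want)) == 1, nil
}
```

Every failed decryption or signature check returns an error, which is the point at which the patent disconnects the TCP link; a client whose certificate the server does not trust never reaches the credential check.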
4) After the client side is judged to have the operation authority, the client side sends an information request, the server side sends database information to the client side, and the client side initializes the database information. The purpose of the client side initializing the database information in this embodiment is to obtain the database table structure information, and prepare for initializing the database data.
The client side sends the access request as an SQL statement to the server side; the server side first stores and parses the SQL statement, then executes it locally. The server side acts according to the specific operation the client side requested: for a write operation request it returns the execution result; for a read operation request it structures the read data and sends it to the client side. All data is encrypted with the national cryptographic algorithm before being put on the network; the client side receives the network message, decrypts it with the national cryptographic algorithm, and recovers the database data by reversing the structuring.
The structuring method in this embodiment is: define the lengths of all fields of the database table and an array to hold them, and serialize the position index of each field; when the data of one table field is received, find the position index corresponding to that field and copy the data to the corresponding array position; once one record has been read in this way, send it to the client side. The structured data is shown in fig. 2.
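The structuring method of fig. 2 as an added Go example (not the patent's code): the table definition and row values are constructed, and rejecting unknown fields, over-long values and wrong-sized rows is this example's choice, since the patent only says the data is copied to its array position.

```go
package main

import "fmt"

// Field is one column of the table definition: its name and fixed byte length.
type Field struct {
	Name string
	Len  int
}

type slot struct{ pos, n int }

// Layout is the serialized position index: for every field, the offset and
// length of its bytes inside the fixed-size row array.
type Layout struct {
	fields []Field
	slots  map[string]slot
	Size   int
}

// NewLayout walks the table definition once and assigns each field its array position.
func NewLayout(fields []Field) *Layout {
	l := &Layout{fields: fields, slots: make(map[string]slot, len(fields))}
	for _, f := range fields {
		l.slots[f.Name] = slot{l.Size, f.Len}
		l.Size += f.Len
	}
	return l
}

// Offset returns the position index of a field (-1 if it is not in the table).
func (l *Layout) Offset(name string) int {
	if s, ok := l.slots[name]; ok {
		return s.pos
	}
	return -1
}

// Pack builds one row: each received (field, value) pair is looked up in the
// position index and copied into its slot. Unknown fields and values longer
// than the defined length are rejected rather than truncated or written past
// the slot (the example's choice; the patent only says the data is copied).
func (l *Layout) Pack(row map[string][]byte) ([]byte, error) {
	out := make([]byte, l.Size)
	for name, v := range row {
		s, ok := l.slots[name]
		if !ok {
			return nil, fmt.Errorf("field %q is not in the table definition", name)
		}
		if len(v) > s.n {
			return nil, fmt.Errorf("field %q: %d bytes exceeds defined length %d", name, len(v), s.n)
		}
		copy(out[s.pos:s.pos+s.n], v)
	}
	return out, nil
}

// Unpack is the client-side inverse: it checks the array has exactly the
// expected size, then cuts each field out at its position index. Values are
// stored zero-padded, so trailing zero bytes are stripped.
func (l *Layout) Unpack(data []byte) (map[string][]byte, error) {
	if len(data) != l.Size {
		return nil, fmt.Errorf("row is %d bytes, layout needs %d", len(data), l.Size)
	}
	row := make(map[string][]byte, len(l.fields))
	for _, f := range l.fields {
		s := l.slots[f.Name]
		v := data[s.pos : s.pos+s.n]
		end := len(v)
		for end > 0 && v[end-1] == 0 {
			end--
		}
		row[f.Name] = append([]byte(nil), v[:end]...)
	}
	return row, nil
}

func main() {
	// constructed table definition for a device measurement table
	l := NewLayout([]Field{{"id", 4}, {"name", 16}, {"status", 8}})
	packed, err := l.Pack(map[string][]byte{"id": []byte("0042"), "name": []byte("bay1_ct"), "status": []byte("ok")})
	fmt.Printf("%d-byte row: %q err=%v\n", len(packed), packed, err)
	back, _ := l.Unpack(packed)
	fmt.Printf("name=%q status=%q\n", back["name"], back["status"])
}
```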
In order to improve the security of database access, the server and the client both read the certificate information, which aims to implement mutual certificate information verification between the server and the client.
In order to improve the security of database access, in this embodiment the information M1 generated by the client side is variable, so the server side must first obtain M1 before it can decrypt and parse the user name and password; in other embodiments M1 may be fixed, in which case the step of obtaining M1 is not required.
In this embodiment the SM4 algorithm is used for encryption, the SM2 algorithm for verifying identity information, and the SM3 algorithm for adding an integrity check to the login information sent by the client side and to the database data sent by the server side to the client side.

Claims (9)

1. A database secure network access method, comprising the following steps:
1) the server side reads database information, network information and a user name and password information base; the client side reads the network information;
2) establishing a network link between the server side and the client side according to the network information;
3) the server side obtains the user name and password entered by the client side at login, and judges according to the user name and password information base whether the client side has operation authority;
4) if the client side has operation authority, the server side responds to the database operation request initiated by the client side.
2. The database secure network access method according to claim 1, wherein in step 1) the server side also reads the server private key certificate information and the client public key certificate information, and the client side also reads the client private key certificate information and the server public key certificate information; and in step 2), after the network link is established, the server side and the client side mutually verify the certificate information: if the verification fails, the network link is disconnected; if it passes, step 3) is performed.
3. The method according to claim 1, wherein judging whether the client side has operation authority comprises: looking up and comparing the user name and password in the user name and password information base; if the comparison succeeds, the user is judged to have operation authority, and if it fails, the user is judged to have no operation authority.
4. The database secure network access method according to claim 1, wherein the login user name and password obtained by the server side are encrypted with a key M1, the key M1 being byte information randomly generated by the client side.
5. The database secure network access method according to claim 1, wherein the database operation request initiated by the client side includes a write operation, and the server side returns the execution result to the client side after the write operation is executed.
6. The database secure network access method according to claim 1, wherein the database operation request initiated by the client side includes a read operation, and the server side structures and encrypts the read data before sending it to the client side.
7. The database secure network access method according to claim 6, wherein the structuring method comprises: defining the lengths of all fields of the database table and an array to hold them, serializing the position index of each field, and, when the data of one table field is received, finding the position index corresponding to that field and copying the data to the corresponding array position.
8. The method according to claim 6, wherein the encryption uses the SM4 cryptographic algorithm.
9. The database secure network access method according to claim 1, wherein, before the server side responds in step 4) to the database operation request initiated by the client side, the method further comprises: the client side sends an information request to the server side, the server side sends the database information to the client side, and the client side initializes the database information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911137433.0A CN110971593B (en) 2019-11-19 2019-11-19 Database secure network access method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911137433.0A CN110971593B (en) 2019-11-19 2019-11-19 Database secure network access method

Publications (2)

Publication Number Publication Date
CN110971593A (en) 2020-04-07
CN110971593B (en) 2022-04-08

Family

ID=70030933

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911137433.0A Active CN110971593B (en) 2019-11-19 2019-11-19 Database secure network access method

Country Status (1)

Country Link
CN (1) CN110971593B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101741860A (en) * 2009-11-27 2010-06-16 华中科技大学 Computer remote security control method
US20110055567A1 (en) * 2009-08-28 2011-03-03 Sundaram Ganapathy S Secure Key Management in Multimedia Communication System
CN103001976A (en) * 2012-12-28 2013-03-27 中国科学院计算机网络信息中心 Safe network information transmission method
CN103051618A (en) * 2012-12-19 2013-04-17 北京江南天安科技有限公司 Terminal authentication equipment and network authentication method
CN103428221A (en) * 2013-08-26 2013-12-04 百度在线网络技术(北京)有限公司 Safety logging method, system and device of mobile application
CN108683498A (en) * 2018-05-14 2018-10-19 国网江西省电力有限公司电力科学研究院 A kind of cloud terminal management-control method based on changeable key national secret algorithm

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113542194A (en) * 2020-04-16 2021-10-22 中国联合网络通信集团有限公司 User behavior tracing method, device, equipment and storage medium
CN112468303A (en) * 2020-11-17 2021-03-09 天津南大通用数据技术股份有限公司 Method, device and storage medium for strengthening network communication security of database
CN112491614A (en) * 2020-11-26 2021-03-12 许昌许继软件技术有限公司 Online automatic validation method and system for configuration information of embedded equipment
CN112491614B (en) * 2020-11-26 2023-08-11 许昌许继软件技术有限公司 Configuration information online automatic validation method and system for embedded equipment
CN114760129A (en) * 2022-04-11 2022-07-15 平安国际智慧城市科技股份有限公司 Data access method, device, equipment and storage medium
CN115292332A (en) * 2022-10-09 2022-11-04 北京珞安科技有限责任公司 Firewall operation data storage method, system, storage medium and client

Also Published As

Publication number Publication date
CN110971593B (en) 2022-04-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant