CN110971593A - Database secure network access method - Google Patents
- Publication number: CN110971593A (application CN201911137433.0A)
- Authority: CN (China)
- Prior art keywords: client, server, information, database, user name
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/083 — Network security protocols for authentication of entities using passwords
- G06F21/602 — Protecting data by providing cryptographic facilities or services
- G06F21/6218 — Protecting access to data via a platform (keys or access control rules) for a system of files or objects, e.g. a local or distributed file system or database
- H04L63/0478 — Confidential data exchange where the payload is protected by multiple layers of encryption, e.g. nested tunnels or content encrypted with a first key and then with at least a second key
- H04L63/0823 — Authentication of entities using certificates
- H04L63/0869 — Authentication of entities achieving mutual authentication
- H04L2209/72 — Signcrypting, i.e. digital signing and encrypting simultaneously
- H04L63/045 — Confidential data exchange where the sending and receiving entities apply hybrid encryption, i.e. a combination of symmetric and asymmetric encryption
- H04L9/3247 — Cryptographic mechanisms for verifying the identity or authority of a user, or for message authentication, involving digital signatures
Abstract
The invention relates to a database secure network access method and belongs to the technical field of power system automation. The method comprises the following steps: 1) the server reads the database information, the network information and the user name and password information base, and the client reads the network information; 2) a network link is established between the server and the client according to the network information; 3) the server obtains the user name and password the client enters at login and judges from the user name and password information base whether the client has operation authority; 4) if the client has operation authority, the server responds to the database operation requests initiated by the client. According to the invention, the deployed server reads the database information, a network link is established between the server and the client, and once the client is judged to have operation authority its operation requests to the database can be carried out, so that the client accesses the local database securely.
Description
Technical Field
The invention relates to a database secure network access method, and belongs to the technical field of power system automation.
Background
A large number of embedded devices are deployed in transformer substations; they have the advantages of a small resource footprint, fast data processing and easy deployment. Local databases such as SQLite are widely used on them, but a local database does not support network access, which makes remote maintenance inconvenient. How to access the local database remotely and securely has therefore become a problem that must be solved.
Disclosure of Invention
The invention aims to provide a database secure network access method to solve the problem that, in the prior art, a local database cannot be accessed remotely in a secure way.
To achieve this, the present invention provides a database secure network access method comprising the following steps:
1) the server side reads database information, network information and a user name and password information base; the client reads the network information;
2) establishing a network link between a server and a client according to the network information;
3) the server side obtains a user name and a password input by the client side during login, and judges whether the client side has operation authority or not according to the user name and password information base;
4) and if the client side has the operation authority, the server side responds to a database operation request initiated by the client side.
The beneficial effects are as follows: the deployed server reads the database information, a network link is established between the server and the client, and once the client is judged to have operation authority its operation requests to the database can be carried out, so that the client accesses the local database securely.
Further, the server side in the step 1) also reads the private key certificate information of the server side and the public key certificate information of the client side; the client also reads the private key certificate information of the client and the public key certificate information of the server; step 2) after the network link is established, the server and the client mutually verify certificate information; if the verification is not passed, disconnecting the network link; if the verification is passed, step 3) is performed.
Further, the method for judging whether the client has the operation authority includes: searching and comparing the user name and the password in the user name and password information base, and if the comparison is successful, determining that the user has the operation authority; if the comparison is unsuccessful, the user is judged to have no operation authority.
Further, the user name and the password of the client login acquired by the server are encrypted by using a key M1, wherein the key M1 is byte information randomly generated by the client.
Further, the data operation request initiated by the client includes a write operation, and the server returns an execution result to the client after the write operation is executed.
Further, the data operation request initiated by the client includes a read operation, and the server performs structuring and encryption on the read data and then sends the data to the client.
Further, the structuring method comprises the following steps: defining the length and the array of all fields of a database table, serializing the position index of each field, finding the position index corresponding to the field when receiving data of one table field, and copying the data to the corresponding array position.
Further, the encryption is performed by using the SM4 cryptographic algorithm.
Further, before the client initiates the database operation request that the server responds to in step 4), the method further includes: the client sends an information request to the server, the server sends the database information to the client, and the client initializes the database information.
Drawings
FIG. 1 is a diagram of the database secure network access method in an embodiment of the present invention;
FIG. 2 is a schematic diagram of the structured data in an embodiment of the database secure network access method of the present invention.
Detailed Description
The embodiment of the database secure network access method comprises the following steps:
The server is deployed on the embedded device and the client on the remote network device; by establishing a network link between the client and the server, the remote network device can access the database inside the embedded device.
As shown in FIG. 1, the database secure network access method of this embodiment includes the following steps.
1) The server reads the database information, the TCP network information, the user name and password information base and the certificate information, where the certificate information comprises the server private key certificate and the client public key certificate; the client reads the TCP network information and the certificate information, where the certificate information comprises the client private key certificate and the server public key certificate.
2) A TCP network link is established between the server and the client; after the TCP link is established, the server and the client verify each other's certificates, and the specific verification method is as follows:
the client generates 16-byte information M1, which the server later uses to decrypt the client login information; information M2 is generated by encrypting M1 with the SM4 national cryptographic algorithm under the key MY1;
the client adds a 64-byte digital signature to M2 using its private key certificate, and encrypts M2 and the 64-byte digital signature with the server public key;
the server obtains M2 and the 64-byte digital signature by decrypting with its private key certificate, and verifies the legitimacy of the digital signature with the client public key certificate; if the client identity is found to be illegitimate, the TCP connection is disconnected; if it is found to be legitimate, the server adds a 64-byte digital signature to M2 using its private key certificate, encrypts M2 and the digital signature with the client public key, and stores M2;
the client obtains M2 and the 64-byte digital signature by decrypting with its private key certificate and verifies the digital signature with the server public key certificate; if the server identity is found to be illegitimate, the TCP connection is disconnected; if it is found to be legitimate, the following steps continue.
3) The server obtains the user name and password with which the client logs in, and judges from them whether the client has operation authority.
In this embodiment, the login information the client sends to the server is encrypted with the key M1, so the server must first obtain M1 in order to decrypt it. The server obtains M1 as follows:
the client adds a 64-byte digital signature to the key MY1 using its private key certificate, and encrypts MY1 and the 64-byte digital signature with the server public key;
the server decrypts the received information (the key MY1 and its 64-byte digital signature) with its private key certificate, verifies the digital signature with the client public key certificate, and thereby obtains the key MY1;
the stored information M2 is decrypted with the SM4 algorithm under the key MY1 to obtain the information M1.
After the server has obtained M1 it can decrypt the login information sent by the client, which yields the user name and password, and from these the user's operation authority can be determined. The server determines user authority as follows: the decrypted user name and password are searched for and compared in the user name and password information base; if the comparison succeeds, the user is judged to have operation authority; if it fails, the user is judged to have none.
4) After the client has been judged to have operation authority, the client sends an information request, the server sends the database information to the client, and the client initializes the database information. In this embodiment the purpose of initializing the database information on the client is to obtain the database table structure, in preparation for initializing the database data.
The client sends an access request in the form of an SQL statement to the server; the server first stores and parses the SQL statement and then executes it locally. The server carries out the operation the client requested: if the client initiated a write request, the server returns the execution result; if the client initiated a read request, the data that was read is structured and sent to the client. All data is encrypted with the national cryptographic algorithm before being sent to the network; the client receives the network message, obtains the data only after decrypting it with the national cryptographic algorithm, and recovers the database data by reversing the structuring.
The structuring method in this embodiment is: define the length and the array of all fields of the database table and serialize the position index of each field; when data for one table field is received, find the position index corresponding to that field and copy the data to the corresponding array position; one row of data is read in this way and sent to the client. The structured data is shown in FIG. 2.
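The structuring method just described, as an added Go example that is not the patent's or any product's code: the table definition fixes every field's length, the position index is computed once, and the copy into the record array refuses an unknown field or a value longer than its slot, the two checks that matter when the same copy is done in C on an embedded device. Field, Layout, PackRow and the DeviceTable schema are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
)

// Field is one column of the table: its name and the fixed byte length reserved for it.
type Field struct {
	Name string
	Len  int
}

// Layout is the serialized position index: each field's offset and length inside one
// fixed-size record array, computed once from the table definition.
type Layout struct {
	offset, length map[string]int
	size           int
}

func NewLayout(fields []Field) *Layout {
	l := &Layout{offset: map[string]int{}, length: map[string]int{}}
	for _, f := range fields {
		l.offset[f.Name] = l.size
		l.length[f.Name] = f.Len
		l.size += f.Len
	}
	return l
}

// Put is the server-side step "find the position index of the field and copy the data there".
// An unknown field, a wrongly sized record and a value longer than its slot are rejected
// rather than written past the array, which is the check an embedded C version must not skip.
func (l *Layout) Put(rec []byte, field string, data []byte) error {
	off, ok := l.offset[field]
	if !ok {
		return fmt.Errorf("unknown field %q", field)
	}
	if len(rec) != l.size {
		return fmt.Errorf("record is %d bytes, layout needs %d", len(rec), l.size)
	}
	if len(data) > l.length[field] {
		return fmt.Errorf("field %q: %d bytes exceed its %d-byte slot", field, len(data), l.length[field])
	}
	slot := rec[off : off+l.length[field]]
	for i := range slot {
		slot[i] = 0 // clear any stale bytes before copying the new value
	}
	copy(slot, data)
	return nil
}

// Get is the client-side reversal ("unstructuring"): read one field's slot back. Slots are
// zero-padded, so trailing zero bytes are trimmed; binary fields would need an explicit length.
func (l *Layout) Get(rec []byte, field string) ([]byte, error) {
	off, ok := l.offset[field]
	if !ok || len(rec) != l.size {
		return nil, fmt.Errorf("cannot read field %q", field)
	}
	return bytes.TrimRight(rec[off:off+l.length[field]], "\x00"), nil
}

// PackRow builds one record from field values, the way the server packs one row before
// encrypting it for the network.
func (l *Layout) PackRow(values map[string][]byte) ([]byte, error) {
	rec := make([]byte, l.size)
	for name, v := range values {
		if err := l.Put(rec, name, v); err != nil {
			return nil, err
		}
	}
	return rec, nil
}

// DeviceTable is a constructed sample schema standing in for a substation device table.
var DeviceTable = NewLayout([]Field{{"id", 4}, {"name", 16}, {"status", 1}})
```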
To improve the security of database access, both the server and the client read certificate information, so that the server and the client can verify each other's certificates.
To improve the security of database access, in this embodiment the information M1 generated by the client is variable, and the server must first recover M1 in order to decrypt and parse the user name and password; in other embodiments M1 may be fixed, in which case the step of parsing to obtain M1 is not required.
In this embodiment the SM4 algorithm is used for encryption, the SM2 algorithm for identity verification, and the SM3 algorithm for adding a check value to the login information sent by the client and to the database data sent by the server to the client.
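The exchange of steps 2) and 3) above, played by both sides in one process, as an added Go example that is not part of the patent or of any implementation of it. SM2, SM4 and the certificate handling are replaced by assumed stand-ins from the Go standard library (ECDSA P-256 for the 64-byte signatures, RSA-OAEP for encryption to the peer's public key, AES-128-GCM for SM4), the user name and password base is a constructed map, and RunLogin, sealTo and openFrom are the example's own names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"math/big"
)

// Assumed stand-ins for the patent's national algorithms: RSA-OAEP for "encrypt with the
// peer's public key certificate", ECDSA P-256 for the 64-byte SM2 signature, AES-128-GCM for SM4.

// sealTo appends a 64-byte r||s signature to msg and encrypts msg||sig to the peer's public key.
func sealTo(signer *ecdsa.PrivateKey, peer *rsa.PublicKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	r, s, _ := ecdsa.Sign(rand.Reader, signer, h[:])
	body := append(append(append([]byte{}, msg...), r.FillBytes(make([]byte, 32))...), s.FillBytes(make([]byte, 32))...)
	ct, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, peer, body, nil)
	return ct
}

// openFrom decrypts with our private key and verifies the peer's signature with its public
// certificate; a failure here is the point where the patent disconnects the TCP link.
func openFrom(dec *rsa.PrivateKey, peer *ecdsa.PublicKey, ct []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, dec, ct, nil)
	if err != nil || len(pt) < 64 {
		return nil, errors.New("decrypt failed")
	}
	msg, sig := pt[:len(pt)-64], pt[len(pt)-64:]
	h := sha256.Sum256(msg)
	if !ecdsa.Verify(peer, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("peer certificate check failed: disconnect")
	}
	return msg, nil
}

func aead(key []byte) cipher.AEAD {
	c, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(c)
	return g
}

// RunLogin plays both sides of steps 2 and 3 against a constructed username/password base
// and reports whether the server would grant operation authority.
func RunLogin(userDB map[string]string, user, pass string) (bool, error) {
	cEnc, _ := rsa.GenerateKey(rand.Reader, 2048)              // client encryption key pair
	sEnc, _ := rsa.GenerateKey(rand.Reader, 2048)              // server encryption key pair
	cSig, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // client signing key pair
	sSig, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // server signing key pair
	// Client randomness: M1 (login key), MY1 (key over M1) and two GCM nonces, which in a real
	// exchange travel with the ciphertexts; here both sides share one process.
	buf := make([]byte, 56)
	rand.Read(buf)
	m1, my1, n1, n2 := buf[:16], buf[16:32], buf[32:44], buf[44:]
	m2 := aead(my1).Seal(nil, n1, m1, nil) // M2 = E(MY1, M1); M1 itself never crosses the wire
	// Step 2: M2 goes client -> server and is echoed back; each side verifies the other's signature.
	m2Srv, err := openFrom(sEnc, &cSig.PublicKey, sealTo(cSig, &sEnc.PublicKey, m2))
	if err != nil {
		return false, err
	}
	echo, err := openFrom(cEnc, &sSig.PublicKey, sealTo(sSig, &cEnc.PublicKey, m2Srv))
	if err != nil || !bytes.Equal(echo, m2) {
		return false, errors.New("server identity check failed")
	}
	// Step 3: login goes under M1; MY1 follows signed and sealed, so the server recovers M1 = D(MY1, M2).
	login := aead(m1).Seal(nil, n2, []byte(user+"\x00"+pass), nil)
	my1Srv, err := openFrom(sEnc, &cSig.PublicKey, sealTo(cSig, &sEnc.PublicKey, my1))
	if err != nil {
		return false, err
	}
	m1Srv, err := aead(my1Srv).Open(nil, n1, m2Srv, nil)
	if err != nil {
		return false, errors.New("M1 recovery failed")
	}
	pt, err := aead(m1Srv).Open(nil, n2, login, nil)
	if err != nil {
		return false, errors.New("login decrypt failed")
	}
	u, p, found := bytes.Cut(pt, []byte{0})
	want, ok := userDB[string(u)] // lookup in the username/password base
	return found && ok && subtle.ConstantTimeCompare([]byte(want), p) == 1, nil
}
```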
Claims (9)
1. A method for secure network access to a database, comprising the steps of:
1) the server side reads database information, network information and a user name and password information base; the client reads the network information;
2) establishing a network link between a server and a client according to the network information;
3) the server side obtains a user name and a password input by the client side during login, and judges whether the client side has operation authority or not according to the user name and password information base;
4) and if the client side has the operation authority, the server side responds to a database operation request initiated by the client side.
2. The database secure network access method according to claim 1, wherein in step 1), the server also reads the server private key certificate information and the client public key certificate information; the client also reads the private key certificate information of the client and the public key certificate information of the server; step 2) after the network link is established, the server and the client mutually verify certificate information; if the verification is not passed, disconnecting the network link; if the verification is passed, step 3) is performed.
3. The method of claim 1, wherein the method of determining whether the client has an operation right comprises: searching and comparing the user name and the password in the user name and password information base, and if the comparison is successful, determining that the user has the operation authority; if the comparison is unsuccessful, the user is judged to have no operation authority.
4. The method for accessing the database secure network according to claim 1, wherein the user name and password of the client login acquired by the server are encrypted by using a key M1, and the key M1 is byte information randomly generated by the client.
5. The database secure network access method of claim 1, wherein the data operation request initiated by the client includes a write operation, and the server returns an execution result to the client after the write operation is executed.
6. The database secure network access method of claim 1, wherein the data operation request initiated by the client includes a read operation, and the server structures and encrypts the read data and then sends it to the client.
7. The database secure network access method of claim 6, wherein the structuring method is: defining the length and the array of all fields of a database table, serializing the position index of each field, finding the position index corresponding to the field when receiving data of one table field, and copying the data to the corresponding array position.
8. The method of claim 6, wherein the encryption is performed using the SM4 cryptographic algorithm.
9. The database secure network access method of claim 1, wherein before the client initiates the database operation request that the server responds to in step 4), the method further comprises: the client sends an information request to the server, the server sends the database information to the client, and the client initializes the database information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911137433.0A CN110971593B (en) | 2019-11-19 | 2019-11-19 | Database secure network access method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110971593A true CN110971593A (en) | 2020-04-07 |
CN110971593B CN110971593B (en) | 2022-04-08 |
Family ID: 70030933
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112468303A (en) * | 2020-11-17 | 2021-03-09 | 天津南大通用数据技术股份有限公司 | Method, device and storage medium for strengthening network communication security of database |
CN112491614A (en) * | 2020-11-26 | 2021-03-12 | 许昌许继软件技术有限公司 | Online automatic validation method and system for configuration information of embedded equipment |
CN112491614B (en) * | 2020-11-26 | 2023-08-11 | 许昌许继软件技术有限公司 | Configuration information online automatic validation method and system for embedded equipment |
CN113542194A (en) * | 2020-04-16 | 2021-10-22 | 中国联合网络通信集团有限公司 | User behavior tracing method, device, equipment and storage medium |
CN114760129A (en) * | 2022-04-11 | 2022-07-15 | 平安国际智慧城市科技股份有限公司 | Data access method, device, equipment and storage medium |
CN115292332A (en) * | 2022-10-09 | 2022-11-04 | 北京珞安科技有限责任公司 | Firewall operation data storage method, system, storage medium and client |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101741860A (en) * | 2009-11-27 | 2010-06-16 | 华中科技大学 | Computer remote security control method |
US20110055567A1 (en) * | 2009-08-28 | 2011-03-03 | Sundaram Ganapathy S | Secure Key Management in Multimedia Communication System |
CN103001976A (en) * | 2012-12-28 | 2013-03-27 | 中国科学院计算机网络信息中心 | Safe network information transmission method |
CN103051618A (en) * | 2012-12-19 | 2013-04-17 | 北京江南天安科技有限公司 | Terminal authentication equipment and network authentication method |
CN103428221A (en) * | 2013-08-26 | 2013-12-04 | 百度在线网络技术(北京)有限公司 | Safety logging method, system and device of mobile application |
CN108683498A (en) * | 2018-05-14 | 2018-10-19 | 国网江西省电力有限公司电力科学研究院 | A kind of cloud terminal management-control method based on changeable key national secret algorithm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |