CN111639349B - Data encryption processing method and device and storage medium - Google Patents


Info

Publication number
CN111639349B
Authority
CN
China
Prior art keywords
data
column
sensitive
onion
statement
Legal status
Active
Application number
CN202010404627.9A
Other languages
Chinese (zh)
Other versions
CN111639349A (en
Inventor
苗健
陈泽
卢健
李鹏
范翊
Current Assignee
Highgo Base Software Co ltd
Original Assignee
Highgo Base Software Co ltd
Application filed by Highgo Base Software Co ltd
Priority to CN202010404627.9A
Publication of CN111639349A
Application granted
Publication of CN111639349B
Status: Active

Classifications

    • G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F16/2433 Query languages (under G06F16/242 Query formulation; G06F16/24 Querying; G06F16/20 Information retrieval and database structures for structured data, e.g. relational data)
    • H04L63/0435 Network security protocols for confidential data exchange in which the payload is protected by encryption and the sending and receiving entities apply symmetric encryption, i.e. the same key is used for encryption and decryption (under H04L63/04; H04L63/00 Network architectures or protocols for network security)
    • H04L9/0863 Generation of secret information, including derivation or calculation of cryptographic keys or passwords, involving passwords or one-time passwords (under H04L9/08 Key distribution or management; H04L9/00 Cryptographic mechanisms or arrangements for secret or secure communications)

Abstract

The invention provides a data encryption processing method, a data encryption processing device and a storage medium, which are used to improve the security of data access in a data hosting service. The data encryption processing method comprises the following steps: receiving and parsing an original data table creation statement sent by a client, wherein the original data table creation statement carries a sensitive column identifier and a first data operation type that needs to be supported; generating a key for the corresponding first sensitive column data according to the sensitive column identifier; encrypting the first sensitive column data with the generated key to obtain a corresponding first ciphertext; generating a first onion column for the first sensitive column data according to the first data operation type; and sending a modified data table creation statement, built from the first ciphertext and the first onion column, to a data hosting server.

Description

Data encryption processing method and device and storage medium
Technical Field
The present invention relates to the field of database encryption security technologies, and in particular, to a data encryption processing method, apparatus, and storage medium.
Background
With the development of cloud database technology, data security has received wide attention. Using a third party's data hosting service means that all data must be handed over to and stored by that party, so the risk of data leakage cannot be avoided. For the encryption of data in a database hosting service, transparent encryption at the I/O layer is currently adopted. This scheme encrypts data at the I/O layer when it is written to and read from disk, so that the data files on disk are all ciphertext. It prevents leakage caused by the loss of a disk or the direct theft of data files, but it cannot prevent the data from being obtained through the database server, because data accessed inside the database server is decrypted to plaintext automatically; a database administrator of the third party who is not trusted by the data owner can access the data at will, which is a great risk. How to improve the security of data access in a data hosting service has therefore become one of the technical problems urgently to be solved in the prior art.
Disclosure of Invention
The embodiment of the invention provides a data encryption processing method, a data encryption processing device and a storage medium, which are used for improving the security of data access in data hosting service.
In a first aspect, an embodiment of the present invention provides a data encryption processing method, including:
receiving and analyzing an original data table creating statement, wherein the original data table creating statement carries a sensitive column identifier and a first data operation type required to be supported;
generating a key for the corresponding first sensitive column according to the sensitive column identifier;
encrypting the first sensitive column data by using the generated key to obtain a corresponding first ciphertext;
generating a first onion column for a first sensitive column according to the first data operation type;
and sending the reconstructed data table creation statement to a data hosting server according to the first ciphertext and the first onion column.
In one embodiment, generating a first onion column for a first sensitive column according to the first data operation type required to be supported includes:
determining the operation levels of the first onion column according to the first data operation type required to be supported;
for each operation level of the first onion column, generating a key corresponding to that operation level; and
according to the operation levels of the first onion column, encrypting the first sensitive column with the key corresponding to each operation level in turn to obtain the first onion column.
In an implementation manner, the data encryption processing method provided in the embodiment of the present invention further includes:
receiving an original data query statement, wherein the original data query statement carries a second data operation type for a data table;
if the data table contains a second sensitive column and the data table operation involves an operation on the second sensitive column data, judging whether the data table operation supports the second data operation type;
if the data table operation supports the second data operation type, an onion operation level adjustment command is sent to a data hosting server according to an operation level corresponding to the second data operation type, so that an onion column is adjusted to an operable level corresponding to the second data operation type;
encrypting second sensitive column data contained in the original data query statement by using the stored onion column key to obtain a modified data query statement, and sending the modified data query statement to the data hosting server;
receiving first screening data which are returned by the data hosting server aiming at the modified data query statement and meet the condition;
and decrypting the second sensitive column data contained in the first screening data by using the key corresponding to the second sensitive column and then sending the second sensitive column data to the requester.
In one embodiment, if the second data operation type is not supported by a data table operation, the method further comprises:
splitting clauses which do not relate to a second sensitive column data operation from the original data query statement and sending the clauses to the data hosting server;
receiving second screening data which are returned by the data hosting server aiming at the clauses and meet the conditions;
and for the second screening data, decrypting the second sensitive column by using a key corresponding to the second sensitive column, executing a clause related to the data operation of the second sensitive column to obtain third screening data meeting the condition, and sending the third screening data to the requester.
In a second aspect, the present invention further provides a data encryption processing apparatus, including:
the system comprises a first receiving unit, a first processing unit and a second receiving unit, wherein the first receiving unit is used for receiving and analyzing an original data table creating statement, and the original data table creating statement carries a sensitive column identifier and a first data operation type required to be supported;
the key generation unit is used for generating a key aiming at the corresponding first sensitive column according to the sensitive column identification;
the encryption unit is used for encrypting the first sensitive column data by using the generated key to obtain a corresponding first ciphertext;
the onion column generating unit is used for generating a first onion column aiming at a first sensitive column according to the first data operation type;
and the sending unit is used for sending the modified data table creation statement to the data hosting server according to the first ciphertext and the first onion column.
In an embodiment, the onion column generating unit is specifically configured to determine the operation levels of the first onion column according to the first data operation type to be supported; to generate, for each operation level of the first onion column, a key corresponding to that operation level; and to encrypt the first sensitive column with the key corresponding to each operation level, according to the operation levels of the first onion column, so as to obtain the first onion column.
In one implementation manner, the data encryption processing apparatus provided by the embodiment of the present invention further includes a determining unit, an encrypting unit, a second receiving unit, and a decrypting unit, where:
the first receiving unit is further configured to receive an original data query statement, where the original data query statement carries a second data operation type for a data table;
the judging unit is used for judging whether the data table operation supports the second data operation type or not if the data table contains a second sensitive column and the data table operation relates to the second sensitive column data operation;
the sending unit is further configured to send an onion operation level adjustment command to a data hosting server according to an operation level corresponding to the second data operation type if the data table operation supports the second data operation type, so as to adjust an onion column to an operable level corresponding to the second data operation type; decrypting second sensitive column data contained in the first screening data by using a key corresponding to the second sensitive column and then sending the second sensitive column data to a requester;
the encryption unit is further configured to encrypt the second sensitive column data contained in the original data query statement with the stored onion column key to obtain a modified data query statement, and to send the modified data query statement to the data hosting server;
and the second receiving unit is used for receiving the first screening data which is returned by the data hosting server aiming at the modified data query statement and meets the condition.
In an implementation manner, the data encryption processing apparatus provided in the embodiment of the present invention further includes a splitting unit, where:
the splitting unit is configured to split a clause that does not involve a second sensitive column data operation from the original data query statement and send the clause to the data hosting server;
the second receiving unit is further configured to receive second filtering data that satisfies the condition and is returned by the data hosting server for the clause;
the sending unit is further configured to decrypt the second sensitive column with the key corresponding to the second sensitive column for the second filtered data, execute a clause related to data operation of the second sensitive column, and send third filtered data that meets the condition to the requester.
In a third aspect, an embodiment of the present invention provides a computing apparatus, including: a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing the steps of the method of any one of the above.
In a fourth aspect, an embodiment of the present invention provides a computer storage medium having a computer program stored thereon, where the computer program is executed by a processor to implement the steps of any one of the above methods.
By adopting the technical scheme, the invention at least has the following advantages:
With the data encryption processing method, data encryption processing device and storage medium of the invention, a sensitive data column that the user needs to protect strictly is encrypted with an encryption algorithm before it is stored; onion columns that can support different data operation types are created for the sensitive columns and encrypted at different operation levels; and the data table creation statement sent to the data hosting server is built from the encrypted sensitive column ciphertext and the onion columns corresponding to it. The data stored in the data hosting server is therefore the ciphertext of the sensitive columns, which improves the security of data access in the data hosting service.
Drawings
FIG. 1 is a schematic diagram of an application scenario according to an embodiment of the present invention;
FIG. 2 is a flow chart of a data encryption processing method according to an embodiment of the present invention;
FIG. 3 is a flow chart of a data insertion method according to an embodiment of the present invention;
FIG. 4 is a flow chart illustrating a data query method according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a data encryption processing apparatus according to an embodiment of the present invention.
Detailed Description
To further explain the technical means and effects of the present invention adopted to achieve the intended purpose, the present invention will be described in detail with reference to the accompanying drawings and preferred embodiments.
It should be noted that the terms "first", "second", and the like in the description and the claims of the embodiments of the present invention and in the drawings described above are used for distinguishing similar objects and not necessarily for describing a particular order or sequence. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein.
Reference herein to "a plurality or a number" means two or more. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
In the embodiment of the invention, in order to improve the security of the data scheme in the data hosting service, a proxy server is deployed on the user side and connected to the data hosting server. The data encryption processing method provided by the embodiment of the invention can be applied to the proxy server. Fig. 1 is a schematic view of the application scenario of the data encryption processing method according to the embodiment of the invention. The user accesses the proxy server through the client, and the proxy server accesses the data hosting server. With the data encryption processing method provided by the embodiment of the invention, the user does not perceive the operation of the proxy server and can execute SQL (structured query language) insert, delete, update and select statements as usual; the proxy server is responsible for generating and storing the keys, for rewriting the SQL statements with encrypted values and for decrypting the returned data, and the sensitive column data stored in the data hosting server is ciphertext at all times.
As shown in fig. 2, which is a schematic diagram of an implementation flow of a data encryption processing method according to an embodiment of the present invention, the method includes the following steps:
and S21, receiving and analyzing the original data table creating statement sent by the client.
In specific implementation, when a user needs to create a data table in a data hosting server, a table creating statement is constructed, and an original data table creating statement is sent to a proxy server through a client, wherein the original data table creating statement carries a sensitive column identifier and a first data operation type which needs to be supported. The proxy server parses the received original data table creation statement.
For example, the user sends the table creation statement "CREATE TABLE students (name text, score integer, score support order)" through the client. In this statement the user designates score as a sensitive column and also specifies the operation type that the created data table needs to support: here the clause "score support order" states that the score column must support an ordering operation. The proxy server receives and parses the statement and determines that score is a sensitive column.
S22, generating a key for the corresponding first sensitive column data according to the sensitive column identifier.
In this step, the proxy server generates a key for the sensitive column, which continues the above example, that is, the proxy server generates a key for the "score" column.
It should be noted that, in practical implementation, the sensitive columns may include at least one column, that is, a user may designate several columns as the sensitive columns according to actual needs.
S23, encrypting the first sensitive column data with the generated key to obtain a corresponding first ciphertext.
In this step, the proxy server encrypts the first sensitive column data by using the generated key to obtain a corresponding first ciphertext.
Continuing with the above example, where the proxy server uses the generated key to encrypt the score column using an encryption algorithm, in particular, the proxy server may use AES (advanced encryption standard) or other symmetric encryption algorithm to encrypt the score column data.
S24, generating a first onion column for the first sensitive column data according to the first data operation type.
In specific implementation, the proxy server determines the operation level of the first onion column according to the first data operation type required to be supported; aiming at each operation level of the first onion column, respectively generating a key corresponding to the operation level; and according to the operation levels of the first onion column, the first sensitive column is encrypted by using the key corresponding to each operation level respectively to obtain the first onion column.
Continuing the above example, after parsing the original data table creation statement, the proxy server first generates a key for the original score column and encrypts the score column data using a symmetric encryption algorithm such as AES, and then adds a new onion column, whose name may be formed, as in the example, from the original column name plus the supported operation, such as score_order. It then generates a key for each operation level of the onion. In specific implementation the operation levels of the onion can be divided in multiple ways; the design of the onion column follows the principle that the innermost layer is plaintext and each outer layer has a smaller operable range than the layer inside it, and the outermost layer may be non-homomorphic symmetric encryption, which improves the security of a sensitive column while no operation is being performed on it. For example, in one embodiment the levels may be, from low to high: plaintext, ciphertext that supports cross-column comparison, ciphertext that supports comparison within the column only, and ciphertext on which no comparison operation is possible.
The onion column operation level information and the corresponding key are stored in the proxy server and are used in the subsequent data reading process.
S25, sending the modified data table creation statement to the data hosting server according to the first ciphertext and the first onion column.
In this step, the proxy server rewrites the original data table creation statement according to the first ciphertext and the first onion column to obtain the modified data table creation statement.
For example, the original data table creation statement "CREATE TABLE students (name text, score integer, score support order)" in the above example is rewritten into the modified statement "CREATE TABLE students (name text, score integer, score_order integer)" and sent to the data hosting server, which creates the data table according to the modified statement it receives.
In the above process, the key points of rewriting the table creation statement are the way the sensitive column and the operation types to be supported are specified, and the rule by which the proxy server constructs the onion column. In the above example, by adding the clause "score support order" to the table creation statement, the user indicates that score is a sensitive column and must support a sorting operation, that is, the created data table needs to support a size comparison operation on ciphertext.
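The rewriting of the table creation statement in steps S21 to S25 can be made concrete with the following added example. It is not code from the patent or from Highgo; the statement format "<column> support <operation>", the table and column names, the onion layer names ope_cross, ope_local and rnd (one per ciphertext level of the four-level onion described above, innermost first) and the keystore layout are this example's own assumptions. One practitioner's caveat it makes explicit: an AES or SM4 ciphertext does not fit the original integer type, so the example stores the sensitive column and its onion column as binary columns rather than keeping "integer" as the page's rewritten statement does.

```python
import re
import secrets

# Constructed example statement, not the page's own test data.
ORIGINAL_CREATE = "CREATE TABLE students (name text, score integer, score support order)"

# Onion layers per supported operation type, innermost first, following the page's
# layering principle (inner layers allow more operations, outer layers fewer).
# The layer names are this example's own; only the 'order' type appears on the page.
ONION_LAYERS = {"order": ["ope_cross", "ope_local", "rnd"]}


def parse_create(stmt):
    """Split a CREATE TABLE into plain column definitions and '<col> support <op>' clauses."""
    m = re.fullmatch(r"\s*CREATE\s+TABLE\s+(\w+)\s*\((.*)\)\s*;?\s*", stmt, re.I | re.S)
    if not m:
        raise ValueError("not a CREATE TABLE statement")
    table, body = m.group(1), m.group(2)
    columns, sensitive = [], {}          # sensitive: column -> set of operation types
    for item in (p.strip() for p in body.split(",") if p.strip()):
        parts = item.split()
        if len(parts) == 3 and parts[1].lower() == "support":
            sensitive.setdefault(parts[0], set()).add(parts[2].lower())
        elif len(parts) == 2:
            columns.append((parts[0], parts[1].lower()))
        else:
            raise ValueError(f"unsupported column definition: {item!r}")
    unknown = set(sensitive) - {c for c, _ in columns}
    if unknown:
        raise ValueError(f"'support' clause for undefined column(s): {sorted(unknown)}")
    return table, columns, sensitive


def rewrite_create(stmt, keystore):
    """Return the statement to send to the hosting server and record the per-column
    keys and onion metadata in keystore, which stays on the proxy and is never sent."""
    table, columns, sensitive = parse_create(stmt)
    defs = []
    for name, ctype in columns:
        if name not in sensitive:
            defs.append(f"{name} {ctype}")       # non-sensitive column: stored in plaintext
            continue
        # One data key per sensitive column for the AES/SM4-style encryption of the value.
        keystore[(table, name)] = {"kind": "column", "orig_type": ctype,
                                   "key": secrets.token_bytes(16)}
        # A block-cipher ciphertext no longer fits the original integer type, so the
        # stored column becomes a binary column (the page's example keeps 'integer').
        defs.append(f"{name} bytea")
        for op in sorted(sensitive[name]):
            if op not in ONION_LAYERS:
                raise ValueError(f"no onion defined for operation type {op!r}")
            onion, layers = f"{name}_{op}", ONION_LAYERS[op]
            keystore[(table, onion)] = {
                "kind": "onion", "source": name, "layers": layers,
                "keys": {layer: secrets.token_bytes(16) for layer in layers},
                "level": layers[-1],             # stored fully wrapped: outermost layer on top
            }
            defs.append(f"{onion} bytea")
    return f"CREATE TABLE {table} ({', '.join(defs)})"


if __name__ == "__main__":
    ks = {}
    print(rewrite_create(ORIGINAL_CREATE, ks))
    print(sorted(ks))
```

The parser rejects a "support" clause for a column that is not defined and an operation type for which no onion layering is known, which is the check a proxy needs before it silently sends an unprotected table to the hosting server.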
As shown in fig. 3, it is a schematic flow chart of inserting data in the created data table, and includes the following steps:
and S31, the proxy server receives the original data insertion statement sent by the client.
For example, when the user needs to insert data into the created data table, the original data insertion statement "INSERT INTO students (name, score) VALUES ('Alice', 92), ('Bob', 87)" is sent to the proxy server through the client.
S32, the proxy server analyzes the received original data insertion statement.
In specific implementation, the proxy server parses the received original data insertion statement, finds through analysis that score is a sensitive column with an attached onion column score_order, and first encrypts the values 92 and 87 with the key of the sensitive column using the encryption algorithm.
S33, the proxy server generates the onion column corresponding to the sensitive column according to the operation level information of the onion column.
In this step, the proxy server may use a semi-homomorphic algorithm supporting sorting, and encrypt the data of the score column for multiple times by using the key corresponding to each operation level according to the operation level information of the onion column, to obtain the onion column corresponding to the score column.
S34, the proxy server rewrites the original data insertion statement according to the ciphertext corresponding to the sensitive column and the onion column to obtain the modified data insertion statement.
In specific implementation, the proxy server replaces the plaintext data of the score column with the ciphertext obtained in step S32 and adds the onion column data, obtaining a modified data insertion statement such as "INSERT INTO students (name, score, score_order) VALUES ('Alice', <score ciphertext>, <onion ciphertext>), ('Bob', <score ciphertext>, <onion ciphertext>)", where the angle-bracket placeholders stand for the encrypted values.
S35, the proxy server sends the modified data insertion statement to the data hosting server.
In this step, the proxy server sends the modified data insertion statement to the data hosting server, and the data hosting server inserts corresponding data into the data table according to the received modified data insertion statement.
In the above data encryption processing method, a sensitive data column that the user needs to protect strictly is encrypted with a symmetric encryption algorithm such as AES or SM4 before it is stored; its key is generated and kept by the proxy server. Non-sensitive information can be stored and used in plaintext as usual. In specific implementation, the user specifies the common operation types of the sensitive column, an onion column is created for the sensitive column, and the encryption algorithms and keys of the onion column are generated by the proxy server. The onion column uses multi-level encryption: the higher the level, the higher the security, but the smaller the operable range. The proxy server generates the specific onion layer adjustment functions and creates them in the hosted database server. When a specific operation is to be carried out on the onion column, it is executed directly if the current level already permits it; if the current level does not permit it, the proxy server sends the statement and parameters to the data hosting server and calls the onion adjustment function to adjust the onion column to the appropriate operation level, after which the operation is executed. Before data is written to a sensitive column, the proxy server encrypts the sensitive column with the symmetric encryption algorithm, encrypts the onion column to the corresponding level with the corresponding algorithms, and stores them together. When the client sends an SQL statement, the proxy server parses it, rewrites it and then sends it to the hosted database server. For DDL (data definition language) statements, only the table creation statement needs to be rewritten according to the sensitive columns specified by the user before being sent to the data hosting server.
For DML (data manipulation language) statements, in addition to the above checks of the onion level and the operation type, the execution of conditional clauses must be analysed with particular care.
Based on the created data table and the inserted data, the embodiment of the invention also provides a processing method for any data table operation containing encrypted data.
As shown in fig. 4, which is a schematic diagram of a data query flow provided by an embodiment of the present invention, the data query flow includes the following steps:
and S41, the proxy server receives the original data query statement sent by the client.
In specific implementation, when a user needs to query data in a data table, an original data query statement is sent to the proxy server through the client, and the original data query statement carries a second data operation type aiming at any data table.
For example, the user sends the original data query statement "SELECT name," score FROM students WHERE name ═ Bob' AND secret <90 "to the proxy server through the client.
S42, the proxy server analyzes the received original data query statement.
S43, the proxy server determines whether any data table contains the second sensitive column data, if yes, step S44 is executed, otherwise, step S413 is executed.
S44, the proxy server judges whether the current data table operation relates to the second sensitive column data operation, if so, the step S45 is executed, otherwise, the step S413 is executed.
S45, judging whether the current data table operation supports the second data operation type, if so, executing the step S46, otherwise, executing the step S410.
Continuing the above example, in step S42 the proxy server parses the received original data query statement and finds that it involves the sensitive column score, whose onion column supports the ciphertext ordering operation, and that the data table operation contained in the statement is a size comparison (score < 90); the operation in the received query statement is therefore a ciphertext operation type supported by the data table.
In another embodiment, the original data query statement received by the proxy server is "SELECT name, score FROM students WHERE name = 'Bob' AND score = 90". The proxy server parses it and finds that the statement involves the sensitive column score, whose onion column supports the ciphertext ordering operation, but that the data table operation contained in the statement is an equality test; the operation is therefore a ciphertext operation type not supported by the data table.
And S46, sending an onion operation level adjustment command to the data hosting server according to the operation level corresponding to the second data operation type, so as to adjust the onion column to the operable level corresponding to the second data operation type.
If the data table operation is an operation type supported by the data table, an onion operation level adjustment command is generated from the onion column operation level information stored for the data table and the key corresponding to each operation level, and sent to the data hosting server, which adjusts the onion column to the operable level corresponding to the second data operation type. In this example, the onion of the score column is adjusted to the operation level that supports ordering comparison.
Take an onion column with three operation levels as an example. Consistent with the design principle that an outer layer is less operable than the layer inside it, the layers are, from outside to inside: ciphertext on which no comparison is possible (first level), ciphertext supporting comparison within the local column (second level) and ciphertext supporting cross-column comparison (third level). In a specific implementation the proxy server determines from the original data query statement that the operation requires ciphertext supporting local-column comparison, that is, ciphertext operation at the second operation level; it therefore generates an onion column operation level adjustment command carrying the key of the first operation level (the key of the outer, non-comparable layer) and sends it to the data hosting server. The data hosting server executes the received command, strips the first layer, and the onion column becomes operable at the second operation level. Only the key of the layer being removed needs to be carried in the command; the keys of the remaining inner layers, and the key of the sensitive column's own ciphertext, stay at the proxy server.
And S47, encrypting second sensitive column data contained in the original data query statement by using the stored onion column key to obtain a modified data query statement, and sending the modified data query statement to the data hosting server.
In this step the proxy server encrypts the second sensitive column data contained in the original data query statement with the keys of the second and third operation levels of the onion column, producing the modified data query statement. In this example the proxy server encrypts the constant 90 from the condition score < 90 into comparable ciphertext form and rewrites the query statement as "SELECT name, score FROM students WHERE name = 'Bob' AND score_order < <ciphertext of 90>", where score_order denotes the onion column attached to the sensitive column score, and sends it to the data hosting server. The sensitive column itself is still selected in its own ciphertext form; the onion column only serves as the filter condition.
And S48, the proxy server receives the first screening data which is returned by the data hosting server aiming at the modified data query statement and meets the condition.
In specific implementation, the data hosting server executes the received modified data query statement to screen out first screening data meeting the conditions from the data table and sends the first screening data to the proxy server.
It should be noted that in a specific implementation the first screening data returned by the data hosting server to the proxy server may be the sensitive column ciphertext of the rows satisfying the condition. That is, in the embodiment of the present invention the onion column serves as the query condition, and what is returned is the ciphertext of the sensitive column for the rows that satisfy it, rather than the onion column values themselves. Of course, in a specific implementation the onion column values of the rows satisfying the condition may also be returned; this is not limited in the embodiment of the present invention.
And S49, decrypting the second sensitive column data contained in the first screening data by using the key corresponding to the second sensitive column, and sending the decrypted second sensitive column data to the requester, and ending the process.
In this step, the proxy server decrypts the second sensitive column data included in the first screening data by using the key corresponding to the second sensitive column stored in the proxy server, and then sends the decrypted second sensitive column data to the user.
And S410, splitting clauses which do not relate to the second sensitive column data operation from the original data query statement and sending the clauses to the data hosting server.
In this step the proxy server splits the received original data query statement, separates out the clauses that do not involve the second sensitive column, and sends them to the data hosting server. In this example the proxy server separates out the clause "SELECT name, score FROM students WHERE name = 'Bob'" and sends it to the data hosting server; the condition score = 90 is retained at the proxy server for evaluation after decryption.
And S411, receiving second screening data which are returned by the data hosting server aiming at the clauses and meet the conditions.
In specific implementation, after receiving the query clause sent by the proxy server, the data hosting server queries the second screening data meeting the condition in the data table and returns the second screening data to the proxy server. The second screening data comprises sensitive data ciphertext.
And S412, for the second screening data, decrypting the second sensitive column by using the key corresponding to the second sensitive column, executing a clause related to data operation of the second sensitive column to obtain third screening data meeting the condition, and sending the third screening data to the requester, wherein the process is ended.
In this step the proxy server decrypts the sensitive column ciphertext contained in the second screening data using the key corresponding to the sensitive column stored at the proxy server, then executes the query clause of the original data query statement that involves the sensitive column operation; that is, it uses this clause to further filter the decrypted second screening data, obtains the third screening data, and sends the third screening data to the user.
And S413, sending the original data query statement to a data hosting server.
The data hosting server executes the received original data query sentence to obtain corresponding screening data, and then the screening data are returned to the proxy server and returned to the user by the proxy server.
In this process, if the data query statement does not refer to any sensitive column, the SQL statement is sent to the hosting database server unchanged. If the statement refers to a sensitive column and the data table supports the corresponding operation type, the proxy server rewrites the statement and the corresponding operation is performed on encrypted data at the data hosting server. If a request consists of several statements, the proxy server separates those that can be sent directly from those that must be rewritten, and rewrites only the latter. If the statement refers to a sensitive column but the data table does not support the corresponding operation type, the proxy server separates out the part that can be executed directly and sends it to the data hosting server; the sensitive column is retrieved to the proxy server in full for every row matched by the server-side part, decrypted there, and the remaining condition is then evaluated by the proxy server.
In embodiments of the invention a trigger may also be set, or the onion column updated manually, to re-encrypt it back to the highest security level; the key of that level is regenerated by the proxy server.
According to the data encryption processing method provided by the embodiment of the invention, a data table must first be created: the user constructs a table creation statement that identifies the sensitive column and the operation types it must support. The proxy server receives this standardized table creation statement from the user's client and parses it; it generates a key for the sensitive column and, according to the required operation types, the corresponding onion column and its keys, and all of this information is stored at the proxy server. The onion column follows the principle that the innermost layer is the plaintext and each outer layer is less operable than the layer inside it, with the outermost layer being non-homomorphic symmetric encryption, which improves security while the sensitive column is not being operated on. After the data table has been created, a user writing data into it need not pay any attention to the special nature of the sensitive column or the onion column and simply inserts data in the normal way. After receiving new data, the proxy server first determines whether the target column being written is a sensitive column; if so, it obtains the column's encryption algorithm and key together with the onion column and its algorithm keys, computes the transformed ciphertext values for the sensitive column and the attached onion column, rewrites the standardized insert statement accordingly and sends it to the data hosting server. The data hosting server executes the standardized statement received from the proxy server as it is, without further changes.
According to the data encryption processing method provided by the embodiment of the invention, for a database hosting service scenario that contains sensitive data, a proxy server is introduced that modifies the data table structure and the data query statements of the database, so that the computing resources of the hosting server can be fully used without the hosting server side ever decrypting, and without affecting database operation. For query operations that support homomorphic computation, the proxy server rewrites the query statement (adjusting the onion operation level first if necessary), the hosting database server computes the final result directly and returns the result data, and the proxy server decrypts the result and returns it to the client. For query operations that do not yet support homomorphic computation, the proxy server rewrites the query statement by separating out the clauses that involve the sensitive column operation; the hosting server executes the part of the query unrelated to the sensitive column, and after it returns the result the proxy server decrypts the sensitive column and then performs the operation on the sensitive column itself. Throughout this process the sensitive column never needs to be decrypted at the hosting server side, the hosting server's computing resources are used as far as possible, and queries for which homomorphic operation is not yet supported are served by the proxy server's statement splitting, so that all database operations are covered.
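The whole round trip described in steps S41 to S413, together with the table creation and insert path summarized in the preceding paragraph and the re-encryption trigger mentioned above, as an added example that is not the patent's or Highgo's code. It models the proxy server and the data hosting server as two Python classes with stand-in cryptography from the standard library: HMAC-SHA256 as a PRF, a random XOR mask for the non-comparable layers, and keyed monotone affine maps standing in for the comparable layers (a toy, not secure order-preserving encryption). The class and function names, the column suffixes `_ct` (sensitive column ciphertext) and `_order` (onion column), the `(column, operator, constant)` predicate form, the sample table `students` with columns `name`, `score` and `bonus`, and the three-level key layout with a shared innermost key are all assumptions made for this example; cross-column ("join") predicates are not routed through `query()`.

```python
# Added example, not the patent's or Highgo's code: a toy proxy / hosting-server model of the
# onion scheme.  Stand-in crypto only (HMAC-SHA256 as PRF, random XOR mask for non-comparable
# layers, keyed monotone affine maps for comparable layers: NOT secure order-preserving
# encryption).  The _ct/_order suffixes, predicate form and key layout are assumptions.
import hashlib, hmac, operator, secrets

OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq}
# Levels as in the text: 1 = outermost, non-comparable; 2 = comparison within the column;
# 3 = innermost, under a key shared across columns so cross-column comparison works.
LEVEL_OPS = {1: set(), 2: {"<", ">"}, 3: {"<", ">", "join"}}

def prf(key, data):
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest()[:8], "big")
def rnd_enc(key, v):                      # randomised layer (level 1 and the _ct column)
    nonce = secrets.token_bytes(8)
    return (nonce, v ^ prf(key, nonce))
def rnd_dec(key, ct):
    return ct[1] ^ prf(key, ct[0])
def _ab(key):                             # toy order-preserving map c = a*x + b, a > 0
    return 2 + prf(key, b"a") % 1000, prf(key, b"b") % 10**6
def ope_enc(key, x):
    a, b = _ab(key)
    return a * x + b
def ope_dec(key, c):
    a, b = _ab(key)
    q, r = divmod(c - b, a)
    assert r == 0, "wrong key or wrong onion level"
    return q

def wrap(keys, c, lvl):                   # add layer lvl on top of c
    return rnd_enc(keys[1], c) if lvl == 1 else ope_enc(keys[lvl], c)
def onion_wrap(keys, x, outer=1):         # plaintext -> ciphertext carrying layers 3 .. outer
    for lvl in [l for l in (3, 2, 1) if l >= outer]:
        x = wrap(keys, x, lvl)
    return x
def level_for(op):                        # shallowest level able to serve op; None if none
    return next((l for l in (1, 2, 3) if op in LEVEL_OPS[l]), None)

class HostingServer:                      # holds ciphertext only; layer keys arrive per command
    def __init__(self):
        self.tables, self.levels = {}, {}
    def create_table(self, table, onion_cols):
        self.tables[table] = []
        self.levels.update({(table, c): 1 for c in onion_cols})    # every onion starts outermost
    def insert(self, table, row):
        self.tables[table].append(dict(row))
    def adjust_level(self, table, col, target, outer_keys):        # S46: peel down to target
        cur = self.levels[(table, col)]
        for r in self.tables[table]:
            for lvl in range(cur, target):
                r[col] = rnd_dec(outer_keys[1], r[col]) if lvl == 1 else ope_dec(outer_keys[lvl], r[col])
        self.levels[(table, col)] = max(cur, target)               # never re-adds layers here
        return self.levels[(table, col)]
    def reseal(self, table, col, keys):                            # trigger / manual: back to level 1
        for r in self.tables[table]:
            for lvl in range(self.levels[(table, col)] - 1, 0, -1):
                r[col] = wrap(keys, r[col], lvl)
        self.levels[(table, col)] = 1
    def execute(self, table, where):                               # evaluates on stored values
        return [dict(r) for r in self.tables[table] if all(OPS[o](r[c], k) for c, o, k in where)]

class Proxy:
    def __init__(self, server):
        self.server, self.meta, self.group_key = server, {}, secrets.token_bytes(16)
    def create_table(self, table, sensitive):     # sensitive: {column: ops the column must support}
        for col, ops in sensitive.items():        # keys for the ciphertext column and each onion layer
            self.meta[(table, col)] = {"ops": set(ops), "ct_key": secrets.token_bytes(16),
                "onion": {1: secrets.token_bytes(16), 2: secrets.token_bytes(16), 3: self.group_key}}
        self.server.create_table(table, [c + "_order" for c in sensitive])
    def insert(self, table, row):                 # the client inserts plaintext as usual
        out = {}
        for col, val in row.items():
            m = self.meta.get((table, col))
            if m is None: out[col] = val          # non-sensitive column passes through
            else: out[col + "_ct"], out[col + "_order"] = rnd_enc(m["ct_key"], val), onion_wrap(m["onion"], val)
        self.server.insert(table, out)
        return out
    def _decrypt(self, table, row, cols):         # sensitive values come from the _ct column
        return {c: row[c] if (table, c) not in self.meta
                else rnd_dec(self.meta[(table, c)]["ct_key"], row[c + "_ct"]) for c in cols}
    def query(self, table, select, where):        # where: [(column, op, constant)]
        plain = [p for p in where if (table, p[0]) not in self.meta]
        sens = [p for p in where if (table, p[0]) in self.meta]
        if all(o in self.meta[(table, c)]["ops"] and level_for(o) for c, o, _ in sens):
            rewritten = list(plain)               # S46-S49: the server filters on ciphertext
            for col, op, const in sens:
                keys, lvl = self.meta[(table, col)]["onion"], level_for(op)
                lvl = self.server.adjust_level(table, col + "_order", lvl, {l: keys[l] for l in range(1, lvl)})
                rewritten.append((col + "_order", op, onion_wrap(keys, const, outer=lvl)))
            return [self._decrypt(table, r, select) for r in self.server.execute(table, rewritten)]
        needed = list(dict.fromkeys(select + [p[0] for p in sens]))   # S410-S412: split; filter here
        rows = (self._decrypt(table, r, needed) for r in self.server.execute(table, plain))
        return [{c: d[c] for c in select} for d in rows if all(OPS[o](d[c], k) for c, o, k in sens)]
    def reseal(self, table, col):                 # fresh outermost key, then back to level 1
        keys = self.meta[(table, col)]["onion"]
        keys[1] = secrets.token_bytes(16)
        self.server.reseal(table, col + "_order", keys)
```

With `Proxy.create_table("students", {"score": {"<", ">"}})`, a query carrying the predicate `("score", "<", 90)` follows the supported path: the server receives only the level-1 key, peels that layer from `score_order` in place, compares the stored values against the constant 90 wrapped with the level-3 and level-2 keys, and returns the matching rows' `score_ct`, which the proxy decrypts. A predicate `("score", "=", 95)` is not among the column's declared operations, so only the `name` predicate goes to the server and the proxy decrypts and filters the returned rows itself. Two points a practitioner should notice: `adjust_level` is a per-column, persistent change, so after the first ordering query the server can compare every value in that column until `reseal` re-wraps it with a fresh outermost key; and the server-side filter in the split path returns every row matched by the non-sensitive clauses, which is the cost of an unsupported operation type described in the text.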
Based on the same technical concept, an embodiment of the present invention further provides a data encryption processing apparatus, as shown in fig. 5, including:
a first receiving unit 51, configured to receive and analyze an original data table creation statement, where the original data table creation statement carries a sensitive column identifier and a first data operation type that needs to be supported;
a key generating unit 52, configured to generate a key for a corresponding first sensitive column according to the sensitive column identifier;
the encrypting unit 53 is configured to encrypt the first sensitive column data by using the generated key to obtain a corresponding first ciphertext;
an onion column generating unit 54, configured to generate a first onion column for the first sensitive column according to the first data operation type;
and a sending unit 55, configured to send the modified data table creation statement to the data hosting server according to the first ciphertext and the first onion column.
In an embodiment, the onion column generation unit is specifically configured to determine an operation level of a first onion column according to the first data operation type that needs to be supported; aiming at each operation level of the first onion column, respectively generating a key corresponding to the operation level; and according to the operation levels of the first onion column, the first sensitive column is encrypted by using the key corresponding to each operation level respectively to obtain the first onion column.
In one implementation manner, the data encryption processing apparatus provided by the embodiment of the present invention further includes a determining unit, an encrypting unit, a second receiving unit, and a decrypting unit, where:
the first receiving unit is further configured to receive an original data query statement, where the original data query statement carries a second data operation type for a data table;
the judging unit is used for judging whether the data table operation supports the second data operation type or not if the data table contains a second sensitive column and the data table operation relates to the second sensitive column data operation;
the sending unit is further configured to send an onion operation level adjustment command to the data hosting server according to the operation level corresponding to the second data operation type if the data table operation supports the second data operation type, so as to adjust an onion column to the operable level corresponding to the second data operation type; decrypting second sensitive column data contained in the first screening data by using a key corresponding to the second sensitive column and then sending the second sensitive column data to a requester;
the encryption unit is used for encrypting second sensitive column data contained in the original data query statement by using the stored onion column key to obtain a modified data query statement and sending the modified data query statement to the data hosting server;
and a second receiving unit, configured to receive the first screening data that meets the condition and is returned by the data hosting server for the modified data query statement.
In an implementation manner, the data encryption processing apparatus provided in the embodiment of the present invention further includes a splitting unit, where:
the splitting unit is configured to split a clause that does not involve a second sensitive column data operation from the original data query statement and send the clause to the data hosting server;
the second receiving unit is further configured to receive second filtering data that satisfies the condition and is returned by the data hosting server for the clause;
the sending unit is further configured to decrypt the second sensitive column by using a key corresponding to the second sensitive column for the second screening data, and execute a clause related to data operation of the second sensitive column to obtain third screening data meeting the condition, and send the third screening data to the requesting party.
Based on the same technical concept, an embodiment of the present invention further provides a computing apparatus, including a memory, a processor and a computer program stored in the memory and executable on the processor, where the computer program, when executed by the processor, implements the steps of any of the data encryption processing methods described above.
Based on the same technical concept, an embodiment of the present invention further provides a computer storage medium, where a computer program is stored on the computer storage medium, and when the computer program is executed by a processor, the steps of any one of the data encryption processing methods are implemented.
While the invention has been described in connection with specific embodiments thereof, it is to be understood that it is intended by the appended drawings and description that the invention may be embodied in other specific forms without departing from the spirit or scope of the invention.

Claims (8)

1. A data encryption processing method, comprising:
receiving and analyzing an original data table creating statement sent by a client, wherein the original data table creating statement carries a sensitive column identifier and a first data operation type required to be supported;
generating a key for corresponding first sensitive column data according to the sensitive column identification;
encrypting the first sensitive column data by using the generated key to obtain a corresponding first ciphertext;
generating a first onion column aiming at first sensitive column data according to the first data operation type;
sending a modified data table creation statement to a data hosting server according to the first ciphertext and the first onion column;
further comprising:
receiving an original data query statement sent by a client, wherein the original data query statement carries a second data operation type aiming at any data table;
if any data table contains second sensitive column data and the data table operation relates to the second sensitive column data operation, judging whether the data table operation supports the second data operation type;
if the current data table operation supports the second data operation type, an operation level adjustment command of an onion column is sent to a data hosting server according to an operation level corresponding to the second data operation type, so that the onion column is adjusted to an operable level corresponding to the second data operation type;
encrypting second sensitive column data contained in the original data query statement by using the stored onion column key to obtain a modified data query statement, and sending the modified data query statement to the data hosting server;
receiving first screening data which are returned by the data hosting server aiming at the modified data query statement and meet the condition;
and decrypting the second sensitive column data contained in the first screening data by using the key corresponding to the second sensitive column data and then sending the decrypted second sensitive column data to the client.
2. The method of claim 1, wherein generating a first onion column for a first sensitive column in accordance with the first data operation type that needs to be supported comprises:
determining an operation level of a first onion column according to the first data operation type required to be supported;
aiming at each operation level of the first onion column, respectively generating a key corresponding to the operation level; and
And according to the operation levels of the first onion column, respectively encrypting the data of the first sensitive column by using the key corresponding to each operation level to obtain the first onion column.
3. The method of claim 1, wherein if the current data table operation does not support the second data operation type, the method further comprises:
splitting clauses which do not relate to a second sensitive column data operation from the original data query statement and sending the clauses to the data hosting server;
receiving second screening data which are returned by the data hosting server aiming at the clauses and meet the conditions;
and for the second screening data, decrypting the second sensitive column data by using a key corresponding to the second sensitive column data, executing a clause related to the second sensitive column data operation, and sending third screening data meeting the condition to the requester.
4. A data encryption processing apparatus, characterized by comprising:
the system comprises a first receiving unit, a first processing unit and a second receiving unit, wherein the first receiving unit is used for receiving and analyzing an original data table creating statement, and the original data table creating statement carries a sensitive column identifier and a first data operation type required to be supported;
the key generation unit is used for generating a key aiming at the corresponding first sensitive column according to the sensitive column identification;
the encryption unit is used for encrypting the first sensitive column data by using the generated key to obtain a corresponding first ciphertext;
the onion column generating unit is used for generating a first onion column aiming at a first sensitive column according to the first data operation type;
the sending unit is used for sending the modified data table creation statement to the data hosting server according to the first ciphertext and the first onion column;
the device also comprises a judging unit, an encrypting unit, a second receiving unit and a decrypting unit, wherein:
the first receiving unit is further configured to receive an original data query statement, where the original data query statement carries a second data operation type for a data table;
the judging unit is used for judging whether the data table operation supports the second data operation type or not if the data table contains a second sensitive column and the data table operation relates to the second sensitive column data operation;
the sending unit is further configured to send an onion operation level adjustment command to the data hosting server according to the operation level corresponding to the second data operation type if the data table operation supports the second data operation type, so as to adjust an onion column to the operable level corresponding to the second data operation type; decrypting the second sensitive column data contained in the first screening data by using a key corresponding to the second sensitive column and then sending the second sensitive column data to the requester;
the encryption unit is used for encrypting second sensitive column data contained in the original data query statement by using the stored onion column key to obtain a modified data query statement and sending the modified data query statement to the data hosting server;
and the second receiving unit is used for receiving the first screening data which is returned by the data hosting server aiming at the modified data query statement and meets the condition.
5. The apparatus of claim 4,
the onion column generation unit is specifically configured to determine an operation level of a first onion column according to the first data operation type required to be supported; aiming at each operation level of the first onion column, respectively generating a key corresponding to the operation level; and according to the operation levels of the first onion column, the first sensitive column is encrypted by using the key corresponding to each operation level respectively to obtain the first onion column.
6. The apparatus of claim 4, further comprising a splitting unit, wherein:
the splitting unit is configured to split a clause that does not involve a second sensitive column data operation from the original data query statement and send the clause to the data hosting server;
the second receiving unit is further configured to receive second filtering data that satisfies the condition and is returned by the data hosting server for the clause;
the sending unit is further configured to decrypt the second sensitive column by using a key corresponding to the second sensitive column for the second screening data, and execute a clause related to data operation of the second sensitive column to obtain third screening data meeting the condition, and send the third screening data to the requesting party.
7. A computing device, the computing device comprising: memory, processor and computer program stored on the memory and executable on the processor, which computer program, when executed by the processor, carries out the steps of the method according to any one of claims 1 to 3.
8. A computer storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 3.
CN202010404627.9A 2020-05-14 2020-05-14 Data encryption processing method and device and storage medium Active CN111639349B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010404627.9A CN111639349B (en) 2020-05-14 2020-05-14 Data encryption processing method and device and storage medium

Publications (2)

Publication Number Publication Date
CN111639349A CN111639349A (en) 2020-09-08
CN111639349B true CN111639349B (en) 2022-09-06

Family

ID=72330220

Country Status (1)

Country Link
CN (1) CN111639349B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114416773B (en) * 2021-12-30 2023-01-06 联通智网科技股份有限公司 Data processing method, device, storage medium and server

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104657413A (en) * 2013-11-22 2015-05-27 SAP SE Encrypted in-memory column-store
CN105610793A (en) * 2015-12-18 2016-05-25 Jiangsu University Outsourced data encrypted storage and ciphertext query system and application method therefor
CN105787387A (en) * 2016-03-07 2016-07-20 Nanjing University of Posts and Telecommunications Database encryption method and encryption database query method
CN109409129A (en) * 2018-10-23 2019-03-01 杭州弗兰科信息安全科技有限公司 Database homomorphic encryption method implemented by SQL rewriting
CN109815719A (en) * 2019-01-21 2019-05-28 Information Center of Guangdong Power Grid Co., Ltd. Searchable database security encryption system
CN110750797A (en) * 2019-09-27 2020-02-04 Nanjing University Cloud database encryption method based on combined encryption

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7743069B2 (en) * 2004-09-03 2010-06-22 Sybase, Inc. Database system providing SQL extensions for automated encryption and decryption of column data
US7797342B2 (en) * 2004-09-03 2010-09-14 Sybase, Inc. Database system providing encrypted column support for applications
US9087212B2 (en) * 2012-01-25 2015-07-21 Massachusetts Institute Of Technology Methods and apparatus for securing a database
US10162858B2 (en) * 2013-07-31 2018-12-25 Sap Se Local versus remote optimization in encrypted query processing

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Crypt-JDBC model: optimization and improvement of the onion encryption algorithm; Chen He et al.; Journal of Frontiers of Computer Science and Technology; 2017-08-31; Vol. 11, No. 8; full text *
Research on a selective encryption strategy based on CryptDB; Zhang Chengguo et al.; Computer Technology and Development; 2017-03-31; Vol. 27, No. 3; see Section 2 *
Design and implementation of a proxy-based ciphertext database; Zhang Jianqiang et al.; Computer Engineering and Applications; 2002-09-15; No. 18; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A data encryption processing method, device, and storage medium

Granted publication date: 20220906

Pledgee: Jinan Rural Commercial Bank Co.,Ltd.

Pledgor: HIGHGO BASE SOFTWARE Co.,Ltd.

Registration number: Y2024980029581
