CN112398861B - Encryption system and method for sensitive data in web configuration system - Google Patents


Publication number
CN112398861B
Authority
CN
China
Prior art keywords
sql
sensitive data
executed
sentences
injection attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011293850.7A
Other languages
Chinese (zh)
Other versions
CN112398861A (en
Inventor
朱亮亮
邱泽晶
李文庆
郭松
冯澎湃
胡文博
余梦
邵雪松
杨斌
黄奇峰
王忠东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Jiangsu Electric Power Co ltd Marketing Service Center
Wuhan Energy Efficiency Evaluation Co Ltd Of State Grid Electric Power Research Institute
State Grid Corp of China SGCC
State Grid Jiangsu Electric Power Co Ltd
State Grid Electric Power Research Institute
Original Assignee
State Grid Jiangsu Electric Power Co ltd Marketing Service Center
Wuhan Energy Efficiency Evaluation Co Ltd Of State Grid Electric Power Research Institute
State Grid Corp of China SGCC
State Grid Jiangsu Electric Power Co Ltd
State Grid Electric Power Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Jiangsu Electric Power Co ltd Marketing Service Center, Wuhan Energy Efficiency Evaluation Co Ltd Of State Grid Electric Power Research Institute, State Grid Corp of China SGCC, State Grid Jiangsu Electric Power Co Ltd, State Grid Electric Power Research Institute filed Critical State Grid Jiangsu Electric Power Co ltd Marketing Service Center
Priority to CN202011293850.7A priority Critical patent/CN112398861B/en
Publication of CN112398861A publication Critical patent/CN112398861A/en
Application granted granted Critical
Publication of CN112398861B publication Critical patent/CN112398861B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

The invention discloses a fast encryption system for sensitive data in a web configuration system. A secure login module performs user access authentication and blacklist filtering for the encryption system. An SQL injection attack identification and sensitive data screening module performs SQL injection attack identification on each SQL statement to be executed and adds the user account associated with an identified SQL injection attack to a user blacklist; the same module also screens the SQL statement to be executed for sensitive data by using typical fields in the SQL statement. An ECC data encryption module encrypts the screened sensitive SQL data by using elliptic curve cryptography. The invention achieves fast data encryption for the Web system and improves system performance.

Description

Encryption system and method for sensitive data in web configuration system
Technical Field
The invention relates to the technical field of smart power grids, in particular to an encryption system and method for sensitive data in a web configuration system.
Background
The client-side energy-use control system in the smart grid links the client with the smart energy service platform; it is an important means of supporting the client-side ubiquitous power Internet of Things and the execution unit for comprehensive energy services such as demand response and energy-efficiency improvement. Client-side energy-use control systems have many application scenarios, common requirements such as data acquisition and monitoring and demand response are insufficiently recognized, development costs are high, and portability and reusability are poor. A WEB-based configuration development platform and application environment provides users with a standardized flow and application mode for building energy-use control systems on a configuration development engine framework, which addresses the low development efficiency and high construction cost of the current approach and supports rapid deployment and efficient implementation of energy-use control systems on the client side of the power system.
In a WEB-based configuration system the service functions are fully modularized. Relying on a reliable service cloud platform, components can be freely combined according to the specific application scenario and requirements to assemble a client-side energy-use control system that meets the user's needs, and the result is presented to the user through the WEB. The energy-use control system in a smart grid carries a large amount of sensitive data. However, a WEB-based application usually checks and filters the validity of user input at the client, so an attacker can append additional SQL (Structured Query Language) statements to an original query statement to perform illegal operations and trick the database server into executing operations such as unauthorized queries. To prevent sensitive data in the database from being stolen, tampered with or deleted, a sensitive data encryption method for the Web system needs to be designed.
Disclosure of Invention
The invention aims to provide an encryption system and method for sensitive data in a Web configuration system that achieve fast encryption of the Web system's data and improve system performance.
To achieve this object, the present invention provides an encryption system for sensitive data in a web configuration system, comprising a secure login module, an SQL injection attack identification and sensitive data screening module and an ECC data encryption module;
the secure login module is used for performing user access authentication and blacklist filtering for the encryption system, and for passing the SQL statements to be executed that are submitted by users who pass the access authentication and the blacklist filtering to the SQL injection attack identification and sensitive data screening module;
the SQL injection attack identification and sensitive data screening module is used for performing SQL injection attack identification on the SQL statement to be executed and adding the user account associated with an identified SQL injection attack to a user blacklist; the module also screens the SQL statement to be executed for sensitive data by using typical fields in the SQL statement; and the ECC data encryption module is used for encrypting the screened sensitive SQL data by using elliptic curve cryptography.
The beneficial effects of the invention are as follows:
the invention classifies the transmitted data and performs only intrusion detection on non-sensitive data to identify malicious attackers, which reduces the number of encryption and decryption operations on the server; meanwhile, sensitive data is encrypted with a lightweight improved ECC (elliptic curve cryptography) encryption algorithm, which ensures the security of the sensitive data and reduces the time spent on encryption and decryption; the data of the Web system is therefore encrypted quickly and system performance is improved.
Drawings
FIG. 1 is a schematic view of the structure of the present invention;
FIG. 2 is a flow chart of a method for encrypting sensitive data of Web configuration software;
FIG. 3 is a user access authentication flow diagram;
FIG. 4 is a SQL injection attack identification policy framework;
FIG. 5 is a flow diagram of a SQL injection attack identification policy;
FIG. 6 is a sensitive data screening policy flow diagram;
FIG. 7 is a flow chart of the improved ECC encryption algorithm.
In the figures: 1 - secure login module; 2 - SQL injection attack identification and sensitive data screening module; 3 - ECC data encryption module.
Detailed Description
The invention is described in further detail below with reference to the figures and specific examples:
As shown in FIG. 1, the encryption system for sensitive data in a web configuration system designed by the invention comprises a secure login module 1, an SQL injection attack identification and sensitive data screening module 2 and an ECC data encryption module 3. The secure login module 1 performs user access authentication and blacklist filtering for the encryption system, and passes the SQL statements to be executed that are submitted by users who pass the access authentication and the blacklist filtering to the SQL injection attack identification and sensitive data screening module 2. Module 2 performs SQL injection attack identification on the SQL statement to be executed and adds the user account associated with an identified SQL injection attack to the user blacklist; it also screens the SQL statement to be executed for sensitive data by using typical fields in the SQL statement. The ECC data encryption module 3 encrypts the screened sensitive SQL data by using Elliptic Curve Cryptography (ECC).
In the above technical solution, the secure login module 1 performs user access authentication and blacklist filtering for the encryption system as follows:
a verification code is obtained from the secure login module 1 using the reserved mobile phone number, user access authentication for the encryption system is performed with the verification code, and the secure login module 1 filters user accounts and IP (Internet Protocol) addresses against the user blacklist.
In the above technical solution, the SQL injection attack identification and sensitive data screening module 2 performs SQL injection attack identification on the SQL statement to be executed as follows:
the module standardizes the SQL statement to be executed: first, an SQL statement to be executed that contains encoded or interfering characters is converted into a normal statement or the corresponding character string; the converted statement is then classified to determine its operation type and the database table name it uses; the statement is trimmed by deleting the character strings entered by the user; finally, the similarity between the trimmed statement and the statements in an SQL statement template library, which holds classical SQL statement formats, is calculated. If the similarity is greater than a preset similarity threshold, the SQL statement to be executed is passed to the server for execution; otherwise an alarm short message is sent to the user's reserved mobile phone and the user's account and IP address are added to the blacklist (the source address of the illegal statement is added to the blacklist).
In the above technical solution, the SQL injection attack identification and sensitive data screening module 2 screens the SQL statement to be executed for sensitive data by using typical fields in the SQL statement as follows:
a sensitive data set is established from the fields of the server's database tables that contain sensitive data, for example the names of fields that store account passwords, certificate numbers, transactions, telephone numbers and similar information; the SQL statement to be executed is scanned, and if it contains a field name from the sensitive data set the statement is encrypted, otherwise it is sent directly to the server for execution.
In the above technical solution, the ECC data encryption module 3 encrypts the screened sensitive SQL data by using elliptic curve cryptography as follows:
an elliptic curve E is randomly generated, a point on the elliptic curve is selected as the base point G, a private key k is selected and the public key K = kG is generated; a random number r is generated, and the plaintext m is encoded to a point M on the elliptic curve E with an elliptic curve plaintext embedding algorithm, i.e. the coordinates of the point M on the elliptic curve are calculated;
the random number r is expanded with a double-base-chain representation and the base chain number, i.e. the number of non-zero elements in the expansion, is controlled, so that the number of point additions and point multiplications in the subsequent scalar multiplication is greatly reduced. The ECC data encryption module 3 estimates the optimal base chain number by a random number partitioning method, calculates the scalar multiplication of the random integer r with the public key K and with the base point G, and uses the two results to obtain the corresponding ciphertexts $C_1$ and $C_2$.
In the above technical scheme, NAF (non-adjacent form) encoding is performed on the random number r, where $r_n$ denotes the integer obtained from r after NAF encoding and $s_t$ is the leading coefficient of the t-th term (a coefficient term of the expanded radix chain);
Figure BDA0002784779150000051
wherein n represents an n-bit integer of the random number r after NAF coding;
a pre-computation scale-limiting weight is set to limit the cost of the subsequent calculation, namely the number ψ of point-addition and point-multiplication operations, and is calculated as follows:
Figure BDA0002784779150000052
where r is a random integer, EB is the base set {2,3,5,7}, and
Figure BDA0002784779150000053
denotes the average of the bases, rounded down;
the NAF-encoded integer $r_n$ of length n is partitioned according to the pre-computed scale-limiting weight, i.e. the random number r is expanded, in order to reduce the cost of the subsequent scalar multiplication;
Figure BDA0002784779150000054
Figure BDA0002784779150000055
where
Figure BDA0002784779150000056
represents the t-th term of the expansion of $r_n$ after partitioning, and
Figure BDA0002784779150000057
represents the term of the expansion of $r_n$ after partitioning whose index is
Figure BDA0002784779150000058
;
the maximum length of the radix chain (the radix chain number to be controlled, i.e. the number of non-zero elements in the expansion) is
Figure BDA0002784779150000059
For
Figure BDA00027847791500000510
the optimal multi-radix chain is
Figure BDA00027847791500000511
where Π is the product symbol, γ is the exponent corresponding to the base EB, and $s_i$ is the leading coefficient of the i-th term, which belongs to the base set EB;
calculating a scalar multiplication of the random integer r and the public key K and a scalar multiplication of the random integer r and the base point G;
Figure BDA0002784779150000061
Figure BDA0002784779150000062
wherein d represents the number of radix chains,
Figure BDA0002784779150000063
represents the t-th term of the expansion of $r_n$ after partitioning;
computing the ciphertexts $C_1$ and $C_2$:
$C_1 = M + rK$
$C_2 = rG$.
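The encryption step above, $C_1 = M + rK$ and $C_2 = rG$, as an added Python example that is not code from the patent: it NAF-encodes the scalar, uses the signed digits for scalar multiplication, and shows that the holder of k recovers M as $C_1 - kC_2$. The toy curve $y^2 = x^3 + 2x + 2$ over $F_{17}$ (far too small for real use), the function names and the decryption step are assumptions; plaintext embedding and the multi-base chain expansion are not reproduced, so M is taken to be a curve point already.

```python
import secrets

# Assumed toy parameters: y^2 = x^3 + 2x + 2 over F_17, base point G of order 19.
P, A, B = 17, 2, 2
G, N = (5, 1), 19
O = None  # point at infinity


def neg(pt):
    return O if pt is O else (pt[0], -pt[1] % P)


def add(p1, p2):
    """Group law on the curve, including doubling and the point at infinity."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                   # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def naf(r):
    """Non-adjacent form of r, least significant digit first, digits in {-1, 0, 1}."""
    digits = []
    while r > 0:
        d = 0
        if r & 1:
            d = 2 - (r % 4)                        # +1 if r = 1 mod 4, -1 if r = 3 mod 4
            r -= d
        digits.append(d)
        r >>= 1
    return digits


def mul_naf(r, pt):
    """Scalar multiplication driven by NAF digits: one add per non-zero digit."""
    acc = O
    for d in reversed(naf(r)):
        acc = add(acc, acc)
        if d == 1:
            acc = add(acc, pt)
        elif d == -1:
            acc = add(acc, neg(pt))
    return acc


def mul_binary(r, pt):
    """Plain double-and-add, kept only as a reference to check mul_naf against."""
    acc = O
    for bit in bin(r)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def keygen():
    k = secrets.randbelow(N - 1) + 1               # private key k in [1, N-1]
    return k, mul_naf(k, G)                        # public key K = kG


def encrypt(M, K, r=None):
    """C1 = M + rK, C2 = rG. r must be fresh and unpredictable for every message."""
    r = r or secrets.randbelow(N - 1) + 1
    return add(M, mul_naf(r, K)), mul_naf(r, G)


def decrypt(c1, c2, k):
    """M = C1 - k*C2, because k*C2 = k*r*G = r*K."""
    return add(c1, neg(mul_naf(k, c2)))


if __name__ == "__main__":
    k, K = keygen()
    M = mul_naf(11, G)                             # constructed plaintext point
    c1, c2 = encrypt(M, K)
    print("NAF(15):", naf(15), "binary:", bin(15)[2:])
    print("M =", M, "C1 =", c1, "C2 =", c2, "decrypted =", decrypt(c1, c2, k))
```

For r = 15 the binary form has four non-zero digits and the NAF has two, which is the saving in point additions that the NAF step is after.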
A method for encrypting sensitive data in a web configuration system, as shown in fig. 2, includes the following steps:
step 1: the secure login module 1 performs user access authentication and blacklist filtering for the encryption system, and passes the SQL statements to be executed that are submitted by users who pass the access authentication and the blacklist filtering to the SQL injection attack identification and sensitive data screening module 2;
step 2: the SQL injection attack identification and sensitive data screening module 2 performs SQL injection attack identification on the SQL statement to be executed, adds the user account associated with an identified SQL injection attack to the user blacklist, and screens the SQL statement to be executed for sensitive data by using typical fields in the SQL statement;
step 3: the ECC data encryption module 3 encrypts the screened sensitive SQL data by using elliptic curve cryptography.
In step 1 of the above technical solution, the secure login module 1 performs user access authentication and blacklist filtering for the encryption system as follows:
a verification code is obtained from the secure login module 1 using the reserved mobile phone number, user access authentication for the encryption system is performed with the verification code, and the secure login module 1 filters user accounts and IP addresses against the user blacklist.
Because the application scenario of the client-side energy-use control system in the smart grid is relatively fixed, login is completed with the reserved mobile phone number. A complete user access authentication process is shown in FIG. 3: the user enters the reserved mobile phone number to send a login request to the server; the server looks up the number in the mobile phone number and user permission mapping table to check whether it has access rights, and then sends a login verification code to the user through the mobile operator. Three pieces of information are required for the user to log in: an account number, a password and a verification code. The server checks whether the user's IP address is in the blacklist and refuses logins from blacklisted IP addresses. After the user logs in, the server queries the historical login information and sends an alarm message to the user if the user's IP address has changed.
In step 2 of the above technical solution, the SQL injection attack identification and sensitive data screening module 2 performs SQL injection attack identification on the SQL statement to be executed as follows:
the module standardizes the SQL statement to be executed: first, an SQL statement to be executed that contains encoded or interfering characters is converted into a normal statement or the corresponding character string (that is, an SQL statement with escape characters is converted into a standard SQL statement); the converted statement is then classified to determine its operation type and the database table name it uses; the statement is trimmed by deleting the character strings entered by the user; finally, the similarity between the trimmed statement and the statements in the SQL statement template library is calculated. If the similarity is greater than a preset similarity threshold, the SQL statement to be executed is passed to the server for execution; otherwise an alarm short message is sent to the user's reserved mobile phone and the user's account and IP address are added to the blacklist.
The SQL injection attack identification and sensitive data screening module 2 screens the SQL statement to be executed for sensitive data by using typical fields in the SQL statement as follows:
a sensitive data set is established from the fields of the server's database tables that contain sensitive data; the SQL statement to be executed is scanned, and if it contains a field name from the sensitive data set the statement is encrypted, otherwise it is sent directly to the server for execution.
As shown in FIG. 4, SQL injection attack identification is divided into two parts: an SQL statement standardization module and an injection attack identification module based on SQL statement similarity. As shown in FIG. 5, the SQL injection attack identification flow first converts an SQL statement that contains encoded or interfering characters into a normal statement or the corresponding character string; it then classifies the statement to determine its operation type and the database table name it uses; it trims the statement by deleting the character strings entered by the user; and it calculates the similarity between the standardized statement and the statements in the SQL statement template library, which stores classical SQL statement formats. The similarity is calculated as follows:
$\eta = \sum op \cdot tn, \quad op, tn \in \{0, 1\}$
The SQL statement to be executed is matched against the current statement in the template library: tn is 1 if the table to be operated on is a non-sensitive data table; op is 1 if the execution action is the same, and otherwise op is 0.
If the similarity is greater than the threshold, the SQL statement is passed to the server for execution; otherwise an alarm short message is sent to the user's reserved mobile phone and the user's account and IP address are added to the blacklist.
The sensitive data screening flow is shown in FIG. 6 and has the following steps: first, a sensitive data set is established from the fields of the server's database tables that contain sensitive data, for example the names of fields that store account passwords, certificate numbers, transactions, telephone numbers and similar information. The SQL statement to be executed is then scanned; if it contains a field name from the sensitive data set the statement is encrypted, otherwise it is sent directly to the server for execution.
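The identification flow of FIG. 5 followed by the screening flow of FIG. 6, as an added Python example that is not code from the patent: it normalizes a statement, classifies it, strips user literals, scores it against a template library, blacklists rejected sources and screens accepted statements for sensitive fields. The table names, field names, template statements, the `difflib` similarity measure and the default threshold of 1.0 are assumptions made for the illustration; the patent's own η formula is not reproduced.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import unquote

# Constructed template library: one statement shape per (operation, table).
TEMPLATE_SQL = [
    "SELECT value, ts FROM meter_reading WHERE device_id = ?",
    "SELECT phone FROM user_account WHERE account = ?",
    "UPDATE user_account SET password = ? WHERE account = ?",
]
SENSITIVE_FIELDS = {"password", "id_number", "phone"}  # constructed sensitive data set
BLACKLIST = set()                                      # accounts and IPs rejected earlier

_STR = re.compile(r"'(?:[^']|'')*'")                   # quoted literal, '' = escaped quote
_NUM = re.compile(r"\b\d+(?:\.\d+)?\b")                # numeric literal
_TOK = re.compile(r"[a-z_][a-z0-9_]*|[^\sa-z0-9_]")    # identifiers and punctuation
_TABLE = re.compile(r"\b(?:from|into|update)\s+([a-z_][a-z0-9_]*)")


def normalize(raw):
    """Undo (possibly nested) URL encoding, drop block comments, fold case and spaces."""
    s = raw
    for _ in range(5):                                 # bounded number of decode rounds
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s).strip().lower()


def classify(norm):
    """Return (operation, table) of a normalized statement."""
    op = norm.split(" ", 1)[0]
    m = _TABLE.search(norm)
    return op, (m.group(1) if m else None)


def skeleton(norm):
    """Replace user-supplied literals with '?' and tokenize what is left."""
    return _TOK.findall(_NUM.sub("?", _STR.sub("?", norm)))


TEMPLATES = {classify(normalize(t)): skeleton(normalize(t)) for t in TEMPLATE_SQL}


def decide(raw_sql, threshold=1.0):
    """Return (decision, similarity); decision is 'reject', 'encrypt' or 'execute'."""
    norm = normalize(raw_sql)
    template = TEMPLATES.get(classify(norm))
    if template is None:                               # no template for this op/table
        return "reject", 0.0
    tokens = skeleton(norm)
    score = SequenceMatcher(None, tokens, template).ratio()
    if score < threshold:
        return "reject", score
    return ("encrypt" if SENSITIVE_FIELDS & set(tokens) else "execute"), score


def handle(account, ip, raw_sql):
    """Blacklist filter in front of the detector; rejected sources are blacklisted."""
    if account in BLACKLIST or ip in BLACKLIST:
        return "blocked"
    decision, _ = decide(raw_sql)
    if decision == "reject":
        BLACKLIST.update({account, ip})
    return decision


# Constructed sample statements.
GOOD = "SELECT value, ts FROM meter_reading WHERE device_id = 42"
SENSITIVE = "select phone from user_account where account = 'alice'"
INJECTED = ("select%20phone%20from%20user_account%20where%20account%20%3D%20"
            "%27a%27%20or%20%271%27%3D%271%27")

if __name__ == "__main__":
    for sql in (GOOD, SENSITIVE, INJECTED):
        print(decide(sql), "<-", normalize(sql))
```

With the constructed injected statement the similarity is 0.8, so a threshold at or below that value would let it through; for this measure an exact structural match (threshold 1.0) is the safe setting.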
In step 3 of the above technical solution, the specific method for the ECC data encryption module 3 to encrypt the screened sensitive SQL data by using elliptic curve cryptography is as shown in fig. 7:
an elliptic curve E is randomly generated, a point on the elliptic curve is selected as the base point G, a private key k is selected and the public key K = kG is generated; a random number r is generated, and the plaintext m is encoded to a point M on the elliptic curve E with an elliptic curve plaintext embedding algorithm, i.e. the coordinates of the point M on the elliptic curve are calculated;
the random number r is expanded with a double-base-chain representation and the base chain number, i.e. the number of non-zero elements in the expansion, is controlled. The ECC data encryption module 3 estimates the optimal base chain number by a random number partitioning method, calculates the scalar multiplication of the random integer r with the public key K and with the base point G, and uses the two results to obtain the corresponding ciphertexts $C_1$ and $C_2$.
Details not described in this specification are well known to those skilled in the art.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (8)

1. An encryption system for sensitive data in a web-configured system, comprising: the system comprises a security login module (1), an SQL injection attack recognition and sensitive data screening module (2) and an ECC data encryption module (3);
the security login module (1) is used for completing user access authentication and blacklist filtering of an encryption system, and transmitting SQL sentences to be executed, which are transmitted by users through the access authentication and the blacklist filtering, to the SQL injection attack identification and sensitive data screening module (2);
the SQL injection attack identification and sensitive data screening module (2) is used for carrying out SQL injection attack identification on an SQL sentence to be executed and adding a user account number corresponding to the identified SQL injection attack into a user blacklist, the SQL injection attack identification and sensitive data screening module (2) also carries out sensitive data screening on the SQL sentence to be executed by utilizing a typical field in the SQL sentence, and the ECC data encryption module (3) is used for encrypting the screened sensitive SQL data by utilizing elliptic curve password coding;
the specific method for the SQL injection attack recognition and sensitive data screening module (2) to perform the SQL injection attack recognition on the SQL statement to be executed is as follows:
the SQL injection attack recognition and sensitive data screening module (2) standardizes the SQL sentences to be executed: converting the SQL sentence to be executed with the coding or interference characters into a normal sentence or a corresponding character string; classifying the SQL sentences to be executed which are converted into normal sentences or corresponding character strings, and clarifying the operation types of the SQL sentences to be executed and the database table names used by the SQL sentences; cutting the SQL sentence to be executed, and deleting the character string input by the user in the SQL sentence to be executed; similarity calculation is carried out on the SQL sentences to be executed with the user input character strings deleted and the sentences in the SQL sentence template library, if the similarity is larger than a preset similarity threshold, the SQL sentences to be executed are transmitted to a server to be executed, and otherwise, the source addresses of the illegal SQL sentences are added to a blacklist;
the specific method for the ECC data encryption module (3) to encrypt the screened sensitive SQL data by utilizing elliptic curve cryptography coding comprises the following steps:
randomly generating an elliptic curve E, selecting a point on the elliptic curve as a base point G, selecting a private key k, generating a public key K = kG, generating a random number r, and encoding a plaintext m to a point M on the elliptic curve E by using an elliptic curve plaintext embedding algorithm, namely calculating the coordinate of the point M on the elliptic curve;
the random number r is expanded by a double-base-chain representation, controlling the number of base chains, namely the number of nonzero elements in the expansion; the optimal number of base chains is estimated by using a random number division method in the ECC data encryption module (3); the scalar multiplication of the random integer r and the public key K and the scalar multiplication of the random integer r and the base point G are calculated, and the corresponding ciphertext $C_1$ and ciphertext $C_2$ are obtained from these two scalar multiplications.
2. The system for encrypting sensitive data in a web-configured system as claimed in claim 1, wherein: the specific method for the secure login module (1) to complete user access authentication and blacklist filtering of the encryption system is as follows:
and obtaining a verification code from the security login module (1) by using the reserved mobile phone number, performing user access authentication of the encryption system through the verification code, and filtering a user account and an IP (Internet protocol) by using a user blacklist through the security login module (1).
3. The system for encrypting sensitive data in a web-configured system as claimed in claim 1, wherein: the specific method for screening the sensitive data of the SQL sentence to be executed by the SQL injection attack identification and sensitive data screening module (2) by using the typical field in the SQL sentence is as follows:
and establishing a sensitive data set according to fields containing sensitive data in a database table of the server, scanning the SQL sentence to be executed, if the field name in the sensitive data set is contained, encrypting the SQL sentence, otherwise, directly sending the SQL sentence to the server for execution.
4. The system of claim 3, wherein the encryption system for sensitive data in a web configuration system comprises:
NAF encoding the random number r, where $r_n$ denotes the integer obtained from the random number r after NAF coding and $s_t$ is the leading coefficient of the t-th term;
Figure FDA0003763081650000021
wherein n represents an n-bit integer of the random number r after NAF coding; the predicted calculation scale restriction weight ψ is set, which is calculated as follows:
Figure FDA0003763081650000031
wherein r is a random integer, EB is the base set {2,3,5,7}, and
Figure FDA0003763081650000032
denotes averaging the bases and rounding down;
dividing the NAF-encoded integer $r_n$ of length n according to the pre-calculated scale limiting weight;
Figure FDA0003763081650000033
Figure FDA0003763081650000034
wherein
Figure FDA0003763081650000035
represents the t-th term of the expansion of $r_n$ after division, and
Figure FDA0003763081650000036
represents, in the expansion of $r_n$ after division, the term numbered
Figure FDA0003763081650000037
;
the maximum length of the base chain is
Figure FDA0003763081650000038
for
Figure FDA0003763081650000039
the optimal multi-base chain is
Figure FDA00037630816500000310
wherein Π is the product sign, γ is the exponent coefficient corresponding to the base EB, $s_i$ is the leading coefficient of the i-th term, and EB belongs to the set of bases EB;
calculating a scalar multiplication of the random integer r and the public key K and a scalar multiplication of the random integer r and the base point G;
Figure FDA00037630816500000311
Figure FDA0003763081650000041
wherein d represents the number of base chains, and
Figure FDA0003763081650000042
represents the t-th term of the expansion of the divided $r_n$;
computing the ciphertexts $C_1$ and $C_2$:
$C_1 = M + rK$
$C_2 = rG$.
5. A method for encrypting sensitive data in a web configuration system according to claim 1, comprising the steps of:
step 1: the security login module (1) completes user access authentication and blacklist filtering of an encryption system, and transmits SQL sentences to be executed, which are transmitted by a user through the access authentication and the blacklist filtering, to the SQL injection attack identification and sensitive data screening module (2);
step 2: the SQL injection attack recognition and sensitive data screening module (2) performs SQL injection attack recognition on an SQL sentence to be executed, adds a user account number corresponding to the identified SQL injection attack into a user blacklist, and the SQL injection attack recognition and sensitive data screening module (2) also performs sensitive data screening on the SQL sentence to be executed by utilizing a typical field in the SQL sentence;
step 3: the ECC data encryption module (3) encrypts the screened sensitive SQL data by using elliptic curve cryptography.
6. The method of claim 5, wherein the sensitive data is encrypted according to the following steps: in the step 1, the specific method for the secure login module (1) to complete the user access authentication and the blacklist filtering of the encryption system is as follows:
and obtaining a verification code from the security login module (1) by using the reserved mobile phone number, performing user access authentication of the encryption system through the verification code, and filtering a user account and an IP (Internet protocol) by using a user blacklist through the security login module (1).
7. The method of claim 5, wherein: in the step 2, the specific method for the SQL injection attack recognition and sensitive data screening module (2) to perform the SQL injection attack recognition on the SQL statement to be executed is as follows:
the SQL injection attack recognition and sensitive data screening module (2) standardizes the SQL sentences to be executed, and firstly converts the SQL sentences to be executed with coding or interference characters into normal sentences or corresponding character strings; then, classifying the SQL sentences to be executed which are converted into normal sentences or corresponding character strings, and clarifying the operation types of the SQL sentences to be executed and the database table names used by the SQL sentences; cutting the SQL sentence to be executed, and deleting the character string input by the user in the SQL sentence to be executed; similarity calculation is carried out on the SQL sentences to be executed with the user input character strings deleted and the sentences in the SQL sentence template library, if the similarity is larger than a preset similarity threshold value, the SQL sentences to be executed are transmitted to a server to be executed, and otherwise, the source addresses of the illegal SQL sentences are included in a blacklist;
the SQL injection attack recognition and sensitive data screening module (2) utilizes typical fields in SQL sentences to screen the sensitive data of the SQL sentences to be executed, and the specific method comprises the following steps:
and establishing a sensitive data set according to fields containing sensitive data in a database table of the server, scanning the SQL sentence to be executed, if the field name in the sensitive data set is contained, encrypting the SQL sentence, otherwise, directly sending the SQL sentence to the server for execution.
8. The method of claim 5, wherein the sensitive data is encrypted according to the following steps: in the step 3, the specific method for the ECC data encryption module (3) to encrypt the screened sensitive SQL data by using elliptic curve cryptography is as follows:
randomly generating an elliptic curve E, selecting a point on the elliptic curve as a base point G, selecting a private key k, generating a public key K = kG, generating a random number r, and encoding a plaintext m to a point M on the elliptic curve E by using an elliptic curve plaintext embedding algorithm, namely calculating the coordinate of the point M on the elliptic curve;
expanding the random number r by a double-base-chain representation method, controlling the number of base chains, namely the number of nonzero elements in the expansion, estimating the optimal number of base chains by using a random number division method in the ECC data encryption module (3), calculating the scalar multiplication of the random integer r and the public key K and the scalar multiplication of the random integer r and the base point G, and obtaining the corresponding ciphertext $C_1$ and ciphertext $C_2$ from these two scalar multiplications.
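The recognition and screening steps of claims 3 and 7 (normalize, classify, delete user input, compare with a template library, then check for sensitive field names), as an added Python example that is not code from the patent. The template library, the sensitive-field set, the 0.9 threshold, the token-level similarity measure and all function names are assumptions; the claims only speak of a "preset similarity threshold".

```python
import re
from difflib import SequenceMatcher
from urllib.parse import unquote

# Constructed template library, sensitive-field set and threshold (all assumptions).
TEMPLATES = ["select name, phone from customers where id = ?",
             "update meters set reading = ? where meter_id = ?"]
SENSITIVE_FIELDS = {"phone", "id_card", "password"}
THRESHOLD = 0.9

def normalize(sql):
    """Decode URL encoding (repeatedly), drop /* */ padding, collapse spaces, lowercase."""
    prev = None
    while prev != sql:
        prev, sql = sql, unquote(sql)
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"\s+", " ", sql).strip().lower()

def classify(norm):
    """Return the operation type and the table names the statement touches."""
    tables = re.findall(r"\b(?:from|join|into|update)\s+([a-z_][a-z0-9_]*)", norm)
    return norm.split(" ", 1)[0], tables

def skeleton_tokens(norm):
    """Delete user-supplied literals (strings, numbers) and tokenize what is left."""
    norm = re.sub(r"'(?:[^']|'')*'", "?", norm)
    norm = re.sub(r"\b\d+\b", "?", norm)
    return re.findall(r"[a-z_][a-z0-9_]*|\?|--|[^\sa-z0-9_]", norm)

LIBRARY = [(classify(t), skeleton_tokens(t)) for t in map(normalize, TEMPLATES)]

def screen_statement(raw_sql, source, blacklist):
    """Return 'blocked', 'encrypt' or 'forward' for one statement from one source."""
    norm = normalize(raw_sql)
    kind, toks = classify(norm), skeleton_tokens(norm)
    best = max((SequenceMatcher(None, toks, tpl).ratio()
                for tpl_kind, tpl in LIBRARY if tpl_kind == kind), default=0.0)
    if best <= THRESHOLD:           # not similar enough to any known template
        blacklist.add(source)
        return "blocked"
    # Sensitive-data screening: any field name from the sensitive set triggers encryption.
    return "encrypt" if SENSITIVE_FIELDS & set(toks) else "forward"

if __name__ == "__main__":
    seen = set()                    # blacklist of source addresses
    for stmt in ("SELECT name, phone FROM customers WHERE id = 42",   # constructed samples
                 "SELECT name, phone FROM customers WHERE id = '1'%20OR/**/'1'='1'"):
        print(screen_statement(stmt, "203.0.113.9", seen), "<-", stmt)
```

Because the ratio is relative to statement length, a threshold below 1.0 tolerates a few extra tokens on long statements; requiring an exact skeleton match is the strict setting.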
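The encryption of claims 4 and 8, C1 = M + rK and C2 = rG, carried through with decryption M = C1 - k*C2, as an added Python example that is not code from the patent. Assumptions: the secp256k1 curve stands in for the randomly generated curve E, a Koblitz-style search stands in for the unspecified plaintext embedding algorithm, and scalar multiplication uses only the NAF digits of claim 4, because the multi-base-chain expansion formulas are not recoverable from the page.

```python
import secrets

# secp256k1 domain parameters (assumption: the claims generate a random curve E).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
KAPPA = 256   # embedding parameter (assumption)

def add(A, B):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def naf(r):
    """Non-adjacent form of r, least significant digit first, digits in {-1, 0, 1}."""
    digits = []
    while r:
        d = 2 - r % 4 if r & 1 else 0
        digits.append(d)
        r = (r - d) // 2
    return digits

def mul(r, A):
    """Scalar multiplication rA driven by the NAF digits (double, then add or subtract)."""
    acc, minus_a = None, (A[0], -A[1] % P)
    for d in reversed(naf(r)):
        acc = add(acc, acc)
        if d:
            acc = add(acc, A if d == 1 else minus_a)
    return acc

def embed(m):
    """Koblitz-style embedding: first x = m*KAPPA + j whose x^3 + 7 is a square mod P."""
    for j in range(KAPPA):
        x = m * KAPPA + j
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)      # square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return x, y
    raise ValueError("no curve point found for this message")

def encrypt(K, m):
    r = secrets.randbelow(N - 1) + 1                # fresh random integer r per message
    return add(embed(m), mul(r, K)), mul(r, G)      # C1 = M + rK, C2 = rG

def decrypt(k, C1, C2):
    kC2 = mul(k, C2)
    M = add(C1, (kC2[0], -kC2[1] % P))              # M = C1 - k*C2
    return M[0] // KAPPA                            # undo the embedding

k = secrets.randbelow(N - 1) + 1    # private key k
K = mul(k, G)                       # public key K = kG
```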

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011293850.7A CN112398861B (en) 2020-11-18 2020-11-18 Encryption system and method for sensitive data in web configuration system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011293850.7A CN112398861B (en) 2020-11-18 2020-11-18 Encryption system and method for sensitive data in web configuration system

Publications (2)

Publication Number Publication Date
CN112398861A CN112398861A (en) 2021-02-23
CN112398861B true CN112398861B (en) 2022-10-14

Family

ID=74606640

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011293850.7A Active CN112398861B (en) 2020-11-18 2020-11-18 Encryption system and method for sensitive data in web configuration system

Country Status (1)

Country Link
CN (1) CN112398861B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant