CN112580100A - ODBC (Open Database Connectivity) driver agent based structured data fine-grained encryption and decryption method and system - Google Patents

ODBC (Open Database Connectivity) driver agent based structured data fine-grained encryption and decryption method and system

Info

Publication number: CN112580100A
Authority: CN (China)
Prior art keywords: data, encryption, database, sensitive data, remote
Legal status: Granted
Application number: CN202011584034.1A
Other languages: Chinese (zh)
Other versions: CN112580100B (en)
Inventors: 钱晶, 桂阳, 姜毅, 白小勇
Current assignee: Beijing Lianshi Networks Technology Co ltd
Original assignee: Beijing Lianshi Networks Technology Co ltd
Application filed by Beijing Lianshi Networks Technology Co ltd
Priority to CN202011584034.1A
Publication of CN112580100A
Application granted
Publication of CN112580100B
Legal status: Active

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data > G06F16/24 Querying > G06F16/245 Query processing
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/602 Providing cryptographic facilities or services

Abstract

The invention provides a fine-grained encryption and decryption method and system for structured data based on an ODBC (Open Database Connectivity) driver agent. The system comprises a data interception component, a remote data encryption device and a data encryption management component. When an application operates on a database, the operation is intercepted and sent to the remote data encryption device, which analyses the operation and judges the permissions; where the conditions are met, the sensitive data is encrypted with the encryption method of the encryption and decryption strategy and replaced, and the result is sent back to the data interception component. The data interception component sends the encrypted operation to the database engine, obtains the result set and sends it to the remote data encryption device, which analyses the result set, decrypts it or replaces it with desensitized data according to the entity's permissions, and sends the result back to the data interception component, which returns the data to the application. Based on ODBC driver agent technology, the invention protects sensitive data at three levels, the storage state, the transmission state and the use state of the data, and so safeguards enterprise data security.

Description

ODBC (Open Database Connectivity) driver agent based structured data fine-grained encryption and decryption method and system
Technical Field
The invention relates to the field of data encryption, in particular to a structured data fine-grained encryption and decryption method and system based on an ODBC driver proxy.
Background
Enterprise information systems hold large amounts of high-value data, generally stored in databases; this data is a core asset of the enterprise and also a target for attackers, and once leaked it causes immeasurable loss. To protect the interests of the enterprise, attention must be paid to data security, and the database is the focus of that protection. Encrypting the key and sensitive data in the enterprise database is the most economical and effective means of protection. The database encryption schemes currently used in the industry are mainly the following. First, application-side API encryption: when the application system adds, deletes or modifies data, the sensitive data is encrypted through an encryption and decryption API and the encrypted data is stored in the database through the original database driver interface; when data is retrieved, the ciphertext is retrieved to the application side and then decrypted through the encryption and decryption API. The drawback of this scheme is that the application must be modified on a large scale, adding the logic that calls the encryption and decryption API and encrypts and decrypts the data; this increases programming complexity, cannot be made transparent to the existing application system, and makes the modification effort huge. Second, a front proxy or encryption gateway: a security proxy service is placed in front of the database, the application side must access the database through the security proxy service, which implements data encryption and decryption and access control, and the security proxy service then stores the data through the database's access interface.
The drawback of this scheme is that the internal communication protocol of the database must be adapted; different database products, or different versions of the same product, have different protocol interfaces, and some protocol contents are undisclosed, so the adaptation workload is large. In addition, this scheme is prone to single points of failure and performance bottlenecks, and access control is difficult to implement. Third, a post proxy: after the database engine receives an operation request from the application system, encryption, decryption and retrieval of the encrypted data are implemented with views, triggers, extended indexes and user-defined functions. The drawback is that with large data volumes trigger performance drops significantly; moreover, the use of views requires some modification on the application side, so the scheme cannot be fully transparent to the application, and access control is difficult to implement. Fourth, transparent database encryption: the transparent encryption and decryption functions of the database product are used to encrypt and decrypt data columns. The drawbacks are that Chinese commercial cryptographic algorithms cannot be used and that the protection scope is too narrow, guarding only against risks such as 'disk pulling' (physical removal of the storage media). Fifth, file-level encryption: an interception process is implanted in the operating system of the database server; data storage files are decrypted when opened and encrypted when written, and access control is based on the operating system user or process accessing the file.
The drawback of this scheme is the same as that of transparent database encryption: the protection scope is too narrow, and only risks such as 'disk pulling' can be prevented. Sixth, generic driver proxy encryption: a proxy service is added between the application system and a generic database driver, and column-level encryption and decryption is implemented by intercepting read and write access through the generic database driver interface. The drawback is that, because it is based on loading a generic database driver, the scheme is hard to adapt to other proprietary database drivers or to the various native database drivers.
Disclosure of Invention
The invention provides a fine-grained encryption and decryption method and system for structured data based on an ODBC driver agent. Using ODBC driver agent technology, the application system's access to the database driver is intercepted in the application layer, fine-grained encryption of the structured data is performed by a remote data encryption device, and fine-grained access control is established by identifying and encrypting the sensitive data and using the entity information of the application. The sensitive data is thereby protected at the three levels of storage state, transmission state and use state, and enterprise data security is ensured.
Specifically, in one embodiment of the invention, the ODBC driver agent based fine-grained encryption and decryption method for structured data comprises the following steps:
S1, install the data interception component, in plug-in form, in every application that needs to access the database;
S2, restart the application program so that it loads the data interception component;
S3, extract the meta-information of the sensitive data in the database and submit it to the data encryption management component for storage; the meta-information of the sensitive data comprises the library (database), table, column and row information of the database where the sensitive data are located;
S4, in the data encryption management component, configure the encryption and decryption strategy for the sensitive data in the database; the strategy comprises the field meta-information, a master key ID, key derivation factors, an encryption algorithm, an encryption initialization vector, a desensitization algorithm, positioning information of the encrypted data, and the entity information of the entities authorized to use the original sensitive data;
S5, the data encryption management component delivers the encryption and decryption strategy to the data interception component and the remote data encryption device, by push or by timed polling;
S6, batch-encrypt the existing (stock) data in the database with the encryption method of the encryption and decryption strategy, converting the original plaintext data into ciphertext in one pass;
S7, when the application performs an operation on the database, the data interception component intercepts, in the application layer, the application system's access to the database driver and sends the database operation together with the entity information, as an instruction, to the remote data encryption device;
S8, after receiving the instruction, the remote data encryption device first performs semantic analysis of the database operation request and determines whether the object of the operation is sensitive data in the database, which comprises the following steps:
S81, the remote data encryption device first obtains the master key ID and the key derivation factor from the strategy and requests the data encryption management device over the network to derive and return the encryption key;
S82, having obtained the encryption key, the remote data encryption device calls the encryption algorithm interface, passes it the encryption key, the encryption initialization vector and the sensitive data to be encrypted, and obtains the encrypted sensitive data;
S83, perform semantic analysis of the operation request:
the remote data encryption device splits the logic of the database operation and distinguishes the operation action (insert, update, delete or query) and the database meta-information of the operation, namely the database name, table name, field name and the value of the operated data;
S84, match the analysis result against the sensitive data encryption and decryption strategy:
having parsed the database operation, the remote data encryption device decides whether the data value needs to be encrypted by comparing the meta-information of the operated data with the sensitive data meta-information in the encryption and decryption strategy;
S85, when the meta-information of the operated data matches the sensitive data meta-information in the strategy, the object of the database operation is judged to be sensitive data in the database, and the sensitive data is encrypted;
S9, after encrypting the sensitive data, the remote data encryption device replaces the plaintext sensitive data in the earlier analysis result, combines the operation action, the meta-information of the operated data and the encrypted sensitive data into a new database operation consistent with the original one, and sends the new database operation to the data interception component;
S10, the data interception component takes the database operation, with its sensitive data encrypted, that the remote data encryption device sent back, submits it to the database engine by calling the ODBC interface, obtains the result set returned by the database engine, and sends the result set to the remote data encryption device for processing;
S11, after receiving the instruction, the remote data encryption device obtains the entity information by restoring the context information of the process, and judges whether the current operating entity is authorized to use the original sensitive data by comparing the entity information with the authorized entity information in the encryption and decryption strategy;
S12, according to the judgment of step S11, when the database operation is directed at sensitive data in the database and the entity is authorized to use the original sensitive data, execute step S13; otherwise execute step S14;
S13, decrypt the value of the sensitive data according to the encryption and decryption strategy; having obtained the plaintext sensitive data, the remote data encryption device replaces the ciphertext sensitive data in the analysed result set with the plaintext, combines the operation action, the meta-information of the operated data and the decrypted sensitive data into a new database operation consistent with the original one, and sends it to the data interception component;
S14, decrypt the value of the sensitive data according to the encryption and decryption strategy and then desensitize it according to the strategy; having obtained the desensitized sensitive data, the remote data encryption device replaces the ciphertext sensitive data in the analysed result set with the desensitized data, combines the operation action, the meta-information of the operated data and the decrypted and desensitized sensitive data into a new database operation consistent with the original one, and sends it to the data interception component;
S15, the data interception component returns the data sent back by the remote data encryption device to the application, and the encryption process ends.
Preferably, when step S81 obtains the key required for data encryption, the direct source of the key may be the key management module of the data encryption management device, a hardware security module (HSM), or the enterprise's key management system.
Preferably, the key may also be obtained indirectly from the key management system through the database encryption management device.
Preferably, in the data encryption strategy, the encryption algorithm uses deterministic encryption: encrypting the same plaintext repeatedly yields the same ciphertext every time, which satisfies the requirement of exact-match retrieval over ciphertext.
Preferably, the components of the remote data encryption device comprise a cryptographic software module supporting Chinese commercial cryptographic algorithms and international cryptographic algorithms.
A fine-grained encryption and decryption system for structured data based on an ODBC driver agent comprises a data interception component, a remote data encryption device and a data encryption management component.
The data interception component is installed in the application in plug-in form; based on the database access layer, it intercepts the calls to the standard ODBC database driver or to the native driver interface of the database product, monitors the application's process, intercepts the application's operations on the database, and restores the entity information from the context of the application process. The data encryption management component is configured with the encryption and decryption strategy for the sensitive data, which it delivers to the data interception component and the remote data encryption device by timed polling or by push. The components of the remote data encryption device include a cryptographic software module that provides the encryption capability.
When the application executes a write or query operation on the database, the operation is sent to the remote data encryption device, which analyses the operation request, encrypts and replaces the sensitive data contained in the operation as required using the encryption method of the encryption and decryption strategy, and sends the encrypted result back to the data interception component. After receiving the processed database operation, the data interception component calls the ODBC interface to send it to the database and sends the returned result to the remote data encryption device for processing; in accordance with the authorization rules in the strategy, the remote data encryption device provides the real plaintext sensitive data to authorized entities and desensitized sensitive data to entities without authorization.
The invention has the following beneficial effects:
1. the invention is completely transparent to the application system and requires no modification of the existing application system;
2. the invention can use Chinese commercial cryptographic algorithms;
3. the invention introduces no single point of failure;
4. the encryption result changes only the plaintext or ciphertext state of the data, not the meaning of the application's database driver operation;
5. the invention has no obvious effect on the original read and write performance;
6. the protection scope of the sensitive data is extended to the application system side, and illegal direct read and write access to the database can be prevented;
7. the invention can control access authorization for the reading and writing of sensitive data.
Drawings
FIG. 1 is a system architecture diagram of the ODBC driver agent based fine-grained encryption and decryption of structured data according to the present invention;
FIG. 2 is a schematic representation of the steps of the present invention;
FIG. 3 is a schematic diagram of the encryption flow of the present invention;
FIG. 4 is a schematic diagram of the decryption flow of the present invention.
Detailed Description
Hereinafter, embodiments of the present invention will be described with reference to the drawings.
The system comprises a data interception component AOE-ODBC, a remote data encryption device AOE-grpc and a data encryption management component. The data interception component AOE-ODBC is installed in plug-in form in every application that needs to access a database; based on the database access layer it intercepts the calls to the standard ODBC database driver or to the native driver interface of the database product, monitors the application's process at all times and intercepts the application's operations on the database, so that the entity information in the context of the application process can be restored. The components of the remote data encryption device AOE-grpc include a cryptographic software module supporting Chinese commercial cryptographic algorithms and international cryptographic algorithms, which provides the encryption capability. The entity information is obtained by the data encryption component monitoring the target application process and restoring the context information of that process.
The data interception component AOE-ODBC is an interface agent for ODBC. Its main functions are intercepting the application's operations on the database and sending those operations over the network to the remote data encryption device AOE-grpc for encryption and decryption.
The method comprises the following steps:
S1, install the data interception component in plug-in form in every application that needs to access the database. The specific deployment is as follows: replace the system.data.dll file of the original system with the system.data.dll file into which AOE-ODBC has been integrated, and place the configuration file used by AOE-ODBC, in which the network address of the remote data encryption device AOE-grpc and the network address of the data encryption management component are configured.
S2, after the data interception component AOE-ODBC is deployed, restart the application program so that it loads the AOE-ODBC component.
S3, extract the sensitive data meta-information, namely the library, table, column and row information of the database in which the sensitive data are located, and submit the extracted sensitive data meta-information to the data encryption management component.
S4, configure the encryption strategy of the sensitive data in a visual (graphical) manner. The encryption and decryption strategy of the sensitive data comprises the field meta-information, a master key ID, key derivation factors, an encryption algorithm, an encryption initialization vector, a desensitization algorithm, positioning information of the encrypted data, and the entity information of the entities authorized to use the original sensitive data.
S5, the data encryption and decryption strategy is delivered to the database interception component AOE-ODBC and the remote data encryption device AOE-grpc by timed polling or by push from the data encryption management component.
S6, batch-encrypt the existing (stock) data in the database using the encryption method of the encryption and decryption strategy, converting the original plaintext data into ciphertext in one pass.
S7, when the application executes a write or query operation on the database, the data interception component AOE-ODBC intercepts, in the application layer, the application system's database driver access (the operation or the query result set) and sends the database operation to the remote data encryption device AOE-grpc.
Interception of calls to the ODBC driver library or to the database's native driver library is performed as follows:
1) Interception in the application layer of the operating system: before the standard ODBC database driver or the native driver of the database product is loaded, the interception library of the invention is loaded first, making use of the order in which the operating system searches for dynamic libraries; after processing the read or write request, the interception library calls the corresponding interface in the original standard ODBC driver or native driver.
2) Interception in the kernel layer of the operating system, by either of the following two methods:
A. Kernel inline hook
The offset address in the section of the loaded ODBC driver or database native driver library is modified to point to the interception library of the invention, which then performs the interception processing.
B. Using the kernel debugging mechanism (kprobes)
The three probe types of the kprobes facility, kprobe, jprobe and kretprobe, are used to dynamically insert a probe point into a function of the loaded ODBC driver or database native driver library; when the kernel's execution flow reaches the probed function, the callback function (that is, the interception function of the invention) is called, and after it has finished the kernel returns to its normal execution flow.
S8, after receiving the database operation sent by the data interception component AOE-ODBC, the remote data encryption device AOE-grpc first analyses it. The analysis mainly consists of AOE-grpc splitting the logic of the database operation and distinguishing the operation action (insert, update, delete, query and so on), the meta-information of the operated data (database name, table name, field name and so on) and the value of the operated data.
Next, the analysis result is matched against the sensitive data encryption and decryption strategy: having parsed the database operation, AOE-grpc decides whether the data value needs to be encrypted by comparing the meta-information of the operated data with the meta-information of the sensitive data in the strategy.
Finally, when the meta-information matches, AOE-grpc encrypts or decrypts the value of the sensitive data according to the strategy. AOE-grpc compares the meta-information of the operated data one by one with the meta-information of the sensitive data in the strategies; on a match it first obtains the master key ID and the key derivation factor from the strategy, requests derivation from the data encryption management device over the network, and obtains the encryption key. With the encryption key, AOE-grpc calls the encryption algorithm interface, passes it the encryption key, the encryption initialization vector and the sensitive data to be encrypted, and obtains the encrypted sensitive data. The sensitive data contained in the operation is then encrypted and replaced according to the strategy: after obtaining the encrypted sensitive data, AOE-grpc replaces the plaintext sensitive data in the earlier analysis result and combines the operation action, the meta-information of the operated data and the encrypted sensitive data into a new database operation consistent with the original one. For example:
Original database operation:
SELECT phone_num, age FROM user_info WHERE username="zhang san";
Encrypted database operation:
SELECT phone_num, age FROM table_name WHERE username="MDHjtprAvPyVlrn8hs4FuA6rtpfwfegkwG1THfxj7iyg0Uww75IEOwB+zXHavQ==|^|";
The original operation looks up Zhang San's mobile phone number and age; what the encrypted operation shows is desensitized, not the real information.
Further, in the step of obtaining the key required for data encryption, for security reasons the data encryption component in the application system does not itself generate the root key or the working key used for encryption; the key may come directly from the key management module of the data encryption management device, from a hardware security module (HSM) or from the enterprise's key management system, or may be obtained from the key management system through the database encryption management device.
Furthermore, in the data encryption strategy, the encryption algorithm supports deterministic encryption: encrypting the same plaintext repeatedly yields the same ciphertext each time, which satisfies the requirement of exact-match retrieval over ciphertext.
S9, after encrypting the sensitive data, the remote data encryption device replaces the plaintext sensitive data in the earlier analysis result, combines the operation action, the meta-information of the operated data and the encrypted sensitive data into a new database operation consistent with the original one, and sends the new database operation to the data interception component;
S10, the data interception component takes the database operation, with its sensitive data encrypted, that the remote data encryption device sent back, submits it to the database engine by calling the ODBC interface, obtains the result set returned by the database engine, and then sends the result set to the remote data encryption device for processing;
S11, after receiving the instruction, the remote data encryption device obtains the entity information by restoring the context information of the process, and judges whether the current operating entity is authorized to use the original sensitive data by comparing the entity information with the authorized entity information in the encryption and decryption strategy;
S12, according to the judgment of step S11, when the database operation is directed at sensitive data in the database and the entity is authorized to use the original sensitive data, execute step S13; otherwise execute step S14;
S13, decrypt the value of the sensitive data according to the encryption and decryption strategy; having obtained the plaintext sensitive data, the remote data encryption device replaces the ciphertext sensitive data in the analysed result set with the plaintext, combines the operation action, the meta-information of the operated data and the decrypted sensitive data into a new database operation consistent with the original one, and sends it to the data interception component;
S14, decrypt the value of the sensitive data according to the encryption and decryption strategy and then desensitize it according to the strategy; having obtained the desensitized sensitive data, the remote data encryption device replaces the ciphertext sensitive data in the analysed result set with the desensitized data, combines the operation action, the meta-information of the operated data and the decrypted and desensitized sensitive data into a new database operation consistent with the original one, and sends it to the data interception component;
S15, the data interception component returns the data sent back by the remote data encryption device to the application, and the encryption process ends.
The decryption process is similar to the encryption process: the data interception component AOE-ODBC sends the result set returned by the database to the remote data encryption equipment; the remote data encryption equipment analyzes the meta-information of the data in the result set, matches it against the sensitive data encryption and decryption strategy, decrypts or desensitizes the sensitive data according to the access subject information, replaces the original ciphertext data with the decrypted or desensitized data, and recombines the result set. For example:
Raw result set (phone number list):
phone_num
Ls4q/kAz1cxMl4f
)}(>|$V1^-6WP|%
N:{J)hcaQK!-X80
Decrypted or desensitized result:
phone_num
138****9087
185****8234
135****6191
The remote data encryption equipment sends the decrypted or desensitized result set back to the data interception component AOE-ODBC, which returns the result set to the application once it has received it.
The data interception component is installed in the application as a plug-in; based on the database access layer, it intercepts the ODBC standard driver interface calls or the native driver interface calls of the database product, monitors the application process, intercepts the application's operations on the database, and restores the entity information from the context of the application process. The data encryption management component holds the configured encryption and decryption strategy for sensitive data, and issues that strategy to the data interception component and the remote data encryption equipment by timed polling or by push. The remote data encryption equipment includes a cryptographic software module with encryption capability.
When the application executes a write or query operation on the database, the operation is sent to the remote data encryption equipment, which analyzes the operation request, encrypts and replaces the sensitive data contained in the request as needed using the encryption method in the encryption and decryption strategy, and sends the encrypted result back to the data interception component; after receiving the processed database operation, the data interception component calls the ODBC interface, sends the operation to the database, and returns the processed result to the application. In this way, an entity with authority receives the real sensitive data and an entity without authority receives desensitized sensitive data, as regulated by the authority settings in the encryption and decryption strategy.
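The decrypt-or-desensitize decision of steps S11 to S14, together with the deterministic encryption that claim 4 requires for exact-match retrieval, as an added Python example that is not the patent's own implementation. The policy layout, key store, key ID, entity names and phone numbers are constructed, and the HMAC counter keystream is a stand-in for the cipher slot of the strategy (a deployment would put a deterministic mode of SM4 or AES, such as AES-SIV, there).

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the management component's key store: master key ID -> key bytes.
MASTER_KEYS = {"mk-0001": bytes.fromhex("00112233445566778899aabbccddeeff")}

@dataclass(frozen=True)
class Policy:                        # one entry of the encryption and decryption strategy
    database: str
    table: str
    column: str
    master_key_id: str
    derivation_factor: bytes
    iv: bytes                        # fixed per field, which is what makes encryption deterministic
    keep_prefix: int                 # desensitization: leading characters left visible
    keep_suffix: int                 # desensitization: trailing characters left visible
    authorized_entities: frozenset   # entities allowed to see the original sensitive data

def derive_key(policy: Policy) -> bytes:
    # Field key = KDF(master key, derivation factor), the request made in step S81.
    return hmac.new(MASTER_KEYS[policy.master_key_id], policy.derivation_factor, hashlib.sha256).digest()

def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # HMAC counter keystream: a stand-in for the policy's real cipher (assumption, see lead-in).
    blocks = [hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def encrypt(policy: Policy, plaintext: str) -> str:
    # Deterministic: the same key, IV and plaintext always yield the same ciphertext,
    # so an exact-match query against the ciphertext column still works (claim 4).
    data = plaintext.encode("utf-8")
    stream = _keystream(derive_key(policy), policy.iv, len(data))
    return base64.b64encode(bytes(a ^ b for a, b in zip(data, stream))).decode("ascii")

def decrypt(policy: Policy, ciphertext: str) -> str:
    data = base64.b64decode(ciphertext)
    stream = _keystream(derive_key(policy), policy.iv, len(data))
    return bytes(a ^ b for a, b in zip(data, stream)).decode("utf-8")

def desensitize(policy: Policy, plaintext: str) -> str:
    # Mask the middle, e.g. 13812349087 -> 138****9087; a value too short to keep a hidden middle is masked entirely.
    hidden = len(plaintext) - policy.keep_prefix - policy.keep_suffix
    if hidden <= 0:
        return "*" * len(plaintext)
    return plaintext[:policy.keep_prefix] + "*" * hidden + plaintext[len(plaintext) - policy.keep_suffix:]

def find_policy(policies, database, table, column):
    # Step S84: match the operation's meta-information (db, table, column) against the strategy.
    return next((p for p in policies if (p.database, p.table, p.column) == (database, table, column)), None)

def rewrite_result_set(policies, database, table, columns, rows, entity):
    # Steps S11 to S14: decrypt for an authorized entity, otherwise decrypt and desensitize.
    hits = [(i, p) for i, c in enumerate(columns) if (p := find_policy(policies, database, table, c))]
    out = []
    for row in rows:
        row = list(row)
        for i, p in hits:
            plain = decrypt(p, row[i])
            row[i] = plain if entity in p.authorized_entities else desensitize(p, plain)
        out.append(tuple(row))
    return out

# Constructed sample policy for crm.customer.phone_num (names and key ID are invented).
PHONE_POLICY = Policy("crm", "customer", "phone_num", "mk-0001", b"crm.customer.phone_num",
                      b"\x01" * 16, 3, 4, frozenset({"billing-service"}))
```

A column with no matching policy passes through rewrite_result_set unchanged, which is the step S84 outcome for non-sensitive data.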
The above examples are only for describing the preferred embodiments of the present invention, and are not intended to limit the scope of the present invention, and various modifications and improvements made to the technical solution of the present invention by those skilled in the art without departing from the spirit of the present invention should fall within the protection scope defined by the claims of the present invention.

Claims (6)

1. A structured data fine-grained encryption and decryption method based on an ODBC driver agent, characterized by comprising the following steps:
S1, installing a data interception component, as a plug-in, in each application that needs to access the database;
S2, restarting the application program so that it loads the data interception component;
S3, extracting the meta-information of the sensitive data in the database and submitting it to a data encryption management component for storage; the meta-information of the sensitive data comprises the library, table, column and row information of the database where the sensitive data are located;
S4, configuring encryption and decryption strategies for the sensitive data in the database in the data encryption management component, wherein a sensitive data encryption and decryption strategy comprises field meta-information, a master key ID, key derivation factors, an encryption algorithm, an encryption initialization vector, a desensitization algorithm, positioning information of the encrypted data, and the entity information of entities authorized to use the original sensitive data;
S5, sending the encryption and decryption strategies to the data interception component and the remote data encryption equipment, by push or by timed polling of the data encryption management component;
S6, batch-encrypting the stock data in the database with the encryption method in the encryption and decryption strategy, converting the original plaintext data into ciphertext in one pass;
S7, when the application performs an operation on the database, the data interception component intercepts the database driver access of the application system at the application layer, and sends the database operation together with the entity information to the remote data encryption equipment as an instruction;
S8, after receiving the instruction, the remote data encryption equipment first performs semantic analysis on the database operation request and determines whether the object of the database operation is sensitive data in the database, comprising the following steps:
S81, the remote data encryption equipment first obtains the master key ID and the key derivation factor from the strategy and requests the data encryption management equipment over the network to derive and return the encryption key;
S82, after obtaining the encryption key, the remote data encryption equipment calls the encryption algorithm interface, passes the encryption key, the encryption initialization vector and the sensitive data to be encrypted as parameters to the algorithm interface, and obtains the encrypted sensitive data;
S83, performing semantic analysis on the operation request:
the remote data encryption equipment splits the logic of the database operation and distinguishes the operation action (insertion, update, deletion or query) from the database meta-information of the operation (database name, table name, field name, and the value of the operated data);
S84, matching the analysis result against the sensitive data encryption and decryption strategy:
after analyzing the database operation, the remote data encryption equipment judges whether the value of the data needs to be encrypted by checking whether the meta-information of the data operated on matches the sensitive data meta-information in the encryption and decryption strategy;
S85, when the meta-information of the operated data matches the meta-information of the sensitive data in the encryption and decryption strategy, judging that the object of the database operation is sensitive data in the database, and in that case encrypting the sensitive data;
S9, after the remote data encryption equipment encrypts the sensitive data, it replaces the plaintext sensitive data in the previous analysis result with the ciphertext, combines the operation action, the meta information of the operated data and the encrypted sensitive data into a new database operation consistent with the original database operation, and sends the new database operation to the data interception component;
S10, the data interception component receives the database operation, with its sensitive data encrypted, sent back by the remote data encryption equipment, submits it to the database engine by calling the ODBC interface, obtains the result set returned by the database engine, and sends the result set to the remote encryption equipment for processing;
S11, after receiving the instruction, the remote data encryption equipment obtains the entity information by restoring the context information of the process, and judges whether the current operating entity has the authority to use the original sensitive data by checking whether its entity information matches the entity information authorized to use the original sensitive data in the encryption and decryption strategy;
S12, according to the judgment result of step S11, when the database operation is directed at sensitive data in the database and the entity has the right to use the original sensitive data, execute step S13; otherwise execute step S14;
S13, decrypt the value of the sensitive data according to the encryption and decryption strategy; after the remote data encryption equipment obtains the decrypted plaintext sensitive data, it replaces the ciphertext sensitive data in the previous analysis result set with the plaintext, combines the operation action, the meta information of the operated data and the decrypted sensitive data into a new database operation consistent with the original database operation, and sends the new database operation to the data interception component;
S14, decrypt the value of the sensitive data according to the encryption and decryption strategy, then desensitize the value according to the same strategy; after the remote data encryption equipment obtains the desensitized sensitive data, it replaces the ciphertext sensitive data in the previous analysis result set with the desensitized data, combines the operation action, the meta information of the operated data and the decrypted and desensitized sensitive data into a new database operation consistent with the original database operation, and sends the new database operation to the data interception component;
S15, the data interception component returns the data sent back by the remote encryption equipment to the application, and the encryption process is finished.
2. The structured data fine-grained encryption and decryption method based on an ODBC driver agent according to claim 1, wherein, when step S81 obtains the key required for data encryption, the direct sources of the key comprise the key management module of the data encryption management device, a Hardware Security Module (HSM), and the enterprise's key management system.
3. The structured data fine-grained encryption and decryption method based on an ODBC driver agent according to claim 2, wherein the key may further be obtained indirectly from a key management system through the database encryption management device.
4. The structured data fine-grained encryption and decryption method based on an ODBC driver agent according to claim 1, characterized in that, in the data encryption strategy, the encryption algorithm adopts deterministic encryption, so that repeatedly encrypting the same plaintext yields the same ciphertext each time, meeting the requirement of exact-match retrieval on the ciphertext.
5. The structured data fine-grained encryption and decryption method based on an ODBC driver agent according to claim 1, wherein the components of the remote data encryption device comprise a cryptographic software module supporting Chinese commercial cryptography and international cryptographic algorithms.
6. A structured data fine-grained encryption and decryption system based on an ODBC driver agent, characterized by comprising a data interception component, a remote data encryption device and a data encryption management component, wherein the data interception component is used for intercepting the structured data;
the data interception component is installed in the application as a plug-in; based on the database access layer, it intercepts the ODBC standard driver interface calls or the native driver interface calls of the database product, monitors the application process, intercepts the application's operations on the database, and restores the entity information from the context of the application process; the data encryption management component holds the configured encryption and decryption strategy for sensitive data; the encryption and decryption strategy is issued to the data interception component and the remote data encryption equipment by timed polling or by push from the data encryption management component; the components of the remote data encryption device comprise a cryptographic software module with encryption capability;
when the application executes a write or query operation on the database, the operation is sent to the remote data encryption equipment, which analyzes the operation request, encrypts and replaces the sensitive data contained in the request as needed using the encryption method in the encryption and decryption strategy, and sends the encrypted result back to the data interception component; after receiving the processed database operation, the data interception component calls the ODBC interface, sends the operation to the database, and sends the processed result to the remote encryption equipment for processing; the remote encryption equipment, according to the authority regulation in the encryption and decryption strategy, provides the real plaintext sensitive data to entities with authority and desensitized sensitive data to entities without authority.
CN202011584034.1A 2020-12-28 2020-12-28 ODBC (optical distribution bus) driving agent based structured data fine-grained encryption and decryption method and system Active CN112580100B (en)

Publications (2)

Publication Number Publication Date
CN112580100A true CN112580100A (en) 2021-03-30
CN112580100B CN112580100B (en) 2022-06-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant