CN113434535B - Data processing method, communication system, device, product and storage medium - Google Patents

Data processing method, communication system, device, product and storage medium Download PDF

Info

Publication number
CN113434535B
CN113434535B CN202110984058.4A CN202110984058A CN113434535B CN 113434535 B CN113434535 B CN 113434535B CN 202110984058 A CN202110984058 A CN 202110984058A CN 113434535 B CN113434535 B CN 113434535B
Authority
CN
China
Prior art keywords
target
database
type
target operation
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110984058.4A
Other languages
Chinese (zh)
Other versions
CN113434535A (en
Inventor
李亦然
李飞飞
汪晟
杨新颖
张焱山
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Cloud Computing Ltd
Original Assignee
Alibaba China Co Ltd
Alibaba Cloud Computing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba China Co Ltd, Alibaba Cloud Computing Ltd filed Critical Alibaba China Co Ltd
Priority to CN202110984058.4A priority Critical patent/CN113434535B/en
Publication of CN113434535A publication Critical patent/CN113434535A/en
Application granted granted Critical
Publication of CN113434535B publication Critical patent/CN113434535B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24Querying
    • G06F16/242Query formulation
    • G06F16/2433Query languages
    • G06F16/2445Data retrieval commands; View definitions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services

Abstract

The embodiment of the application provides a data processing method, a communication system, equipment, a product and a storage medium. The method comprises the following steps: determining operation elements contained in a database access statement and operation objects corresponding to the operation elements according to the database access statement; determining a target operation object corresponding to a database field in a database in the operation objects; acquiring related information from the database according to the operation element and the target operation object; determining target operation information corresponding to the operation element according to the related information, wherein the target operation information comprises a target operation object type; the target operation object type comprises one of a plaintext type and a ciphertext type; and encrypting the database access statement according to the target operation information. The scheme provided by the embodiment of the application has better universality.

Description

Data processing method, communication system, device, product and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a data processing method, a communication system, a device, a product, and a storage medium.
Background
The cloud platform has sound safety protection capability, so that when a user uses the cloud database, the user does not need to worry about data leakage caused by external attack on the database. However, user data is visible to the cloud platform, which results in users still worrying about internal staff of the cloud platform being unauthorized to access or used by the cloud platform.
At present, some cloud databases implement ciphertext-based retrieval and computation by using technologies such as TEE (Trusted Execution Environment). Therefore, the user can store the encrypted user data in the cloud database, and the cloud database side cannot acquire the plaintext user data because the plaintext encryption key of the user data cannot be acquired, so that the safety of the user data is ensured. In the existing scheme, the client side encrypts and rewrites the database query codes based on a rule configured in advance locally, and the rule-based encryption and rewriting scheme is only suitable for part of simple database query codes, cannot be suitable for complex database query codes, and is poor in universality.
Disclosure of Invention
The present application provides a data processing method, a communication system, a device, an article of manufacture, and a storage medium that solve the above problems, or at least partially solve the above problems, to improve the versatility of the solution.
Thus, in one embodiment of the present application, a data processing method is provided. The method comprises the following steps:
determining operation elements contained in a database access statement and operation objects corresponding to the operation elements according to the database access statement;
determining a target operation object corresponding to a database field in a database in the operation objects;
acquiring related information from the database according to the operation element and the target operation object;
determining target operation information corresponding to the operation element according to the related information, wherein the target operation information comprises a target operation object type; the target operation object type comprises one of a plaintext type and a ciphertext type;
and encrypting the database access statement according to the target operation information.
In yet another embodiment of the present application, a communication system is provided. The system, comprising:
a client and a server;
the client is used for generating a database access statement; determining operation elements contained in the database access statement and operation objects corresponding to the operation elements according to the database access statement; determining a target operation object corresponding to a database field in a database in the operation objects; sending the operation element and the target operation object to the server;
the server is used for receiving the operation element and the target operation object; acquiring related information from the database according to the operation element and the target operation object; and sending the relevant information to the client;
the client is also used for receiving the related information; determining target operation information corresponding to the operation element according to the related information, wherein the target operation information comprises a target operation object type; the target operation object type comprises one of a plaintext type and a ciphertext type; encrypting the database access statement according to the target operation information to obtain an encryption result; and sending the encryption result to the server.
In yet another embodiment of the present application, an electronic device is provided. The electronic device includes: a memory and a processor, wherein,
the memory is used for storing programs;
the processor is coupled to the memory, and is configured to execute the program stored in the memory, so as to implement the data processing method.
In still another embodiment of the present application, there is provided a computer-readable storage medium storing a computer program capable of implementing the data processing method of any one of the above when executed by a computer.
In yet another embodiment of the present application, there is provided a computer program product, comprising: a computer program; the computer program is capable of implementing any one of the data processing methods described above when executed by a computer.
In the technical scheme provided by the embodiment of the application, a database access statement is analyzed to determine operation elements contained in the database access statement and a target operation object corresponding to a database field in a database in the operation object; acquiring target operation information corresponding to each operation element from a database according to the operation element and a target operation object corresponding to a database field in the database; then, type inference is carried out on each operation object in the database access statement based on target operation information corresponding to each operation element acquired from the database so as to determine whether each operation object needs to be encrypted. In other words, the information according to which the database access statement is encrypted is obtained from the database to be accessed, so that the encryption rewriting of any database access statement can be supported universally, and the universality of the scheme is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic flow chart of a data processing method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a data processing method according to an embodiment of the present application;
FIG. 3 provides an exemplary diagram of a communication system according to an embodiment of the present application;
fig. 4 is a block diagram of a data processing apparatus according to an embodiment of the present application;
fig. 5 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
At present, in order to encrypt and rewrite a database query code, a developer of a client needs to write an encryption rewriting rule. The applicant finds that, in practical application, database query codes generally involve various complex situations, and the encryption rewriting rule can only encrypt and rewrite some simple database query codes, but cannot correctly encrypt and rewrite complex database query codes, so that the universality is poor.
In order to solve the above problem, embodiments of the present application provide an encryption rewriting scheme for a database access statement, that is, operation information is acquired from a database to be accessed, so that type inference is performed on each operation object in the database access statement based on the operation information of the database to determine whether each operation object needs to be encrypted, so that encryption rewriting of any database access statement can be supported universally, and the universality of the scheme is improved.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below according to the drawings in the embodiments of the present application. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Further, in some flows described in the specification, claims, and above-described figures of the present application, a number of operations are included that occur in a particular order, which operations may be performed out of order or in parallel as they occur herein. The sequence numbers of the operations, e.g., 101, 102, etc., are used merely to distinguish between the various operations, and do not represent any order of execution per se. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different.
Fig. 1 shows a schematic flow chart of a data processing method according to an embodiment of the present application. The execution main body of the data processing method provided by the embodiment of the application can be a client. In an example, the client may be hardware integrated on the terminal and having an embedded program, may also be application software installed in the terminal, and may also be tool software embedded in an operating system of the terminal, which is not limited in this embodiment of the present application. The terminal can be any terminal equipment including a mobile phone, a computer and the like. As shown in fig. 1, the method includes:
101. and determining the operation elements contained in the database access statement and the operation objects corresponding to the operation elements according to the database access statement.
102. And determining a target operation object corresponding to a database field in the database in the operation objects.
103. And acquiring related information from the database according to the operation element and the target operation object.
104. And determining target operation information corresponding to the operation element according to the related information, wherein the target operation information comprises a target operation object type.
Wherein the target operation object type comprises one of a plaintext type and a ciphertext type.
105. And encrypting the database access statement according to the target operation information.
In the foregoing 101, the database access statement may specifically be an SQL (Structured Query Language) statement, which is used to store data and Query, update, and manage the database.
The database access statement comprises at least one operation element and an operation object corresponding to each operation element. The operation elements may include an operation function name and an operator. For example: when the operation element is the name of the operation function, the operation object corresponding to the operation element is also the function parameter. When an operation element is an operator, the operand corresponding to the operation element is also an operand.
For example: the database access statement is: SELECT FROM component WHERE subsystem (name, 1, 1) = 'sheet' AND score > 60, wherein the operation elements include: substring () is an operation function name, each of = AND + is an operator, substring corresponds to three operation objects whose object values are name, 1 AND 1, respectively, = corresponds to two operation objects whose object values are an operation return value AND a sheet, AND corresponds to two operation objects whose object values are an operation return value AND an operation return value of =, respectively, > corresponds to two operation objects whose object values are score AND 60, respectively.
In the above 102, the target operation object corresponding to the database field in the database, that is, the target operation object whose object value is the field name of the database field in the database, is determined from the plurality of operation objects included in the database access statement. The specific determination method can be found in the prior art, and is not described in detail herein. In one example, the field names of all database fields involved in the database may be obtained from the database in advance and stored, and then the target operation object may be determined by matching the stored field names.
Along the above example, name and score are field names of the database fields, and the operation objects with object values of name and score are target operation objects.
In 103, the operation element and the target operation object may be sent to a server, so that the server obtains relevant information from the database according to the operation element and the target operation object; and receiving the related information sent by the server.
In 104, the target operation information corresponding to the operation element may include a target operation object type of each operation object corresponding to the operation element. The target operation object type includes one of a plaintext type and a ciphertext type. The plaintext type can be used for indicating that the corresponding operation object does not need to be encrypted, and the ciphertext type is used for indicating that the corresponding operation object needs to be encrypted.
When the operation element is an operation function name, the target operation information may further include a corresponding operation function name. When the operation element is an operator, the target operation information may further include an operation function name corresponding to the corresponding operator. Taking an operator > as an example, the corresponding operation function name is cmp ().
It should be added that, in practical applications, usually, one and the same operation element may correspond to multiple operations, for example: the same operation function name corresponds to a plurality of operation functions, the same operator corresponds to a plurality of operation functions (note: there is a one-to-one correspondence between the operator and the operation function name, so the plurality of operation functions corresponding to the same operator are also the plurality of operation functions corresponding to the operation function name corresponding to the operator), although the operation function names of the plurality of operation functions are the same, there is a difference in function parameter types. Wherein the operation information is used to uniquely identify an operation. In one example, the operational information may be a function signature.
In addition, the target operation information corresponding to the operation element may further include the number of operation objects corresponding to the operation element, an operation object sequence corresponding to the operation element, and/or an operation function name corresponding to the operation element.
In the step 105, an operation object to be encrypted is determined according to the target operation information; and encrypting the operation object to be encrypted. And encrypting the operation object to be encrypted, namely encrypting the object value of the operation object to be encrypted.
In the technical scheme provided by the embodiment of the application, a database access statement is analyzed to determine operation elements contained in the database access statement and a target operation object corresponding to a database field in a database in the operation object; acquiring target operation information corresponding to each operation element from a database according to the operation element and a target operation object corresponding to a database field in the database; then, type inference is carried out on each operation object in the database access statement based on target operation information corresponding to each operation element acquired from the database so as to determine whether each operation object needs to be encrypted. In other words, the information according to which the database access statement is encrypted is obtained from the database to be accessed, so that the encryption rewriting of any database access statement can be supported universally, and the universality of the scheme is improved.
Moreover, the required information is obtained from the database, so that the configuration of a user is not needed; the scheme also does not need local calculation and can fully exert the performance of the database.
In an implementation scheme, in the above 103, "obtaining relevant information from the database according to the operation element and the target operation object" may specifically be implemented by the following steps:
1031a, sending the operation element and the target operation object to a server, so that the server obtains at least one piece of alternative operation information corresponding to the operation element and the field type of the database field corresponding to the target operation object from the database.
1032a, receiving at least one alternative operation information corresponding to the operation element returned by the server and the field type of the database field corresponding to the target operation object.
The related information includes at least one alternative operation information corresponding to the operation element and a field type of a database field corresponding to the target operation object.
1031a above, obtaining at least one alternative operation information corresponding to the operation element from the database, that is, obtaining operation information of at least one operation corresponding to the operation element from the database, as the at least one alternative operation information corresponding to the operation element. The database supports all operations in at least one operation corresponding to the operation element. Taking an operation element as an operation function name as an example, acquiring a function signature of at least one operation function corresponding to the operation function name from a database to serve as at least one piece of alternative operation information corresponding to the operation function name. Wherein the at least one alternative operation information comprises one or more alternative operation information.
Wherein the field type includes one of a ciphertext type or a plaintext type. In an example, the field type can also include a data type. The data type may include a text type, a numerical type, a date type, and the like, among others.
After the server side obtains the at least one alternative operation information corresponding to the operation element and the field type of the database field corresponding to the target operation object from the database, the server side can send the at least one alternative operation information corresponding to the operation element and the field type of the database field corresponding to the target operation object to the client side.
In an example, in the above 104, "determining the target operation information corresponding to the operation element according to the related information" may be implemented by:
1041a, determining the target operation information corresponding to the operation element from the at least one candidate operation information corresponding to the operation element based on the field type of the database field corresponding to the target operation object.
In a specific example, the target operation object comprises a first target operation object; the operation elements comprise a first operation element; the operation object corresponding to the first operation element comprises the first target operation object. In 1041a, "determining, based on the field type of the database field corresponding to the target operation object, the target operation information corresponding to the operation element from the at least one candidate operation information corresponding to the operation element" may specifically include:
and S1, matching at least one alternative operation information corresponding to the first operation element according to the field type of the database field corresponding to the first target operation object, and obtaining the target operation information of the first operation element.
Specifically, a first alternative operation information is determined from at least one alternative operation information corresponding to the first operation element; determining whether an operation object type corresponding to the first target operation object in the first candidate operation information is matched with a field type of a database field corresponding to the first target operation object; if so, determining the first alternative operation information as target operation information of the first operation element; and if not, continuously traversing the next alternative operation information in the at least one alternative operation information corresponding to the first operation element until the target operation information of the first operation element is determined. And the second position ordering information of the operation object type relative to the first target operation object in the first candidate operation information is the same as the third position ordering information of the first target operation object among a plurality of operation objects corresponding to the first operation element. Third position ordering information of the first target operation object among the operation objects corresponding to the first operation element can be determined according to the database access code.
Along with the "substring (name, 1, 1)" in the above example, for convenience of description, the operation objects whose object values are name, 1, 1 are simply referred to as name, 1, and 1, respectively. The multiple operation objects corresponding to the first operation element substring have names, 1 and 1, the field type of the database field corresponding to the operation object name in the database is a ciphertext type and a text type, and the first alternative operation information sequentially records three operation object types, namely the ciphertext type and the text type, the ciphertext type and the numerical value type, and the ciphertext type and the numerical value type. Note that, in this embodiment, one operation object type includes both a plaintext type and a ciphertext type, and also includes a data type. The name is the first position sorting information among the multiple operation objects corresponding to the first operation element substring, and then the ciphertext type and the text type, which are corresponding to the name and are the first second position sorting information, in the first candidate operation information are matched with (that is, the same as) the field type of the database field corresponding to the operation object name in the database, so that the first candidate operation information is the target operation information of the first operation element.
Further, the target operation information further includes a target operation return value type; the target operation return value type comprises one of a plaintext type and a ciphertext type; the operation elements comprise a second operation element; and the operation object corresponding to the second operation element comprises a return operation object of which the object value is the operation return value corresponding to the third operation element. In 1041a, "determining, based on the field type of the database field corresponding to the target operation object, the target operation information corresponding to the operation element from the at least one candidate operation information corresponding to the operation element" may specifically include:
and S2, determining the target operation return value type corresponding to the third operation element according to the target operation information corresponding to the third operation element.
And S3, matching at least one alternative operation information corresponding to the second operation element according to the target operation return value type corresponding to the third operation element to obtain the target operation information corresponding to the second operation element.
Specifically, second alternative operation information is determined from at least one alternative operation information corresponding to the second operation element; determining whether an operation object type corresponding to the return operation object in the second alternative operation information is matched with a target operation return value type corresponding to the third operation element; if so, determining the second alternative operation information as target operation information of the second operation element; and if not, continuously traversing the next alternative operation information in the at least one alternative operation information corresponding to the second operation element until the target operation information of the second operation element is determined. And the fourth position ordering information of the operation object type opposite to the return operation object in the second alternative operation information is the same as the fifth position ordering information of the return operation object among a plurality of operation objects corresponding to a second operation element. And determining fifth position sorting information of the returned operation object among a plurality of operation objects corresponding to the second operation element according to the database access code.
Along with "subsystem (name, 1, 1) = 'sheet'" in the above example, where the second operation element = the corresponding plurality of operation objects has a return operation object whose object value is the operation return value of subsystem and a sheet. Assume that the target operation return value type of substring includes a ciphertext type and a text type. The second alternative operation information is recorded with two operation object types of a ciphertext type and a text type, and the ciphertext type and the text type in sequence. Note that, in this embodiment, one operation object type includes both a plaintext type and a ciphertext type, and also includes a data type. The above-mentioned returning operation object is first in the fifth position sorting information among the multiple operation objects corresponding to the second operation element = then, what is supposed to be in the second candidate operation information is the ciphertext type and the text type whose fourth position sorting information is first, which are corresponding to the above-mentioned returning operation object, and this matches (i.e. is the same as) the target operation return value type of the substring, then the second candidate operation information is the target operation information of the second operation element.
In another implementation scheme, in the above 103, "obtaining relevant information from the database according to the operation element and the target operation object" may specifically be implemented by the following steps:
1031b, sending the operation element and the target operation object to a server, so that the server obtains at least one piece of alternative operation information corresponding to the operation element and a field type of a database field corresponding to the target operation object from the database; and determining target operation information corresponding to the operation element from at least one piece of alternative operation information corresponding to the operation element based on the field type of the database field corresponding to the target operation object, wherein the target operation information is used as the related information.
1032b, receiving the relevant information returned by the server.
For specific implementation of "based on the field type of the database field corresponding to the target operation object, determining the target operation information corresponding to the operation element from the at least one candidate operation information corresponding to the operation element, and using the target operation information as the related information" in 1031b, reference may be made to corresponding contents in the above embodiments, and details are not repeated here.
Optionally, in the foregoing 105, "encrypt the database access statement according to the target operation information" may specifically be implemented by adopting the following steps:
1051. and determining the target operation object types of other operation objects except the target operation object and the return operation object with the object value as the operation return value in the operation objects according to the target operation information.
1052. And encrypting the database access statement according to the target operation object types of the other operation objects.
In 1051, the target operation object types of all the operation objects can be specified based on the target operation information.
In actual application, the target operation object and the return operation object whose object value is the operation return value do not need to be encrypted, so that only the target operation object type of the operation object other than the target operation object and the return operation object whose object value is the operation return value is determined.
In the above example, "backing (name, 1, 1)" is taken as an example, and for convenience of description, the operation objects with the object values of name, 1, and 1 are simply referred to as name, 1, and 1, respectively. Wherein, the name is a target operation object. Three operation object types, namely a ciphertext type and a text type, a ciphertext type and a numerical value type, and a ciphertext type and a numerical value type, are recorded in the target operation information corresponding to the operation element substring in sequence, and then the target operation object types of the operation objects 1 and 1 are the ciphertext type and the numerical value type, and the ciphertext type and the numerical value type respectively.
In the above example, "substring (name, 1, 1) = 'sheet'" is used as an example, and for convenience of description, the operation objects with the object values of substring (name, 1, 1) and sheet are abbreviated as substring (name, 1, 1) and sheet, respectively. Wherein, the substring (name, 1, 1) is a return operation object whose object value is an operation return value. And the operation element = two operation object types, namely a ciphertext type and a text type, and a ciphertext type and a text type, are recorded in the corresponding target operation information in sequence, and the target operation object type of the operation object sheet is the ciphertext type and the text type.
In an example, the above 1052 of "performing encryption processing on the database access statement according to the target operand type of the other operand" may be implemented by the following steps:
and S11, according to the target operation object types of the other operation objects, determining the operation objects of which the target operation object types comprise the ciphertext types from the other operation objects to be used as the operation objects to be encrypted.
And S12, encrypting the operation object to be encrypted.
The operation object with the target operation object type including the ciphertext type is an object needing to be encrypted; the operand whose target operand type includes a plaintext type is an object that does not need to be encrypted.
In an example, the target operation object type further includes a target data type, and the "encrypting the operation object to be encrypted" in S12 may specifically include:
s121, if the actual data type of the operation object to be encrypted is the same as the target data type of the operation object to be encrypted, encrypting the operation object to be encrypted.
The actual data type of the first operation object can be determined according to the database access code; and if the actual data type of the operation object to be encrypted is the same as the target data type of the operation object to be encrypted, directly encrypting the operation object to be encrypted.
Further, the step of "encrypting the operation object to be encrypted" in S12 may specifically include:
s121a, if the actual data type of the operation object to be encrypted is different from the target data type of the operation object to be encrypted, converting the data type of the operation object to be encrypted into the target data type of the operation object to be encrypted, and obtaining the converted operation object.
S122a, encrypting the converted operation object.
For example: the actual data type of the first operation object is a numerical value type, and the target data type of the first operation object is a text type, so that the data type of the first operation object can be converted into the text type to obtain a converted operation object; then, the converted operation object is encrypted.
In this embodiment, even if a new data type is added or a data type is modified on the database side, the technical scheme provided by the embodiment of the present application is supported and has good applicability.
In an implementation scheme, the above-mentioned "encrypt the operand to be encrypted" in S12 may be implemented by the following steps:
s121b, obtaining the encryption key ciphertext of the database field corresponding to the target operation object from the database.
S122b, decrypting the encrypted key ciphertext to obtain an encrypted key plaintext.
S123b, encrypting the operation object to be encrypted according to the encryption key plaintext.
In S121b, the database stores the encryption key ciphertext of each database field. And according to each database field, acquiring a corresponding encryption key ciphertext from the database.
In S122b, the obtained cipher key ciphertext may be decrypted by using a locally pre-stored password to obtain a cipher key plaintext.
In S123b, when the number of target operation objects is one in actual use, the number of the encryption key ciphertext and the encryption key plaintext is also one. Then, all the operation objects to be encrypted are encrypted by adopting the encryption key plaintext corresponding to the encryption key ciphertext.
When the number of target operation objects is plural, the number of the encryption key ciphertext and the number of the encryption key plaintext are plural. In this case, in S123b, the following steps may be specifically adopted:
A. and determining an operation object related to the second target operation object from the operation objects to be encrypted.
The target operation object comprises a second target operation object, and the operation object related to the second target operation object refers to the operation element corresponding to the second target operation object or the operation element corresponding to the operation object with the object value being the operation return value determined by the second target operation object.
B. And encrypting the operation object related to the second target operation object in the first operation object by adopting the encryption key plaintext of the database field corresponding to the second target operation object.
For example, the database access statement is: SELECT FROM member WHERE subsystem (name, 1, 1) =' sheet AND score > 60. The second target operand is an operand whose object value is name, the operation return value of the substring is determined by the name, and the operand whose object value is the operation return value of the substring determined by the name corresponds to the same operation element =asthe operand whose object value is sheet. Then, the operation object with the object value of one sheet is the operation object related to the second target operation object, and the sheet is encrypted by using the encryption key plaintext of the database field corresponding to the second target operation object.
In one example, encrypting the operand to be encrypted may include: calling a database Software Development Kit (SDK) to encrypt the operation object to be encrypted. The SDK is specifically configured to perform the steps S121b, S122b, and S123 b.
In practical application, a user can configure the encryption granularity of the first operation object, such as allowing only a specific substring in a character string to be encrypted or only specific time in an encryption date to be encrypted according to the encryption requirement configured by the user. Specifically, in the above S12, "encrypt the operation object to be encrypted", the following steps may be adopted to implement:
s121c, determining the part to be encrypted in the operation object to be encrypted according to the encryption requirement input by the user.
S122c, encrypting the part to be encrypted in the operation object to be encrypted.
In the above S121c, an input interface may be provided in advance for the user to input the encryption requirement in the input interface, for example: encrypting only the first n characters of the operation object of the text type, wherein n is an integer greater than or equal to 1; only the month and the day in the operation object of the date type are encrypted; the operand for the value type is fully encrypted.
For example, if the object value of the operation object to be encrypted is abcd (character string type) and n is 2, only ab can be encrypted.
For another example: the object value of the object to be encrypted is 19920603 (date type), only 0603 can be encrypted.
In another example, the object values of the other operation objects in the database access statement are represented by placeholders, that is, the database access statement is a parameterized query statement, and in the step 1052, the "encrypting the database access statement according to the target operation object types of the other operation objects" may specifically be implemented by:
and S21, according to the first position sequencing information of the other operation objects in the database access statement, sequentially recording the target operation object types of the other operation objects to obtain recorded information.
And S22, receiving filling information of the user aiming at the database access statement. Wherein, the fill-in information includes object values of the other operation objects.
And S23, determining the target operation object type corresponding to each object value in the filling information according to the record information.
And S24, encrypting each object value according to the target operation object type corresponding to each object value in the filling information.
For example: the parameterized query statement is: SELECT FROM component WHERE following, (name, #, #) = '#', WHERE # is a placeholder, it is assumed that the target operation object types of the operation objects represented by the three placeholders # are determined to be A, B and C, respectively, and the form of the record obtained by sequentially recording may be (a, B, C); the filling information of the user for the parameterized query statement may be in the form of (1, 1, sheet), that is, the object value of the operation object represented by the first placeholder in the statement is 1, the object value of the operation object represented by the second placeholder is 1, and the object value of the operation object represented by the third placeholder is sheet; according to the recorded information (a, B, C), it can be determined that, in the filled-in information (1, 1, sheet), the target operation object type corresponding to the first 1 is a, the target operation object type corresponding to the second 1 is B, and the target operation object type corresponding to the sheet is C.
In the above S24, according to the target operation object type corresponding to each object value in the padding information, the specific implementation of the encryption processing on each object value may refer to the corresponding content in the above embodiments, and details are not described here.
The technical scheme provided by the embodiment of the application can simultaneously support the encrypted rewriting of the parameterized query statement and the unparameterized query statement, does not limit the form of the query statement, and does not need to modify logic codes by a user.
In order to facilitate analysis of the database access statement to determine the operation elements included in the database access statement and the operation objects corresponding to the operation elements, an abstract syntax tree ast (abstract syntax tree) corresponding to the database access statement may be generated. Specifically, in the foregoing 101, "determining, according to a database access statement, an operation element included in the database access statement and an operation object corresponding to the operation element" may be implemented by adopting the following steps:
1011. and generating an abstract syntax tree according to the database access statement.
1012. And determining the operation elements contained in the database access statement and the operation objects corresponding to the operation elements according to the abstract syntax tree.
The AST generation process and principle can refer to the prior art, and are not described in detail herein.
In one example, the method further includes:
106. and generating the database access statement.
After the database access statement is generated, steps 101, 102, 103, 104 and 105 in the above embodiments are executed. In this embodiment, after the client generates the database access statement, the database access statement is encrypted locally and then sent to the server, so that it is ensured that plaintext data does not exit from the local host, and data security is improved.
In one example, the method further includes:
107. after the database access statement is generated, calling a preset program package to realize that: determining operation elements contained in the database access statement and operation objects corresponding to the operation elements according to the database access statement; the step of determining a target operation object corresponding to a database field in a database in the operation objects, and the step of acquiring target operation information corresponding to the operation element from the database according to the operation element and the target operation object.
That is, the steps 101, 102, 103, 104 and 105 in the above embodiments are implemented by a predetermined program package. Therefore, the client can realize the encryption rewriting scheme provided by each embodiment only by downloading a preset program package, and can allow the logic code of the client to directly use the original database access code, thereby avoiding the complex modification of the code logic of the client and reducing the use cost of a user.
After the client side obtains the encrypted database access code, the client side can send the database access code to the server side so that the server side can access the database.
The technical solution provided by the embodiment of the present application will be described with reference to fig. 2: after generating a database query code plaintext, the client calls a rewriting module CrytoRewriter201 (the rewriting module 201 is formed by the preset program package). The rewriting module 201 includes a Parser Query Parser2011, a Type estimator 2012 and a Rewriter 2013. A database Query code Plaintext (plain Query) is input to the parser2011, so that the parser2011 obtains a Query ast (Query ast); the parser2011 inputs the AST into the type inference engine 2012; the type deducer 2012 obtains Function signatures (Function signatures) from the database 301, determines the operation object types of the operation objects in the AST according to the Function signatures, and correspondingly marks the operation object types of the operation objects in the AST to obtain a type-marked AST (identified AST); the type deducer 2012 sends the AST after the type marking to the rewriter 2013, the rewriter 2013 sends the operation object to be encrypted to the SDK202, the SDK202 obtains an Encryption key ciphertext (Keys) from the database 301, the SDK202 decrypts the Encryption key ciphertext to obtain an Encryption key plaintext, the operation object to be encrypted is encrypted by using the Encryption key plaintext to obtain an encrypted operation object (Encryption), and the encrypted operation object is sent to the rewriter 2013; the rewriter 2013 determines a database Query code ciphertext (Encrypted Query) according to the Encrypted operation object.
For specific implementation processes of each unit in the rewriting module 201, reference may be made to corresponding contents in the above embodiments, and details are not described here.
Fig. 3 is a schematic diagram of a communication system according to an embodiment of the present application. As shown in fig. 3, the system includes: a client 20 and a server 30. Wherein the content of the first and second substances,
the client 20 is configured to generate a database access statement; determining operation elements contained in the database access statement and operation objects corresponding to the operation elements according to the database access statement; determining a target operation object corresponding to a database field in a database in the operation objects; sending the operation element and the target operation object to the server 30;
the server 30 is configured to receive the operation element and the target operation object; acquiring related information from the database according to the operation element and the target operation object; and sends the relevant information to the client 20;
the client 20 is further configured to receive the relevant information; determining target operation information corresponding to the operation element according to the related information, wherein the target operation information comprises a target operation object type; the target operation object type comprises one of a plaintext type and a ciphertext type; encrypting the database access statement according to the target operation information to obtain an encryption result; and sends the encryption result to the server 30.
In an example, when the database access statement is a parameterized query statement, the client 20 is specifically configured to: according to the first position sequencing information of the other operation objects in the database access statement, sequentially recording the types of the target operation objects of the other operation objects to obtain recorded information; receiving filling information of a user aiming at the database access statement; determining the types of target operation objects corresponding to the object values in the filling information according to the record information; and encrypting each object value according to the target operation object type corresponding to each object value in the filling information to obtain the encryption result.
In practical application, when the database access statement is a parameterized query statement, the database access statement is sent to the server 30 before the encrypted result is sent to the server 30.
The server side receives the encrypted database access statement and executes corresponding retrieval or calculation operation, and specific implementation can be referred to in the prior art, and details are not described here. The server determines an access result according to the encrypted database access statement, and returns the access result to the client 20. Wherein, in one example, the returned result can be a query result.
Here, it should be noted that: for specific implementation and interaction processes of the client and the server related in the system provided by the embodiment of the present application, reference may be made to corresponding contents in the above embodiments, which are not described herein again.
In the scheme, the client can encrypt the database access code locally without encrypting the database access code through the proxy server, so that the data security is improved.
Fig. 4 shows a block diagram of a data processing apparatus according to an embodiment of the present application. As shown in fig. 4, the apparatus includes:
a first determining module 401, configured to determine, according to a database access statement, an operation element included in the database access statement and an operation object corresponding to the operation element;
a second determining module 402, configured to determine, among the operation objects, a target operation object corresponding to a database field in a database;
an obtaining module 403, configured to obtain relevant information from the database according to the operation element and the target operation object;
a third determining module 404, configured to determine, according to the relevant information, target operation information corresponding to the operation element, where the target operation information includes a target operation object type; the target operation object type comprises one of a plaintext type and a ciphertext type;
and the processing module 405 is configured to encrypt the database access statement according to the target operation information.
Optionally, the apparatus further includes:
a generation module for generating the database access statement;
the calling module is used for calling a preset program package after the database access statement is generated so as to realize that: determining operation elements contained in the database access statement and operation objects corresponding to the operation elements according to the database access statement; the step of determining a target operation object corresponding to a database field in a database in the operation objects, the step of acquiring relevant information from the database according to the operation elements and the target operation object, and the step of determining target operation information corresponding to the operation elements according to the relevant information.
Here, it should be noted that: the data processing apparatus provided in the foregoing embodiments may implement the technical solutions described in the foregoing method embodiments, and the specific implementation principle of each module may refer to the corresponding content in the foregoing method embodiments, which is not described herein again.
Fig. 5 shows a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 5, the electronic device includes a memory 1101 and a processor 1102. The memory 1101 may be configured to store other various data to support operations on the electronic device. Examples of such data include instructions for any application or method operating on the electronic device. The memory 1101 may be implemented by any type or combination of volatile or non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The memory 1101 is used for storing programs;
the processor 1102 is coupled to the memory 1101, and configured to execute the program stored in the memory 1101, so as to implement the data processing method provided by each of the above method embodiments.
Further, as shown in fig. 5, the electronic device further includes: communication components 1103, display 1104, power components 1105, audio components 1106, and the like. Only some of the components are schematically shown in fig. 5, and it is not meant that the electronic device comprises only the components shown in fig. 5.
Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program can implement the steps or functions of the data processing method provided by the above method embodiments when executed by a computer.
An embodiment of the present application further provides a computer program product, which includes: a computer program; the computer program, when executed by a computer, is capable of implementing the steps or functions of the data processing methods provided by the method embodiments.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (10)

1. A data processing method, comprising:
determining operation elements contained in a database access statement and operation objects corresponding to the operation elements according to the database access statement; the operation element comprises an operation function name;
determining a target operation object corresponding to a database field in a database in the operation objects;
acquiring related information from the database according to the operation element and the target operation object, wherein the related information comprises: sending the operation element and the target operation object to a server side so that the server side obtains at least one piece of alternative operation information corresponding to the operation element and a field type of a database field corresponding to the target operation object from the database; receiving at least one piece of alternative operation information corresponding to the operation element returned by the server and the field type of the database field corresponding to the target operation object;
according to the related information, determining target operation information corresponding to the operation element, including: matching at least one piece of alternative operation information corresponding to a first operation element according to the field type of the database field corresponding to the first target operation object to obtain target operation information corresponding to the first operation element; the target operation object comprises the first target operation object; the operation elements comprise the first operation element; the operation object corresponding to the first operation element comprises the first target operation object; the target operation information comprises target operation object types of all operation objects corresponding to the operation elements; the target operation object type comprises one of a plaintext type and a ciphertext type;
and encrypting the database access statement according to the target operation information.
2. The method of claim 1, wherein the target operation information further includes a target operation return value type; the target operation return value type comprises one of a plaintext type and a ciphertext type;
the operation elements comprise a second operation element; the operation object corresponding to the second operation element comprises a return operation object of which the object value is the operation return value corresponding to the third operation element;
determining target operation information corresponding to the operation element according to the related information, and further comprising:
determining a target operation return value type corresponding to the third operation element according to the target operation information corresponding to the third operation element;
and matching at least one piece of alternative operation information corresponding to the second operation element according to the target operation return value type corresponding to the third operation element to obtain target operation information corresponding to the second operation element.
3. The method according to claim 1 or 2, wherein encrypting the database access statement according to the target operation information includes:
determining the target operation object types of other operation objects except the target operation object and a return operation object with an object value as an operation return value in the operation objects according to the target operation information;
and encrypting the database access statement according to the target operation object types of the other operation objects.
4. The method of claim 3, wherein encrypting the database access statement according to the target operand type of the other operand comprises:
determining an operation object with a target operation object type including a ciphertext type from the other operation objects according to the target operation object types of the other operation objects to serve as an operation object to be encrypted;
and encrypting the operation object to be encrypted.
5. The method of claim 4, wherein the target operand type further includes a target data type;
encrypting the operation object to be encrypted, comprising:
and if the actual data type of the operation object to be encrypted is the same as the target data type of the operation object to be encrypted, encrypting the operation object to be encrypted.
6. The method of claim 3, wherein the object values of the other operands in the database access statement are represented by placeholders;
according to the target operation object types of the other operation objects, the database access statement is encrypted, and the encryption processing comprises the following steps:
according to the first position sequencing information of the other operation objects in the database access statement, sequentially recording the types of the target operation objects of the other operation objects to obtain recorded information;
receiving filling information of a user aiming at the database access statement, wherein the filling information comprises object values of other operation objects;
determining the types of target operation objects corresponding to the object values in the filling information according to the record information;
and encrypting each object value according to the target operation object type corresponding to each object value in the filling information.
7. The method of claim 1 or 2, further comprising:
generating the database access statement;
after the database access statement is generated, calling a preset program package to realize that: determining operation elements contained in the database access statement and operation objects corresponding to the operation elements according to the database access statement; the step of determining a target operation object corresponding to a database field in a database in the operation objects, the step of acquiring relevant information from the database according to the operation elements and the target operation object, and the step of determining target operation information corresponding to the operation elements according to the relevant information.
8. A communication system comprises a client and a server;
the client is used for generating a database access statement; determining operation elements contained in the database access statement and operation objects corresponding to the operation elements according to the database access statement; determining a target operation object corresponding to a database field in a database in the operation objects; sending the operation element and the target operation object to the server; the operation element comprises an operation function name;
the server is used for receiving the operation element and the target operation object; acquiring related information from the database according to the operation element and the target operation object, wherein the related information comprises: sending the operation element and the target operation object to a server side so that the server side obtains at least one piece of alternative operation information corresponding to the operation element and a field type of a database field corresponding to the target operation object from the database; receiving at least one piece of alternative operation information corresponding to the operation element returned by the server and the field type of the database field corresponding to the target operation object; and sending the relevant information to the client;
the client is also used for receiving the related information; according to the related information, determining target operation information corresponding to the operation element, including: matching at least one piece of alternative operation information corresponding to a first operation element according to the field type of the database field corresponding to the first target operation object to obtain target operation information corresponding to the first operation element; the target operation object comprises the first target operation object; the operation elements comprise the first operation element; the operation object corresponding to the first operation element comprises the first target operation object; the target operation information comprises target operation object types of all operation objects corresponding to the operation elements; the target operation object type comprises one of a plaintext type and a ciphertext type; encrypting the database access statement according to the target operation information to obtain an encryption result; and sending the encryption result to the server.
9. An electronic device, comprising: a memory and a processor, wherein,
the memory is used for storing programs;
the processor, coupled with the memory, is configured to execute the program stored in the memory to implement the data processing method of any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, wherein the computer program is capable of implementing the data processing method of any one of claims 1 to 7 when executed by a computer.
CN202110984058.4A 2021-08-25 2021-08-25 Data processing method, communication system, device, product and storage medium Active CN113434535B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110984058.4A CN113434535B (en) 2021-08-25 2021-08-25 Data processing method, communication system, device, product and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110984058.4A CN113434535B (en) 2021-08-25 2021-08-25 Data processing method, communication system, device, product and storage medium

Publications (2)

Publication Number Publication Date
CN113434535A CN113434535A (en) 2021-09-24
CN113434535B true CN113434535B (en) 2022-03-08

Family

ID=77797862

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110984058.4A Active CN113434535B (en) 2021-08-25 2021-08-25 Data processing method, communication system, device, product and storage medium

Country Status (1)

Country Link
CN (1) CN113434535B (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0798669A (en) * 1993-08-05 1995-04-11 Hitachi Ltd Distributed data base management system
CN102855448B (en) * 2012-08-10 2016-02-10 深圳市黎明网络系统有限公司 A kind of Field-level database encryption device
US9860063B2 (en) * 2015-02-27 2018-01-02 Microsoft Technology Licensing, Llc Code analysis tool for recommending encryption of data without affecting program semantics
CN112380557B (en) * 2020-12-01 2021-10-12 江西师范大学 Relational database encryption method and encrypted database query method
CN113111082B (en) * 2021-03-09 2022-01-14 深圳市教育信息技术中心(深圳市教育装备中心) Structured query statement rewriting method, device, equipment and medium

Also Published As

Publication number Publication date
CN113434535A (en) 2021-09-24

Similar Documents

Publication Publication Date Title
US10936744B1 (en) Mathematical method for performing homomorphic operations
US9946810B1 (en) Mathematical method for performing homomorphic operations
EP3275115B1 (en) Database server and client for query processing on encrypted data
KR101213916B1 (en) Method and system for obfuscating data structures by deterministic natural data substitution
CN101627390B (en) Method for the secure storing of program state data in an electronic device
US20170063525A1 (en) Comparison and search operations of encrypted data
EP1227613A2 (en) Method and apparatus for attaching electronic signature to document having structure
CN111753320A (en) Data encryption method and device based on interceptor and computer equipment
CN113127915A (en) Data encryption desensitization method and device, electronic equipment and storage medium
CN110162988A (en) A kind of sensitive data encryption method based on operation system
CN112966229A (en) Method and device for safely operating SDK
CN111666558B (en) Key rotation method, device, computer equipment and storage medium
CN112966227A (en) Code encryption and decryption method and device and storage medium
CN113434535B (en) Data processing method, communication system, device, product and storage medium
KR20100112298A (en) System for searching index according to a pattern encrypted database and method therefor
CN113904832A (en) Data encryption method, device, equipment and storage medium
CN112307449A (en) Permission hierarchical management method and device, electronic equipment and readable storage medium
WO2022002352A1 (en) Data storage server and client devices for securely storing data
CN112580101A (en) Data decryption method and terminal
CN117235814B (en) Data processing method and device containing time sequence associated confusion data
US20220337404A1 (en) Data classification model with key store for import, storage, export and security compliance end points checks
Douglas Querying over encrypted databases in a cloud environment
WO2023178792A1 (en) Ciphertext data storage method and apparatus, and device and storage medium
CN114282244A (en) Multi-cloud key management and BYOK-based data security management method
Jha et al. Cloud Privacy and Security-A Review Paper

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231215

Address after: Room 1-2-A06, Yungu Park, No. 1008 Dengcai Street, Sandun Town, Xihu District, Hangzhou City, Zhejiang Province, 310030

Patentee after: Aliyun Computing Co.,Ltd.

Address before: No.12, Zhuantang science and technology economic block, Xihu District, Hangzhou City, Zhejiang Province, 310012

Patentee before: Aliyun Computing Co.,Ltd.

Patentee before: Alibaba (China) Co.,Ltd.

TR01 Transfer of patent right