CN113449320A - Desensitization method and system for sensitive data of database - Google Patents


Info

Publication number
CN113449320A
Authority
CN
China
Prior art keywords
data
database
matching
encryption
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110711547.2A
Other languages
Chinese (zh)
Inventor
李志慧
周国峰
王瑞胤
杨如兴
高于喆
武广飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhengzhou Xinyuan Information Technology Co ltd
Original Assignee
Zhengzhou Xinyuan Information Technology Co ltd
Application filed by Zhengzhou Xinyuan Information Technology Co ltd
Priority to CN202110711547.2A
Publication of CN113449320A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a method and a system for desensitizing sensitive data of a database, relating to the technical field of databases. The database sensitive data desensitization system comprises: a JDBC agent module, which parses the SQL input by a user through the JDBC agent, matches the data by means of the data matching module to identify the data to be desensitized, and finally encrypts and decrypts the data through the encryption and decryption module; and a rule storage module, which mainly stores the encryption rules provided by the user, who can formulate suitable encryption rules according to actual requirements. When the user stores data through SQL, the SQL input by the user is parsed by the JDBC agent and is rewritten and encrypted according to the encryption rules provided by the user, so that the data is usually encrypted once stored in the database. Even if the database data is leaked, only encrypted data is leaked, which enhances data security.

Description

Desensitization method and system for sensitive data of database
Technical Field
The invention relates to the technical field of databases, in particular to a database sensitive data desensitization method and a database sensitive data desensitization system.
Background
With the rapid development of internet technology, governments and enterprises have accumulated a great deal of sensitive information and data. This data is used in many working scenarios, such as business analysis, sharing and exchange, and development and testing, all of which use real business data and information. Such sensitive data usually requires strict rights management to avoid leakage.
Existing desensitization means are fairly strong, but they can be penetrated by a 'ghost in ghost' attack in which file blocks are copied directly and then restored and analyzed elsewhere, which affects the security of the user's data.
Disclosure of Invention
The invention aims to solve the defects in the prior art and provides a database sensitive data desensitization method and a database sensitive data desensitization system.
To achieve this purpose, the invention adopts the following technical scheme: a method and a system for desensitizing database sensitive data, wherein the database sensitive data desensitization system comprises:
a JDBC agent module, which parses the SQL input by a user through the JDBC agent, matches the data by means of the data matching module to identify the data to be desensitized, and finally encrypts and decrypts the data through the encryption and decryption module;
a rule storage module, which mainly stores the encryption rules provided by the user, who can formulate suitable encryption rules according to actual requirements;
an encryption and decryption module, which encrypts and decrypts input data, thereby desensitizing the data and reducing the harm caused by database leakage;
and a data matching module, which filters and matches the requests of the database client and the response content of the database server according to the preset strategy matching rules in the rule storage module, so as to obtain the data to be desensitized.
To improve security in use, the encryption and decryption module encrypts with an RSA public key when performing an encryption operation and decrypts with an RSA private key when performing a decryption operation.
To improve operating performance, the data matching module further performs the following step: data is matched against the preset strategy matching rules in the rule storage module; if the match succeeds, the data to be desensitized is returned, and if the match fails, the plaintext data is returned.
So that the data to be desensitized can be matched separately, the data matching module uses regular expressions for matching and is connected to the rule storage module.
A method of desensitizing database sensitive data, comprising the steps of:
S1: Configuration: configure the screening rules for the sensitive data and write them into the rule storage module to replace the preset strategy matching rules, so that the data to be desensitized can be screened out for processing;
S2: Agent: the JDBC agent module parses the SQL input by the user and screens it according to the screening rules; if data to be desensitized is screened out, the next step is performed, and otherwise the step is skipped;
S3: Encryption: the data to be desensitized is encrypted through the encryption and decryption module, mainly with the RSA public key, to obtain encrypted data;
S4: Storage: the encrypted data is written into the database for storage, completing the desensitization process;
S5: Decryption: when the data is retrieved, the encrypted data is taken out of the database and decrypted with the RSA private key, and the resulting plaintext is returned to the user.
So that the data to be desensitized can be matched, the screening rules include at least a sensitive data type and a desensitization strategy.
To improve security, the preset strategy matching rules include matching rules for identification numbers, unified social credit codes and telephone numbers.
To improve deployment efficiency, the RSA private key is stored on the server side, and the RSA public key is public.
Compared with the prior art, when a user stores data through SQL, the SQL input by the user is parsed by the JDBC agent and is rewritten and encrypted according to the encryption rules provided by the user, so that the data is usually encrypted once stored in the database. Even if the data in the database is leaked, only encrypted data is leaked. Because the RSA encryption algorithm is used, the encryption strength is extremely high: without the RSA private key the encrypted data can hardly be restored to plaintext, so security is higher. In addition, deployment requires no change to the business logic; only the JDBC agent needs to be added, which is simple and quick and reduces deployment cost.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
The technical solution of the present invention is further described in detail by the accompanying drawings and embodiments.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is an architecture diagram of a database sensitive data desensitization method and system according to the present invention;
FIG. 2 is a step diagram of a database sensitive data desensitization method and system according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In a first embodiment, referring to FIGS. 1-2, a database sensitive data desensitization system includes: a JDBC agent module, which parses the SQL input by a user through the JDBC agent, matches the data by means of the data matching module to identify the data to be desensitized, and finally encrypts and decrypts the data through the encryption and decryption module; a rule storage module, which mainly stores the encryption rules provided by the user, who can formulate suitable encryption rules according to actual requirements; an encryption and decryption module, which encrypts and decrypts input data, thereby desensitizing the data and reducing the harm caused by database leakage; and a data matching module, which filters and matches the requests of the database client and the response content of the database server according to the preset strategy matching rules in the rule storage module, so as to obtain the data to be desensitized.
In this embodiment, the encryption and decryption module encrypts with the RSA public key when performing an encryption operation and decrypts with the RSA private key when performing a decryption operation. The RSA public-key cryptosystem is based on number theory: finding two large prime numbers is simple, whereas factoring the product of two large primes is extremely difficult, so the product can be disclosed as the encryption key. RSA is also the most widely studied public-key algorithm; it has gradually been accepted over the last thirty years and is generally considered one of the best public-key schemes at present, with extremely high security and extremely high difficulty of cracking.
In this embodiment, the data matching module further performs the following step: data is matched against the preset strategy matching rules in the rule storage module; if the match succeeds, the data to be desensitized is returned, and if the match fails, the plaintext data is returned. The user can therefore freely configure which data needs desensitization. For example, in an account and password pair the password generally needs to be encrypted while the account number does not, and by configuring the strategy matching rules the user can encrypt the password alone. In an actual production environment this avoids the performance loss of encrypting irrelevant data and so improves performance.
In this embodiment, the data matching module uses regular expressions for matching and is connected to the rule storage module. A regular expression can describe complex data characteristics with simple syntax, which is why regular expressions are widely applied in fields such as network intrusion detection and document content retrieval.
A method of desensitizing database sensitive data, comprising the steps of:
S1: Configuration: configure the screening rules for the sensitive data and write them into the rule storage module to replace the preset strategy matching rules, so that the data to be desensitized can be screened out for processing;
S2: Agent: the JDBC agent module parses the SQL input by the user and screens it according to the screening rules; if data to be desensitized is screened out, the next step is performed, and otherwise the step is skipped;
S3: Encryption: the data to be desensitized is encrypted through the encryption and decryption module, mainly with the RSA public key, to obtain encrypted data;
S4: Storage: the encrypted data is written into the database for storage, completing the desensitization process;
S5: Decryption: when the data is retrieved, the encrypted data is taken out of the database and decrypted with the RSA private key, and the resulting plaintext is returned to the user.
In this embodiment, the screening rules include at least a sensitive data type and a desensitization strategy. The sensitive data type is the type of data requiring desensitization, and the desensitization strategy is the coping method, which includes encryption, confusion, and the like. Data requiring desensitization is data whose leakage may bring serious harm to society or to individuals. It includes personal privacy data such as names, identification numbers, addresses, telephone numbers, bank accounts, mailboxes, passwords, medical information and educational backgrounds, as well as information closely related to personal life and work, and it is regulated by the data privacy regulations of different industries and governments.
In this embodiment, the preset strategy matching rules include matching rules for identification numbers, unified social credit codes and telephone numbers. These can be regarded as individual IDs of each person, and each can be traced to a specific natural person, so the data is extremely sensitive and a leak has a large impact. Identification numbers, unified social credit codes and telephone numbers therefore generally need to be encrypted.
In this embodiment, the RSA private key is stored on the server side and the RSA public key is public. A key pair obtained through the RSA algorithm is guaranteed to be unique worldwide. When the key pair is used, data encrypted with one key must be decrypted with the other: if the public key is used to encrypt the data, the private key must be used to decrypt it, and if the private key is used to encrypt the data, the public key must be used to decrypt it; otherwise decryption will not succeed. That is, the public key is the non-secret half of the key pair used with the private key algorithm; the public key is generally used to encrypt the data, and the private key is used to decrypt it.
It can be seen from the above embodiments that, when a user stores data through SQL, the SQL input by the user is parsed by the JDBC agent and is rewritten and encrypted according to the encryption rules provided by the user, so that the data is usually encrypted once stored in the database. Even if the database data leaks, only encrypted data is leaked. Because the RSA encryption algorithm is used, the encryption strength is extremely high: without the RSA private key the encrypted data can hardly be restored to plaintext, and security is high.
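The flow of steps S1 to S5, with the three preset rule types and the public/private key split described above, sketched as an added example (not code from the patent or its applicant). It assumes the agent works on values already bound to a statement rather than rewriting SQL text; the regular expressions, the OAEP padding, the `enc:` marker and all class and method names are assumptions of this example, and the sample values are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.regex.Pattern;
import javax.crypto.Cipher;

public class DesensitizeSketch {
    // S1: rule store, sensitive data type -> regex. The patterns are assumptions made
    // for this example; the page names the three types but gives no expressions.
    static final Map<String, Pattern> RULES = new LinkedHashMap<>();
    static {
        RULES.put("id_number", Pattern.compile("\\d{17}[\\dXx]"));
        RULES.put("unified_social_credit_code",
                Pattern.compile("[0-9A-HJ-NPQRTUWXY]{2}\\d{6}[0-9A-HJ-NPQRTUWXY]{10}"));
        RULES.put("phone_number", Pattern.compile("1[3-9]\\d{9}"));
    }
    // Hypothetical marker so the read path can tell ciphertext from untouched plaintext.
    static final String PREFIX = "enc:";
    // OAEP padding is this example's choice; the page only says "RSA".
    static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // S2: name of the first rule matching the whole value, or null if none matches.
    static String matchRule(String value) {
        for (Map.Entry<String, Pattern> rule : RULES.entrySet()) {
            if (rule.getValue().matcher(value).matches()) return rule.getKey();
        }
        return null;
    }

    // S3: public-key encryption. With a 2048-bit key and OAEP/SHA-256 the plaintext
    // limit is 190 bytes: enough for identifiers, not for arbitrary column data.
    static String encrypt(String plain, PublicKey pub) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, pub);
        byte[] ct = cipher.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        return PREFIX + Base64.getEncoder().encodeToString(ct);
    }

    // S5: private-key decryption; values that were never encrypted pass through.
    static String decrypt(String stored, PrivateKey priv) throws GeneralSecurityException {
        if (!stored.startsWith(PREFIX)) return stored;
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, priv);
        byte[] ct = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    // S2-S4 on the write path: matched parameters become ciphertext, others are kept.
    static List<String> onWrite(List<String> params, PublicKey pub) throws GeneralSecurityException {
        List<String> out = new ArrayList<>();
        for (String p : params) out.add(matchRule(p) != null ? encrypt(p, pub) : p);
        return out;
    }

    // S5 on the read path: every column of a result row goes through decrypt().
    static List<String> onRead(List<String> row, PrivateKey priv) throws GeneralSecurityException {
        List<String> out = new ArrayList<>();
        for (String v : row) out.add(decrypt(v, priv));
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair keys = gen.generateKeyPair(); // the private key stays on the server side

        // Constructed parameters for: INSERT INTO users(name, phone, id_no) VALUES (?, ?, ?)
        List<String> params = List.of("alice", "13800138000", "11010519491231002X");
        List<String> stored = onWrite(params, keys.getPublic());
        System.out.println("stored: " + stored);
        System.out.println("read:   " + onRead(stored, keys.getPrivate()));
        // OAEP is randomized: the same phone number encrypts differently each time, so an
        // equality lookup on the encrypted column cannot be served by re-encrypting the literal.
        System.out.println("repeatable: "
                + encrypt("13800138000", keys.getPublic()).equals(stored.get(1)));
    }
}
```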
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (8)

1. A database sensitive data desensitization system, comprising:
a JDBC agent module, which parses the SQL input by a user through the JDBC agent, matches the data by means of the data matching module to identify the data to be desensitized, and finally encrypts and decrypts the data through the encryption and decryption module;
a rule storage module, which mainly stores the encryption rules provided by the user, who can formulate suitable encryption rules according to actual requirements;
an encryption and decryption module, which encrypts and decrypts input data, thereby desensitizing the data and reducing the harm caused by database leakage;
and a data matching module, which filters and matches the requests of the database client and the response content of the database server according to the preset strategy matching rules in the rule storage module, so as to obtain the data to be desensitized.
2. A database sensitive data desensitization system according to claim 1, wherein: the encryption and decryption module encrypts with an RSA public key when performing an encryption operation and decrypts with an RSA private key when performing a decryption operation.
3. A database sensitive data desensitization system according to claim 1, wherein: the data matching module further performs the following step: data is matched against the preset strategy matching rules in the rule storage module; if the match succeeds, the data to be desensitized is returned, and if the match fails, the plaintext data is returned.
4. A database sensitive data desensitization system according to claim 1, wherein: the data matching module uses regular expressions for matching and is connected to the rule storage module.
5. A method of desensitizing database sensitive data, comprising the steps of:
S1: Configuration: configure the screening rules for the sensitive data and write them into the rule storage module to replace the preset strategy matching rules, so that the data to be desensitized can be screened out for processing;
S2: Agent: the JDBC agent module parses the SQL input by the user and screens it according to the screening rules; if data to be desensitized is screened out, the next step is performed, and otherwise the step is skipped;
S3: Encryption: the data to be desensitized is encrypted through the encryption and decryption module, mainly with the RSA public key, to obtain encrypted data;
S4: Storage: the encrypted data is written into the database for storage, completing the desensitization process;
S5: Decryption: when the data is retrieved, the encrypted data is taken out of the database and decrypted with the RSA private key, and the resulting plaintext is returned to the user.
6. A method of desensitizing database sensitive data according to claim 5, wherein: the screening rules include at least a sensitive data type and a desensitization strategy.
7. A method of desensitizing database sensitive data according to claim 5, wherein: the preset strategy matching rules include matching rules for identity card numbers, unified social credit codes and telephone numbers.
8. A method of desensitizing database sensitive data according to claim 5, wherein: the RSA private key is stored on the server side, and the RSA public key is public.
CN202110711547.2A 2021-06-25 2021-06-25 Desensitization method and system for sensitive data of database Pending CN113449320A (en)


Publications (1)

Publication Number Publication Date
CN113449320A true CN113449320A (en) 2021-09-28

Family

ID=77812786


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115033914A (en) * 2022-05-30 2022-09-09 佳缘科技股份有限公司 Distributed dynamic desensitization method, system and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108509805A (en) * 2018-03-21 2018-09-07 深圳天源迪科信息技术股份有限公司 Data encrypting and deciphering and desensitization runtime engine and its working method
CN110866281A (en) * 2019-11-20 2020-03-06 满江(上海)软件科技有限公司 Safety compliance processing system and method for sensitive data
CN112417476A (en) * 2020-11-24 2021-02-26 广州华熙汇控小额贷款有限公司 Desensitization method and data desensitization system for sensitive data


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210928