CN114329390A - Financial institution database access password protection method and system - Google Patents
Financial institution database access password protection method and system Download PDFInfo
- Publication number
- CN114329390A CN114329390A CN202111676445.8A CN202111676445A CN114329390A CN 114329390 A CN114329390 A CN 114329390A CN 202111676445 A CN202111676445 A CN 202111676445A CN 114329390 A CN114329390 A CN 114329390A
- Authority
- CN
- China
- Prior art keywords
- database
- access
- password
- database access
- protection key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The invention discloses a financial institution database access password protection method and a system, wherein the access authority of an access system to a financial institution database is configured, and a database access password is generated according to the access authority; generating a protection key for the database access password, and storing the protection key; and encrypting the database access password by the protection key to form a database access ciphertext password, and storing the database access ciphertext password. The invention encrypts the database access password by the protection key, thereby avoiding the contact of a man-in-the-middle with the database plaintext password, and ensuring the safety of the database information access.
Description
Technical Field
The invention relates to the field of data security of financial institutions, in particular to a method and a system for protecting access passwords of a financial institution database.
Background
In the process of system development and system operation, the database is operated, and usually the database is accessed by inputting an account number + a password, so that the database password plaintext is exposed to developers or unnecessary system operation and maintenance personnel, and the risk of data information leakage caused by stealing of a database account may occur over time.
In the prior art, a database is accessed through a special database access system, unnecessary systems cannot be managed and controlled, and as long as an application system accesses the database through a plaintext, developers still contact the plaintext password, so that the risk of data information leakage caused by stealing of database accounts may occur.
Disclosure of Invention
The invention aims to solve the technical problem that the security risk of a database is inevitably brought when an operator contacts a plaintext password of a financial database, and aims to provide a method and a system for protecting the database access password of a financial institution.
The invention is realized by the following technical scheme:
a financial institution database access password protection method is characterized in that access authority of an access system to a financial institution database is configured, and a database access password is generated according to the access authority; generating a protection key for the database access password, and storing the protection key; and encrypting the database access password through the protection key to form a database access ciphertext password, and storing the database access ciphertext password.
In the prior art, unnecessary systems cannot be managed and controlled, and as long as an application system (i.e., an access system in the invention) accesses a database through a plaintext, developers still contact the plaintext password, so that a risk of data information leakage caused by stealing of a database account may occur. The invention encrypts the database access password by the protection key, thereby avoiding the contact of a man-in-the-middle with the database plaintext password, and ensuring the safety of the database information access.
Further, when an access request of the access system to the database is received, a stored protection key is obtained according to the access authority of the access system to the database of the financial institution, and the database access ciphertext password is decrypted through the protection key to obtain a database access password; and the access system accesses the financial institution database according to the database access password.
Further, the protection key uses a symmetric encryption algorithm to encrypt or decrypt the database access password.
Further, before the protection key is saved, the protection key is encrypted by adopting an asymmetric encryption algorithm; and after the stored protection key is obtained according to the access authority of the financial institution database by the access system, the stored protection key is decrypted by adopting the asymmetric encryption algorithm, and the database access ciphertext password is decrypted by the decrypted protection key.
The invention manages the database password by using an asymmetric and symmetric encryption and decryption mode, thereby achieving the encryption access to the database.
Further, the asymmetric encryption algorithm is an elliptic curve algorithm.
In a second implementation manner of the present invention, a financial institution database access password protection system includes: the database unified management service center configures the access authority of the access system to the database according to a database access request provided by the access system, generates a database access password according to the access authority, acquires a protection key from the unified password management service center, encrypts the database access password through the protection key, and stores the database access ciphertext password into the configuration center; the unified password management service center generates the protection key, and distributes the protection key to the database unified management service center or the access system based on an asymmetric algorithm according to the request of the database unified management service center or the access system; and the configuration center stores the database access ciphertext password.
Further, the method comprises the following steps: the access system is used for providing an access application to the database unified management service center; acquiring the database access ciphertext password from the configuration center; and acquiring a protection key from the unified password management service center, and decrypting the database access ciphertext password through the protection key to obtain the database access password. The asymmetric encryption algorithm is an elliptic curve algorithm.
In a third implementation manner of the present invention, a computer device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the above-mentioned financial institution database access password protection method when executing the computer program.
In a fourth implementation manner of the present invention, a computer-readable storage medium stores a computer program, and the computer program, when executed by a processor, implements the above financial institution database access password protection method.
Compared with the prior art, the invention has the following advantages and beneficial effects:
the invention ensures that the access of the financial institution database is safer and more reliable, and prevents the database password leakage caused by the financial institution in the system development process; the protection key, the database access password and the database access password encrypted by the protection key are respectively managed, the database access password is encrypted or decrypted by the protection key according to a symmetric algorithm, and the protection key is managed according to an asymmetric algorithm, so that multiple safety protection of the database access password is realized, and the encryption scheme is safer and more reliable. The scheme of the invention can replace the protection key and the database access password at any time.
Drawings
In order to more clearly illustrate the technical solutions of the exemplary embodiments of the present invention, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and that for those skilled in the art, other related drawings can be obtained from these drawings without inventive effort. In the drawings:
FIG. 1 is a schematic view of the process of example 2;
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to examples and accompanying drawings, and the exemplary embodiments and descriptions thereof are only used for explaining the present invention and are not meant to limit the present invention.
Noun meaning:
DBAdmin: unified database management service;
KMS: a unified password management service;
CS: a configuration center;
DBPWD: a database access password;
MK: protecting the secret key;
MKByDBAdminPubKey: a protection key is encrypted by a public key of the database unified management service by adopting an asymmetric encryption algorithm;
MKBySysAPubKey: a protection key encrypted by a public key of an access system (system A) by adopting an asymmetric encryption algorithm;
ENC _ DBPWD: and accessing the password through the database encrypted by the protection key through a symmetric encryption algorithm.
Example 1
This embodiment 1 is a method for protecting an access password of a financial institution database, where access permissions of an access system to the financial institution database are configured, and a database access password is generated according to the access permissions of the access system; generating a protection key for the database access password, and storing the protection key; and encrypting the database access password by the protection key to form a database access ciphertext password, and storing the database access ciphertext password.
In the prior art, unnecessary systems cannot be managed and controlled, and as long as an application system (i.e., the access system in this embodiment 1) accesses a database through plaintext, a developer still contacts a plaintext password, which may cause a risk of data information leakage due to stealing of a database account. In this embodiment 1, the database access password is encrypted by the protection key, so that a man-in-the-middle is prevented from contacting the plaintext database password, thereby ensuring the security of database information access.
When an access request of an access system to the database is received, acquiring a stored protection key according to the access authority of the access system to the database of the financial institution, and decrypting a database access ciphertext password through the protection key to obtain a database access password; and the access system accesses the financial institution database according to the database access password. The access system needs to access the financial institution database, firstly, the access right is applied, then a protection key is obtained based on an asymmetric algorithm, and a database access password encrypted by the protection key is obtained, wherein the database access password is generated based on the access right of the access system to the database. The access system decrypts the database access password encrypted by the protection key, namely the database access ciphertext password, based on the symmetric encryption algorithm and according to the protection key to obtain the database access password. And finally, the access system accesses the financial institution database according to the database access password. In the process, the whole process of the database access password is a ciphertext, so that plaintext display cannot be performed, and meanwhile, the database access password is encrypted and decrypted based on the symmetric encryption algorithm and the protection key is encrypted and decrypted by the asymmetric encryption algorithm, so that multiple safety protection of the database access password is realized, and the risk of leakage of an operator is avoided.
In one possible embodiment, the asymmetric cryptographic algorithm is an elliptic curve algorithm, which meets the requirements of the national cryptographic algorithm XM 2.
Example 2
This embodiment 2 is a financial institution database access password protection method based on embodiment 1, as shown in fig. 1.
The system role related to the method of embodiment 2:
1. database unified management service (DBAdmin): the method is used for configuring access authority for each access system needing database access, and is an authority control service for all database access.
2. Unified password management service (KMS): an encryption key for generating and escrowing the database password.
3. Access system requiring access to a database: referred to as system a in this embodiment.
4. Configuration Center (CS): the system configuration database access cryptograph is used for storing the system configuration database access cryptograph which needs to be accessed to the database.
Before the method of the embodiment is executed, when a database unified management service (DBAdmin) is newly built and a system (example: system a) needing to access the database is newly built, a 256-bit elliptic curve algorithm (asymmetric cryptographic algorithm) is adopted to generate a public-private key pair for the DBAdmin and the system a.
The steps of this embodiment:
1. system a applies for database access to DBAdmin:
to access a database, a user needs to apply for access to DBAdmin, and a system A applies for access to the DBAdmin to access a specific database and a specific table;
2. the DBAdmin configures the database access authority of the system A, and applies a protection key of a database access password (DBPWD) to the KMS:
the DBAdmin configures a database and a table which are allowed to be accessed by the system A, and generates a record, at the moment, the DBAdmin does not directly inform the system A of a database plaintext password (DBPWD), but applies a protection key of the database password (DBPWD) to the KMS (the protection key is used for carrying out symmetric algorithm encryption on the database plaintext password, and database protection keys applied by different systems and personnel are different), and simultaneously sends a public key of the DBAdmin to the KMS.
3. The KMS encrypts a protection key of a database access password (DBPWD) by using a public key of DBAdmin and issues the protection key to the DBAdmin: the KMS receives a request of applying for a protection key by the DBAdmin, generates a protection key (MK), and simultaneously generates an MKByDBAdminPubKey for the protection key by using public key encryption protection based on an elliptic curve (asymmetric) encryption algorithm by using a public key of the received DBAdmin, and sends the MKByDBAdminPubKey to the DBAdmin.
4. The DBAdmin decrypts the protection key of the DBPWD by using a private key, encrypts a database password by adopting a symmetric encryption mode, and sends the encrypted password to a configuration Center (CS) of a system A for accessing a database:
after receiving the MKByDBAdminPubKey sent back by the KMS, the DBAdmin decrypts the MKbByDBAdminPubKey by using a private key of the DBAdmin based on an elliptic curve (asymmetric) encryption algorithm to obtain a protection key MK, encrypts a DBPWD (database server side wall) which is required to access a certain database by using the MK by using the symmetric encryption algorithm to obtain an ENC-DBPWD (ENC _ DBPWD), and sends the encrypted MK to the Configuration (CS) of the system A.
5. The system A needs to access the database, and applies a protection key (MK) of a database access password (DBPWD) to the KMS:
the system A applies a protection key of the DBPWD (the protection key is used for carrying out symmetric algorithm encryption on the DBPWD, and database protection keys applied by different systems and personnel are different) to the KMS, and simultaneously sends a public key of the system A to the KMS.
6. The KMS encrypts a protection key (MK) of a database access password (DBPWD) by using a public key of the system A and issues the encrypted MK to the system A:
the KMS receives a request of a system A for applying a protection key, generates a protection key (MK), uses the received public key of the system A to encrypt and protect the protection key by the public key based on an elliptic curve (asymmetric) encryption algorithm to generate an MKBySysAPubKey, and sends the MKBySysAPubKey to the system A.
7. System a decrypts out the protection key (MK) of the database access password:
after receiving the MKBySysAPubKey sent back by the KMS, the system A decrypts a protection key (MK) of the database access password by using a private key of the system A based on an elliptic curve (asymmetric) encryption algorithm.
8. System a decrypts out database password plaintext (DBPWD):
the system A acquires ENC _ DBPWD from a configuration Center (CS), decrypts the DBPWD by using MK through a symmetric encryption algorithm, establishes a database connection pool in a program mode, accesses the database in the program mode, and does not allow people to contact a database plaintext password.
9. If the database password protection key needs to be replaced or the database password needs to be replaced, the steps are repeated once again.
In the embodiment, the key roles are 3, namely DBAdmin, KMS and a system needing to access the database; and protecting the database password by adopting an asymmetric + symmetric encryption algorithm. The access of the database is safer and more reliable, the leakage of the database password caused by a financial institution in the system development process is prevented, 3 key roles are added, the encryption scheme is safer and more reliable, and the secret key can be replaced; the asymmetric + symmetric algorithm encryption mode enables the encryption scheme to be safer and more reliable.
Example 3
This embodiment 3 is a financial institution database access password protection system based on embodiment 1, and includes: the database unified management service center configures the access authority of the access system to the database according to a database access request provided by the access system, generates a database access password according to the access authority, acquires a protection key from the unified password management service center, encrypts the database access password through the protection key, and stores the database access ciphertext password into the configuration center; the unified password management service center generates a protection key, and distributes the protection key to the database unified management service center or the access system based on an asymmetric algorithm according to the request of the database unified management service center or the access system; and the configuration center stores the cipher text password accessed by the database.
In a possible embodiment, further comprising: the access system is used for providing an access application to the database unified management service center; acquiring a database access ciphertext password from a configuration center; and acquiring a protection key from the unified password management service center, and decrypting the database access ciphertext password through the protection key to obtain the database access password. In the present embodiment, the asymmetric encryption algorithm is an elliptic curve algorithm.
Example 4
This embodiment 4 is a computer device including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the financial institution database access password protection method of embodiment 1 when executing the computer program.
Example 5
This embodiment 5 is a computer-readable storage medium storing a computer program which, when executed by a processor, implements the financial institution database access password protection method of embodiment 1.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be understood by those skilled in the art that all or part of the steps of the above facts and methods can be implemented by hardware related to instructions of a program, and the related program or the program can be stored in a computer readable storage medium, and when executed, the program includes the following steps: corresponding method steps are introduced here, and the storage medium may be a ROM/RAM, a magnetic disk, an optical disk, etc.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (10)
1. A financial institution database access password protection method is characterized in that,
configuring access authority of an access system to a financial institution database, and generating a database access password according to the access authority;
generating a protection key for the database access password, and storing the protection key;
and encrypting the database access password through the protection key to form a database access ciphertext password, and storing the database access ciphertext password.
2. The financial institution database access password protection method as claimed in claim 1,
when an access request of the access system to the database is received, a stored protection key is obtained according to the access authority of the access system to the database of the financial institution, and the database access ciphertext password is decrypted through the protection key to obtain a database access password;
and the access system accesses the financial institution database according to the database access password.
3. The method of claim 2, wherein the protection key uses a symmetric encryption algorithm to encrypt or decrypt the database access password.
4. The financial institution database access password protection method of claim 2, wherein the protection key is encrypted using an asymmetric encryption algorithm before saving the protection key;
and after the stored protection key is obtained according to the access authority of the financial institution database by the access system, the stored protection key is decrypted by adopting the asymmetric encryption algorithm, and the database access ciphertext password is decrypted by the decrypted protection key.
5. The financial institution database access password protection method of claim 4, wherein the asymmetric encryption algorithm is an elliptic curve algorithm.
6. A financial institution database access password protection system, comprising:
the database is used for uniformly managing the service center,
configuring access authority of an access system to a database according to a database access request provided by the access system, generating a database access password according to the access authority, acquiring a protection key from a unified password management service center, encrypting the database access password through the protection key to form a database access ciphertext password, and storing the database access ciphertext password in a configuration center;
a unified password management service center is provided,
generating the protection key, and distributing the protection key to the database unified management service center or the access system based on an asymmetric algorithm according to the request of the database unified management service center or the access system;
the center is configured to be used for configuring the center,
and storing the database access ciphertext password.
7. The financial institution database access password protection system of claim 6, comprising:
the system is accessed and the system is accessed,
an access application is put forward to the database unified management service center;
acquiring the database access ciphertext password from the configuration center;
and acquiring a protection key from the unified password management service center, and decrypting the database access ciphertext password through the protection key to obtain the database access password.
8. The financial institution database access password protection system as claimed in claim 6 or 7, wherein the asymmetric encryption algorithm is an elliptic curve algorithm.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the financial institution database access password protection method of any one of claims 1 to 5 when executing the computer program.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements a financial institution database access password protection method as recited in any one of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111676445.8A CN114329390A (en) | 2021-12-31 | 2021-12-31 | Financial institution database access password protection method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111676445.8A CN114329390A (en) | 2021-12-31 | 2021-12-31 | Financial institution database access password protection method and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114329390A true CN114329390A (en) | 2022-04-12 |
Family
ID=81021998
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111676445.8A Pending CN114329390A (en) | 2021-12-31 | 2021-12-31 | Financial institution database access password protection method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114329390A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114884661A (en) * | 2022-07-13 | 2022-08-09 | 麒麟软件有限公司 | Hybrid security service password system and implementation method thereof |
-
2021
- 2021-12-31 CN CN202111676445.8A patent/CN114329390A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114884661A (en) * | 2022-07-13 | 2022-08-09 | 麒麟软件有限公司 | Hybrid security service password system and implementation method thereof |
| WO2024011833A1 (en) * | 2022-07-13 | 2024-01-18 | 麒麟软件有限公司 | Hybrid security service cryptosystem and implementation method therefor |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110855671B (en) | Trusted computing method and system | |
| US10020939B2 (en) | Device, server and method for providing secret key encryption and restoration | |
| US9465947B2 (en) | System and method for encryption and key management in cloud storage | |
| US20210320789A1 (en) | Secure distribution of device key sets over a network | |
| US9197410B2 (en) | Key management system | |
| CN111181720A (en) | Service processing method and device based on trusted execution environment | |
| TW201814496A (en) | Data storage method, data acquisition method, device and system wherein security of both the data key and the data ciphertext is ensured because the data key shared by the first device and the second device is protected under the storage root key of the respective trusted platform modules | |
| US9237013B2 (en) | Encrypted data management device, encrypted data management method, and encrypted data management program | |
| CN104618096B (en) | Protect method, equipment and the TPM key administrative center of key authorization data | |
| TW202015378A (en) | Cryptographic operation method, method for creating work key, and cryptographic service platform and device | |
| CN102377564A (en) | Method and device for encrypting private key | |
| CN106027503A (en) | Cloud storage data encryption method based on TPM | |
| CN103036880A (en) | Network information transmission method, transmission equipment and transmission system | |
| CN104994068A (en) | Multimedia content protection and safe distribution method in cloud environment | |
| CN112507296B (en) | User login verification method and system based on blockchain | |
| CN109039598A (en) | Data transfer encryption method, client and server-side | |
| US11783091B2 (en) | Executing entity-specific cryptographic code in a cryptographic coprocessor | |
| KR20120132708A (en) | Distributed access priviledge management apparatus and method in cloud computing environments | |
| CN114547648A (en) | Data hiding trace query method and system | |
| KR20160076731A (en) | A method for authenticating a device of smart grid | |
| CN114329390A (en) | Financial institution database access password protection method and system | |
| CN113326518A (en) | Data processing method and device | |
| CN108550035B (en) | Cross-border online banking transaction method and cross-border online banking system | |
| CN116244750A (en) | Secret-related information maintenance method, device, equipment and storage medium | |
| CN115801232A (en) | Private key protection method, device, equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |