CN114329562A - Request processing method and device - Google Patents

Request processing method and device

Info

Publication number
CN114329562A
Authority
CN
China
Prior art keywords
data
access request
desensitization
service system
database
Legal status
Pending
Application number
CN202111653000.8A
Other languages
Chinese (zh)
Inventor
严林
雷军
Current Assignee
Shengdoushi Shanghai Science and Technology Development Co Ltd
Original Assignee
Shengdoushi Shanghai Technology Development Co Ltd

Landscapes

  • Storage Device Security (AREA)

Abstract

The present disclosure relates to a request processing method and device applied to a data access layer (DAL). The DAL interfaces with a database shared by at least two service systems, and a desensitization rule is configured on the DAL in advance for each service system. The DAL processes a data access request as follows: after receiving the request, it determines whether the request targets sensitive data according to the identifiers of sensitive data in the desensitization rule configured for the service system that sent the request; if so, it encrypts the data or the data identifiers contained in the request according to the encryption algorithm that the desensitization rule assigns to each type of sensitive data, and sends the encrypted request to the database.

Description

Request processing method and device
Technical Field
The present disclosure relates to the field of computer application technologies, and in particular, to a request processing method and apparatus.
Background
For any business system, the database on the server side stores user information, some of which is the user's personal privacy (such information is also called sensitive information). At present, some business systems store personal privacy information in plaintext rather than ciphertext, so there is a risk of data leakage.
In order to prevent data leakage, sensitive information stored in the database needs to be converted from plaintext storage to ciphertext storage. Since the service system needs to work with plaintext rather than ciphertext, the execution logic of the service system must be modified at the same time as the data is converted: each read operation becomes read-then-decrypt, and each write operation becomes encrypt-then-write. Modifying the execution logic of the service system is complex to implement and increases the workload; in particular, when the database stores data of a plurality of business systems, each of them has to be modified separately, which results in a large workload.
Disclosure of Invention
To overcome the problems in the related art, the present disclosure provides a request processing method and apparatus.
According to a first aspect of the embodiments of the present disclosure, a request processing method is provided, which is applied to a data access layer (DAL) of a database in which sensitive data has been encrypted in advance; the database interfaces with at least two service systems, and each service system interfacing with the database has its own desensitization rule configured on the DAL; the method comprises the following steps:
receiving a data access request sent by any service system, wherein the data access request is a data read request or a data write request;
judging whether the data access request is an access request for sensitive data according to the identifiers of sensitive data included in a reference desensitization rule, wherein the reference desensitization rule is the desensitization rule configured by the service system that sent the data access request;
and in the case that the data access request is determined to be an access request for sensitive data, rewriting the data access request according to the encryption algorithm assigned to each type of sensitive data in the reference desensitization rule, and sending the rewritten data access request to the database.
According to a second aspect of the embodiments of the present disclosure, there is provided a request processing apparatus applied to a data access layer (DAL) of a database in which sensitive data has been encrypted in advance; the database interfaces with at least two service systems, and each service system interfacing with the database has its own desensitization rule configured on the DAL; the device comprises:
an access request receiving module configured to receive a data access request sent by any service system, wherein the data access request is a data read request or a data write request;
an access request judging module configured to judge whether the data access request is an access request for sensitive data according to the identifiers of sensitive data included in a reference desensitization rule, wherein the reference desensitization rule is the desensitization rule configured by the service system that sent the data access request;
and an access request rewriting module configured to rewrite the data access request according to the encryption algorithm assigned to each type of sensitive data in the reference desensitization rule when the data access request is determined to be an access request for sensitive data, and to send the rewritten data access request to the database.
According to a third aspect of the embodiments of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the request processing method described above.
According to a fourth aspect of embodiments of the present disclosure, there is provided a computer apparatus comprising:
one or more processors;
a memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the request processing method described above.
The present disclosure relates to a request processing method and device applied to a data access layer (DAL). The DAL interfaces with a database shared by at least two service systems, and a desensitization rule is configured on the DAL in advance for each service system. The DAL processes a data access request as follows: after receiving the request, it determines whether the request targets sensitive data according to the identifiers of sensitive data in the desensitization rule configured for the service system that sent the request; if so, it encrypts the data or the data identifiers contained in the request according to the encryption algorithm that the desensitization rule assigns to each type of sensitive data, and sends the encrypted request to the database.
In this way, the desensitization rules of a plurality of service systems are configured on the DAL, and the DAL encrypts data access requests according to those rules, so the service systems can access encrypted data; because this is implemented on the DAL, code intrusion is avoided, development cost is reduced, and no large processing burden is placed on the database.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
FIG. 1 is a flow chart illustrating a request processing method according to an exemplary embodiment of the present disclosure.
Fig. 2A is an application scenario diagram illustrating another request processing method according to an exemplary embodiment of the present disclosure.
Fig. 2B is an application scenario diagram illustrating yet another request processing method according to an exemplary embodiment of the present disclosure.
Fig. 2C is an application scenario diagram illustrating yet another request processing method according to an exemplary embodiment of the present disclosure.
Fig. 3 is a block diagram illustrating a DAL according to a specific embodiment of the present disclosure.
FIG. 4 is a block diagram illustrating a request processing device according to an example embodiment of the present disclosure.
Fig. 5 is a hardware configuration diagram of a computer device in which a request processing apparatus according to an exemplary embodiment of the present disclosure is located.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
The terminology used in the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present disclosure. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
For a company, the data of its business systems is generally stored together in one database. If encryption logic was not written into a service system when it was developed, then encrypting its stored data later requires rewriting the logic of the service system, which brings a large workload, especially when there are many service systems and much data.
In order to solve the above problem, the alternatives are considered. When there are a plurality of service systems, each with several types of data, implementing encryption by changing the execution logic of the service systems (for example, changing the code on the service system side) is troublesome and hard to maintain. If it is implemented on the client side, for example by adding an SDK to the APP of the service client, a separate SDK has to be developed for each service system, and with many service systems the workload is still large. If encryption and decryption are implemented in the database, for example by changing a write instruction into an encrypt-then-write instruction and a read instruction into a read-then-decrypt instruction, the database itself has to perform the encryption and decryption operations, which places a large processing load on the database.
Therefore, in order to desensitize sensitive data stored in a database without code intrusion (i.e. without changing the logic of the business systems), to reduce development cost, and to avoid placing a large processing burden on the database, the present disclosure proposes a request processing method. For a database interfacing with at least two business systems, a desensitization rule is configured in advance for each business system in the DAL of the database, and the DAL processes a data access request as follows: after receiving the request, it determines whether the request targets sensitive data according to the identifiers of sensitive data in the desensitization rule configured for the service system that sent the request; if so, it encrypts the data or the data identifiers contained in the request according to the encryption algorithm that the desensitization rule assigns to each type of sensitive data, and sends the encrypted request to the database.
In this way, the desensitization rules of a plurality of service systems are configured on the DAL, and the DAL encrypts data access requests according to those rules, so the service systems can access encrypted data; because this is implemented on the DAL, code intrusion is avoided, development cost is reduced, and no large processing burden is placed on the database.
The embodiments of the present disclosure are explained in detail below.
The present disclosure provides a request processing method applied to a Data Access Layer (DAL) of a database in which sensitive data has been encrypted in advance; the database interfaces with at least two service systems, and each service system interfacing with the database has its own desensitization rule configured on the DAL.
First, the database concerned by the present disclosure is explained. To ensure the security of sensitive data in the database, the sensitive data is encrypted in advance; in addition, the identifiers that identify the sensitive data in the database are also encrypted, so that the sensitive data cannot be singled out for targeted decoding.
The encryption algorithm used for a given piece of sensitive data is the one assigned to it by the desensitization rule: for example, if the desensitization rule configures algorithm B for the data identified as A, then data A in the database is encrypted with algorithm B.
The database interfaces with at least two service systems, and each service system has a desensitization rule configured on the DAL; the specific configuration method of desensitization rules is described in detail later and is not repeated here. The management device of a business system is the device that manages the back end of the business system.
As shown in fig. 1, which is a flow chart of the method according to an exemplary embodiment of the present disclosure, the method includes the following steps:
step 101, receiving a data access request sent by any service system, where the data access request is a data read request or a data write request.
Specifically, a data access request sent to the database is intercepted by the DAL before it reaches the database, and the DAL processes the request so that the database can execute it while the data in the database remains stored in encrypted form.
The data access request may be sent by a client corresponding to the service system, may also be sent by background software of the service system, and may also be sent by a management device of the service system.
A data access request is typically a data read request or a data write request. A data read request typically includes the identifier of the data to be read, and its instruction is a read instruction. A data write request typically includes the data to be written and the identifier of that data (so that the database knows where to store it), and its instruction is a write instruction. In addition, an access request that modifies existing data may also be regarded as a data write request.
Step 103, judging whether the data access request is an access request for sensitive data according to the identifiers of sensitive data included in a reference desensitization rule, wherein the reference desensitization rule is the desensitization rule configured by the service system that sent the data access request.
Specifically, in the method provided by the present disclosure only sensitive data is encrypted and read or written in encrypted form, while other data is not encrypted. Therefore, after the DAL receives a request, it must first determine whether the request targets sensitive data; if it does not, the request can be sent directly to the database.
It should be noted that a desensitization rule generally includes the identifiers of sensitive data and the encryption algorithm used for each of those identifiers, so whether the data referenced by a data access request is sensitive can be determined from the desensitization rule configured for the service system, and hence whether the request needs further processing.
Step 105, in the case that the data access request is determined to be an access request for sensitive data, rewriting the data access request according to the encryption algorithm of each type of sensitive data included in the reference desensitization rule, and sending the rewritten data access request to the database.
In particular, when it is determined that the data targeted by the data access request is sensitive data, the data access request needs to be processed so that the business system can access the encrypted database.
Whether a data access request is a read or a write request, it includes the identifier of the data to be accessed, and in the encrypted database the identifiers of sensitive data are themselves encrypted (for example, in a key-value database the key is the identifier of the data). The identifier in the data access request therefore needs to be encrypted so that the database can recognise it and complete the read or write. In some cases the table name used by the database differs from the table name visible to the business system, and then the identifier of the table to be accessed also needs to be changed so that the database can recognise the request. In addition, a data write request generally includes the data to be written, and in order for sensitive data to be stored encrypted in the database, the DAL must encrypt the data included in the write request.
Furthermore, in some cases the table identifiers seen by the database differ from those seen by the service system: for example, the database sees tables a1 and a2, while the service system cannot see them and only sees table a (the logical table a actually consists of tables a1 and a2). In this case the encrypted data access request needs to be rewritten, i.e. a is changed to a1, so that the database can recognise the data access request.
The algorithm used to encrypt the data and/or the identifier is determined as follows: for example, for a certain data read request whose target identifier is A, the desensitization rule of the service system is searched and shows that the data identified by A is encrypted with algorithm B, so the identifier A included in the read request is encrypted with algorithm B.
In addition, for a data read request, the data returned by the database is also encrypted; in order for the business system to read the database normally, the returned data needs to be decrypted when the database returns it for the read request.
In other words, in the case where the data access request is a data read request, rewriting the data access request according to the encryption algorithm of each sensitive data included in the reference desensitization rule includes: determining the identifier of the data to be read by the data read request; and rewriting the determined identifier according to the encryption algorithm of each sensitive data included in the reference desensitization rule. Furthermore, the method further comprises: upon receiving the data returned by the database for the data read request, decrypting the returned data according to the encryption algorithm of each sensitive data included in the desensitization rule; and returning the decrypted data to the service system.
In the case where the data access request is a data write request, rewriting the data access request according to the encryption algorithm of each sensitive data included in the reference desensitization rule includes: determining the data to be written by the data write request and the identifier of that data; and rewriting the determined data and identifier according to the encryption algorithm of each sensitive data included in the reference desensitization rule.
Having described in step 105 what is encrypted, it remains to explain how the data and/or data identifier is encrypted. The encryption algorithm may be built into the DAL; alternatively, to preserve the execution efficiency of the DAL, a separate encryption device may be provided, which may be a device externally connected to the DAL. Since the desensitization rule is configured on the DAL, it is more efficient for the DAL to determine the encryption algorithm, so when an encryption device is used, the DAL first determines the encryption algorithm for the data to be encrypted or decrypted and then sends the determined algorithm together with that data to the encryption device.
In other words, encrypting the data or the data identifier in the data access request according to the encryption algorithm of each sensitive data included in the reference desensitization rule includes: determining the encryption algorithm for the data targeted by the request according to the encryption algorithm of each sensitive data in the reference desensitization rule; sending the data included in the request together with the encryption algorithm to the encryption device, which encrypts the data or the data identifier; and receiving the encrypted data access request returned by the encryption device and, where rewriting is needed, rewriting it.
Here, rewriting is needed in the case described above where the table identifier visible to the database and the table identifier visible to the business system differ.
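The DAL processing of steps 101 to 105 (sensitivity check against the sending system's rule, encryption of the identifier and of the written value, a-to-a1 table remapping, and decryption of read results), as an added example that is not part of the patent. The `KeyedStreamCipher` class is an assumed stand-in for the configured "algorithm B"; it is deliberately deterministic because encrypted identifiers must match what is stored for the database to find the row, and it is a toy, not a production cipher.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


class KeyedStreamCipher:
    """Toy deterministic keystream cipher (HMAC-SHA256 in counter mode).
    Assumed stand-in for the algorithm a desensitization rule names; a real
    deployment would plug a proper deterministic AEAD in behind this interface."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key

    def _keystream(self, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(self.key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: str) -> str:
        data = plaintext.encode("utf-8")
        return bytes(a ^ b for a, b in zip(data, self._keystream(len(data)))).hex()

    def decrypt(self, ciphertext_hex: str) -> str:
        data = bytes.fromhex(ciphertext_hex)
        return bytes(a ^ b for a, b in zip(data, self._keystream(len(data)))).decode("utf-8")


@dataclass
class DesensitizationRule:
    algorithms: Dict[str, str]                      # sensitive identifier -> algorithm name
    table_map: Dict[str, str] = field(default_factory=dict)  # table seen by system -> table used by DB


@dataclass
class AccessRequest:
    system: str                  # service system that sent the request
    op: str                      # "read" or "write"
    table: str
    key: str                     # identifier of the data (the key in a key-value store)
    value: Optional[str] = None  # payload, present for writes only


class DAL:
    def __init__(self, rules: Dict[str, DesensitizationRule], ciphers: Dict[str, KeyedStreamCipher]):
        self.rules = rules
        self.ciphers = ciphers

    def is_sensitive(self, req: AccessRequest) -> bool:
        # Step 103: the reference rule is the one configured by the sending system.
        return req.key in self.rules[req.system].algorithms

    def rewrite(self, req: AccessRequest) -> AccessRequest:
        # Step 105: requests for non-sensitive data pass through untouched.
        if not self.is_sensitive(req):
            return req
        rule = self.rules[req.system]
        cipher = self.ciphers[rule.algorithms[req.key]]
        new_key = cipher.encrypt(req.key)
        new_value = cipher.encrypt(req.value) if req.op == "write" and req.value is not None else req.value
        # The table the system sees (a) may map to the one the database uses (a1).
        new_table = rule.table_map.get(req.table, req.table)
        return AccessRequest(req.system, req.op, new_table, new_key, new_value)

    def decrypt_response(self, req: AccessRequest, returned: str) -> str:
        # Read results come back encrypted and are decrypted with the same algorithm.
        if not self.is_sensitive(req):
            return returned
        return self.ciphers[self.rules[req.system].algorithms[req.key]].decrypt(returned)


# Constructed configuration: two service systems sharing "login_account",
# placeholder keys, and a table remapping for svc_a.
CIPHERS = {"B": KeyedStreamCipher("B", b"placeholder-key-for-B"),
           "C": KeyedStreamCipher("C", b"placeholder-key-for-C")}
RULES = {
    "svc_a": DesensitizationRule({"phone": "B", "login_account": "C"}, {"a": "a1"}),
    "svc_b": DesensitizationRule({"id_card": "B", "login_account": "C"}),
}
```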
After the processing procedure of the data access request is described, the configuration method of the desensitization rule will be described below.
Because the database is connected to a plurality of different service systems, for convenience the present disclosure only provides the mechanism for encrypting sensitive data and does not configure desensitization rules for each system in advance; instead, the desensitization rule of each service system is configured by the technician responsible for that service system (who knows the service system better and knows which of its data is sensitive). So that the technician can configure the rules successfully, an instruction manual for configuring desensitization rules is provided, and the technician configures the desensitization rule according to the instructions in that manual.
The method of configuring the desensitization rule will be described in detail below.
Each service system may store only its own data, that is, there is no intersection between the data accessible to different service systems; in this case, because the data accessible to different service systems are different, each service system may configure its desensitization rule freely. Specifically, a technician may input the desensitization rule to be configured through the management device of the service system, or the DAL may provide a plurality of pre-stored desensitization rules in advance and the technician selects one of them.
In other words, the desensitization rule may be configured as follows. A plurality of pre-stored desensitization rules are pre-configured, and for each service system, the configuration process of the desensitization rules comprises the following steps: determining the identification of data which can be accessed by the service system, and acquiring the identification of sensitive data included in each pre-stored desensitization rule; determining pre-stored desensitization rules of which all the included sensitive data identifiers are identifiers of data accessible to the service system, and taking the determined pre-stored desensitization rules as the pre-stored desensitization rules matched with the service system; pushing a pre-stored desensitization rule matched with the service system to a management device of the service system; and acquiring a target desensitization rule selected by a user from the pushed pre-stored desensitization rules, and configuring the target desensitization rule.
In addition, in some cases the same data may be used by different services: for example, the login accounts of service A and service B are the same, and in order to reduce the amount of stored data the login accounts of service A and service B are shared in the database. In other words, the database contains common data accessible to at least two business systems. In the presence of shared data, the configured desensitization rules must guarantee that different business systems configure the same desensitization rule for the common data.
How to ensure that different business systems configure the same desensitization rule for common data is explained below.
Firstly, to ensure that the common data is configured with the same desensitization algorithm, a plurality of pre-stored desensitization rules may be configured in advance (different pre-stored desensitization rules configure the same desensitization algorithm for the common data). When each service system is configured, several pre-stored desensitization rules are recommended to it and it selects one of them as its desensitization rule, which guarantees that different business systems configure the same desensitization rule for common data.
In other words, in the case of pre-stored desensitization rules, the configuration process of the desensitization rules includes, for each business system: determining a pre-stored desensitization rule matched with the service system, and pushing the pre-stored desensitization rule matched with the service system to a management device of the service system; and acquiring a target desensitization rule selected by a user from the pushed pre-stored desensitization rules, and configuring the target desensitization rule.
Which pre-stored desensitization rule matches the service system may be determined as follows: a pre-stored desensitization rule whose data identifiers coincide with the data identifiers of the service system in more than a preset threshold number of cases is taken as a matching desensitization rule.
A desensitization rule matching the business system may also be determined in the following way. Specifically, determining the identifiers of the accessible data includes: determining the identifiers of the data accessible to the service system, and acquiring the identifiers of sensitive data included in each pre-stored desensitization rule; and determining the pre-stored desensitization rules whose sensitive data identifiers are all identifiers of data accessible to the service system, and taking those as the pre-stored desensitization rules matching the service system. Different pre-stored desensitization rules configure the same desensitization algorithm for common data.
In addition, after the pre-stored desensitization rule matched with the service system is determined, one matched pre-stored desensitization rule can be randomly selected as the desensitization rule used by the service system.
Secondly, in the case of shared data, desensitization rules may be configured by storing pre-stored desensitization rules only for the shared data in advance, while the desensitization rules for non-shared data are configured by the user.
Specifically, pre-stored desensitization rules for each common data are pre-configured; for each business system, the configuration process of the desensitization rule comprises the following steps: determining the identification of data accessible to the business system; determining common data in the data which can be accessed by the business system from the identification of the data which can be accessed by the business system; acquiring a pre-stored desensitization rule aiming at the determined shared data, and acquiring a desensitization rule configured by the service system aiming at other data except the shared data; and taking the acquired pre-stored desensitization rule and the desensitization rule configured by the service system as the desensitization rule configured by the service system.
In addition, in the above method, in order to improve processing efficiency, when the service system is online, the configuration file of the service system may be scanned, and the configuration file of the service system is stored: identification of data accessible to the business system. And when the equipment is started, pre-stored desensitization rules are pre-loaded to determine common data.
In other words, the method further comprises: aiming at each service system, under the condition that the service system is on line, acquiring a configuration result according to configuration information of the service system; the configuration result at least comprises an identifier of data which can be accessed by the business system; pre-scanning to obtain the identification of the sensitive data included by each desensitization rule; the determining the identification of the data accessible to the business system includes: and acquiring a configuration result aiming at the service system, and determining the identification of the data which can be accessed by the service system.
Finally, except the configuration method of the desensitization rule, the pre-stored desensitization rule can be not configured in advance, and all desensitization rules are configured by the user. And before each configuration, different service systems are prevented from configuring different desensitization rules for the same shared data by scanning the configured desensitization rules.
Specifically, for each business system, the configuration process of the desensitization rule includes: determining configured common data which is configured with desensitization rules from all common data; under the condition that the data which can be accessed by the service system comprises the configured shared data, the desensitization rule configured by the service system for other data except the configured shared data is obtained, and the obtained desensitization rule configured for the other data and the configured desensitization rule of the shared data are used as the desensitization rule configured by the service system. And under the condition that the data which can be accessed by the service system does not comprise configured shared data, acquiring desensitization rules which can be configured by the service system for all accessible data, and taking the acquired desensitization rules as the desensitization rules configured by the service system.
After the description of the configuration method of the desensitization rule, the desensitization of the online service will be described below.
For an offline service system, the desensitization rule can be configured directly by the above method, and reading of the encrypted data is thereby supported; after configuration is complete, data are read and written as shown in fig. 2A.
For an online service system, the database already stores the service system's data, so there are three stages. In the first stage, the sensitive data stored in the database must be encrypted. Sometimes the encryption tool does not encrypt everything at once and some unencrypted data remain; the DAL then has to wait for a period of time for the encryption of the remaining data to complete. So that the service system can still read data normally during this period, the database keeps both a plaintext column and a ciphertext column for each item of sensitive data: data read requests are served from the plaintext column, and data write requests are written to both the plaintext column and the ciphertext column. This waiting period is the second stage, shown in fig. 2B. In the third stage, after all plaintext data have been converted into ciphertext, the plaintext data are deleted and only the ciphertext data are retained; see fig. 2C, the ciphertext data access method having been described in detail above. Note that the logical columns in fig. 2B and 2C are the identifiers of the columns or tables visible to the service system.
In other words, the service systems interfacing with the database include at least one service system that is already online, and in the second stage the method further includes, for the online service system: sending the unencrypted data write request and the encrypted data write request to the database together. This does not apply to data read requests: in the second stage a data read request is not encrypted, and the plaintext data are read directly.
Further, the structure of the DAL is shown in fig. 3. The DAL desensitization framework enclosed by the dashed line is the part added to implement the request processing method of the present disclosure. For a new service system (i.e. an offline service system), encryption and access of sensitive data are achieved simply by configuring a desensitization rule; for an old service system (i.e. an online service system), a processing rule must first be sent to a plaintext-to-ciphertext tool so that the plaintext data of the online service system stored in the database can be converted into ciphertext. In addition, the online service system needs to send its desensitization rule to the DAL so that data access requests can be rewritten.
For the DAL, when a data access request (also referred to as SQL) arrives, the SQL is first intercepted and then parsed; a desensitization interceptor determines, according to the configured desensitization rule, whether the current SQL needs to be rewritten, and if so sends the SQL to an encryption device for encryption and then rewrites the encrypted SQL. After rewriting is complete, the database executes the rewritten SQL to obtain the data source.
Corresponding to the embodiment of the method, the disclosure also provides an embodiment of the device and the terminal applied by the device.
As shown in fig. 4, fig. 4 is a block diagram of a request processing device according to an exemplary embodiment, which is applied to a data access layer DAL of a database, where sensitive data in the database are encrypted in advance; the database interfaces with at least two service systems, and each service system interfacing with the database has its own desensitization rule configured on the DAL; the device comprises:
the access request receiving module 410 is configured to receive a data access request sent by any service system, where the data access request is a data read request or a data write request.
The access request determining module 420 is configured to determine whether the data access request is an access request for the sensitive data according to the identifier of the sensitive data included in the reference desensitization rule, where the reference desensitization rule is a desensitization rule configured by the service system that sends the data access request.
And an access request rewriting module 430 configured to, in a case where it is determined that the data access request is an access request for sensitive data, rewrite the data access request according to an encryption algorithm for each type of sensitive data included in the reference desensitization rule, and send the rewritten data access request to the database.
Wherein, the DAL is preconfigured with a plurality of pre-stored desensitization rules, and the apparatus further includes a desensitization rule configuration module (not shown in the figure), configured to execute, for each service system: determining the identification of data which can be accessed by the service system, and acquiring the identification of sensitive data included in each pre-stored desensitization rule; determining pre-stored desensitization rules of which all the included sensitive data identifiers are identifiers of data accessible to the service system, and taking the determined pre-stored desensitization rules as the pre-stored desensitization rules matched with the service system; pushing a pre-stored desensitization rule matched with the service system to a management device of the service system; and acquiring a target desensitization rule selected by a user from the pushed pre-stored desensitization rules, and configuring the target desensitization rule.
In the above case, the database may contain common data accessible by at least two business systems, wherein desensitization algorithms configured for the common data by different pre-stored desensitization rules are the same.
Where the database contains shared data accessible to at least two service systems, a pre-stored desensitization rule is configured in advance for each item of shared data; the apparatus further comprises a desensitization rule configuration module (not shown in the figures) specifically configured to perform, for each service system: determining the identifiers of the data accessible to the service system; determining, from those identifiers, the shared data among the data accessible to the service system; acquiring the pre-stored desensitization rule for the determined shared data, and acquiring the desensitization rule configured by the service system for data other than the shared data; and taking the acquired pre-stored desensitization rule together with the desensitization rule configured by the service system as the desensitization rule configured by the service system.
In the above case, the apparatus further comprises an obtaining module (not shown in the figure), specifically configured to: for each service system, when the service system goes online, acquire a configuration result from the configuration information of the service system, the configuration result including at least the identifiers of the data accessible to the service system; and obtain, by pre-scanning, the identifiers of the sensitive data included in each desensitization rule. The determination of the identifiers of the data accessible to the service system in the desensitization rule configuration module is then specifically configured as: acquiring the configuration result for the service system and determining from it the identifiers of the data the service system can access.
Where the database contains shared data accessible to at least two service systems, the apparatus further comprises a desensitization rule configuration module (not shown), specifically configured to perform, for each service system: determining, among all shared data, the configured shared data for which desensitization rules have already been configured; if the data accessible to the service system include configured shared data, acquiring the desensitization rules configured by the service system for data other than the configured shared data, and taking those together with the already configured desensitization rules of the shared data as the desensitization rule configured by the service system; and if the data accessible to the service system do not include configured shared data, acquiring the desensitization rules the service system configures for all accessible data and taking them as the desensitization rule configured by the service system.
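The three configuration methods described above for the method and restated for the desensitization rule configuration module (matching pre-stored rules to a service system by the subset test on accessible identifiers, composing pre-stored shared-data rules with user-configured rules, and scanning the configured rules so that two service systems cannot protect the same shared data with different algorithms) are shown below in one added Python example. It is illustrative code written for this page, not the patent's or the assignee's implementation; the rule tables, the `table.column` identifier form, the system names and the algorithm names are constructed assumptions.

```python
from collections import Counter

# Constructed pre-stored desensitization rules (hypothetical identifiers of the
# form "table.column" and hypothetical algorithm names; not the patent's tables).
PRE_STORED_RULES = {
    "rule_pii_basic": {"users.phone": "SM4", "users.id_card": "SM4"},
    "rule_pii_full": {"users.phone": "SM4", "users.id_card": "SM4", "users.email": "AES"},
    "rule_finance": {"accounts.card_no": "SM4"},
}


def matching_rules(accessible_ids, pre_stored=PRE_STORED_RULES):
    """Pre-stored rules whose sensitive-data identifiers are ALL among the
    identifiers of data the service system may access (the subset test of the
    description and claim 2).  These are the rules that would be pushed to the
    service system's management device for the user to choose from."""
    accessible = set(accessible_ids)
    return sorted(name for name, rule in pre_stored.items() if set(rule) <= accessible)


def shared_data(accessible_by_system):
    """Identifiers accessible to at least two service systems."""
    counts = Counter(ident for ids in accessible_by_system.values() for ident in set(ids))
    return {ident for ident, n in counts.items() if n >= 2}


def compose_rule(system, accessible_by_system, shared_rules, user_rule):
    """Shared data take the pre-stored rule; all other accessible data take the
    rule the service system configured itself.  A service system is refused its
    own algorithm for shared data, so two systems can never disagree on it."""
    accessible = set(accessible_by_system[system])
    shared = shared_data(accessible_by_system) & accessible
    rule = {ident: shared_rules[ident] for ident in shared if ident in shared_rules}
    for ident, algorithm in user_rule.items():
        if ident in shared:
            raise ValueError(f"{system}: {ident} is shared data; its algorithm is fixed")
        if ident not in accessible:
            raise ValueError(f"{system}: {ident} is not accessible to this system")
        rule[ident] = algorithm
    return rule


def conflicting_shared_rules(configured_rules):
    """Scan already configured rules (the third configuration method) and report
    identifiers that different service systems protect with different algorithms.
    An empty result means no shared column has two conflicting algorithms."""
    algorithms_by_ident = {}
    for rule in configured_rules.values():
        for ident, algorithm in rule.items():
            algorithms_by_ident.setdefault(ident, set()).add(algorithm)
    return {ident: algs for ident, algs in algorithms_by_ident.items() if len(algs) > 1}
```

The subset test is strict on purpose: a rule that names a column the service system cannot access would grant it a desensitization algorithm for data it should never see, so such rules are not offered at all. The conflict scan is the check to run before any new rule is accepted, because a shared column encrypted two different ways cannot be read correctly by both systems.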
Wherein, the DAL is externally connected with an encryption device; the access request rewriting module 430 is specifically configured to: in a case where it is determined that the data access request is an access request for sensitive data, determining an encryption algorithm of data for which the data access request is directed, in accordance with an encryption algorithm of each type of sensitive data included in the reference desensitization rule; sending the data and the encryption algorithm included in the data access request to an external encryption device to encrypt the data or the data identifier in the data access request; and receiving the encrypted data access request returned by the encryption device, rewriting the encrypted data access request when rewriting is needed, and sending the rewritten data access request to the database.
The access request rewriting module 430 is further configured to: where the data access request is determined to be an access request for sensitive data and is a data read request, determine the identifier of the data to be read by the data read request, rewrite the determined data identifier according to the encryption algorithm of each kind of sensitive data included in the reference desensitization rule, and send the rewritten data access request to the database. The device further comprises a decryption module (not shown in the figures), specifically configured to: when data returned by the database for the data read request are received, decrypt the returned data according to the encryption algorithm of each kind of sensitive data included in the desensitization rule, and return the decrypted data to the service system.
The access request rewriting module 430 is specifically configured to: if the data access request is determined to be an access request for sensitive data, and if the data access request is a data write request, determining data required to be written by the data write request and an identification of the data; and rewriting the determined data and the identification of the data according to the encryption algorithm of each kind of sensitive data included in the reference desensitization rule, and sending a rewritten data access request to the database.
The service systems interfacing with the database include at least one online service system; for the online service system, the apparatus further includes a sending module (not shown in the figure) configured to: send both the non-rewritten data access request and the rewritten data access request to the database.
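The interception and rewriting flow described for the DAL in the method above, and restated here for the rewriting, decryption and sending modules (the second migration stage in which plaintext and ciphertext columns coexist and writes go to both, the third stage in which only the ciphertext column remains, the rewriting of read and write requests, and the decryption of returned data), is shown below in one added Python example. It is not the patent's code: data access requests are modelled as structured dictionaries rather than SQL text, the external encryption device is replaced by a hypothetical deterministic tokeniser, and the `_cipher` column suffix, the system names and the stage names are assumptions made for the example.

```python
import hashlib
import hmac


class EncryptionDevice:
    """Stand-in for the external encryption device the DAL calls out to (hypothetical).
    Values are tokenised deterministically with an HMAC, so equal plaintexts give
    equal ciphertexts (what lets an equality lookup on the ciphertext column work);
    a vault reverses the tokens.  A real deployment uses the device's own algorithms."""

    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}

    def encrypt(self, algorithm: str, value: str) -> str:
        tag = hmac.new(self._key, f"{algorithm}:{value}".encode(), hashlib.sha256).hexdigest()[:32]
        token = f"{algorithm}${tag}"
        self._vault[token] = value
        return token

    def decrypt(self, algorithm: str, token: str) -> str:
        return self._vault[token]


def cipher_column(column: str) -> str:
    """Assumed naming convention for the ciphertext column beside a logical column."""
    return f"{column}_cipher"


class DAL:
    """rules: system -> {"table.column": algorithm}.  stages: system -> "dual"
    (second stage: plaintext and ciphertext columns coexist) or "ciphertext"
    (third stage, and every new service system: ciphertext column only)."""

    def __init__(self, rules, stages, device):
        self.rules, self.stages, self.device = rules, stages, device

    def is_sensitive(self, system, request):
        """Access request for sensitive data = it names a column in the system's rule."""
        rule, table = self.rules[system], request["table"]
        columns = set(request.get("columns", ())) | set(request.get("where", {})) | set(request.get("values", {}))
        return any(f"{table}.{c}" in rule for c in columns)

    def rewrite(self, system, request):
        """Rewrite a structured read/write request before it is sent to the database."""
        if not self.is_sensitive(system, request):
            return request                      # non-sensitive: passed through unchanged
        rule, stage, table = self.rules[system], self.stages[system], request["table"]
        if request["op"] == "write":
            values = {}
            for column, value in request["values"].items():
                algorithm = rule.get(f"{table}.{column}")
                if algorithm is None:
                    values[column] = value
                    continue
                if stage == "dual":             # second stage: plaintext column is still written
                    values[column] = value
                values[cipher_column(column)] = self.device.encrypt(algorithm, value)
            return {"op": "write", "table": table, "values": values}
        if stage == "dual":                     # second stage: reads stay on the plaintext column
            return request
        columns = [cipher_column(c) if f"{table}.{c}" in rule else c for c in request["columns"]]
        where = {}
        for column, value in request.get("where", {}).items():
            algorithm = rule.get(f"{table}.{column}")
            if algorithm is None:
                where[column] = value
            else:                               # encrypt the lookup value, target the ciphertext column
                where[cipher_column(column)] = self.device.encrypt(algorithm, value)
        return {"op": "read", "table": table, "columns": columns, "where": where}

    def decrypt_rows(self, system, table, rows):
        """Map ciphertext columns in rows returned by the database back to decrypted logical columns."""
        rule, out = self.rules[system], []
        for row in rows:
            clean = {}
            for column, value in row.items():
                logical = column[: -len("_cipher")] if column.endswith("_cipher") else None
                if logical and f"{table}.{logical}" in rule:
                    clean[logical] = self.device.decrypt(rule[f"{table}.{logical}"], value)
                else:
                    clean[column] = value
            out.append(clean)
        return out


# Constructed sample configuration: "crm" is a new (offline) system that goes straight
# to the third stage, "billing" an online system still in the second stage.
RULES = {"crm": {"users.phone": "SM4"}, "billing": {"users.phone": "SM4"}}
STAGES = {"crm": "ciphertext", "billing": "dual"}
```

Deterministic encryption is what makes the equality lookup on the ciphertext column possible, and it is also the property to watch: equal plaintexts produce equal ciphertexts, so the ciphertext column still reveals which rows share a value. The second stage is likewise a period of exposure, since the plaintext column stays readable until the third stage deletes it; the migration is only complete once `STAGES` holds no `"dual"` entry.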
The implementation process of the functions and actions of each module in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the disclosed solution. One of ordinary skill in the art can understand and implement it without inventive effort.
As shown in fig. 5, fig. 5 is a hardware structure diagram of a computer device in which the request processing apparatus according to the embodiment is located, where the device may include: one or more processors 1010, memory 1020, input/output interface 1030, communication interface 1040, and bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050. Wherein the memory is used for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the request processing method described above. It is also noted that a plurality of one or more processors refers to at least two.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided by the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 can store an operating system and other application programs, and when the technical solution provided by the embodiments of the present disclosure is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. Moreover, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present disclosure, and need not include all of the components shown in the figures.
The disclosed embodiments also provide a computer-readable storage medium on which a computer program is stored, which when executed by a processor implements the request processing method described above.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
The foregoing description of specific embodiments of the present disclosure has been described. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Other embodiments of the present disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.
The above description is only exemplary of the present disclosure and should not be taken as limiting the disclosure, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (13)

1. A request processing method, characterized in that the method is applied to a data access layer DAL of a database, and sensitive data in the database are encrypted in advance; the database interfaces with at least two service systems, and each service system interfacing with the database has its own desensitization rule configured on the DAL; the method comprises the following steps:
receiving a data access request sent by any business system, wherein the data access request is a data reading request or a data writing request;
judging whether the data access request is an access request aiming at the sensitive data or not according to the identification of the sensitive data included in a reference desensitization rule, wherein the reference desensitization rule is a desensitization rule configured by a service system sending the data access request;
and in the case that the data access request is determined to be an access request for sensitive data, rewriting the data access request according to an encryption algorithm for each type of sensitive data included in the reference desensitization rule, and sending the rewritten data access request to the database.
2. The method of claim 1, wherein a plurality of pre-stored desensitization rules are pre-configured, and wherein the configuring of the desensitization rules comprises, for each business system:
determining the identification of data which can be accessed by the service system, and acquiring the identification of sensitive data included in each pre-stored desensitization rule;
determining pre-stored desensitization rules of which all the included sensitive data identifiers are identifiers of data accessible to the service system, and taking the determined pre-stored desensitization rules as the pre-stored desensitization rules matched with the service system;
pushing a pre-stored desensitization rule matched with the service system to a management device of the service system;
and acquiring a target desensitization rule selected by a user from the pushed pre-stored desensitization rules, and configuring the target desensitization rule.
3. The method of claim 2, wherein the database comprises common data accessible by at least two of the business systems, and wherein the desensitization algorithms configured for the common data for different pre-stored desensitization rules are the same.
4. The method of claim 1, wherein the database contains common data accessible to at least two business systems, pre-configured with pre-stored desensitization rules for each common data; for each business system, the configuration process of the desensitization rule comprises the following steps:
determining the identification of data accessible to the business system;
determining common data in the data which can be accessed by the business system from the identification of the data which can be accessed by the business system; acquiring a pre-stored desensitization rule aiming at the determined shared data, and acquiring a desensitization rule configured by the service system aiming at other data except the shared data;
and taking the acquired pre-stored desensitization rule and the desensitization rule configured by the service system as the desensitization rule configured by the service system.
5. The method according to any one of claims 2-4, further comprising:
aiming at each service system, under the condition that the service system is on line, acquiring a configuration result according to configuration information of the service system; the configuration result at least comprises an identifier of data which can be accessed by the business system; pre-scanning to obtain the identification of the sensitive data included by each desensitization rule;
the determining the identification of the data accessible to the business system includes:
and acquiring a configuration result aiming at the service system, and determining the identification of the data which can be accessed by the service system.
6. The method of claim 1, wherein the database contains common data accessible to at least two business systems, and wherein for each business system, the configuration process for desensitization rules comprises:
determining configured common data which is configured with desensitization rules from all common data;
under the condition that the data which can be accessed by the service system comprises configured shared data, acquiring desensitization rules configured by the service system for other data except the configured shared data, and taking the acquired desensitization rules configured for the other data and the configured desensitization rules of the shared data as desensitization rules configured by the service system;
and under the condition that the data which can be accessed by the service system does not comprise configured shared data, acquiring desensitization rules which can be configured by the service system for all accessible data, and taking the acquired desensitization rules as the desensitization rules configured by the service system.
7. The method of claim 1, wherein overwriting the data access request according to an encryption algorithm that references each sensitive data included in the desensitization rule comprises:
determining an encryption algorithm of data targeted by the data access request according to the encryption algorithm of each sensitive data included in the reference desensitization rule;
sending the data and the encryption algorithm included in the data access request to an encryption device to encrypt the data or the data identifier in the data access request;
and receiving the encrypted data access request returned by the encryption device, and rewriting the encrypted data access request when rewriting is needed.
8. The method of claim 1, wherein overwriting the data access request according to an encryption algorithm that references each sensitive data included in the desensitization rule comprises:
determining the identification of the data required to be read by the data read request under the condition that the data access request is the data read request;
rewriting the determined data identification according to the encryption algorithm of each sensitive data included in the reference desensitization rule;
the method further comprises the following steps:
under the condition that returned data of the database aiming at the data reading request are received, the returned data are decrypted according to the encryption algorithm of each sensitive data included in the desensitization rule;
and returning the decrypted data to the service system.
9. The method of claim 1, wherein overwriting the data access request according to an encryption algorithm that references each sensitive data included in the desensitization rule comprises:
determining the data required to be written by the data write request and the identification of the data under the condition that the data access request is a data write request;
the determined data and the identity of the data are overwritten according to the encryption algorithm for each sensitive data included in the reference desensitization rule.
10. The method of claim 1, wherein the database-interfaced business systems comprise at least one business system that is online;
for an online business system, the method further comprises:
sending the data access request which is not rewritten and the data access request which is rewritten to the database.
11. A request processing device, characterized in that the device is applied to a data access layer DAL of a database, and sensitive data in the database are encrypted in advance; the database interfaces with at least two service systems, and each service system interfacing with the database has its own desensitization rule configured on the DAL; the device comprises:
the access request receiving module is configured to receive a data access request sent by any service system, wherein the data access request is a data reading request or a data writing request;
the access request judging module is configured to judge whether the data access request is an access request aiming at the sensitive data according to the identification of the sensitive data included in a reference desensitization rule, wherein the reference desensitization rule is a desensitization rule configured by a service system sending the data access request;
and the access request rewriting module is configured to rewrite the data access request according to the encryption algorithm of each type of sensitive data included in the reference desensitization rule under the condition that the data access request is determined to be the access request of the sensitive data, and send the rewritten data access request to the database.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program which, when executed by a processor, implements the request processing method according to any one of claims 1 to 10.
13. A computer device, characterized in that the computer device comprises:
one or more processors;
a memory for storing one or more programs;
when executed by the one or more processors, cause the one or more processors to implement a request processing method as recited in any one of claims 1 to 10.
CN202111653000.8A 2021-12-30 2021-12-30 Request processing method and device Pending CN114329562A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111653000.8A CN114329562A (en) 2021-12-30 2021-12-30 Request processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111653000.8A CN114329562A (en) 2021-12-30 2021-12-30 Request processing method and device

Publications (1)

Publication Number Publication Date
CN114329562A true CN114329562A (en) 2022-04-12

Family

ID=81019033

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111653000.8A Pending CN114329562A (en) 2021-12-30 2021-12-30 Request processing method and device

Country Status (1)

Country Link
CN (1) CN114329562A (en)

Similar Documents

Publication Publication Date Title
KR102132504B1 (en) Secure identification of computing device and secure identification methods
US10833859B2 (en) Automating verification using secure encrypted phone verification
CN111539813A (en) Method, device, equipment and system for backtracking processing of business behaviors
US20150302185A1 (en) Method and apparatus for account intercommunication among apps
US9280665B2 (en) Fast and accurate identification of message-based API calls in application binaries
US10754954B2 (en) Securely exchanging information during application startup
CN109154968B (en) System and method for secure and efficient communication within an organization
KR20170061664A (en) Method to modify android application life cycle to control its execution in a containerized workspace environment
US11546333B2 (en) Blockchain-based service processing methods, apparatuses, devices, and storage media
US9910724B2 (en) Fast and accurate identification of message-based API calls in application binaries
JP6923582B2 (en) Information processing equipment, information processing methods, and programs
US10049222B1 (en) Establishing application trust levels using taint propagation
CN114003510A (en) Script testing method, device, equipment and medium based on Mock service
CN111753268B (en) Single sign-on method, single sign-on device, storage medium and mobile terminal
CN113609147A (en) Data sharing method and device and electronic equipment
CN112579955A (en) Page access method, equipment, medium and electronic equipment
US20180107840A1 (en) Method of restoring a secure element to a factory state
CN116628773A (en) Data processing method, device, electronic equipment and storage medium
CN114329562A (en) Request processing method and device
CN110457959B (en) Information transmission method and device based on Trust application
JP2016128966A (en) Service cooperation system, service cooperation device, terminal device, service cooperation method, and service cooperation program
US20230045103A1 (en) Data Re-Encryption For Software Applications
CN114374545B (en) Method, server, device and electronic equipment for preventing message leakage
US20230342817A1 (en) Systems and methods for implementation and use of an identity graph
CN113986342A (en) Data processing method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20220412

Assignee: Baisheng Consultation (Shanghai) Co.,Ltd.

Assignor: Shengdoushi (Shanghai) Technology Development Co.,Ltd.

Contract record no.: X2023310000138

Denomination of invention: A request processing method and device

License type: Common License

Record date: 20230714