CN114462059A - Table field level encryption and security access control method and system - Google Patents


Info

Publication number
CN114462059A
Authority
CN
China
Prior art keywords
encryption
column
server
access request
request message
Legal status
Pending
Application number
CN202111658174.3A
Other languages
Chinese (zh)
Inventor
杨新群
李晓峰
戚勇
王继志
Current Assignee
Jinan Supercomputing Technology Research Institute
Original Assignee
Jinan Supercomputing Technology Research Institute

Classifications

    • G06F 21/604 Tools and structures for managing or administering access control systems (under G06F 21/60 Protecting data; G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F 16/21 Design, administration or maintenance of databases (under G06F 16/20 Information retrieval; database structures for structured data, e.g. relational data)
    • G06F 21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords (under G06F 21/45; G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • G06F 21/602 Providing cryptographic facilities or services (under G06F 21/60 Protecting data)
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (under G06F 21/62)


Abstract

The invention discloses a table field level encryption and security access control method and system, comprising the following steps: connecting to a first server through a virtual login password and receiving an access request message from the first server; parsing the access request message to obtain the query parameter to be encrypted and its value, determining the encryption type, the ciphertext of the column encryption key and the column master key according to the encrypted field, decrypting the ciphertext of the column encryption key with the column master key, encrypting the value of the query parameter according to the encryption type and the decrypted column encryption key, packaging the encrypted query parameter into the access request message and forwarding the access request message to a second server; and receiving the response message of the second server, parsing and decrypting the response message, and sending the decrypted response message to the first server. Centralized storage, rotation and status updating of the column master key are realized, so the column master key is never distributed to clients and the leakage risk is removed.

Description

Table field level encryption and security access control method and system
Technical Field
The invention relates to the technical field of data encryption, in particular to a table field level encryption and security access control method and system.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
The relational database SQL Server supports table field level encryption (Always Encrypted), which protects data from rogue administrators, backup thieves and man-in-the-middle attacks. The supported encryption types are deterministic and randomized. The column master key is provided to the client in the form of an X.509 certificate and is used to decrypt the column encryption key, which in turn encrypts the query parameters and decrypts the query results.
Because the column master key has to be provided to every client, it becomes widely distributed and is at risk of leakage. Although SQL Server can store the column master key centrally in the Azure cloud key vault service, not every system can use Azure: some medical, financial and other institutions cannot use the Azure cloud service for reasons such as security review, and for them the column master key leakage risk remains.
Moreover, SQL Server does not support full multi-factor authentication (MFA) and relies on account/password authentication, so the database account password has to be given to the client, which causes the password to spread and risks leakage. In addition, SQL Server cannot set access rules flexibly and therefore cannot effectively block high-risk SQL operations.
Disclosure of Invention
In order to solve the above problems, the present invention provides a table field level encryption and security access control method and system in which, when messages are forwarded between a first server and a second server, a transparent gateway manages the column master key uniformly and performs the encryption and decryption of the messages; through centralized storage, rotation, status update and the like of the column master key, propagation of the column master key is avoided and the leakage risk is removed.
In order to achieve the purpose, the invention adopts the following technical scheme:
in a first aspect, the present invention provides a table field level encryption and security access control method, including:
connecting a first server through a virtual login password, and receiving an access request message of the first server;
parsing the access request message to obtain the query parameter to be encrypted and its value, determining the encryption type, the ciphertext of the column encryption key and the column master key according to the encrypted field, decrypting the ciphertext of the column encryption key with the column master key, encrypting the value of the query parameter according to the encryption type and the decrypted column encryption key, packaging the encrypted query parameter into the access request message, and forwarding the access request message to a second server;
and receiving the response message of the second server, analyzing and decrypting the response message, and sending the decrypted response message to the first server.
As an alternative embodiment, after connecting to the first server, an encrypted channel is established with the first server to receive the access request message, and the connection mode with the first server includes a virtual login password, IP address verification, login time verification, login machine name verification or login program verification.
As an alternative embodiment, the column master key is managed uniformly, including centralized storage, rotation, and status update of the column master key, and a column master key fingerprint is determined from parsing the access request message to obtain the corresponding column master key, and a ciphertext of the column encryption key is decrypted.
As an alternative embodiment, in the process of parsing and decrypting the response message, the encryption metadata of the column is obtained, which includes the encryption field, the encryption type, the ciphertext of the column encryption key, and the column master key fingerprint, the corresponding column master key is called according to the column master key fingerprint to decrypt the ciphertext of the column encryption key, and the response message is decrypted according to the encryption type and the decrypted column encryption key.
As an alternative implementation, the encrypted query parameters are encapsulated into the access request message, and the metadata type of the query parameters is modified at the same time, so that the encrypted query parameters are encapsulated into an SQL statement in the access request message, and the modification of the message body is completed;
and deleting the encrypted metadata and restoring the field type when the plaintext of the decrypted response message is encapsulated into the response message.
As an optional implementation, the control method further includes decrypting the OUT parameter of a stored procedure: the response message of the stored procedure is parsed to obtain the encryption type, and the OUT parameter is decrypted with a column encryption key cached in advance.
As an optional implementation, the control method further includes dangerous behavior interception, where the dangerous behavior interception includes DDL statement interception, DML statement interception, query result row count control, and login failure count control.
In a second aspect, the present invention provides a table field level encryption and security access control system, including:
the communication module is configured to be connected with the first server through the virtual login password and receive an access request message of the first server;
the encryption module is configured to parse the access request message to obtain the query parameter to be encrypted and its value, determine the encryption type, the ciphertext of the column encryption key and the column master key according to the encrypted field, decrypt the ciphertext of the column encryption key with the column master key, encrypt the value of the query parameter according to the encryption type and the decrypted column encryption key, package the encrypted query parameter into the access request message and forward the access request message to the second server;
and the decryption module is configured to receive the response message of the second server, analyze and decrypt the response message, and send the decrypted response message to the first server.
In a third aspect, the present invention provides an electronic device comprising a memory and a processor, and computer instructions stored on the memory and executed on the processor, wherein when the computer instructions are executed by the processor, the method of the first aspect is performed.
In a fourth aspect, the present invention provides a computer readable storage medium for storing computer instructions which, when executed by a processor, perform the method of the first aspect.
Compared with the prior art, the invention has the following beneficial effects:
The invention provides a table field level encryption and security access control method and system in which a virtual user name and password are used to connect to the gateway, so that the real database user name and password are never exposed and their propagation risk is reduced; a multi-factor identity verification method with flexible access rules is provided, which ensures the reliability of the identity and effectively blocks high-risk SQL operations.
Advantages of additional aspects of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, are included to provide a further understanding of the invention; they illustrate exemplary embodiments of the invention and, together with the description, serve to explain the invention without limiting it.
Fig. 1 is a schematic diagram of a table field level encryption and security access control method provided in embodiment 1 of the present invention;
fig. 2 is a network topology diagram of log audit processing provided in embodiment 1 of the present invention.
Detailed Description
The invention is further described with reference to the following figures and examples.
It is to be understood that the following detailed description is exemplary and is intended to provide further explanation of the invention as claimed. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the invention. As used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and it should be understood that the terms "comprises" and "comprising", and any variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiments and features of the embodiments of the present invention may be combined with each other without conflict.
Example 1
As shown in fig. 1, the present embodiment provides a table field level encryption and security access control method, applied to a gateway side, including:
connecting a first server through a virtual login password, and receiving an access request message of the first server;
parsing the access request message to obtain the query parameter to be encrypted and its value, determining the encryption type, the ciphertext of the column encryption key and the column master key according to the encrypted field, decrypting the ciphertext of the column encryption key with the column master key, encrypting the value of the query parameter according to the encryption type and the decrypted column encryption key, packaging the encrypted query parameter into the access request message, and forwarding the access request message to a second server;
and receiving the response message of the second server, analyzing and decrypting the response message, and sending the decrypted response message to the first server.
In this embodiment, taking data access between a client and a SQL database server as the example, a transparent gateway is placed between the client (application server) and the SQL database server to relay the data access requests and responses between them. The gateway can listen to TCP traffic on several network interfaces and ports on the client side, or on a single interface, and forwards the traffic to different SQL Server instances.
Optionally, the gateway may run on the same server as SQL Server; the gateway therefore listens on port 2433 by default, and the administrator can manually configure the network interface and port to listen on.
In the embodiment, the client is connected through the virtual login password, an encryption channel with the client is established, and an access request message of the client is received; by providing a virtual login password without exposing the actual database username password, the risk of propagation of the actual username password is reduced.
As an alternative embodiment, password authentication is achieved through mapping of a virtual login password to a real database username password.
Alternatively, the virtual username password is managed by the gateway uniformly, and the mapping relation can be modified at any time.
In this embodiment, besides the virtual user name and password authentication, a multi-factor authentication method consisting of IP address verification, login time verification, login machine name verification and login program verification is also used when establishing the connection with the client;
specifically, the checks are as follows. IP address verification: an access rule (black/white list) is set according to the source IP address of the TCP connection carrying the access request message, for example rules for individual IP addresses, IP address ranges or CIDR blocks.
Login time verification: an access rule is set according to the client's login time, for example allowing access only during working hours.
Login machine name verification: the Login7 packet of the TDS protocol is parsed to obtain the login machine name, and access is rejected or allowed according to a preset machine name validation rule.
Login program verification: the Login7 packet of the TDS protocol is parsed to obtain the login program name, and access is rejected or allowed according to a preset program name validation rule.
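The following is an added example, not code from the patent, of how the gateway-side connection policy described above can be evaluated: a virtual login mapped to the real database account, then IP deny/allow lists (single addresses, ranges as CIDR blocks), a working-hours window, a machine name pattern and a program allow list, all read from what the TCP connection and the TDS Login7 packet provide. The policy values, the `sample_attempt` helper and every login attribute below are constructed for illustration; in a real gateway the virtual password would be compared against a stored hash.

```python
"""Gateway-side connection policy check modelled on the multi-factor rules in the
embodiment. Added example; all rule values and login attributes are constructed."""
import hmac
import re
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class LoginAttempt:
    # attributes the gateway takes from the TCP connection and the TDS Login7 packet
    virtual_user: str
    virtual_password: str
    source_ip: str
    login_time: datetime
    machine_name: str
    program_name: str


@dataclass
class AccessPolicy:
    # virtual login -> {"password": ..., "real_account": ...}; constructed sample mapping
    virtual_logins: dict
    ip_allow: list = field(default_factory=list)     # hosts, ranges or CIDR blocks
    ip_deny: list = field(default_factory=list)
    work_start: time = time(8, 0)
    work_end: time = time(18, 0)
    work_days: set = field(default_factory=lambda: {0, 1, 2, 3, 4})   # Mon..Fri
    machine_pattern: Optional[str] = None
    program_allow: set = field(default_factory=set)


def evaluate(attempt, policy):
    """Return (allowed, reason, real_account). Factors are checked in the order the
    embodiment lists them and the first failing factor is reported."""
    entry = policy.virtual_logins.get(attempt.virtual_user)
    # constant-time compare; a deployment would compare against a stored hash
    if entry is None or not hmac.compare_digest(entry["password"], attempt.virtual_password):
        return False, "virtual login rejected", None
    addr = ip_address(attempt.source_ip)
    if any(addr in ip_network(n) for n in policy.ip_deny):
        return False, "source ip on deny list", None
    if policy.ip_allow and not any(addr in ip_network(n) for n in policy.ip_allow):
        return False, "source ip not on allow list", None
    t = attempt.login_time
    if t.weekday() not in policy.work_days or not (policy.work_start <= t.time() < policy.work_end):
        return False, "outside permitted login window", None
    if policy.machine_pattern and not re.fullmatch(policy.machine_pattern, attempt.machine_name):
        return False, "machine name rejected", None
    if policy.program_allow and attempt.program_name not in policy.program_allow:
        return False, "program name rejected", None
    return True, "ok", entry["real_account"]


# constructed policy: one virtual login, an internal /8 plus one host allowed, one /16 denied
SAMPLE_POLICY = AccessPolicy(
    virtual_logins={"app_v": {"password": "v-secret", "real_account": "app_real"}},
    ip_allow=["10.0.0.0/8", "192.168.1.10"],
    ip_deny=["10.9.0.0/16"],
    machine_pattern=r"APP-\d{2}",
    program_allow={"OrderService"},
)


def sample_attempt(**overrides):
    """Constructed Login7 attributes for the demo; override any field by keyword."""
    base = dict(virtual_user="app_v", virtual_password="v-secret", source_ip="10.1.2.3",
                login_time="2024-03-05T10:00:00", machine_name="APP-01",
                program_name="OrderService")
    base.update(overrides)
    base["login_time"] = datetime.fromisoformat(base["login_time"])
    return LoginAttempt(**base)
```

The deny list is checked before the allow list so that a blocked sub-range inside a permitted range stays blocked; the real account name is only released once every factor has passed, which is the point of the virtual login mapping.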
In this embodiment, since a client sending plaintext to the gateway is a security risk, an encrypted channel is enabled between the client and the gateway; a TLS encrypted channel is established between the client and the gateway using the system.
Optionally, if performance is prioritized, the non-secure connection option can be enabled, in which case messages between the client and the gateway are not carried over the TLS channel; note, however, that even with the non-secure connection option enabled, the TDS Login7 message of the client login process, which carries the user name and password, is still sent over the TLS channel for security reasons.
In this embodiment, after receiving the client's access request message, the gateway parses the TDS protocol carried on the client connection and forwards the processed TDS message to the designated SQL Server according to the preconfigured access policy, with the query parameters encrypted;
The query parameter encryption process is as follows. Because the TDS messages that can execute SQL statements are the RPC message and the SQLBatch message, the gateway program must be able to parse both and recognise their formats; the RPC message can execute SQL statements as well as stored procedures, whereas SQLBatch can only execute SQL statements without query parameters.
The syntax tree of the SQL statement is parsed with the Microsoft.SqlServer.TransactSql.ScriptDom library to obtain the field names and values of the query parameters, and the SQL Server system stored procedure sp_describe_parameter_encryption is then used to determine whether each query parameter's field is an encrypted field, together with metadata such as the encryption type (Deterministic, Randomized) of the field, the ciphertext of the column encryption key and the fingerprint of the column master key.
If the query parameter belongs to an encrypted field, its value must be encrypted: the column master key is obtained from the local MySQL database or the certificate store according to the column master key fingerprint, the ciphertext of the column encryption key is decrypted with the column master key, a random or a deterministic initialization vector is selected according to the encryption type (Deterministic, Randomized) of the field, and finally the value of the query parameter is encrypted with the AES (256-bit) algorithm and the decrypted column encryption key.
The ciphertext of the query parameter is then packaged into the access request message, and the modified TDS message is serialized into a System.
Note that the ciphertext of the query parameter value cannot simply be written into the SQL statement; the query parameter metadata must also be modified, for example the parameter type is changed from the original VARCHAR, NUMBER, etc. to VARBINARY, and the query parameter value must be re-encoded in the PLP (partially length-prefixed) format (a single PLP chunk suffices).
In this embodiment, since the SQL database stores ciphertext, a constant query on an encrypted field (for example, FieldA 123 AND FieldB) cannot be executed correctly, and the constant query must be converted into a parameterized query with encryption metadata; if it is a SQLBatch message, the message type must also be converted to an RPC message.
Specifically, after parsing the SQL text to obtain the query fields, table and schema, a SQL text querying the field metadata is sent to SQL Server, the Type, MaxLength, Precision, Scale, EncryptionType and other metadata of the field are obtained, and the query parameter is constructed so that it can be encrypted using the steps above.
In this embodiment, the encrypted query parameter is encapsulated in the access request message and forwarded to the SQL database server, which responds to it; the gateway receives the response message of the SQL database server, decrypts the query result and returns the response message to the client according to the preconfigured policy.
The query result decryption process is as follows. The TabularResult message of the TDS response is parsed to obtain the column encryption metadata, which includes whether a field is encrypted, the encryption type (Deterministic, Randomized) of the field, the ciphertext of the column encryption key, the fingerprint of the column master key and the like;
according to the column master key fingerprint, the column master key is obtained from the local MySQL database or the certificate store, the ciphertext of the column encryption key is decrypted with the column master key, a random or deterministic initialization vector is selected according to the encryption type (Deterministic, Randomized) of the field, and finally the query result is decrypted with the AES (256-bit) algorithm and the decrypted column encryption key, yielding the execution result of the SQL statement.
After the plaintext of the query result is obtained, it is written into the TDS message body and the modified TDS message is serialized into a System.
Because the query result has been decrypted, the corresponding encryption metadata in the ColMetaData of the TabularResult message is deleted, and the query result type is reverted from VARBINARY to the actual field type (e.g. VARCHAR, NUMBER, etc.).
In the TDS protocol, although the ReturnValue message of a stored procedure contains the encryption type (Deterministic, Randomized) of the OUT parameter, it does not contain the ciphertext of the column encryption key or the fingerprint of the column master key, so the OUT parameter of a stored procedure cannot be decrypted if SQL Server is accessed directly by an ado.
In this embodiment, decryption of stored procedure OUT parameters is implemented in the transparent gateway by caching the result of sp_describe_parameter_encryption before the stored procedure is called, and using the cached column encryption key directly when the ReturnValue message of the response is received, so that the OUT parameter can be decrypted.
In this embodiment, unified management of the column master key by the transparent gateway specifically comprises centralized storage, rotation and status update of the column master key;
Centralized storage of the column master key: the column master key is stored centrally on the transparent gateway side; storage in a MySQL relational database is supported, and if the gateway program runs on Windows Server, storage in the Windows Certificate Store is also supported.
The database security administrator needs to export the column master key from SQL Server in the TripleDES-SHA1 encrypted format and then import it into the transparent gateway.
After parsing the TDS protocol to obtain the column encryption metadata, the gateway program locates the certificate according to the certificate fingerprint (thumbprint) carried in that metadata.
Column master key rotation: the column master key is rotated by a batch process that runs once a day, starting some time before the expiration date of the column master key.
The rotation uses the SqlServer PowerShell module, including the New-SqlColumnMasterKey, Invoke-SqlColumnMasterKeyRotation, Complete-SqlColumnMasterKeyRotation and Remove-SqlColumnMasterKey commands, to complete the rotation of the column master key.
If the key rotation fails, it is retried the next time the batch program starts; if the rotation cannot be completed before the expiration date, a system log entry is written and the administrator is reminded to change the column master key manually.
Updating the status of the old column master key: after the expiration date of the column master key has passed, a batch program executed once a day updates the certificate status to invalid, and an invalid column master key can no longer be used.
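The following is an added example, not the patent's code, that walks through the two key-handling flows described above: the parameter encryption and result decryption path (fingerprint lookup, unwrapping the column encryption key, deterministic versus randomized initialization vector) and the centralized column master key store with rotation and expiry. Two assumptions are made so it runs with only the Python standard library: the AES-256 cipher the patent uses is replaced by a stand-in built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag (this is not the Always Encrypted wire format), and the X.509 thumbprint is stood in for by a SHA-1 of the key bytes. The column name, key bytes and dates are constructed.

```python
"""Column-key envelope and centralised column master key (CMK) handling, modelled
on the gateway flow. Added example. Assumption: HMAC-SHA256 counter-mode stand-in
instead of AES-256; SHA-1 of the key bytes stands in for the certificate thumbprint."""
import hashlib, hmac, secrets
from datetime import date


def _keystream(key, iv, n):
    # PRF keystream: HMAC(key, iv || counter) blocks, truncated to n bytes
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _seal(key, plaintext, iv):
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, iv, len(plaintext))))
    return iv + body + hmac.new(key, iv + body, hashlib.sha256).digest()


def _open(key, blob):
    iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + body, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")   # tampered blob or wrong key
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body))))


def fingerprint(cmk):
    return hashlib.sha1(cmk).hexdigest()   # stand-in for the X.509 thumbprint (assumption)


def wrap_cek(cmk, cek):
    return _seal(cmk, cek, secrets.token_bytes(16))


def encrypt_value(cek, plaintext, enc_type):
    # Deterministic: IV is a MAC of the plaintext, so equal values give equal ciphertext
    # and equality lookups on the column still work. Randomized: fresh IV per value.
    if enc_type == "Deterministic":
        iv = hmac.new(cek, plaintext, hashlib.sha256).digest()[:16]
    elif enc_type == "Randomized":
        iv = secrets.token_bytes(16)
    else:
        raise ValueError("unknown encryption type: %r" % enc_type)
    return _seal(cek, plaintext, iv)


def decrypt_value(cek, blob):
    return _open(cek, blob)


class KeyStore:
    """Centralised CMK storage on the gateway side, keyed by fingerprint."""
    def __init__(self):
        self.cmks = {}

    def add(self, cmk, expires):
        fp = fingerprint(cmk)
        self.cmks[fp] = {"key": cmk, "status": "valid", "expires": expires}
        return fp

    def get(self, fp):
        entry = self.cmks[fp]
        if entry["status"] != "valid":
            raise PermissionError("column master key %s is invalid" % fp)
        return entry["key"]

    def expire(self, today):
        # daily batch: a CMK past its expiry date is marked invalid and refused by get()
        for entry in self.cmks.values():
            if entry["expires"] < today:
                entry["status"] = "invalid"


def encrypt_parameter(meta, value, store):
    # meta mirrors what sp_describe_parameter_encryption returns for one column
    cek = _open(store.get(meta["cmk_fingerprint"]), meta["cek_ciphertext"])
    return encrypt_value(cek, value, meta["encryption_type"])


def decrypt_result(meta, blob, store):
    cek = _open(store.get(meta["cmk_fingerprint"]), meta["cek_ciphertext"])
    return decrypt_value(cek, blob)


def rotate_cmk(store, metas, old_fp, new_cmk, expires):
    # Re-wrap every CEK under the new CMK and repoint the metadata; the old CMK stays
    # usable until the expiry batch invalidates it (the gateway-side analogue of the
    # Invoke-/Complete-SqlColumnMasterKeyRotation sequence on SQL Server).
    old_cmk = store.get(old_fp)
    new_fp = store.add(new_cmk, expires)
    for meta in metas:
        if meta["cmk_fingerprint"] == old_fp:
            meta["cek_ciphertext"] = wrap_cek(new_cmk, _open(old_cmk, meta["cek_ciphertext"]))
            meta["cmk_fingerprint"] = new_fp
    return new_fp


def demo():
    """Constructed walk-through; returns the facts a gateway test would check."""
    store = KeyStore()
    cmk, cek = secrets.token_bytes(32), secrets.token_bytes(32)
    fp = store.add(cmk, date(2025, 1, 1))
    meta = {"column": "Patients.SSN", "encryption_type": "Deterministic",
            "cek_ciphertext": wrap_cek(cmk, cek), "cmk_fingerprint": fp}
    c1 = encrypt_parameter(meta, b"123-45-6789", store)   # value bound as VARBINARY
    c2 = encrypt_parameter(meta, b"123-45-6789", store)
    new_fp = rotate_cmk(store, [meta], fp, secrets.token_bytes(32), date(2026, 1, 1))
    plain = decrypt_result(meta, c1, store)                # still readable after rotation
    store.expire(date(2025, 6, 1))                         # old CMK is now past expiry
    return c1 == c2, plain, meta["cmk_fingerprint"] == new_fp, store.cmks[fp]["status"]
```

The column encryption key itself never changes during rotation, only its wrapping, so previously stored ciphertext remains decryptable; and because the deterministic IV is a function of the plaintext, the same parameter value always produces the same ciphertext, which is what lets a deterministic column be used in an equality predicate while a randomized column cannot.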
In this embodiment, the method further comprises dangerous behavior interception, including DDL statement interception, DML statement interception, query result row count control, user login failure count control and the like;
DDL statement interception: the SQL text is parsed with the Microsoft.SqlServer.TransactSql.ScriptDom library to obtain the statement type (DDL statement), the DDL operation object (database, table, view, trigger, schema and the like) and the DDL operation type (alter, create, drop and the like), and whether to reject the access and raise an alarm is decided according to the preset rules for the login user.
DML statement interception: the SQL text is parsed with the Microsoft.SqlServer.TransactSql.ScriptDom library to obtain the statement type (DML statement), the operated table name and the operation type (CRUD), and whether to reject the access and raise an alarm is decided according to the preset rules for the login user.
Query result row count control: the TabularResult message of the TDS response is parsed to obtain the number of rows from the Done token, and whether to intercept the result and raise an alarm is decided according to a preset rule.
User login failure count control: a maximum number of login failures is set for the user, and if the number of failures exceeds the threshold, the client is prohibited from reconnecting for a certain period.
Other interception rules: for example, intercepting UPDATE and DELETE statements that carry no WHERE condition.
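The interception rules above, as an added example that is not the patent's code: per-user DDL and DML rules, the row-count limit read from the response, the login-failure lockout, and the "UPDATE or DELETE without WHERE" rule. The patent parses T-SQL with Microsoft.SqlServer.TransactSql.ScriptDom; the small regex classifier here is an assumed stand-in that covers only the constructed sample statements, and all rule values are constructed.

```python
"""Dangerous-behaviour interception for the gateway. Added example; the regex
classifier is a simplified stand-in for a real T-SQL parser (assumption)."""
import re
from collections import defaultdict

DDL_RE = re.compile(r"^\s*(create|alter|drop|truncate)\s+(database|table|view|trigger|schema|procedure|index)\s+([\w.\[\]]+)", re.I)
DML_RE = re.compile(r"^\s*(select|insert|update|delete)\b", re.I)
OBJECT_RE = {   # where the operated object name sits for each DML verb
    "select": re.compile(r"\bfrom\s+([\w.\[\]]+)", re.I),
    "insert": re.compile(r"\binto\s+([\w.\[\]]+)", re.I),
    "update": re.compile(r"^\s*update\s+([\w.\[\]]+)", re.I),
    "delete": re.compile(r"\bfrom\s+([\w.\[\]]+)", re.I),
}


def classify(sql):
    """Return (category, operation, object) for one statement."""
    m = DDL_RE.match(sql)
    if m:
        return "DDL", m.group(1).lower(), m.group(3)
    m = DML_RE.match(sql)
    if m:
        verb = m.group(1).lower()
        obj = OBJECT_RE[verb].search(sql)
        return "DML", verb, obj.group(1) if obj else None
    return "OTHER", None, None


def lacks_where(sql):
    """True for an UPDATE or DELETE that carries no WHERE clause."""
    return classify(sql)[1] in ("update", "delete") and not re.search(r"\bwhere\b", sql, re.I)


class Interceptor:
    def __init__(self, rules, max_rows, max_failures, lockout_seconds):
        self.rules = rules                  # user -> {"ddl": allowed DDL ops, "dml": allowed DML verbs}
        self.max_rows = max_rows
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(list)   # client -> timestamps of failed logins

    def check_statement(self, user, sql):
        """Decide before forwarding an RPC/SQLBatch message: (allow, reason)."""
        cat, op, obj = classify(sql)
        allowed = self.rules.get(user, {})
        if cat == "DDL" and op not in allowed.get("ddl", set()):
            return False, "DDL %s on %s denied for %s" % (op, obj, user)
        if cat == "DML" and op not in allowed.get("dml", set()):
            return False, "DML %s on %s denied for %s" % (op, obj, user)
        if lacks_where(sql):
            return False, "%s without WHERE clause" % op
        return True, "ok"

    def check_result(self, row_count):
        """Applied to the row count read from the Done token of the TabularResult."""
        if row_count > self.max_rows:
            return False, "result of %d rows exceeds limit of %d" % (row_count, self.max_rows)
        return True, "ok"

    def record_failure(self, client, now):
        recent = [t for t in self.failures[client] if now - t < self.lockout_seconds]
        self.failures[client] = recent + [now]

    def is_locked(self, client, now):
        """True while the client has reached max_failures within the lockout window."""
        recent = [t for t in self.failures[client] if now - t < self.lockout_seconds]
        return len(recent) >= self.max_failures
```

A denied statement is never forwarded to SQL Server; the reason string is what the gateway would write to its audit log and raise as the alarm, and the lockout is evaluated per client address using a sliding window so that old failures age out.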
In this embodiment, all access through the transparent gateway is recorded, and the access records (SQL text, bound parameters, query results and the like) can be viewed in a graphical interface; as shown in fig. 2, so as not to affect gateway performance, the TDS messages are sent to a Kafka cluster, and a batch program records the SQL text, restores the bound parameters and so on for later viewing. The audit log content includes: execution time, global session ID, client IP address, service name, client machine name, called stored procedure name, ID, transaction, SQL execution result, number of returned records, SQL feature hash, SQL execution time, SQL statement type, SQL statement (with bound parameters), data flow size and the like.
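Two of the audit fields above involve real computation rather than copying a value: restoring the bound parameters into the SQL text for display, and the SQL feature hash. The following is an added example, not the patent's code, that computes both and assembles one audit event; the normalisation rules behind the hash (literals and parameter markers blanked out, whitespace collapsed, case folded) and the record layout are assumptions, and the session values are constructed.

```python
"""Audit event construction for the gateway log path. Added example; the
feature-hash normalisation and the record layout are assumptions."""
import hashlib
import json
import re

# string literals (with doubled quotes), numeric literals, @parameters
LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b|@\w+")


def feature_hash(sql):
    """SHA-256 of the statement shape, so executions differing only in values share a hash."""
    shape = re.sub(r"\s+", " ", LITERAL_RE.sub("?", sql)).strip().lower()
    return hashlib.sha256(shape.encode("utf-8")).hexdigest()


def bind_parameters(sql, params):
    """Substitute bound values back into the text for display only; never execute the result."""
    out = sql
    for name, value in params.items():
        rendered = "'%s'" % value.replace("'", "''") if isinstance(value, str) else str(value)
        out = re.sub(re.escape(name) + r"\b", lambda _m: rendered, out)
    return out


def audit_event(session, sql, params, stmt_type, result, row_count, elapsed_ms, data_bytes):
    """One log entry carrying a subset of the fields the embodiment lists."""
    return {
        "execution_time": session["execution_time"],
        "session_id": session["session_id"],
        "client_ip": session["client_ip"],
        "service_name": session["service_name"],
        "client_machine": session["client_machine"],
        "procedure": session.get("procedure"),
        "statement_type": stmt_type,
        "result": result,
        "rows_returned": row_count,
        "elapsed_ms": elapsed_ms,
        "data_bytes": data_bytes,
        "sql_feature_hash": feature_hash(sql),
        "sql": bind_parameters(sql, params),
    }


def serialize(event):
    """JSON line as the batch program would hand it to the audit store."""
    return json.dumps(event, sort_keys=True)


# constructed session attributes the gateway would take from the connection and Login7 packet
SAMPLE_SESSION = {"execution_time": "2024-03-05T10:00:00", "session_id": "sess-0001",
                  "client_ip": "10.1.2.3", "service_name": "OrderService",
                  "client_machine": "APP-01", "procedure": None}
```

Grouping by feature hash is what makes the log useful for detection: a burst of statements that share one hash but vary only in literals is the typical pattern of automated enumeration, and it is invisible when each statement is logged as distinct text.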
Example 2
This embodiment provides a table field level encryption and security access control system, including:
the communication module is configured to be connected with the first server through the virtual login password and receive an access request message of the first server;
the encryption module is configured to parse the access request message to obtain the query parameter to be encrypted and its value, determine the encryption type, the ciphertext of the column encryption key and the column master key according to the encrypted field, decrypt the ciphertext of the column encryption key with the column master key, encrypt the value of the query parameter according to the encryption type and the decrypted column encryption key, package the encrypted query parameter into the access request message and forward the access request message to the second server;
and the decryption module is configured to receive the response message of the second server, analyze and decrypt the response message, and send the decrypted response message to the first server.
It should be noted that the modules correspond to the steps described in embodiment 1, and the modules are the same as the corresponding steps in the implementation examples and application scenarios, but are not limited to the disclosure in embodiment 1. It should be noted that the modules described above as part of a system may be implemented in a computer system such as a set of computer-executable instructions.
In further embodiments, there is also provided:
an electronic device comprising a memory and a processor and computer instructions stored on the memory and executed on the processor, the computer instructions when executed by the processor performing the method of embodiment 1. For brevity, no further description is provided herein.
It should be understood that in this embodiment the processor may be a central processing unit (CPU), and the processor may also be another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory may include both read-only memory and random access memory, and may provide instructions and data to the processor, and a portion of the memory may also include non-volatile random access memory. For example, the memory may also store device type information.
A computer readable storage medium storing computer instructions which, when executed by a processor, perform the method described in embodiment 1.
The method in embodiment 1 may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor. The software modules may be located in RAM, flash, ROM, PROM or EPROM, registers, or other storage media well known in the art. The storage medium is located in a memory, and the processor reads the information in the memory and completes the steps of the method in combination with its hardware. To avoid repetition, it is not described in detail here.
Those of ordinary skill in the art will appreciate that the various illustrative elements, i.e., algorithm steps, described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
Although the embodiments of the present invention have been described with reference to the accompanying drawings, it is not intended to limit the scope of the present invention, and it should be understood by those skilled in the art that various modifications and variations can be made without inventive efforts by those skilled in the art based on the technical solution of the present invention.

Claims (10)

1. A table field level encryption and security access control method is characterized by comprising the following steps:
connecting a first server through a virtual login password, and receiving an access request message of the first server;
analyzing the access request message to obtain the query parameter to be encrypted and the value thereof, determining the encryption type, the ciphertext of the column encryption key and the column master key according to the encryption field, decrypting the ciphertext of the column encryption key according to the column master key, encrypting the value of the query parameter according to the encryption type and the decrypted column encryption key, packaging the encrypted query parameter into the access request message, and forwarding the access request message to a second server;
and receiving the response message of the second server, analyzing and decrypting the response message, and sending the decrypted response message to the first server.
2. The table field level encryption and security access control method of claim 1, wherein connecting the first server comprises establishing an encrypted channel with the first server to receive the access request message, and the connection with the first server comprises a virtual login password, IP address verification, login time verification, login machine name verification or login procedure verification.
3. The table field level encryption and security access control method of claim 1, wherein the column master keys are managed uniformly, including centralized storage, rotation and state updating of the column master keys; a column master key fingerprint is determined by parsing the access request message, the corresponding column master key is obtained from the fingerprint, and the ciphertext of the column encryption key is decrypted with it.
4. The table field level encryption and security access control method of claim 1, wherein in the process of parsing and decrypting the response message, the encryption metadata of the column is obtained, including the encryption field, the encryption type, the ciphertext of the column encryption key, and the column master key fingerprint, the corresponding column master key is called according to the column master key fingerprint to decrypt the ciphertext of the column encryption key, and the response message is decrypted according to the encryption type and the decrypted column encryption key.
5. The table field level encryption and security access control method of claim 1, wherein the encrypted query parameters are encapsulated into the access request message, and the query parameter metadata type is modified, so as to encapsulate the encrypted query parameters into the SQL statements in the access request message, thereby completing the modification of the message body;
and deleting the encrypted metadata and restoring the field type when the plaintext of the decrypted response message is encapsulated into the response message.
6. The table field level encryption and security access control method of claim 1, wherein the control method further comprises decrypting the OUT parameter of the stored procedure, parsing the response message of the stored procedure to obtain the encryption type, and decrypting the OUT parameter using a pre-cached column encryption key.
7. The table field level encryption and security access control method of claim 1, wherein the control method further comprises a dangerous behavior interception, and the dangerous behavior interception comprises DDL statement interception, DML statement interception, query result line number control, and login failure number control.
8. A table field level encryption and secure access control system, comprising:
the communication module is configured to be connected with the first server through the virtual login password and receive an access request message of the first server;
the encryption module is configured to parse the access request message to obtain the query parameter to be encrypted and its value, determine the encryption type, the ciphertext of the column encryption key and the column master key according to the encryption field, decrypt the ciphertext of the column encryption key with the column master key, encrypt the value of the query parameter according to the encryption type and the decrypted column encryption key, encapsulate the encrypted query parameter into the access request message and forward the access request message to the second server;
and the decryption module is configured to receive the response message of the second server, analyze and decrypt the response message, and send the decrypted response message to the first server.
9. An electronic device comprising a memory and a processor and computer instructions stored on the memory and executed on the processor, the computer instructions when executed by the processor performing the method of any of claims 1-7.
10. A computer-readable storage medium storing computer instructions which, when executed by a processor, perform the method of any one of claims 1 to 7.
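The request path and response path of Example 2 and claims 1, 3, 4 and 8, as an added Go example that is not code from the patent: the gateway resolves a column master key (CMK) by fingerprint, unwraps the column encryption key (CEK) ciphertext, encrypts a bound query parameter according to the column's encryption type before forwarding, and decrypts a returned cell. Assumed here, since the patent does not specify them: AES-256-GCM for both key wrapping and value encryption, SHA-256 of the key bytes as the CMK fingerprint, the encryption type names "deterministic" and "randomized", an in-memory map as the key store, and an HMAC-derived nonce for deterministic columns so that equal values remain equality-searchable.

```go
package main

import (
	"crypto/aes"; "crypto/cipher"; "crypto/hmac"; "crypto/rand"
	"crypto/sha256"; "encoding/hex"; "errors"
)
// ColumnMeta is the column encryption metadata the gateway parses from a message (claim 4).
type ColumnMeta struct {
	EncType, CMKFingerprint string // "deterministic" | "randomized" (assumed names); hex SHA-256 of the CMK (assumed)
	CEKCipher               []byte // column encryption key wrapped under the CMK (AES-GCM, nonce prefixed; assumed)
}
// CMKStore stands in for the centralized column-master-key store, keyed by fingerprint (assumed in-memory).
var CMKStore = map[string][]byte{}
// gcm builds AES-256-GCM (assumed cipher); every key here is 32 bytes, so construction cannot fail.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
// seal encrypts pt and prefixes the 12-byte nonce. A deterministic column derives the nonce from
// HMAC(key, pt) so equal values stay equality-searchable; a randomized column uses a fresh random nonce.
func seal(key, pt []byte, deterministic bool) []byte {
	nonce := make([]byte, 12)
	if deterministic { m := hmac.New(sha256.New, key); m.Write(pt); copy(nonce, m.Sum(nil)) } else { rand.Read(nonce) }
	return append(nonce, gcm(key).Seal(nil, nonce, pt, nil)...)
}
// open reverses seal; a truncated or tampered ciphertext fails authentication.
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 { return nil, errors.New("ciphertext too short") }
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}
// WrapCEK registers cmk in the store and returns the metadata of a column protected by cek.
func WrapCEK(cmk, cek []byte, encType string) ColumnMeta {
	h := sha256.Sum256(cmk); fp := hex.EncodeToString(h[:]); CMKStore[fp] = cmk
	return ColumnMeta{EncType: encType, CMKFingerprint: fp, CEKCipher: seal(cmk, cek, false)}
}
// unwrapCEK resolves the CMK by fingerprint and decrypts the CEK ciphertext (claim 3).
func unwrapCEK(m ColumnMeta) ([]byte, error) {
	cmk, ok := CMKStore[m.CMKFingerprint]
	if !ok { return nil, errors.New("unknown column master key fingerprint") }
	return open(cmk, m.CEKCipher)
}
// EncryptParam is the request path: a plaintext bound parameter becomes ciphertext before forwarding.
func EncryptParam(m ColumnMeta, value string) ([]byte, error) {
	cek, err := unwrapCEK(m)
	if err != nil { return nil, err }
	return seal(cek, []byte(value), m.EncType == "deterministic"), nil
}
// DecryptValue is the response path: a ciphertext cell returned by the database is restored to plaintext.
func DecryptValue(m ColumnMeta, ct []byte) ([]byte, error) {
	cek, err := unwrapCEK(m)
	if err != nil { return nil, err }
	return open(cek, ct)
}
```

A request whose metadata names a fingerprint absent from the store, or a response cell that has been truncated or altered, is rejected rather than forwarded, which is the failure mode the key-management and decryption steps of the claims must handle.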
CN202111658174.3A 2021-12-30 2021-12-30 Table field level encryption and security access control method and system Pending CN114462059A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111658174.3A CN114462059A (en) 2021-12-30 2021-12-30 Table field level encryption and security access control method and system

Publications (1)

Publication Number Publication Date
CN114462059A true CN114462059A (en) 2022-05-10

Family

ID=81408236

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111658174.3A Pending CN114462059A (en) 2021-12-30 2021-12-30 Table field level encryption and security access control method and system

Country Status (1)

Country Link
CN (1) CN114462059A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001799A (en) * 2022-05-30 2022-09-02 上海华客信息科技有限公司 Page interaction method, system, equipment and storage medium based on check-in information
CN115174100A (en) * 2022-06-21 2022-10-11 武汉理工大学 Password processing method and system for gPRC data
CN115174100B (en) * 2022-06-21 2024-04-12 武汉理工大学 Password processing method and system for gRPC data
WO2024087312A1 (en) * 2022-10-28 2024-05-02 蚂蚁区块链科技(上海)有限公司 Database access method, computing device and server
CN115618396A (en) * 2022-11-28 2023-01-17 云账户技术(天津)有限公司 Data encryption method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination