CN114785498A - Database password protection method, device and equipment - Google Patents

Database password protection method, device and equipment

Info

Publication number
CN114785498A
Authority
CN
China
Prior art keywords
password
database
encryption
access
access password
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210434269.5A
Other languages
Chinese (zh)
Inventor
谢永贵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Qianhai Baidi Network Co ltd
Original Assignee
Shenzhen Qianhai Baidi Network Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Abstract

The application discloses a method, a device and equipment for protecting database passwords, which comprise the following steps: acquiring an access password query request aiming at a target database, which is sent by an application service; querying an access password of the target database based on the access password query request; encrypting the access password to obtain an encrypted password; and returning the encrypted password to the application service so that the application service calls an encryption and decryption file generated in advance by the password service to decrypt the encrypted password to obtain the access password. Therefore, the password plaintext or the encrypted password ciphertext is prevented from being written into the application program or the configuration file and the environment variable which can be accessed by the application program, the encryption is carried out through the password service, the encryption and decryption file generated by the password service is used for decryption, the security of the database password can be improved, and data leakage is prevented.

Description

Database password protection method, device and equipment
Technical Field
The present application relates to the field of database technologies, and in particular, to a method, an apparatus, and a device for protecting a database password.
Background
When a server program accesses a database, it usually has to create a connection in order to interact with the database. Creating that connection requires information such as the URL, user name and password for accessing the database; this information is usually written into a configuration file, an environment variable or a code segment that the application program can read, and the database access channel is established from it when the connection is created. However, this information is easily obtained by the development, operation and maintenance personnel involved, or by attackers, which leaks the database password, in turn allows the data stored in the database to be illegally obtained, and leads to serious data security incidents.
At present, the existing solution for protecting a database password is to encrypt it with some encryption technique and write the encrypted password into a configuration file or the program code; when the application needs to establish a database connection, it reads out the ciphertext, decrypts it with the same key and the corresponding decryption algorithm to obtain the plaintext database access password, and then accesses the database to establish the connection. However, in this scheme the key and the encryption algorithm are present on the application server as part of the application program, or of the configuration files and environment variables the application program can access. The development, operation and maintenance personnel involved, or an attacker who illegally logs in to the application server, can still obtain the key and the algorithm by analyzing the application program, its configuration files and its environment variables, and from them obtain the database access password, so a major security risk remains.
Disclosure of Invention
In view of this, an object of the present application is to provide a method, an apparatus, and a device for protecting a database password, which can improve security of the database password, thereby preventing data leakage. The specific scheme is as follows:
in a first aspect, the present application discloses a database password protection method, applied to a password service, including:
acquiring an access password query request aiming at a target database, which is sent by an application service;
querying an access password of the target database based on the access password query request;
encrypting the access password to obtain an encrypted password;
and returning the encrypted password to the application service so that the application service calls an encryption and decryption file generated in advance by the password service to decrypt the encrypted password to obtain the access password.
Optionally, the method further includes:
generating a public and private key pair corresponding to the application service, and adding a private key in the public and private key pair to the encryption and decryption file;
correspondingly, the encrypting the access password to obtain an encrypted password includes:
encrypting the access password by using a public key in the public and private key pair to obtain an encrypted password;
and the application service is used for calling the private key in the encryption and decryption file to decrypt the encrypted password to obtain the access password.
Optionally, the access password query request carries a first ciphertext; the first ciphertext is a ciphertext obtained by encrypting request data by using a target key in the encryption and decryption file, and the request data comprises identification information of the application service;
correspondingly, the querying the access password of the target database based on the access password query request includes:
decrypting the first ciphertext by using the target key to obtain first decrypted data;
inquiring the public key corresponding to the application service based on the identification information in the first decrypted data and the source IP address of the access password inquiry request;
and if the public key is inquired, inquiring the access password of the target database.
Optionally, the request data further includes a second ciphertext; the second ciphertext is a ciphertext obtained by encrypting specified information by using the private key in the encryption and decryption file, wherein the specified information comprises at least one of identification information of the application service, an outlet IP address for accessing the password service and a random character string generated by the encryption and decryption file;
correspondingly, if the public key is queried, the method further includes:
decrypting the second ciphertext by using the public key to obtain second decrypted data;
and verifying the second decrypted data, and inquiring the access password of the target database if the second decrypted data passes the verification.
Optionally, the verifying the second decrypted data includes:
if the second decrypted data comprises the identification information of the application service, comparing the identification information with the identification information in the first decrypted data, and if the identification information is consistent with the identification information in the first decrypted data, judging that the identification information passes verification;
if the second decrypted data comprises the exit IP address, comparing the exit IP address with the source IP address of the access password inquiry request, and if the exit IP address is consistent with the source IP address of the access password inquiry request, judging that the exit IP address passes verification;
if the second decrypted data comprises the random character string, judging whether the random character string is acquired for the first time, and if the random character string is acquired for the first time, judging that the random character string passes verification;
and when all the specified information in the second decrypted data passes the verification, judging that the second decrypted data passes the verification.
Optionally, after the encrypting the access password to obtain the encrypted password, the method further includes:
encrypting the encrypted password and the identification information of the application service by using a target key to obtain a response ciphertext;
and returning the response ciphertext to the application service so that the application service calls the encryption and decryption file to decrypt the response ciphertext, comparing the identification information obtained by decryption with prestored identification information, and if the identification information is consistent with the prestored identification information, decrypting the encrypted password to obtain the access password.
Optionally, the method further includes:
acquiring an encryption and decryption file generation request;
and judging whether the encryption and decryption file generation request is a local request or not, and if the encryption and decryption file generation request is the local request, generating the encryption and decryption file.
Optionally, the method further includes:
and determining the update password of the target database at regular time, and modifying the current access password into the update password.
In a second aspect, the present application discloses a database password protection apparatus, which is applied to a password service, and includes:
the query request acquisition module is used for acquiring an access password query request aiming at a target database sent by an application service;
the access password query module is used for querying an access password of the target database based on the access password query request;
the access password encryption module is used for encrypting the access password to obtain an encrypted password;
and the encrypted password returning module is used for returning the encrypted password to the application service so that the application service calls an encrypted and decrypted file generated in advance by the password service to decrypt the encrypted password to obtain the access password.
In a third aspect, the present application discloses an electronic device comprising a processor and a memory, wherein:
the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the foregoing database password protection method.
In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program, which when executed by a processor implements the aforementioned database password protection method.
In a fifth aspect, the present application discloses a computer program product, which when executed implements the aforementioned database password protection method.
Therefore, in the present application a password service obtains an access password query request for a target database sent by an application service, queries the access password of the target database based on that request, encrypts the access password to obtain an encrypted password, and finally returns the encrypted password to the application service, so that the application service can call an encryption and decryption file generated in advance by the password service to decrypt the encrypted password and obtain the access password. That is, the application service's request for the access password of the target database is handled by the password service: after the access password is queried, it is encrypted and the encrypted password is returned to the application service, which can decrypt it only by calling the encryption and decryption file generated in advance by the password service. In this way neither the plaintext password nor the encrypted password ciphertext is written into the application program, or into configuration files or environment variables the application program can access; encryption is performed by the password service and decryption by the encryption and decryption file it generated, so the security of the database password is improved and data leakage is prevented.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a diagram of a system architecture for a database password protection scheme as disclosed herein;
FIG. 2 is a flow chart of database password protection as disclosed herein;
FIG. 3 is a schematic diagram of a specific encryption/decryption file generation disclosed in the present application;
FIG. 4 is a flow chart of a specific database access password request disclosed herein;
FIG. 5 is a schematic diagram of a database password protection scheme disclosed herein;
FIG. 6 is a schematic diagram of a database password protection apparatus according to the present disclosure;
FIG. 7 is a block diagram of an electronic device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, the existing solution for protecting a database password is to encrypt it with some encryption technique and write the encrypted password into a configuration file or the program code; when the application needs to establish a database connection, it reads out the ciphertext, decrypts it with the same key and the corresponding decryption algorithm to obtain the plaintext database access password, and then accesses the database to establish the connection. However, in this scheme the key and the encryption algorithm are present on the application server as part of the application program, or of the configuration files and environment variables the application program can access. The development, operation and maintenance personnel involved, or an attacker who illegally logs in to the application server, can still obtain the key and the algorithm by analyzing the application program, its configuration files and its environment variables, and from them obtain the database access password, so a major security risk remains. Therefore, the present application provides a database password protection scheme that improves the security of the database password and so prevents data leakage.
The system framework adopted in the database password protection of the present application may be seen in fig. 1 and may specifically include a second electronic device 101 and a first electronic device 102, which are communicatively connected through a network 103. The first electronic device and the second electronic device may both be terminal devices or servers. For example, the first electronic device may be a server running the cryptographic service, and the second electronic device may be a terminal running the application service. As shown in fig. 1, the second electronic device sends an access password query request for the target database to the first electronic device through the network, and the first electronic device returns response data to the second electronic device.
Referring to fig. 2, the embodiment of the present application discloses a database password protection method, which is applied to a password service, and includes:
step S11: and acquiring an access password query request which is sent by an application service and aims at the target database.
In a specific implementation manner, in the embodiment of the present application, an encryption/decryption file generation request may be obtained first; and judging whether the encryption and decryption file generation request is a local request or not, and if the encryption and decryption file generation request is the local request, generating the encryption and decryption file.
It should be noted that, in the embodiment of the present application, the cryptographic service provides a database access password interface through which an application service may obtain a database access password. Generating an encryption/decryption file likewise requires calling a corresponding interface provided by the cryptographic service. To prevent an attacker from generating an encryption/decryption file by himself and forging database access password interface requests with it, the cryptographic service restricts the interface that generates encryption/decryption files so that it is accessible only through a local request; the maintainer of the application service may deploy the cryptographic service in a security domain and manually run a script on the machine where the cryptographic service is deployed to generate the encryption/decryption file. The encryption/decryption file can therefore be generated only on the machine where the cryptographic service is deployed, which improves security.
The encryption and decryption file generation request carries the identification information of the application service and the exit IP address from which it accesses the password service. The identification information may be the package name of the application service program, and the exit IP address is the IP address bound when the application service requests the password service. When the password service judges that the generation request is a local request, it checks whether an encryption and decryption file has already been generated for that identification information and exit IP address; if not, it generates an encryption and decryption file for the application service (application services and encryption and decryption files correspond one to one), generates a public and private key pair for the application service, and adds the private key of the pair to the encryption and decryption file. The identification information of the application service, the exit IP address used to access the cryptographic service and the public key are then saved in the cryptographic service database.
For example, fig. 3 shows a specific encryption/decryption file generation process disclosed in an embodiment of the present application. To generate an encryption and decryption file, the package name of the application service program and the exit IP address used to access the password service are input, and the password service checks whether an encryption and decryption file for that package name and IP address has already been generated. If not, it generates a public and private key pair, records the public key, the package name and the exit IP address in the password service database, generates the encryption and decryption file code, attaches the private key to that code, obfuscates the code with a code obfuscation technique, and finally compiles it into a .so file for output; the file is deployed to the application service, which calls it for the encryption and decryption operations of password service interface requests. Encryption and decryption files correspond one to one with application service deployment instances, and a correct encryption or decryption result is obtained only when the package name of the application service program and the exit IP address used to access the password service match those entered in the password service database. The encryption and decryption file only accepts an input string and returns the encryption or decryption result; it outputs no other information.
Step S12: and querying the access password of the target database based on the access password query request.
In a specific implementation manner, the access password query request carries a first ciphertext; the first ciphertext is a ciphertext obtained by encrypting request data by using a target secret key in the encryption and decryption file, wherein the request data comprises identification information of the application service; correspondingly, the first ciphertext can be decrypted by using the target key to obtain first decrypted data; inquiring the public key corresponding to the application service based on the identification information in the first decryption data and the source IP address of the access password inquiry request; and if the public key is inquired, inquiring the access password of the target database.
The target key may be a fixed key, and the fixed key may be modified periodically. And if the public key can not be inquired, returning an error response.
It should be noted that, in the embodiment of the present application, the public key corresponding to the application service may be queried in the cryptographic service database based on the identification information in the first decrypted data and the source IP address of the access password query request. Because the exit IP address used to access the cryptographic service is stored in the cryptographic service database, the lookup is made with the identification information and the source IP address of the request, and the public key is returned only if both match the stored record. Restricting the exit IP address in this way means that the database access password interface can only be invoked from a specified machine, namely one registered with the cryptographic service.
Further, the request data further comprises a second ciphertext; the second ciphertext is a ciphertext obtained by encrypting specified information by using the private key in the encryption and decryption file, wherein the specified information comprises at least one of identification information of the application service, an outlet IP address for accessing the password service and a random character string generated by the encryption and decryption file; correspondingly, if the public key is queried, the method further includes: decrypting the second ciphertext by using the public key to obtain second decrypted data; and verifying the second decrypted data, and inquiring the access password of the target database if the second decrypted data passes the verification.
Wherein the verifying the second decrypted data comprises: if the second decrypted data comprises the identification information of the application service, comparing the identification information with the identification information in the first decrypted data, and if the identification information is consistent with the identification information in the first decrypted data, judging that the identification information passes verification; if the second decrypted data comprises the exit IP address, comparing the exit IP address with the source IP address of the access password inquiry request, and if the exit IP address is consistent with the source IP address of the access password inquiry request, judging that the exit IP address passes verification; if the second decrypted data comprises the random character string, judging whether the random character string is acquired for the first time, if so, judging that the random character string passes the verification, otherwise, judging that the random character string does not pass the verification; and when all the specified information in the second decrypted data passes the verification, judging that the second decrypted data passes the verification. And if any item of the specified information in the second decrypted data is not verified, determining that the second decrypted data is not verified, and generating an error response.
Step S13: and encrypting the access password to obtain an encrypted password.
In a specific implementation manner, the access password may be encrypted by using a public key in the public-private key pair to obtain an encrypted password.
Step S14: and returning the encrypted password to the application service so that the application service calls an encryption and decryption file generated in advance by the password service to decrypt the encrypted password to obtain the access password.
In a specific embodiment, after the encrypting the access password to obtain an encrypted password, the method further includes: encrypting the encrypted password and the identification information of the application service by using a target key to obtain a response ciphertext; and then returning the response ciphertext to the application service so that the application service calls the encryption and decryption file to decrypt the response ciphertext, compares the identification information obtained by decryption with pre-stored identification information, and decrypts the encrypted password if the identification information obtained by decryption is consistent with the pre-stored identification information to obtain the access password.
And the encryption and decryption file decrypts the encrypted password by using the private key to obtain the access password.
For example, fig. 4 is a flowchart of a specific database access password request disclosed in an embodiment of the present application. In fig. 4, the encryption and decryption module is a functional module implemented on the basis of the encryption and decryption file. The application service calls the encryption and decryption module to check its own service package name; if the check succeeds, a request string is generated as the specified information, for example {"pkg": "com.xxx", "IP": "xxx.xxx.xxx.xx", "rand": "dsfetkwowerwoweoweoweojoinjeejjeejjejtjejtjejtejlerk"}, where pkg is the application service package name, IP is the exit IP address used to access the cryptographic service and rand is a generated random string. The request string is encrypted with the private key to obtain the cip parameter, i.e. the second ciphertext; the application service package name and the second ciphertext are then encrypted with the fixed key to generate the first ciphertext, and a request is initiated based on the first ciphertext. If the check fails, an invalid ciphertext is generated instead, encrypted together with the application service package name using the fixed key, and the request is initiated with that. The invalid ciphertext is obtained by encrypting an error identifier with the private key.
After receiving the request, the password service decrypts the request data with the fixed key and obtains the IP address of the request source from the network layer. It then looks up the public key in the password service data according to the application service package name and the request source IP address. If a public key exists, it is used to decrypt the cip parameter, which yields the application service package name preset in the encryption and decryption module, the exit IP address used to access the password service, and the random string; these are verified. After the verification passes, the access password of the database is queried, the access password is first encrypted with the public key, and the encrypted password and the application package name are then encrypted with the fixed key and returned as the response. On receiving the response, the application service calls the encryption and decryption module to decrypt it: the fixed key is used first, the application package name is verified, and once that verification succeeds the encrypted password is decrypted with the private key and the database access password is output. If, after decrypting a received request with the fixed key, the password service obtains an invalid ciphertext, decrypting it with the public key yields the error identifier, which cannot pass verification, and the embodiment of the application may record the request source IP as a risky IP. That is, in the embodiment of the present application, the application service obtains the database access password by calling the password service interface, and on the application service side the encryption and decryption module provided by the password service is used to encrypt the request data and to decrypt the response data returned by the password service interface, thereby protecting the access password of the database.
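The exchange described above, as an added example written for this page (it is not the applicant's code): both sides of the fig. 4 request and response in Python. Every primitive is a constructed stand-in: the "fixed key" cipher is an HMAC-based keystream in place of a real authenticated cipher, the per-application key pair is textbook RSA without padding, and the patent's "encrypt the specified information with the private key / decrypt it with the public key" is realised as an RSA signature over the SHA-256 digest that the service verifies with the public key. The package name com.example.orders, the addresses and the sample password are constructed, and treating a "local request" (the condition for generating the encryption and decryption file) as one from a loopback address is an assumption. Besides the successful path, the example shows the rejections the text describes: a replayed random string, the error identifier produced when the package-name check fails (with the source IP recorded as risky), and a request whose package name and source IP have no registered public key.

```python
# Added example (not the patent's code): the fig. 4 exchange with constructed stand-in primitives.
import hashlib, hmac, json, math, secrets, struct

# "Fixed key" layer: HMAC-SHA256 keystream XOR, standing in for a real authenticated cipher.
def _crypt(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key, obj):                       # nonce || keystream-XOR(JSON)
    nonce = secrets.token_bytes(16)
    return nonce + _crypt(key, nonce, json.dumps(obj).encode())

def unseal(key, blob):
    return json.loads(_crypt(key, blob[:16], blob[16:]))

# Textbook RSA without padding (illustrative only) for the per-application key pair.
def _is_prime(n, rounds=16):              # Miller-Rabin; composite if no squaring reaches n-1
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all((x := pow(x, 2, n)) != n - 1 for _ in range(r - 1)):
            return False
    return True

def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(c):
            return c

def gen_keypair(bits=320):                # modulus above 2^256 so a SHA-256 digest fits in it
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        e, phi = 65537, (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))   # (public, private)

def rsa(key, x): return pow(x, key[1], key[0])              # key is (modulus, exponent)
def digest(data): return int.from_bytes(hashlib.sha256(data).digest(), "big")
def as_int(msg): return int.from_bytes(b"\x01" + msg, "big")  # 0x01 marker keeps the length
def as_bytes(m): return m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
# Application side; the encryption/decryption file holds package name, private key, fixed key.
def build_request(encfile, exit_ip, running_pkg):
    if running_pkg == encfile["pkg"]:     # package-name check succeeds: sign the specified info
        body = json.dumps({"pkg": encfile["pkg"], "ip": exit_ip,
                           "rand": secrets.token_hex(16)}, sort_keys=True)
    else:
        body = "ERROR"                    # check fails: sign the error identifier instead
    cip = [body, rsa(encfile["priv"], digest(body.encode()))]           # second ciphertext
    return seal(encfile["fixed"], {"pkg": encfile["pkg"], "cip": cip})  # first ciphertext

def read_response(encfile, blob):
    resp = unseal(encfile["fixed"], blob)
    if "enc" not in resp or resp["pkg"] != encfile["pkg"]:  # package name must match
        return None
    return as_bytes(rsa(encfile["priv"], resp["enc"])).decode()

class PasswordService:
    def __init__(self):
        self.fixed = secrets.token_bytes(32)
        self.pubkeys, self.passwords = {}, {}     # (pkg, source ip) -> pubkey; db -> password
        self.seen_rand, self.risky_ips = set(), set()

    def generate_encdec_file(self, pkg, app_ip, request_from):
        if request_from not in ("127.0.0.1", "::1"):   # assumption: "local" means loopback
            raise PermissionError("not a local request")
        pub, priv = gen_keypair()
        self.pubkeys[(pkg, app_ip)] = pub
        return {"pkg": pkg, "priv": priv, "fixed": self.fixed}

    def handle(self, blob, source_ip, db):
        req = unseal(self.fixed, blob)                          # first decrypted data
        pub = self.pubkeys.get((req["pkg"], source_ip))         # keyed by package name + source IP
        body, sig = req["cip"]
        spec = json.loads(body) if body != "ERROR" else {}      # second decrypted data
        ok = (pub is not None and rsa(pub, sig) == digest(body.encode())
              and spec.get("pkg") == req["pkg"] and spec.get("ip") == source_ip
              and "rand" in spec and spec["rand"] not in self.seen_rand)   # first use only
        if not ok:
            self.risky_ips.add(source_ip)                       # record the source as risky
            return seal(self.fixed, {"error": "verification failed"})
        self.seen_rand.add(spec["rand"])
        enc = rsa(pub, as_int(self.passwords[db].encode()))     # public-key-encrypted password
        return seal(self.fixed, {"pkg": req["pkg"], "enc": enc})

def demo():
    svc = PasswordService()
    svc.passwords["orders_db"] = "initial-pw-7f3a"              # constructed sample password
    f = svc.generate_encdec_file("com.example.orders", "10.0.0.5", request_from="127.0.0.1")
    req = build_request(f, "10.0.0.5", running_pkg="com.example.orders")
    first = read_response(f, svc.handle(req, "10.0.0.5", "orders_db"))
    replay = read_response(f, svc.handle(req, "10.0.0.5", "orders_db"))   # same rand: rejected
    bad = build_request(f, "10.0.0.5", running_pkg="com.other.copy")      # error identifier
    wrong = read_response(f, svc.handle(bad, "10.0.0.5", "orders_db"))
    return first, replay, wrong, sorted(svc.risky_ips)
```

The service looks the public key up by the pair (package name, source IP), so a request that carries a valid file but arrives from another address finds no key and is rejected before any password is touched; the random string is accepted only on first use, which is what turns a captured request into a useless replay. A production version would replace the stand-in primitives with an AEAD cipher and a padded signature scheme, and the set of seen random strings would need an expiry.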
Furthermore, the embodiment of the application can also determine an update password for the target database at regular intervals and change the current access password to the update password.
In a specific implementation, the password service can start a timed task that periodically changes the access password of the application database and notifies the application system; after the change, the new password can only be obtained through a legitimate request to the password service interface. Thus, even if an attacker obtains the access password of the application database, that password becomes invalid after a period of time, which improves password security. An initial password may also be specified before the timed task that dynamically changes the application database password is started.
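The timed rotation, as an added example (not the applicant's code) with constructed in-memory stand-ins for the target database and for the password service interface: the timed task rotates the password on a deterministic clock supplied to `tick`, a copy of the password that escaped before the rotation stops working, an application that receives the notification drops its cached copy, and an application without the notification recovers by re-querying the interface after one authentication failure. The user name app_user, the rotation interval and the initial password are constructed values.

```python
# Added example (not the patent's code): timed rotation of a database access password by the
# password service, with applications that re-fetch the password instead of storing it.
import secrets, string

class Database:
    """Constructed stand-in for the target database's account store."""
    def __init__(self, user, initial_password):
        self.user, self._password, self.auth_failures = user, initial_password, 0

    def alter_user_password(self, user, new_password):   # what the service runs on rotation
        assert user == self.user
        self._password = new_password

    def connect(self, user, password):
        if user == self.user and secrets.compare_digest(password, self._password):
            return f"connection:{user}"
        self.auth_failures += 1
        raise PermissionError("authentication failed")

class PasswordService:
    def __init__(self, db, initial_password, rotate_every):
        self.db, self.current = db, initial_password     # initial password set before the timer
        self.rotate_every, self.next_due = rotate_every, rotate_every
        self.subscribers, self.rotations = [], 0

    def get_access_password(self):   # stands in for the authenticated interface of fig. 4
        return self.current

    def tick(self, now):             # called by the timed task; explicit clock for the example
        if now >= self.next_due:
            self.rotate()
            self.next_due = now + self.rotate_every

    def rotate(self):
        new = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(32))
        self.db.alter_user_password(self.db.user, new)    # change the database first, then publish
        self.current, self.rotations = new, self.rotations + 1
        for notify in self.subscribers:                   # notify the application systems
            notify()

class AppService:
    def __init__(self, svc, user, subscribe=True):
        self.svc, self.user, self.cached = svc, user, None
        if subscribe:
            svc.subscribers.append(self.invalidate)      # notification drops the cached copy only

    def invalidate(self):
        self.cached = None

    def connect(self):
        if self.cached is None:
            self.cached = self.svc.get_access_password()
        try:
            return self.svc.db.connect(self.user, self.cached)
        except PermissionError:                           # raced with a rotation: re-query once
            self.cached = self.svc.get_access_password()
            return self.svc.db.connect(self.user, self.cached)

def demo():
    db = Database("app_user", "initial-pw")
    svc = PasswordService(db, "initial-pw", rotate_every=3600)
    app = AppService(svc, "app_user")
    unsubscribed = AppService(svc, "app_user", subscribe=False)
    leaked = svc.get_access_password()                    # a copy that escaped at t = 0
    app.connect()                                         # both applications cache the initial value
    unsubscribed.connect()
    svc.tick(now=1800)                                    # not due yet
    svc.tick(now=3600)                                    # rotation happens here
    try:
        db.connect("app_user", leaked)
        leaked_works = True
    except PermissionError:
        leaked_works = False
    ok = app.connect() == "connection:app_user" and unsubscribed.connect() == "connection:app_user"
    return svc.rotations, leaked_works, ok, db.auth_failures
```

The ordering inside `rotate` matters: the database account is changed before the new value is published, so no application is ever told a password the database does not yet accept. The application that missed the notification pays one failed login, which is the event a detection rule on the database side would see after each rotation.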
Further, referring to fig. 5, an embodiment of the present application discloses a schematic diagram of a database password protection scheme. In this scheme, a database access password service with restricted access provides a database access password interface to the application service; the application service obtains the database access password through this interface and uses it to create the database connection. To improve password security, the database access password service changes the access password of the database at random; before calling the database access password interface, the application service calls the encryption and decryption module generated by the password service to encrypt the request data, and it decrypts the data returned by the password interface service to obtain the access password of the database. The encryption and decryption module is a functional module implemented on the basis of the encryption and decryption file, which is a file generated by the password service.
Therefore, in the embodiment of the application, the password service obtains an access password query request for a target database sent by an application service, queries the access password of the target database on the basis of that request, encrypts the access password to obtain an encrypted password, and finally returns the encrypted password to the application service, which calls the encryption and decryption file generated in advance by the password service to decrypt the encrypted password and obtain the access password. That is, the password service handles the application service's access password request for the target database: once the access password has been queried it is encrypted, the encrypted password is returned, and the application service can decrypt it only by calling the encryption and decryption file generated in advance by the password service. This avoids writing the password plaintext, or the ciphertext of the encrypted password, into the application program or into configuration files and environment variables accessible to the application program; encryption is performed by the password service and decryption by the encryption and decryption file that the password service generated, so the security of the database password is improved and data leakage is prevented.
Referring to fig. 6, an embodiment of the present application discloses a database password protection device, which is applied to a password service, and includes:
a query request obtaining module 11, configured to obtain an access password query request for a target database sent by an application service;
an access password query module 12, configured to query an access password of the target database based on the access password query request;
an access password encryption module 13, configured to encrypt the access password to obtain an encrypted password;
and an encrypted password returning module 14, configured to return the encrypted password to the application service, so that the application service calls an encryption and decryption file generated in advance by the password service to decrypt the encrypted password, and obtains the access password.
Therefore, in the embodiment of the application, the password service obtains an access password query request for a target database sent by an application service, queries the access password of the target database on the basis of that request, encrypts the access password to obtain an encrypted password, and finally returns the encrypted password to the application service, which calls the encryption and decryption file generated in advance by the password service to decrypt the encrypted password and obtain the access password. That is, the password service handles the application service's access password request for the target database: once the access password has been queried it is encrypted, the encrypted password is returned, and the application service can decrypt it only by calling the encryption and decryption file generated in advance by the password service. This avoids writing the password plaintext, or the ciphertext of the encrypted password, into the application program or into configuration files and environment variables accessible to the application program; encryption is performed by the password service and decryption by the encryption and decryption file that the password service generated, so the security of the database password is improved and data leakage is prevented.
Further, the device also includes an encryption and decryption file generation module, specifically configured to: obtain an encryption and decryption file generation request; and judge whether the encryption and decryption file generation request is a local request, and if it is a local request, generate the encryption and decryption file.
The encryption and decryption file generation module is further configured to generate a public and private key pair corresponding to the application service and to add the private key of the pair to the encryption and decryption file;
correspondingly, the access password encryption module 13 is specifically configured to encrypt the access password with the public key of the pair to obtain the encrypted password; the application service then calls the private key in the encryption and decryption file to decrypt the encrypted password and obtain the access password.
Further, the access password query request carries a first ciphertext; the first ciphertext is a ciphertext obtained by encrypting request data by using a target key in the encryption and decryption file, and the request data comprises identification information of the application service;
correspondingly, the access password query module 12 includes:
the first decryption module is used for decrypting the first ciphertext by using the target key to obtain first decrypted data;
a public key query module, configured to query the public key corresponding to the application service based on the identification information in the first decrypted data and a source IP address of the access password query request;
and the password query module is used for querying the access password of the target database if the public key is queried.
Further, the request data further comprises a second ciphertext; the second ciphertext is a ciphertext obtained by encrypting specified information with the private key in the encryption and decryption file, wherein the specified information comprises at least one of the identification information of the application service, the exit IP address used to access the password service, and a random character string generated by the encryption and decryption file;
correspondingly, the password query module further comprises:
a second decryption module, configured to decrypt the second ciphertext with the public key to obtain second decrypted data if the public key query module has found the public key;
and a decrypted data verification module, configured to verify the second decrypted data and to query the access password of the target database if the second decrypted data passes the verification.
Further, the decrypted data verification module is specifically configured to:
if the second decrypted data comprises the identification information of the application service, comparing the identification information with the identification information in the first decrypted data, and if the identification information is consistent with the identification information in the first decrypted data, judging that the identification information passes verification;
if the second decrypted data comprise the exit IP address, comparing the exit IP address with the source IP address of the access password query request, and if the exit IP address is consistent with the source IP address of the access password query request, judging that the exit IP address passes verification;
if the second decrypted data comprises the random character string, judging whether the random character string is acquired for the first time, and if the random character string is acquired for the first time, judging that the random character string passes verification;
and when all the items of specified information in the second decrypted data pass the verification, judging that the second decrypted data pass the verification.
Further, the apparatus further comprises:
an encryption module, configured to encrypt the encrypted password and the identification information of the application service with the target key to obtain a response ciphertext;
correspondingly, the encrypted password returning module 14 is specifically configured to return the response ciphertext to the application service, so that the application service calls the encryption and decryption file to decrypt the response ciphertext, compares the decrypted identification information with the prestored identification information, and decrypts the encrypted password to obtain the access password if the two are consistent.
In addition, the device also includes an access password update module, configured to determine the update password of the target database at regular intervals and to change the current access password to the update password.
Referring to fig. 7, an embodiment of the present application discloses an electronic device 20, which includes a processor 21 and a memory 22; wherein, the memory 22 is used for storing computer programs; the processor 21 is configured to execute the computer program, and the database password protection method disclosed in the foregoing embodiment.
For the specific process of the above database password protection method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
The memory 22, as the carrier for resource storage, may be a read-only memory, a random access memory, a magnetic disk or an optical disk, and the storage may be transient or permanent.
In addition, the electronic device 20 further includes a power supply 23, a communication interface 24, an input-output interface 25, and a communication bus 26; the power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol applicable to the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to acquire external input data or output data to the outside, and a specific interface type thereof may be selected according to specific application requirements, which is not specifically limited herein.
Further, an embodiment of the present application also discloses a computer-readable storage medium for storing a computer program, where the computer program is executed by a processor to implement the database password protection method disclosed in the foregoing embodiment.
For the specific process of the above database password protection method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
The embodiment of the application also discloses a computer program product which, when executed, implements the database password protection method disclosed in the foregoing embodiment.
For the specific process of the above database password protection method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
In the present specification, the embodiments are described in a progressive manner, and each embodiment focuses on differences from other embodiments, and the same or similar parts between the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above detailed description is given to a database password protection method, apparatus, and device provided by the present application, and specific examples are applied herein to explain the principles and embodiments of the present application, and the descriptions of the above embodiments are only used to help understand the method and core ideas of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, the specific implementation manner and the application scope may be changed, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (11)

1. A database password protection method is applied to password service and comprises the following steps:
acquiring an access password query request aiming at a target database, which is sent by an application service;
querying an access password of the target database based on the access password query request;
encrypting the access password to obtain an encrypted password;
and returning the encrypted password to the application service so that the application service calls an encryption and decryption file generated in advance by the password service to decrypt the encrypted password to obtain the access password.
2. The database password protection method of claim 1, further comprising:
generating a public and private key pair corresponding to the application service, and adding a private key in the public and private key pair to the encryption and decryption file;
correspondingly, the encrypting the access password to obtain an encrypted password includes:
encrypting the access password by using a public key in the public and private key pair to obtain an encrypted password;
and the application service is used for calling the private key in the encryption and decryption file to decrypt the encrypted password to obtain the access password.
3. The database password protection method of claim 2, wherein the access password query request carries a first ciphertext; the first ciphertext is a ciphertext obtained by encrypting request data by using a target key in the encryption and decryption file, wherein the request data comprises identification information of the application service;
correspondingly, the querying the access password of the target database based on the access password query request comprises:
decrypting the first ciphertext by using the target key to obtain first decrypted data;
inquiring the public key corresponding to the application service based on the identification information in the first decrypted data and the source IP address of the access password inquiry request;
and if the public key is inquired, inquiring the access password of the target database.
4. The database password protection method of claim 3, wherein said request data further includes a second ciphertext; the second ciphertext is a ciphertext obtained by encrypting specified information by using the private key in the encryption and decryption file, wherein the specified information comprises at least one of identification information of the application service, an exit IP address for accessing the password service and a random character string generated by the encryption and decryption file;
correspondingly, if the public key is queried, the method further includes:
decrypting the second ciphertext by using the public key to obtain second decrypted data;
and verifying the second decrypted data, and inquiring the access password of the target database if the second decrypted data passes the verification.
5. The database password protection method of claim 4, wherein said verifying said second decrypted data comprises:
if the second decrypted data comprises the identification information of the application service, comparing the identification information with the identification information in the first decrypted data, and if the identification information is consistent with the identification information in the first decrypted data, judging that the identification information passes verification;
if the second decrypted data comprises the exit IP address, comparing the exit IP address with the source IP address of the access password inquiry request, and if the exit IP address is consistent with the source IP address of the access password inquiry request, judging that the exit IP address passes verification;
if the second decrypted data comprises the random character string, judging whether the random character string is acquired for the first time, and if the random character string is acquired for the first time, judging that the random character string passes verification;
and when all the specified information in the second decrypted data passes the verification, judging that the second decrypted data passes the verification.
6. The database password protection method of claim 3, wherein after encrypting the access password to obtain the encrypted password, the method further comprises:
encrypting the encrypted password and the identification information of the application service by using a target key to obtain a response ciphertext;
and returning the response ciphertext to the application service so that the application service calls the encryption and decryption file to decrypt the response ciphertext, comparing the decrypted identification information with pre-stored identification information, and if the decrypted identification information is consistent with the pre-stored identification information, decrypting the encrypted password to obtain the access password.
7. The database password protection method of claim 1, further comprising:
acquiring an encryption and decryption file generation request;
and judging whether the encryption and decryption file generation request is a local request or not, and if the encryption and decryption file generation request is the local request, generating the encryption and decryption file.
8. The database password protection method according to any one of claims 1 to 7, further comprising:
and determining the update password of the target database at regular time, and modifying the current access password into the update password.
9. A database password protection device, applied to a password service, comprising:
the query request acquisition module is used for acquiring an access password query request aiming at a target database, which is sent by an application service;
the access password query module is used for querying an access password of the target database based on the access password query request;
the access password encryption module is used for encrypting the access password to obtain an encrypted password;
and the encrypted password returning module is used for returning the encrypted password to the application service so that the application service calls an encrypted and decrypted file generated in advance by the password service to decrypt the encrypted password to obtain the access password.
10. An electronic device comprising a processor and a memory; wherein
the memory is used for storing a computer program;
the processor for executing the computer program to implement the database password protection method of any of claims 1 to 8.
11. A computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the database password protection method of any of claims 1 to 8.
CN202210434269.5A 2022-04-24 2022-04-24 Database password protection method, device and equipment Pending CN114785498A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210434269.5A CN114785498A (en) 2022-04-24 2022-04-24 Database password protection method, device and equipment


Publications (1)

Publication Number Publication Date
CN114785498A true CN114785498A (en) 2022-07-22

Family

ID=82433504


Country Status (1)

Country Link
CN (1) CN114785498A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination