CN114826702B - Database access password encryption method and device and computer equipment - Google Patents
- Publication number: CN114826702B (application CN202210373593.0A)
- Authority: CN (China)
- Prior art keywords: password, current user, encrypted, cipher, access
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00; H04L63/04)
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords (H04L63/00; H04L63/08)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The application relates to a database access password encryption method, a database access password encryption device and computer equipment. If a user password request from the current user is received and the identity of the current user is legal, an access password is generated for the current user, a target cipher machine is assigned to the current user, the access password is encrypted through the target cipher machine to obtain an encrypted access password, and the encrypted access password is then sent to the current user, where the encrypted access password is used to instruct the current user to access the database according to it. The method improves the security of database access and ensures the reliability of database access.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, and a computer device for encrypting a database access password.
Background
A distributed database system is a physically decentralized and logically centralized database system that can be viewed as an organic combination of a computer network and a database system. The rapid development of computer technology has driven the development of distributed databases, but at the same time has increased the complexity of the security problem of distributed databases.
Network security is the basis of distributed database security; in general, hackers exploit data access vulnerabilities of the distributed database to breach the network security system of the whole server, thereby causing large numbers of data leakage incidents.
Therefore, in order to prevent data leakage, improving access security of the distributed database is a problem to be solved.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a database access password encryption method, apparatus, and computer device, which can prevent data leakage and improve access security of a distributed database.
In a first aspect, the present application provides a method for encrypting a database access password, the method comprising:
if a user password request from the current user is received and the identity of the current user is legal, generating an access password for the current user;
assigning a target cipher machine to the current user, where the target cipher machine comprises at least two cipher machines;
encrypting the access password through the target cipher machine to obtain an encrypted access password;
and sending the encrypted access password to the current user, where the encrypted access password is used to instruct the current user to access the database according to the encrypted access password.
In one embodiment, the user password request includes identity information of the current user, and before generating the access password of the current user, the method further includes:
detecting whether identity information which is the same as the identity information of the current user exists in an identity information database; the identity information database comprises identity information of a plurality of users;
if yes, determining that the identity of the current user is legal.
In one embodiment, assigning a target cipher machine to the current user includes:
assigning a target cipher machine to the current user according to a preset mapping table, where the mapping table records the correspondence between a plurality of users and cipher machines.
In one embodiment, encrypting the access password through the target cipher machine to obtain the encrypted access password includes:
segmenting the access password according to the number of cipher machines in the target cipher machine to obtain a plurality of password segments, where the number of password segments equals the number of cipher machines and each cipher machine corresponds to exactly one password segment;
sending each password segment to its corresponding cipher machine and encrypting each password segment through that cipher machine, so as to obtain a plurality of encrypted password segments;
and receiving the encrypted password segments returned by the cipher machines, and generating the encrypted access password from the received encrypted password segments.
In one embodiment, each cipher machine performs cross encryption on its password segment to obtain a cross-encrypted password segment, and a corresponding index is created for each cross-encrypted password segment according to the arrangement order of the password segments, so as to obtain a plurality of encrypted password segments.
In one embodiment, generating the encrypted access password from the received encrypted password segments includes:
fusing the encrypted password segments based on the index corresponding to each encrypted password segment to obtain the encrypted access password.
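As an added illustration of the segment-encrypt-fuse procedure in the embodiments above (example code written for this page, not code from the patent), the following Python models each cipher machine in software: the access password is split into as many segments as there are machines, each segment is encrypted and MAC-tagged by its own machine under that machine's independent key, the returned segments are fused in index order into one encrypted access password, and the server later verifies a presented password segment by segment, rejecting it if any segment fails. Assumptions: "cross encryption" is taken to mean each segment is encrypted under a different machine's key, the index is the segment's position, and HMAC-SHA256 in counter mode stands in for a real machine's cipher.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class EncryptedSegment:
    index: int        # position of the segment in the original access password
    nonce: bytes      # 12-byte per-segment nonce chosen by the cipher machine
    ciphertext: bytes
    tag: bytes        # 16-byte MAC over index || nonce || ciphertext


class CipherMachine:
    """Software stand-in for one cipher machine (assumption: HMAC-SHA256 counter-mode keystream)."""
    def __init__(self, key: bytes) -> None:
        self._key = key  # each machine holds its own independent secret key

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = bytearray(), 0
        while len(out) < length:
            out += hmac.new(self._key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def _tag(self, index: int, nonce: bytes, ct: bytes) -> bytes:
        # Binding the index into the MAC stops a segment being replayed at another position.
        msg = index.to_bytes(2, "big") + nonce + ct
        return hmac.new(self._key, msg, hashlib.sha256).digest()[:16]

    def encrypt_segment(self, index: int, segment: bytes) -> EncryptedSegment:
        nonce = os.urandom(12)
        ct = bytes(p ^ k for p, k in zip(segment, self._keystream(nonce, len(segment))))
        return EncryptedSegment(index, nonce, ct, self._tag(index, nonce, ct))

    def decrypt_segment(self, seg: EncryptedSegment) -> bytes:
        if not hmac.compare_digest(self._tag(seg.index, seg.nonce, seg.ciphertext), seg.tag):
            raise ValueError(f"segment {seg.index}: authentication failed")
        ks = self._keystream(seg.nonce, len(seg.ciphertext))
        return bytes(c ^ k for c, k in zip(seg.ciphertext, ks))


def segment_password(password: bytes, n: int) -> list[bytes]:
    """Split the password into n segments; the first len % n segments get one extra byte."""
    if n < 2:
        raise ValueError("target cipher machine must comprise at least two cipher machines")
    if len(password) < n:
        raise ValueError("access password is shorter than the number of cipher machines")
    base, extra = divmod(len(password), n)
    segments, pos = [], 0
    for i in range(n):
        length = base + (1 if i < extra else 0)
        segments.append(password[pos:pos + length])
        pos += length
    return segments


def fuse_segments(encrypted: list[EncryptedSegment]) -> bytes:
    """Fusion step: order the returned segments by index and serialise them into one blob."""
    ordered = sorted(encrypted, key=lambda s: s.index)
    if [s.index for s in ordered] != list(range(len(ordered))):
        raise ValueError("missing or duplicate segment index")
    blob = b""
    for s in ordered:  # record layout: index(2) || len(2) || nonce(12) || ciphertext || tag(16)
        blob += s.index.to_bytes(2, "big") + len(s.ciphertext).to_bytes(2, "big")
        blob += s.nonce + s.ciphertext + s.tag
    return blob


def parse_fused(blob: bytes) -> list[EncryptedSegment]:
    segments, pos = [], 0
    while pos < len(blob):
        index = int.from_bytes(blob[pos:pos + 2], "big")
        length = int.from_bytes(blob[pos + 2:pos + 4], "big")
        nonce = blob[pos + 4:pos + 16]
        ct = blob[pos + 16:pos + 16 + length]
        tag = blob[pos + 16 + length:pos + 32 + length]
        if len(nonce) != 12 or len(ct) != length or len(tag) != 16:
            raise ValueError("truncated encrypted access password")
        segments.append(EncryptedSegment(index, nonce, ct, tag))
        pos += 32 + length
    return segments


def encrypt_access_password(password: bytes, machines: list[CipherMachine]) -> bytes:
    """Server side of the procedure: segment, hand each segment to its own machine, fuse."""
    segments = segment_password(password, len(machines))
    encrypted = [m.encrypt_segment(i, s) for i, (m, s) in enumerate(zip(machines, segments))]
    encrypted.reverse()  # machines may answer in any order; fusion relies on the index
    return fuse_segments(encrypted)


def recover_access_password(blob: bytes, machines: list[CipherMachine]) -> bytes:
    """Verify a presented encrypted access password: every segment must check out under its machine."""
    segments = parse_fused(blob)
    if sorted(s.index for s in segments) != list(range(len(machines))):
        raise ValueError("segment set does not match the assigned cipher machines")
    return b"".join(machines[s.index].decrypt_segment(s) for s in sorted(segments, key=lambda s: s.index))
```

Because each machine only ever sees its own segment, a compromise of one machine's key exposes at most that segment, and the per-segment MAC means a password with a single altered or substituted segment is rejected as a whole.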
In one embodiment, sending the encrypted access password to the current user includes:
acquiring a public key of an access password and a private key of a current user, and executing identity authentication operation on the current user through the public key and the private key;
and if the identity authentication of the current user is passed, sending the encrypted access password to the current user.
In one embodiment, performing an authentication operation on a current user with a public key and a private key includes:
sending a private key to the current user;
if a response signal of the current user is received, matching the public key with the private key; the response signal represents a confirmation signal after the current user receives the private key;
if the public key and the private key are successfully matched, the identity authentication of the current user is determined to pass.
In a second aspect, the present application also provides a database access password encryption apparatus, the apparatus comprising:
a generation module for generating an access password for the current user if a user password request from the current user is received and the identity of the current user is legal;
an assignment module for assigning a target cipher machine to the current user, where the target cipher machine comprises at least two cipher machines;
an encryption module for encrypting the access password through the target cipher machine to obtain an encrypted access password;
and a sending module for sending the encrypted access password to the current user, where the encrypted access password is used to instruct the current user to access the database according to the encrypted access password.
In a third aspect, an embodiment of the present application provides a computer device, including a memory storing a computer program and a processor implementing the steps of any one of the methods provided in the embodiments of the first aspect, when the processor executes the computer program.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of any of the methods provided by the embodiments of the first aspect described above.
In a fifth aspect, embodiments of the present application provide a computer program product comprising a computer program which, when executed by a processor, implements the steps of any of the methods provided by the embodiments of the first aspect described above.
The embodiments of the application provide a database access password encryption method, device and computer equipment. If a user password request from the current user is received and the identity of the current user is legal, an access password is generated for the current user, a target cipher machine is assigned to the current user, the access password is encrypted through the target cipher machine to obtain an encrypted access password, and the encrypted access password is then sent to the current user, who uses it to access the database. In this method the identity of the user is first checked for legality on the basis of the user password request; only if the identity is legal is an access password generated for the current user and a cipher machine assigned to the user, and because the access password is encrypted by at least two cipher machines, the security of the access password is ensured and the reliability and security of database access are improved.
Drawings
FIG. 1 is a diagram of an application environment for a database access password encryption method in one embodiment;
FIG. 2 is a flow diagram of a database access password encryption method in one embodiment;
FIG. 3 is a flow chart of a database access password encryption method in another embodiment;
FIG. 4 is a flow chart of a database access password encryption method in another embodiment;
FIG. 5 is a flow chart of a database access password encryption method in another embodiment;
FIG. 6 is a flow chart of a database access password encryption method in another embodiment;
FIG. 7 is a flow chart of a database access password encryption method in another embodiment;
FIG. 8 is a flow chart of a database access password encryption method in another embodiment;
FIG. 9 is a block diagram of a database access password encryption device in one embodiment;
FIG. 10 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The database access password encryption method provided by the embodiments of the application can be applied to the application environment shown in FIG. 1, in which the current user communicates with the server via a network. The database may store data that the server needs to process; it may be integrated on the server or placed in the cloud or on another network server.
The server may be implemented as a stand-alone server or as a server cluster formed by a plurality of servers.
The embodiment of the application provides a database access password encryption method, a database access password encryption device and computer equipment, which can prevent data leakage and improve the access security of a distributed database.
The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application.
In one embodiment, taking the application environment of FIG. 1 as an example, the embodiment relates to a specific process of: generating an access password for the current user if a user password request from the current user is received and the identity of the current user is legal; assigning a target cipher machine to the current user; encrypting the access password through the target cipher machine to obtain an encrypted access password; and sending the encrypted access password to the current user, where the encrypted access password is used to instruct the current user to access the database according to the encrypted access password. As shown in FIG. 2, the embodiment includes the following steps:
S201, if a user password request from the current user is received and the identity of the current user is legal, generate an access password for the current user.
First, when a user wants to access data in a database, a user password request needs to be sent to a server, and the user password request indicates a request sent by the user to the server to access the database.
The current user indicates the user who needs to access the database currently, if the server receives the user password request of the current user, the server further judges whether the identity of the current user is legal, and if the identity of the current user is legal, the server generates the access password of the current user.
Whether the identity of the current user is legal is determined by some means that confirms the identity of the current user, i.e. identity verification; the purpose of identity verification is to confirm that the user currently claiming a certain identity is indeed the claimed user.
There are three ways of determining whether the identity of the current user is legitimate: based on a shared key, based on biometric characteristics, and based on a public key encryption algorithm.
The user identity validity verification based on the shared key means that the server side and the user commonly possess one or a group of passwords, when the user needs identity verification, the user submits the passwords commonly owned by the user and the server through input or equipment storing the passwords, after receiving the passwords submitted by the user, the server checks whether the passwords submitted by the user are consistent with the passwords stored by the server side, and if so, the user is judged to be a legal user. If the password submitted by the user is inconsistent with the password stored in the server, the authentication is judged to be failed.
If the identity of the current user is legally judged by using the shared key, the password shared by the current user and the server can be carried in the user password request of the current user, and after the server receives the user password request of the current user, the server judges whether the password in the user password request is consistent with the password stored in the server or not, if so, the identity of the current user is judged to be legal, otherwise, the identity of the current user is judged to be illegal.
The authentication based on the public key encryption algorithm means that both sides in communication respectively hold a public key and a private key, one of the two sides adopts the private key to encrypt specific data, the other side adopts the public key to decrypt the data, if the decryption is successful, the user is considered as a legal user, and otherwise, the user is considered as an authentication failure.
If the identity of the current user is judged legally by using a public key encryption algorithm, the user password request of the current user can carry specific data encrypted by using the private key of the current user, after the server receives the user password request, the encrypted data carried in the user password request is decrypted by using the public key of the server, if the decryption is successful, the identity of the current user is determined to be legal, otherwise, the identity of the current user is determined to be illegal.
If the identity of the current user is legal, an access password is generated for the current user. The access password is set on the server, and the current user can access the database through it. The access password may be generated by the server according to a preset access policy for the database; the access policy may be one configured for the current user and includes information such as DNS intelligent resolution, a primary address pool set/standby address pool set and an effective address pool set switching policy, and for example may be a preset access protocol.
The above description covers the case in which the identity of the current user is legal; there is also the case in which it is not, and if the identity of the current user is not legal, the server adds the current user to a blacklist.
S202, assign a target cipher machine to the current user; the target cipher machine includes at least two cipher machines.
The cipher machine is special equipment for encrypting and decrypting information and authenticating information by using cipher. The basic function of the cipher machine is information encryption protection; the cipher machine is mainly used for secret communication, i.e. implementing cipher transformation on various communication means, communication facilities and information transmitted by communication modes.
The cipher machine is used in communication confidentiality, information integrity check, identity verification and digital signature, and is combined with various information media and military applications to provide information confidentiality and integrity service.
Major classifications of cipher machines: by technical structure, there are mechanical, electromechanical, photoelectric, electronic and microelectronic cipher machines; by object of use, there are general-purpose cipher machines, army-dedicated cipher machines and cipher machines for special forces; by equipment carrier, there are special cipher machines such as vehicle-mounted, ship-borne, airborne and satellite-borne cipher machines; by equipment environment, there are low-radiation cipher machines, ruggedised cipher machines for harsh environments and portable cipher machines for mobile operations; by physical location in the communication network, there are terminal-type, server-type, gateway-type and node-type cipher machines; and by the computer network protocol layer at which the protected data sits, there are physical layer, link layer, Internet Protocol (IP) layer, transport layer and application layer cipher machines.
It should be noted that, the embodiment of the present application does not limit the type of the cryptographic engine.
After the access password has been generated for the current user as described above, cipher machines are assigned to the current user; the cipher machines assigned to the current user constitute the target cipher machine, and at least two cipher machines are assigned to the current user.
The cipher machines may be assigned to the current user according to a preset allocation method, which may specify that a preset number of cipher machines is assigned to the current user; for example, 4 cipher machines may be assigned to the current user.
S203, the access password is encrypted through the target password machine, and the encrypted access password is obtained.
To guard against hackers who use network protocols or operating-system security vulnerabilities to bypass the database's security mechanism and access database files directly, the access password may be encrypted.
Encryption is a technique that limits the access rights to data transmitted over a network, which prevents an outsider from viewing confidential data files, confidential data from being revealed or tampered with, privileged users (e.g., system administrators) from viewing private data files, and which prevents an intruder from easily searching for a system file.
Since a cipher machine can encrypt and decrypt information using a cipher, the cipher machine can encrypt the access password to obtain the encrypted access password.
The access password may be encrypted using a preset password held in the target cipher machine, and a data encryption algorithm may be used for the encryption processing.
Data encryption algorithms comprise symmetric encryption algorithms and asymmetric encryption algorithms. A symmetric encryption algorithm is the more traditional mode: encryption and decryption use the same secret key, so the sender and the receiver of the information must both hold that password (called the symmetric password) when transmitting and processing the information; the sender subjects the plaintext (original information) and the password to the encryption processing to produce a complex encrypted ciphertext for transmission. An asymmetric encryption algorithm uses a public/private key pair, one key for encryption and the other for decryption: data encrypted with the public key can be decrypted only by the corresponding private key, and data encrypted with the private key can be decrypted only by the corresponding public key; the public key can be widely shared and disclosed when data must be transmitted outside the server in encrypted form. The basic process of data encryption is to process the original file or data, in plaintext, according to a certain algorithm to form a code that cannot be read directly, usually called ciphertext, so that the data is protected from being illegally stolen and read.
Alternatively, two encryption methods can be used in the encryption of the access password. The Data Encryption Standard (DES) uses a 64-bit password; the algorithm is implemented on a small integrated circuit chip and processes ciphertext at an operating speed of 1 Mb/s. The other approach, known as a public key cryptosystem, gives each user two codes, an encryption code and a decryption code; the user's encryption code is public, like a telephone number, but only the corresponding decryption code can decrypt the message, and it is impossible to derive the decryption code from the encryption code, because the cryptosystem is asymmetric, i.e. the encryption process is irreversible.
Encryption of the password should provide several encryption and decryption algorithms with different security intensity and speed at the same time, so that a user can set an appropriate algorithm according to the importance degree of the data object and the access speed requirement. At the same time, the granularity of the encrypted data object can be adjusted, so that the access speed can be improved while the security of the important data object is ensured. In addition, the encrypted data index is skillfully established for the encrypted data object, and the quick retrieval of the ciphertext can be performed. If an attacker knows part of the information of the original library and tries to decrypt the ciphertext using a cryptanalysis method accordingly, a basic encryption algorithm feedback connection or other means may be used to assign a different encryption key to each object to be encrypted.
S204, sending the encrypted access password to the current user, wherein the encrypted access password is used for indicating the current user to access the database according to the encrypted access password.
After encrypting the access password, the server can send the encrypted access password to the current user. After receiving the encrypted access password, the current user can access the database according to the encrypted access password.
The database is a repository for storing data, and the database includes a distributed database, and in the embodiment of the present application, when a user accesses the database, the corresponding database may be a distributed database, and it should be noted that the type of the database in the embodiment is not limited by the present application.
Wherein, the distributed database system uses a computer network to disperse the geographic position and manage and control a plurality of logic units (usually centralized databases) which need to be centralized in different degrees, and the logic units are connected together to form a unified database system.
In general, distributed databases face two broad categories of security problems. One is caused by natural factors such as single-site failures and network failures, against which protection can generally be achieved with the security provided by the network. The other is man-made attack, i.e. hacking, from the local machine or the network, which in current hacking mainly takes the form of eavesdropping, replay attacks, counterfeit attacks, unauthorised access, ciphertext decoding and the like.
Therefore, when accessing the database, the identity of the accessing user needs to be verified, and in order to ensure the security of the database access, the access password needs to be encrypted, so that the reliability of the database access is ensured.
According to the database access password encryption method described above, if a user password request from the current user is received and the identity of the current user is legal, an access password is generated for the current user, a target cipher machine is assigned to the current user, the access password is encrypted through the target cipher machine to obtain an encrypted access password, and the encrypted access password is then sent to the current user, who uses it to access the database. In this method the identity of the user is first checked for legality on the basis of the user password request; only if the identity is legal is an access password generated for the current user and a cipher machine assigned to the user, and because the access password is encrypted by at least two cipher machines, the security of the access password is ensured and the reliability and security of database access are improved.
The embodiment above describes generating the access password of the current user; before the access password is generated it is further necessary to determine whether the identity of the current user is legal, and the access password is generated only if it is. How the identity of the current user is determined to be legal is explained by the following embodiment, which, as shown in FIG. 3, includes the following steps:
S301, detecting whether identity information which is the same as the identity information of the current user exists in an identity information database; the identity information database includes identity information of a plurality of users.
Before a user sends a user password request to the server, the user first registers with the server, and the identity information of each successfully registered user is stored in the server's identity information database; since that database stores the identity information of every user registered on the server, it includes the identity information of a plurality of users.
The current user sends a user password request to the server, and after receiving it the server verifies the validity of the user's identity information. Specifically, the user password request carries the identity information of the user, and after receiving it the server detects whether identity information identical to that of the current user exists in the identity information database.
S302, if yes, the identity of the current user is determined to be legal.
If identity information identical to that of the current user exists in the identity information database, the identity of the current user is legal; if it does not, the identity of the current user is illegal.
Optionally, the information filled in when the user registers with the server also includes a selected service and verification information. The selected service represents a service that the user needs to perform on the server, for example accessing the database or modifying the database; the verification information is what the user fills in at registration in answer to a verification question, for example the question "what is the name of your primary school" and the answer "x school".
The user password request can also carry the service and verification information selected by the current user, and these are judged together with the validity of the identity information. If the identity information, the selected service and the verification information of the current user all match the information in the identity information database, the identity of the current user is legal, an access password is generated for the current user, and a globally unique user number may be allocated to uniquely identify the current user; otherwise the identity of the current user is illegal and the current user is pulled into a blacklist.
The database access password encryption method thus detects whether the identity information database, which contains the identity information of a plurality of users, contains identity information identical to that of the current user, and if so determines that the identity of the current user is legal. Judging the legality of the current user's identity from the identity information improves the safety and reliability of database access.
In one embodiment, allocating target cipher machines to the current user includes allocating them according to a preset mapping table, which records the correspondence between a plurality of users and cipher machines.
After a user registers successfully on the server, the server allocates cipher machines to the user and stores the user's number together with the allocated cipher machines in the mapping table, so that the table records a correspondence between each user and a number of cipher machines; for example, user 1 corresponds to 3 cipher machines and user 2 corresponds to 5. If user 1 is the current user, 3 cipher machines are allocated to user 1; if user 2 is the current user, user 2 is allocated 5 cipher machines.
At least two target cipher machines are allocated to the current user: one is the master cipher machine and the others are slave cipher machines. If there are 5 target cipher machines, there are 1 master cipher machine and 4 slave cipher machines.
In one embodiment, as shown in fig. 4, encrypting the access password by the target cipher machines to obtain an encrypted access password includes the following steps:
S401, performing a segmentation operation on the access password according to the number of cipher machines in the target cipher machines to obtain a plurality of password segments; the number of password segments equals the number of cipher machines, and each cipher machine corresponds to one password segment.
The segmentation operation may use a preset neural network model: the number of cipher machines in the target cipher machines and the access password are the inputs of the model, and the model outputs the plurality of password segments; the number of output password segments equals the number of cipher machines in the target cipher machines, and each password segment corresponds to one cipher machine.
For example, if the target cipher machines are cipher machine 1, cipher machine 2 and cipher machine 3 and the obtained password segments are password segment 1, password segment 2 and password segment 3, then according to a preset correspondence rule password segment 1 may correspond to cipher machine 1, password segment 2 to cipher machine 2 and password segment 3 to cipher machine 3; it is equally possible for password segment 1 to correspond to cipher machine 2, password segment 2 to cipher machine 1 and password segment 3 to cipher machine 3.
Note that "password segment 1, 2, 3" are names used in this embodiment only to distinguish the password segments and have no practical meaning.
S402, each password segment is sent to its corresponding cipher machine, and each cipher machine encrypts its password segment, giving a plurality of encrypted password segments.
Continuing with the example in which password segment 1 corresponds to cipher machine 1, password segment 2 to cipher machine 2 and password segment 3 to cipher machine 3: when each password segment is sent to its corresponding cipher machine, the server sends password segment 1 to cipher machine 1, password segment 2 to cipher machine 2 and password segment 3 to cipher machine 3.
After each cipher machine receives its password segment, it encrypts that segment, so that a plurality of encrypted password segments is obtained.
The encryption algorithm each cipher machine uses on its password segment may be the same or different; the embodiments of the present application are not limited in this respect.
Specifically, the encryption algorithms include symmetric and asymmetric algorithms. Symmetric algorithms include DES, the Triple Data Encryption Algorithm (TDEA), the International Data Encryption Algorithm (IDEA), etc.; asymmetric algorithms include the knapsack algorithm, Elliptic Curve Cryptography (ECC), etc.
S403, receiving the encrypted password segments returned by the cipher machines, and generating the encrypted access password from the received encrypted password segments.
After each cipher machine has encrypted its password segment it returns the encrypted password segment to the server, and the server receives the encrypted password segment returned by each cipher machine.
After receiving the encrypted password segments of all cipher machines, the server generates the encrypted access password from them; because each encrypted password segment was obtained by segmenting the original access password and then encrypting each segment on its cipher machine, the encrypted access password can be assembled from the encrypted password segments.
Optionally, the encrypted access password may be generated by a preset generation algorithm that takes each encrypted password segment as input and outputs the encrypted access password when run.
In the database access password encryption method, the access password is segmented according to the number of cipher machines in the target cipher machines to obtain a plurality of password segments; each password segment is sent to its corresponding cipher machine and encrypted there, giving a plurality of encrypted password segments; the encrypted password segments returned by each cipher machine are received, and the encrypted access password is generated from them. Because the access password is divided into as many password segments as there are cipher machines, one password segment corresponds to one cipher machine and each segment is encrypted by a different machine, so the access password as a whole is encrypted by a plurality of cipher machines, which improves the security of the access password and of access to the distributed database.
The encryption of the password segments by the cipher machines has been described above by way of example; the particular manner in which the cipher machines encrypt the password segments is described below. In one example, each cipher machine cross-encrypts its password segment to obtain a cross-encrypted password segment, and creates a corresponding index for the cross-encrypted password segment according to the arrangement order of the password segments, so as to obtain a plurality of encrypted password segments.
The cross-encryption may be cross-interlocking, and cross-encrypting a password segment can be expressed as inserting data into the password segment: if the data is inserted successfully, the password segment is cross-encrypted and the encrypted password segment, i.e. an encryption lock, is obtained, so that the password segment can no longer be changed.
Each cipher machine cross-encrypts its password segment to obtain a cross-encrypted password segment and creates a corresponding index for it according to the arrangement order of the password segments in the access password, giving an encrypted password segment; after each password segment has been cross-encrypted and indexed, each cipher machine deletes the original password segment.
An index is a structure that orders the values of one or more columns in a database table; with it, specific information in the table can be accessed quickly.
For example, if the arrangement order of the access password is {password segment 1, password segment 2, password segment 3}, the access password is divided into three segments, password segment 1, password segment 2 and password segment 3, where password segment 1 is at the first position of the access password, password segment 2 in the middle and password segment 3 at the last position; then index 1 can be created for the cross-encrypted password segment 1, index 2 for the cross-encrypted password segment 2 and index 3 for the cross-encrypted password segment 3.
The encrypted password segments comprise all the cross-encrypted password segments together with their corresponding indexes.
Optionally, the target cipher machines comprise a master cipher machine and at least one slave cipher machine. When the cipher machines cross-encrypt their password segments, the master cipher machine cross-interlocks its own password segment using the access password, and each slave cipher machine cross-interlocks its own password segment using the password segment of the master cipher machine.
In one embodiment, generating the encrypted access password from the received encrypted password segments includes fusing the encrypted password segments on the basis of the index corresponding to each of them to obtain the encrypted access password.
The encrypted password segments can be fused according to their indexes; for example, if the index of encrypted password segment 1 is a, that of encrypted password segment 2 is b and that of encrypted password segment 3 is c, and the preset order of the indexes is abc, the encrypted access password is {encrypted password segment 1, encrypted password segment 2, encrypted password segment 3}.
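The following Go program is an added example, not code from the patent, that models steps S401 to S403 together with the index-based fusion just described: the access password is split into one segment per cipher machine (the "average segmentation" option of S805), each machine encrypts only its own segment under a key that never leaves it, the segment's index is authenticated alongside the ciphertext, and the server fuses the returned pieces by index rather than by the order in which they arrive. AES-256-GCM is assumed as each machine's algorithm; the page leaves the algorithm open and the master/slave cross-interlock is not modelled here. The input password is a constructed sample.

```go
// Added example, not code from the patent: a model of steps S401-S403 and the
// index-based fusion, with one AES-256-GCM key per cipher machine.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"sort"
)

// CipherMachine models one cipher machine; its key never leaves it.
type CipherMachine struct{ aead cipher.AEAD }

// NewCipherMachine draws a fresh random key; the caller must check err.
func NewCipherMachine() (*CipherMachine, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &CipherMachine{aead: gcm}, err
}

// EncryptedSegment is what a machine returns: ciphertext plus the index that
// records the segment's position in the access password.
type EncryptedSegment struct {
	Index int
	Nonce []byte
	CT    []byte // ciphertext with the GCM authentication tag appended
}

// SplitPassword is the "average segmentation" of S805: n near-equal chunks, in order.
func SplitPassword(password []byte, n int) ([][]byte, error) {
	if n < 2 || len(password) < n {
		return nil, errors.New("need at least two machines and one byte per machine")
	}
	var segs [][]byte
	for i, start := 0, 0; i < n; i++ {
		end := len(password) * (i + 1) / n
		segs = append(segs, password[start:end])
		start = end
	}
	return segs, nil
}

// EncryptSegment authenticates the index as associated data, so a ciphertext
// cannot be quietly moved to another position.
func (m *CipherMachine) EncryptSegment(seg []byte, index int) (EncryptedSegment, error) {
	nonce := make([]byte, m.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedSegment{}, err
	}
	ct := m.aead.Seal(nil, nonce, seg, []byte{byte(index)})
	return EncryptedSegment{Index: index, Nonce: nonce, CT: ct}, nil
}

// DecryptSegment fails unless both the key and the index match.
func (m *CipherMachine) DecryptSegment(es EncryptedSegment) ([]byte, error) {
	return m.aead.Open(nil, es.Nonce, es.CT, []byte{byte(es.Index)})
}

// EncryptAccessPassword runs S401-S403: split, give each segment to its own
// machine, and fuse the returned pieces by index rather than by arrival order
// (the loop runs backwards on purpose so the sort visibly restores the order).
func EncryptAccessPassword(password []byte, machines []*CipherMachine) ([]EncryptedSegment, error) {
	segs, err := SplitPassword(password, len(machines))
	if err != nil {
		return nil, err
	}
	var fused []EncryptedSegment
	for i := len(machines) - 1; i >= 0; i-- {
		es, err := machines[i].EncryptSegment(segs[i], i)
		if err != nil {
			return nil, err
		}
		fused = append(fused, es)
	}
	sort.Slice(fused, func(a, b int) bool { return fused[a].Index < fused[b].Index })
	return fused, nil
}

// RecoverAccessPassword needs every machine: one key decrypts only one segment.
func RecoverAccessPassword(fused []EncryptedSegment, machines []*CipherMachine) ([]byte, error) {
	if len(fused) != len(machines) {
		return nil, errors.New("segment count does not match machine count")
	}
	var out []byte
	for i, es := range fused {
		seg, err := machines[i].DecryptSegment(es)
		if err != nil {
			return nil, err
		}
		out = append(out, seg...)
	}
	return out, nil
}
```

The defender-relevant property the model makes visible is that compromising a single cipher machine's key exposes only that machine's segment, and that moving a ciphertext to another index or handing it to the wrong machine fails authentication instead of producing garbage.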
In one embodiment, as shown in fig. 5, sending the encrypted access password to the current user includes the following steps:
S501, obtaining a public key of the access password and a private key of the current user, and performing an identity authentication operation on the current user with the public key and the private key.
The public key of the access password and the private key of the current user are obtained through key delegation.
Optionally, the public key of the access password and the private key of the current user may also be obtained from a key management center, the public key of the server serving as the public key of the access password; the key management center stores the public keys and private keys of a plurality of users and servers in advance.
In one embodiment, the server and the user share a public key and private key pair, and the identity authentication operation on the current user is performed with that pair: the public key encrypts specific data and the private key decrypts the encrypted specific data.
S502, if the identity authentication of the current user passes, sending the encrypted access password to the current user.
Following the above embodiment, if the private key can decrypt the encrypted specific data and the decryption succeeds, the server sends the encrypted access password to the current user.
The identity authentication of the current user further confirms that the current user is a legal user with the corresponding access right to the database, so the encrypted access password is sent to the current user, who can then access the database with it.
The foregoing describes the case where the identity authentication of the current user passes; there is also the case where it does not pass. In one embodiment: if the identity authentication of the current user does not pass, a timing task is executed, the expired access password is cleared, and the steps of obtaining the access password and encrypting it are executed again.
After the target cipher machines and the access password have been allocated to the current user, a data table is added on the server to record the number of cipher machines currently obtained and the thread information of the access password transfer.
If the identity authentication of the current user does not pass, the server first queries whether the number of cipher machines and the thread information recorded in the data table are the same as those of the current user; if they are, the encrypted access password is sent directly to the current user. If they differ, the server starts recording the expiration time of the access password and executes the timing task, which clears the access password once its expiration time reaches the preset time; the access password is then obtained again and the step of encrypting the access password is executed again.
In this embodiment, the steps of obtaining the access password again and encrypting it are the same as those described in the embodiments above and are not repeated here.
In the database access password encryption method, the public key of the access password and the private key of the current user are obtained, the identity authentication operation is performed on the current user with the public key and the private key, and if the identity authentication passes, the encrypted access password is sent to the current user. Performing this further authentication of the current user's identity, and sending the encrypted access password only if it succeeds, further verifies the legality of the current user's identity and improves the access security of the database.
In one embodiment, as shown in fig. 6, performing the identity authentication operation on the current user with the public key and the private key includes the following steps:
S601, sending the private key to the current user.
When the identity authentication operation is performed on the current user, the private key is first sent to the current user.
S602, if a response signal of the current user is received, matching the public key with the private key; the response signal is the confirmation signal the current user sends after receiving the private key.
After receiving the private key, the current user sends a response signal to the server to indicate that the private key has been received; if the server receives the response signal of the current user, the server matches the public key with the private key by verifying whether the two satisfy a preset matching rule.
Alternatively, the matching rule may be that the server encrypts preset data with the public key and then decrypts the encrypted preset data with the private key.
S603, if the public key and the private key match successfully, determining that the identity authentication of the current user passes.
If decrypting with the private key the preset data that was encrypted with the public key yields the original preset data, the public key and private key match successfully; otherwise they do not.
To prevent various forgery attacks, two-way authentication between the user and the master server is required before a data access operation is performed, for example when the user logs into the distributed database or when data is transferred between servers in the distributed database system.
In the authentication protocol, each site obtains from a key management center site a key for communicating with a target site, and then communicates securely with it. The key management center is responsible for managing and securely distributing a large number of keys, so a key management center trusted by all sites must exist in the system. A site is a storage area in which data files and the like are stored; in the embodiments of the present application, site and target site can correspond one-to-one to a user and a database.
In the database access password encryption method, the private key is sent to the current user; if the response signal of the current user is received, the public key and the private key are matched, the response signal being the confirmation signal the current user sends after receiving the private key; and if the public key and the private key match successfully, the identity authentication of the current user is determined to pass. This further defines the identity authentication of the current user and improves the access security of the database.
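The Go program below is an added example, not code from the patent, showing the matching rule of S602 and S603 as a challenge-response check: the server encrypts fresh random "preset data" with the public key, the user decrypts it with the private key, and the server compares the result with the original in constant time. It follows the public-key two-way authentication described later on this page, in which the key pair is generated on the user's side and the private key is kept by the user, so unlike S601 no private key is transmitted; RSA-OAEP with SHA-256, the 2048-bit key size, the OAEP label and the user names are assumptions of the example.

```go
// Added example, not code from the patent: the key matching of S601-S603 as a
// challenge-response check. The key pair is generated on the user's side and
// the private key never leaves it; the server only holds public keys. The
// "preset data" is a fresh random value per attempt (assumptions of this example).
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// oaepLabel is a constructed context label; it must match on both sides.
var oaepLabel = []byte("db-access-identity-auth")

// User models the client side: it owns the private key.
type User struct {
	ID   string
	priv *rsa.PrivateKey
}

func NewUser(id string) (*User, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &User{ID: id, priv: priv}, nil
}

// PublicKey is what the user registers with the server or key management center.
func (u *User) PublicKey() *rsa.PublicKey { return &u.priv.PublicKey }

// Respond decrypts the server's challenge with the private key.
func (u *User) Respond(challenge []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, u.priv, challenge, oaepLabel)
}

// Server holds public keys only, indexed by user ID.
type Server struct{ pubKeys map[string]*rsa.PublicKey }

func NewServer() *Server { return &Server{pubKeys: map[string]*rsa.PublicKey{}} }

func (s *Server) Register(id string, pub *rsa.PublicKey) { s.pubKeys[id] = pub }

// Challenge encrypts 32 random bytes with the user's public key (S602) and
// keeps the plaintext for the comparison in Verify.
func (s *Server) Challenge(id string) (expected, challenge []byte, err error) {
	pub, ok := s.pubKeys[id]
	if !ok {
		return nil, nil, errors.New("unknown user: " + id)
	}
	expected = make([]byte, 32)
	if _, err = rand.Read(expected); err != nil {
		return nil, nil, err
	}
	challenge, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, expected, oaepLabel)
	return expected, challenge, err
}

// Verify is S603: the match succeeds only if the decrypted value equals the
// original preset data; the comparison is constant-time.
func (s *Server) Verify(expected, answer []byte) bool {
	return subtle.ConstantTimeCompare(expected, answer) == 1
}

// Authenticate runs the exchange once. A false result is the branch of S502
// and S810 in which the encrypted access password is not released.
func Authenticate(s *Server, u *User) (bool, error) {
	expected, challenge, err := s.Challenge(u.ID)
	if err != nil {
		return false, err
	}
	answer, err := u.Respond(challenge)
	if err != nil {
		return false, nil // wrong private key: OAEP decryption fails, not a server error
	}
	return s.Verify(expected, answer), nil
}
```

A holder of the wrong private key cannot produce the preset data, so the server's decision depends only on possession of the key that matches the registered public key; a fresh random challenge per attempt means an observed exchange cannot be replayed.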
In one embodiment, as shown in fig. 7, a process of encrypting an access password is provided, taking a master control server as the server. First, after receiving a user password request submitted by a user, the master control server authenticates the user and determines the legality of the user identity; if the identity is not legal, the verification result is returned and the current user is pulled into a blacklist, and if the identity is legal, a globally unique user ID is allocated to the user.
Then, the master control server allocates at least two cipher machines, one master cipher machine and at least one slave cipher machine, to the user whose identity was judged legal, and generates an access password for the user according to the formulated access policy; the access password is segmented according to the number of cipher machines, one cipher machine corresponding to one password segment; the password segment of the master cipher machine is interlocked and encrypted with the access password, each slave cipher machine encrypts the password segment it holds and creates a unique index, and the encrypted access password is obtained from the encrypted password segments.
Finally, the public key of the master control server and the private key of the current user are obtained through key delegation, the private key of the current user is sent to the user, and when the user has received the key the password verification is judged to pass and the authentication operation is performed, after which the encrypted access password is sent to the user; if the password verification does not pass, the process of obtaining the access password and encrypting it must be executed again.
In one embodiment, to simplify the distribution of the communication key between user and server, a two-way authentication technology based on a public key cryptosystem may be adopted: both the user and the server generate a key pair of an asymmetric cryptographic algorithm, the private key is kept by the user himself, and the user's own public key may be distributed to other cryptosystems in the distributed system through a trusted channel, so that the obtained public key information can be used to mutually authenticate identity between any two users and the server.
The present application is forward-looking: it provides a security guarantee for the security problem of distributed passwords, offers strong security control, strengthens the reliability and privacy of the password, removes global trust in the centralized server by using a distributed password, provides password access control through encryption, and ensures reliability, availability and correctness. Because the encryption re-encrypts by password segment, the unencrypted symmetric key (which can decrypt the private data) is never exposed on the server side; even if the server is broken into, the hacker obtains only the re-encrypted key and access to the file remains protected.
In the distributed system environment, the same encryption method can be executed by only one thread of one machine at a time, while obtaining the user identity and verifying its legality with high availability and high performance, thereby securing the encryption process.
In one embodiment, after the user has successfully verified identity between the master cipher machine and the slave cipher machine, data can be transmitted. To counter message interception and replay attacks, a secret channel must be established between the two communicating parties and the data encrypted for transmission. Because the volume of transmitted data in a distributed database is large, the system encrypts and decrypts it with an encryption and decryption algorithm. Establishing the secure channel is referred to as provisioning a session key, which is used to encrypt and decrypt the data, and this process can generally be combined with authentication. Secure communication may be implemented by the distributed database system itself or may use a security mechanism provided by an underlying network protocol, such as Secure Sockets Layer (SSL).
In general, to prevent unauthorized attacks, no user of a database management system can operate directly on the stored data. A user's data access request is sent to the access control module for examination, and the system's access control module then performs the corresponding data operation on behalf of a user who holds the access authority. User access control takes two forms, autonomous (discretionary) access authorization control and mandatory access authorization control. In autonomous control, an administrator sets an access control table that specifies the operations a user may and may not perform; in mandatory control, security levels are first granted to the users and data objects in the system, and a user's operation authority is limited according to the relation between the user's security level and that of the data object.
In both forms, the smaller the granularity of the data objects, the finer the access authority can be specified, and the larger the overhead of system management becomes. This is especially so in a distributed database system: on the one hand there are more users and data objects, and on the other hand distributed access control is required, which increases the burden of access control on the system.
Many users in the system have similar access rights, so roles can be defined from user rights, one role can be granted to a plurality of users and one user can hold a plurality of roles, which reduces the overhead of access control management to a certain extent.
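The following Go program is an added example, not code from the patent, that puts the two access-control forms and the role idea from the preceding paragraphs into one decision function: a mandatory check on security levels runs first, so that an entry in the discretionary access control table can never override a level violation, and the table is keyed by role rather than by individual user. The level rule used (a user may read objects at or below the user's own level and write only at the user's own level) is one common mandatory-control choice and is an assumption of this example, as are all user, role and object names in the sample data.

```go
// Added example, not code from the patent: a compact model of discretionary
// (access control table) and mandatory (security level) control with roles.
// The level rule and all sample data are assumptions of this example.
package main

import "strconv"

type Operation string

const (
	Read  Operation = "read"
	Write Operation = "write"
)

type Role string

// ObjectPolicy is one row of the access control table for a data object:
// its security level and the operations each role may perform on it.
type ObjectPolicy struct {
	Level   int
	Allowed map[Role][]Operation
}

// UserProfile carries the user's security level and granted roles.
type UserProfile struct {
	Level int
	Roles []Role
}

type AccessController struct {
	Users   map[string]UserProfile
	Objects map[string]ObjectPolicy
}

// Decide returns whether the operation is authorised and a reason suitable for
// an audit log. Mandatory control runs first so that a discretionary grant can
// never override a level violation.
func (ac AccessController) Decide(userID, objectID string, op Operation) (bool, string) {
	u, ok := ac.Users[userID]
	if !ok {
		return false, "unknown user " + userID
	}
	o, ok := ac.Objects[objectID]
	if !ok {
		return false, "unknown object " + objectID
	}
	switch op {
	case Read:
		if u.Level < o.Level {
			return false, "mandatory: user level " + strconv.Itoa(u.Level) + " below object level " + strconv.Itoa(o.Level)
		}
	case Write:
		if u.Level != o.Level {
			return false, "mandatory: write allowed only at the user's own level"
		}
	default:
		return false, "unknown operation " + string(op)
	}
	for _, r := range u.Roles {
		for _, allowed := range o.Allowed[r] {
			if allowed == op {
				return true, "discretionary: granted via role " + string(r)
			}
		}
	}
	return false, "discretionary: no role of " + userID + " grants " + string(op)
}

// SampleController builds constructed sample data for a small deployment.
func SampleController() AccessController {
	return AccessController{
		Users: map[string]UserProfile{
			"ana":  {Level: 2, Roles: []Role{"analyst"}},
			"ivan": {Level: 1, Roles: []Role{"reporting"}},
			"dba":  {Level: 3, Roles: []Role{"analyst", "operator"}},
		},
		Objects: map[string]ObjectPolicy{
			"customer_table": {Level: 1, Allowed: map[Role][]Operation{"analyst": {Read}, "reporting": {Read, Write}, "operator": {Read, Write}}},
			"salary_table":   {Level: 3, Allowed: map[Role][]Operation{"operator": {Read, Write}}},
		},
	}
}
```

Returning a reason string with every decision is the detail a security operations team will want, since denied requests are what an access control module should log and alert on.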
In one embodiment, in a distributed password database the encryption and decryption algorithm is used for authentication, secret communication, password encryption and so on. Authentication requires transmitting only a small amount of control information; secret communication typically transmits large data in addition to small amounts of control information; password encryption requires designing data objects of different granularities and also considering operations such as inserting, deleting and changing the data passwords of the password database. Therefore, when selecting the encryption and decryption algorithm, a suitable algorithm can be chosen according to the characteristics of the different operation steps of the distributed database system.
Key management includes key generation, distribution, storage, updating, revocation and deletion, and its core problem is key distribution. In addition, since the confidentiality strength of a cryptosystem depends strongly on the confidentiality of the key, a strict management scheme is formulated for the large number of public keys and keys involved in the distributed cryptosystem, so that the public keys cannot be counterfeited and the keys are not leaked.
In one embodiment, taking a master server as an example, as shown in fig. 8, the embodiment includes:
s801, a main control server receives a user password request of a user;
wherein the user password request carries the identity information of the user, the selected service and the authentication information.
S802, judging the legitimacy of the user identity according to the user password request;
Specifically, if the user identity exists in the database of the main control server, the user identity is legal, otherwise, the user identity is illegal; black is not a rule;
s803, if the identity of the user is legal, at least two cipher machines are allocated to the user;
Wherein the at least two crypto-engines comprise a master crypto-engine and at least one slave crypto-engine; if the user identity is legal, the method further comprises the following steps: the user is assigned a user number that can uniquely identify the user identity.
S804, generating an access password for the user according to a preset access strategy;
wherein the access policy, e.g., access protocol, etc.
S805, according to the number of the cipher machines, obtaining cipher segments corresponding to all the cipher machines for accessing the cipher segments;
Wherein, one cipher machine corresponds to one cipher section; the segmentation may be an average segmentation or a preset segmentation.
S806, the master control server sends each cipher segment to a corresponding cipher machine, and instructs the cipher machine to encrypt the cipher segments to obtain each encrypted access cipher segment;
The encryption process is as follows: the password section of the main password machine and the access password are cross-interlocked to obtain the encrypted password section of the main password machine; and encrypting the password sections of the slave password machines according to the password sections of the master password machine to obtain the encrypted password sections of the slave password machines, and creating a unique index, wherein one slave password machine corresponds to one index.
S807, receiving each encrypted access code segment returned by each cipher machine, and obtaining the encrypted access code according to each encrypted access code segment.
S808, obtaining the public key of the main control server and the private key of the current user through key delegation.
S809, the master control server sends the private key to the user, if the user receives the private key of the user, the password verification is judged to pass, and authentication operation is continuously executed;
The authentication operation is to match the public key of the main control server with the private key of the user.
S810, when the password verification is not passed, restarting the encryption steps S806-S809 to conduct re-encryption.
And S811, if the authentication operation is successful, the encrypted access password is sent to the user.
For the specific limitations of the database access password encryption method provided in this embodiment, refer to the limitations of the steps of each embodiment of the database access password encryption method above; they are not repeated here.
It should be understood that, although the steps in the flowcharts attached to the above embodiments are shown in the order indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the drawings attached to the above embodiments may comprise a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and these sub-steps or stages are not necessarily performed sequentially but may be performed alternately with at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 9, an embodiment of the present application further provides a database access password encryption apparatus 900, where the apparatus 900 includes: a generating module 901, an allocating module 902, an encrypting module 903 and a transmitting module 904, wherein:
The generating module 901 is configured to generate an access password of the current user if a user password request of the current user is received and the identity of the current user is legal;
An allocation module 902, configured to allocate a target cryptographic engine to a current user; the target crypto-engine comprises at least two crypto-engines;
the encryption module 903 is configured to encrypt the access password by using the target crypto-engine, so as to obtain an encrypted access password;
and the sending module 904 is configured to send the encrypted access password to the current user, where the encrypted access password is used to instruct the current user to access the database according to the encrypted access password.
In one embodiment, the generating module 901 includes:
The detection unit is configured to detect whether identity information identical to the identity information of the current user exists in an identity information database; the identity information database comprises identity information of a plurality of users;
and the determining unit is configured to determine that the identity of the current user is legal if such identity information exists.
In one embodiment, the allocation module 902 includes:
the distribution unit is used for distributing a target cipher machine to the current user according to a preset mapping table; the mapping table includes correspondence between a plurality of users and the cryptographic engine.
In one embodiment, the encryption module 903 includes:
The segmentation unit is used for carrying out segmentation operation on the access password according to the number of the password machines in the target password machine to obtain a plurality of password segments; the number of the cipher segments is the same as that of the cipher machines, and one cipher machine corresponds to one cipher segment respectively;
the encryption unit is used for respectively sending each cipher segment to a corresponding cipher machine, and encrypting each cipher segment through each cipher machine to obtain a plurality of encrypted cipher segments;
and the generating unit is used for receiving the encrypted password segments returned by the password machines and generating encrypted access passwords according to the received encrypted password segments.
In one embodiment, each cipher machine performs cross encryption on each cipher segment to obtain cross encrypted cipher segments, and creates corresponding indexes for the cross encrypted cipher segments according to the arrangement sequence of each cipher segment to obtain a plurality of encrypted cipher segments.
In one embodiment, the generating unit comprises:
And the generation subunit is used for carrying out fusion processing on each encrypted password segment based on the index corresponding to each encrypted password segment to obtain the encrypted access password.
In one embodiment, the transmitting module 904 includes:
The authentication unit is used for acquiring the public key of the access password and the private key of the current user, and executing identity authentication operation on the current user through the public key and the private key;
And the sending unit is used for sending the encrypted access password to the current user if the identity authentication of the current user is passed.
In one embodiment, the authentication unit includes:
A transmitting subunit, configured to transmit a private key to a current user;
The matching subunit is used for matching the public key with the private key if receiving the response signal of the current user; the response signal represents a confirmation signal after the current user receives the private key;
And the authentication subunit is used for determining that the identity authentication of the current user passes if the public key and the private key are successfully matched.
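The key delegation and authentication operation of steps S808 to S809 above, and the transmitting, matching and authentication subunits just described, as an added example; this is not the patent's own code. It models "matching the public key with the private key" as a signature check: the master control server generates an Ed25519 key pair, retains only the public key, and the user's response signal is a signature over a fresh server challenge made with the delivered private key, so a match succeeds only when the user holds the private half of the retained public key. The challenge, the user-ID keyed map, the signed message prefix and all names are assumptions; how the private key reaches the user is outside the block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server is the master control server. After key delegation it retains only
// the public key of each user (keyed by a user ID, an assumption here) and
// never needs the private key again.
type Server struct {
	pub map[string]ed25519.PublicKey
}

// User holds the private key delivered by the server.
type User struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewServer() *Server { return &Server{pub: map[string]ed25519.PublicKey{}} }

// Delegate is S808 as modelled here: generate the user's Ed25519 key pair,
// keep the public half and return the private half for delivery to the user.
func (s *Server) Delegate(userID string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pub[userID] = pub
	return priv, nil
}

// Challenge is a fresh random value the server attaches to each verification
// so that a captured response signal cannot be replayed (assumption: the
// patent text does not describe a challenge).
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// ReceivePrivateKey is the user side of S809: the user takes the delivered
// key into use after a basic sanity check on its length.
func ReceivePrivateKey(id string, priv ed25519.PrivateKey) (*User, error) {
	if len(priv) != ed25519.PrivateKeySize {
		return nil, errors.New("malformed private key")
	}
	return &User{ID: id, priv: priv}, nil
}

// message binds the user ID and the challenge into the bytes that get signed.
func message(userID string, challenge []byte) []byte {
	return append([]byte("confirm:"+userID+":"), challenge...)
}

// Confirm produces the response signal: a signature over the challenge made
// with the delivered private key.
func (u *User) Confirm(challenge []byte) []byte {
	return ed25519.Sign(u.priv, message(u.ID, challenge))
}

// Authenticate is the matching subunit: verifying the response signal with the
// retained public key succeeds only if it was produced by the matching private
// key, which is what "matching the public key with the private key" checks.
func (s *Server) Authenticate(userID string, challenge, response []byte) bool {
	pub, ok := s.pub[userID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, message(userID, challenge), response)
}

func main() {
	srv := NewServer()
	priv, _ := srv.Delegate("user-42") // constructed user ID
	user, _ := ReceivePrivateKey("user-42", priv)
	ch, _ := srv.Challenge()
	fmt.Println("authenticated:", srv.Authenticate("user-42", ch, user.Confirm(ch)))
}
```

Because the server keeps only the public key, a compromise of its store does not yield anything that can impersonate a user, and because each response is bound to a one-time challenge, a captured response signal is useless for a later verification.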
For the specific limitations of the database access password encryption device, refer to the limitations of each step in the database access password encryption method above; they are not repeated here. The modules of the database access password encryption device described above may be implemented in whole or in part by software, hardware, or a combination of the two. The modules can be embedded in, or independent of, the target device in hardware form, or stored in a memory of the target device in software form, so that the target device can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, as shown in FIG. 10, comprising a processor, a memory, a communication interface, a display screen and an input device connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for running the operating system and the computer program stored in the non-volatile storage medium. The communication interface of the computer device performs wired or wireless communication with an external terminal; the wireless mode can be implemented through Wi-Fi, a mobile cellular network, NFC (near field communication) or other technologies. The computer program, when executed by the processor, implements a database access password encryption method. The display screen of the computer device can be a liquid crystal display or an electronic ink display, and the input device can be a touch layer covering the display screen, keys, a trackball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad or mouse.
Those skilled in the art will appreciate that the foregoing structural description of the computer device covers only the parts relevant to the present inventive arrangements and does not limit the computer devices to which the present inventive arrangements apply; a particular computer device may include more or fewer components than those shown in the drawings, may combine certain components, or may have a different arrangement of components.
In one embodiment, there is also provided a computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
If a user password request of the current user is received and the identity of the current user is legal, generating an access password of the current user;
Distributing a target cipher machine to the current user; the target crypto-engine comprises at least two crypto-engines;
Encrypting the access password through a target password machine to obtain an encrypted access password;
And sending the encrypted access password to the current user, wherein the encrypted access password is used for indicating the current user to access the database according to the encrypted access password.
In one embodiment, the processor when executing the computer program further performs the steps of:
detecting whether identity information which is the same as the identity information of the current user exists in an identity information database; the identity information database comprises identity information of a plurality of users;
if yes, determining that the identity of the current user is legal.
In one embodiment, the processor when executing the computer program further performs the steps of:
distributing a target cipher machine to the current user according to a preset mapping table; the mapping table includes correspondence between a plurality of users and the cryptographic engine.
In one embodiment, the processor when executing the computer program further performs the steps of:
According to the number of the cipher machines in the target cipher machine, carrying out sectional operation on the access cipher to obtain a plurality of cipher segments; the number of the cipher segments is the same as that of the cipher machines, and one cipher machine corresponds to one cipher segment respectively;
each cipher segment is sent to a corresponding cipher machine, and encryption processing is carried out on each cipher segment through each cipher machine, so that a plurality of encrypted cipher segments are obtained;
And receiving the encrypted password segments returned by the password machines, and generating an encrypted access password according to the received encrypted password segments.
In one embodiment, each cipher machine performs cross encryption on each cipher segment to obtain cross encrypted cipher segments, and creates corresponding indexes for the cross encrypted cipher segments according to the arrangement sequence of each cipher segment to obtain a plurality of encrypted cipher segments.
In one embodiment, the processor when executing the computer program further performs the steps of:
and carrying out fusion processing on each encrypted password segment based on the index corresponding to each encrypted password segment to obtain an encrypted access password.
In one embodiment, the processor when executing the computer program further performs the steps of:
acquiring a public key of an access password and a private key of a current user, and executing identity authentication operation on the current user through the public key and the private key;
and if the identity authentication of the current user is passed, sending the encrypted access password to the current user.
In one embodiment, the processor when executing the computer program further performs the steps of:
sending a private key to the current user;
if a response signal of the current user is received, matching the public key with the private key; the response signal represents a confirmation signal after the current user receives the private key;
if the public key and the private key are successfully matched, the identity authentication of the current user is determined to pass.
The implementation principle and technical effects of each step implemented by the processor in this embodiment are similar to those of the above-mentioned database access password encryption method, and are not described herein.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, carries out the steps of the method embodiments described above.
The steps implemented when the computer program is executed by the processor in this embodiment are similar to the above-described database access password encryption method in terms of the principle and technical effects, and will not be described in detail herein.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
The steps implemented when the computer program is executed by the processor in this embodiment are similar to the above-described database access password encryption method in terms of the principle and technical effects, and will not be described in detail herein.
The user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium which, when executed, carries out the steps of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetoresistive Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory may include Random Access Memory (RAM) or external cache memory, and the like. By way of illustration and not limitation, RAM can take various forms such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above embodiments are described; however, as long as a combination of technical features contains no contradiction, it should be considered within the scope of this description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail without thereby limiting the scope of the application. It should be noted that those skilled in the art can make several variations and modifications without departing from the spirit of the application, all of which fall within its scope. Accordingly, the scope of the application should be determined by the appended claims.
Claims (10)
1. A method for encrypting a database access password, the method comprising:
If a user password request of a current user is received and the identity of the current user is legal, generating an access password of the current user; the access password is an access password of a current user generated by the server according to a preset access strategy of the database;
Distributing target cipher machines to the current user according to a preset quantity allocated to the current user; the target cipher machine comprises at least two cipher machines;
according to the number of the target cipher machines, carrying out sectional operation on the access cipher to obtain a plurality of cipher segments; the number of the cipher segments is the same as that of the cipher machines, and one cipher machine corresponds to one cipher segment respectively;
each cipher segment is sent to a corresponding cipher machine, and encryption processing is carried out on each cipher segment through each cipher machine, so that a plurality of encrypted cipher segments are obtained;
Receiving the encrypted password segments returned by the password machines, and generating the encrypted access password according to the received encrypted password segments;
And sending the encrypted access password to the current user, wherein the encrypted access password is used for indicating the current user to access a database according to the encrypted access password.
2. The method of claim 1, wherein the user password request includes identity information of the current user, and wherein prior to the generating the access password of the current user, the method further comprises:
Detecting whether identity information which is the same as the identity information of the current user exists in an identity information database; the identity information database comprises identity information of a plurality of users;
If yes, determining that the identity of the current user is legal.
3. The method according to claim 1 or 2, wherein said assigning a target cryptographic machine to said current user comprises:
distributing a target cipher machine to the current user according to a preset mapping table; the mapping table comprises correspondence between a plurality of users and the cryptographic engine.
4. The method of claim 1, wherein each of the cryptographic machines cross-encrypts each of the cryptographic segments to obtain cross-encrypted cryptographic segments, and creates a corresponding index for each of the cross-encrypted cryptographic segments according to an arrangement order of each of the cryptographic segments to obtain the plurality of encrypted cryptographic segments.
5. The method of claim 4, wherein the generating the encrypted access code from the received encrypted code segment comprises:
And carrying out fusion processing on each encrypted password segment based on the index corresponding to each encrypted password segment to obtain the encrypted access password.
6. The method according to claim 1 or 2, wherein said sending the encrypted access code to the current user comprises:
Acquiring a public key of the access password and a private key of the current user, and executing identity authentication operation on the current user through the public key and the private key;
And if the identity authentication of the current user is passed, sending the encrypted access password to the current user.
7. The method of claim 6, wherein the performing an authentication operation on the current user with the public key and the private key comprises:
Sending the private key to the current user;
if the response signal of the current user is received, matching the public key with the private key; the response signal represents a confirmation signal after the current user receives the private key;
And if the public key and the private key are successfully matched, determining that the identity authentication of the current user passes.
8. The method according to claim 1, wherein the encryption process refers to a method of encrypting using a data encryption algorithm including a symmetric encryption algorithm and an asymmetric encryption algorithm.
9. A database access password encryption apparatus, the apparatus comprising:
The generation module is used for generating an access password of the current user if the user password request of the current user is received and the identity of the current user is legal; the access password is an access password of a current user generated by the server according to a preset access strategy of the database;
The distribution module is used for distributing target cipher machines to the current user according to a preset quantity allocated to the current user; the target cipher machine comprises at least two cipher machines;
The segmentation unit is used for carrying out segmentation operation on the access password according to the number of the password machines in the target password machine to obtain a plurality of password segments; the number of the cipher segments is the same as that of the cipher machines, and one cipher machine corresponds to one cipher segment respectively;
the encryption unit is used for respectively sending each cipher segment to a corresponding cipher machine, and encrypting each cipher segment through each cipher machine to obtain a plurality of encrypted cipher segments;
the generation unit is used for receiving the encrypted password segments returned by the password machines and generating an encrypted access password according to the received encrypted password segments;
The sending module is used for sending the encrypted access password to the current user, and the encrypted access password is used for indicating the current user to access a database according to the encrypted access password.
10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 8 when the computer program is executed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210373593.0A CN114826702B (en) | 2022-04-11 | 2022-04-11 | Database access password encryption method and device and computer equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210373593.0A CN114826702B (en) | 2022-04-11 | 2022-04-11 | Database access password encryption method and device and computer equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114826702A CN114826702A (en) | 2022-07-29 |
CN114826702B true CN114826702B (en) | 2024-08-13 |
Family
ID=82534010
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210373593.0A Active CN114826702B (en) | 2022-04-11 | 2022-04-11 | Database access password encryption method and device and computer equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114826702B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115811397B (en) * | 2022-11-21 | 2023-08-04 | 北京神州安付科技股份有限公司 | High-safety server cipher machine |
CN116541550B (en) * | 2023-07-06 | 2024-07-02 | 广州方图科技有限公司 | Photo classification method and device for self-help photographing equipment, electronic equipment and medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1889081A (en) * | 2006-08-01 | 2007-01-03 | 中国工商银行股份有限公司 | Data base safety access method and system |
CN108259175A (en) * | 2017-12-28 | 2018-07-06 | 成都卫士通信息产业股份有限公司 | A kind of distribution routing algorithm method of servicing and system |
CN112003690A (en) * | 2019-08-16 | 2020-11-27 | 华控清交信息科技(北京)有限公司 | Password service system, method and device |
CN114239000A (en) * | 2021-11-11 | 2022-03-25 | 中国南方电网有限责任公司 | Password processing method, device, computer equipment and storage medium |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050240995A1 (en) * | 2004-04-23 | 2005-10-27 | Ali Valiuddin Y | Computer security system and method |
CN103001957B (en) * | 2012-11-26 | 2015-07-15 | 广州大学 | Key generation method, device and server |
US10805284B2 (en) * | 2017-07-12 | 2020-10-13 | Logmein, Inc. | Federated login for password vault |
CN108228316B (en) * | 2017-12-26 | 2022-01-25 | 成都卫士通信息产业股份有限公司 | Method and device for virtualizing password device |
CN109525544B (en) * | 2018-06-01 | 2021-08-13 | 中央军委后勤保障部信息中心 | Business system access method and system based on cipher machine cluster |
US11438152B2 (en) * | 2020-01-31 | 2022-09-06 | Visa International Service Association | Distributed symmetric encryption |
- 2022-04-11 CN CN202210373593.0A patent/CN114826702B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1889081A (en) * | 2006-08-01 | 2007-01-03 | 中国工商银行股份有限公司 | Data base safety access method and system |
CN108259175A (en) * | 2017-12-28 | 2018-07-06 | 成都卫士通信息产业股份有限公司 | A kind of distribution routing algorithm method of servicing and system |
CN112003690A (en) * | 2019-08-16 | 2020-11-27 | 华控清交信息科技(北京)有限公司 | Password service system, method and device |
CN114239000A (en) * | 2021-11-11 | 2022-03-25 | 中国南方电网有限责任公司 | Password processing method, device, computer equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN114826702A (en) | 2022-07-29 |
Similar Documents
Publication | Title |
---|---|
CN110537346B (en) | Safe decentralized domain name system |
JP6547079B1 (en) | Registration / authorization method, device and system |
CN107959567B (en) | Data storage method, data acquisition method, device and system |
AU2003202511B2 (en) | Methods for authenticating potential members invited to join a group |
JP5860815B2 (en) | System and method for enforcing computer policy |
US8856530B2 (en) | Data storage incorporating cryptographically enhanced data protection |
US8059818B2 (en) | Accessing protected data on network storage from multiple devices |
EP3398073B1 (en) | Securely storing and distributing sensitive data in a cloud-based application |
US9219722B2 (en) | Unclonable ID based chip-to-chip communication |
WO2019191378A1 (en) | Threshold secret share authentication proof and secure blockchain voting with hardware security modules |
US20140112470A1 (en) | Method and system for key generation, backup, and migration based on trusted computing |
US20130227286A1 (en) | Dynamic Identity Verification and Authentication, Dynamic Distributed Key Infrastructures, Dynamic Distributed Key Systems and Method for Identity Management, Authentication Servers, Data Security and Preventing Man-in-the-Middle Attacks, Side Channel Attacks, Botnet Attacks, and Credit Card and Financial Transaction Fraud, Mitigating Biometric False Positives and False Negatives, and Controlling Life of Accessible Data in the Cloud |
CN110881177B (en) | Anti-quantum computing distributed Internet of vehicles method and system based on identity secret sharing |
CN114826702B (en) | Database access password encryption method and device and computer equipment |
Chidambaram et al. | Enhancing the security of customer data in cloud environments using a novel digital fingerprinting technique |
Tu et al. | A secure, efficient and verifiable multimedia data sharing scheme in fog networking system |
Junghanns et al. | Engineering of secure multi-cloud storage |
Castiglione et al. | A secure file sharing service for distributed computing environments |
CN114553557B (en) | Key calling method, device, computer equipment and storage medium |
CN118449786B (en) | Local communication lightweight authentication method, system, equipment and medium of power terminal |
JP2014081887A (en) | Secure single sign-on system and program |
ALnwihel et al. | A Novel Cloud Authentication Framework |
CN116599771B (en) | Data hierarchical protection transmission method and device, storage medium and terminal |
KR100842014B1 (en) | Accessing protected data on network storage from multiple devices |
Shaheen et al. | Fortifying Multi-User Cloud Security in Quantum Networking Using Cryptographic Algorithms |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |