CN115033925A - Database security retrieval method - Google Patents
- Publication number
- CN115033925A (application number CN202210958903.5A)
- Authority
- CN
- China
- Prior art keywords
- retrieval
- hmac
- data
- ciphertext
- digital envelope
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
- G06F21/6254—Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Medical Informatics (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a database security retrieval method, belonging to the technical field of security retrieval, which comprises the following steps: creating a ciphertext table, an HMAC table and a dictionary table from the plaintext data and the retrieval fields; obtaining, according to the dictionary table, the unique code of the data to be queried and the retrieval content as the original text, and packaging the original text into a first digital envelope using the local encryption digital certificate of the user side and a preset encryption public key certificate; transmitting the first digital envelope and the local encryption digital certificate to a retrieval security module to request retrieval; opening the first digital envelope to obtain the original text and the content in the HMAC table corresponding to the current query content; obtaining the ciphertext data in the ciphertext table through the correspondence between the HMAC table and the ciphertext table; decrypting, according to the local encryption digital certificate and in combination with the primary key of the retrieval content, to obtain the plaintext information, which is then packaged and sent; and opening the envelope to obtain the original text information inside. The invention enables exact retrieval and query of data across the whole service process in full-ciphertext form, balancing security and service efficiency.
Description
Technical Field
The invention relates to the technical field of security retrieval, in particular to a database security retrieval method.
Background
The existing database retrieval technology has the following defects:
First, the retrieval content is at risk of leakage:
The database has a log system, and the information searched and queried in the database is recorded in that log system in order to address the risk of data recovery when the database is abnormal. By going back through and querying the database logs, and combining dimensions such as query time, an attacker can quickly analyze the query content of a data user and the results of the data that user retrieved.
Second, retrieval performance is low:
Cryptographic algorithms such as oblivious transfer and homomorphic encryption solve the secure-query problem to a certain extent, but by their principle they require a large amount of server computation and information transmission. When the data volume is large, retrieval performance drops sharply, which affects actual service applications.
Therefore, how to provide a database security retrieval method that achieves both security and high efficiency in service data retrieval is a problem that those skilled in the art urgently need to solve.
Disclosure of Invention
In view of this, the present invention provides a database security retrieval method that implements exact retrieval and query of data across the whole service process in full-ciphertext form, balancing the security of the retrieval process and the efficiency of the service.
To achieve this purpose, the invention adopts the following technical scheme:
The invention discloses a database security retrieval method, which comprises the following steps:
Step of creating the ciphertext library:
S11, initializing a ciphertext table, an HMAC table and a dictionary table, wherein the table name of the HMAC table corresponds to the table name of the ciphertext table;
S12, acquiring plaintext data and all retrieval fields in units of groups;
S13, extracting the corresponding plaintext data according to the retrieval fields, performing an HMAC calculation on the extracted plaintext data one by one to obtain HMAC values, and storing them in the corresponding retrieval fields of the HMAC table; creating a UUID and performing a MAC hash calculation on it to obtain K, which is stored in the HMAC table as the primary key;
S14, encrypting the plaintext data one by one with a symmetric key, storing the encrypted data in the ciphertext table, and storing K in the ciphertext table as the primary key;
S15, storing in the dictionary table the unique codes of the retrieval fields corresponding to all query data (that is, of the column names for the specific query data), the table name of the HMAC table, and the retrieval fields in the HMAC table;
Step of sending a retrieval request:
S21, presetting the encryption public key certificate of the retrieval security module at the user side;
S22, obtaining, according to the dictionary table, the unique code of the data to be queried and the query data as the original text, and packaging the original text using the local encryption digital certificate of the user side and the preset encryption public key certificate to obtain a first digital envelope;
S23, transmitting the first digital envelope and the local encryption digital certificate to the retrieval security module to make the retrieval request;
Step of responding to the retrieval request:
S31, authenticating the user side using the transmitted local encryption digital certificate and, after authentication passes, verifying and opening the digital envelope to obtain the original text;
S32, using the unique code of the data to be queried in the original text to obtain the table name of the HMAC table corresponding to the current query data and the corresponding retrieval field in the HMAC table;
S33, obtaining the corresponding ciphertext table through the correspondence between the table name of the HMAC table and the table name of the ciphertext table;
S34, calculating over the query data with the HMAC key to obtain an HMAC value, and retrieving the primary key information K corresponding to the current query data; retrieving from the obtained ciphertext table by K to obtain the corresponding ciphertext data;
S35, according to the local encryption digital certificate obtained when the retrieval request was sent, and in combination with the primary key information K corresponding to the query data, decrypting with the symmetric key to obtain the plaintext information, using the plaintext information as the original text, packaging it again to obtain a second digital envelope, and sending the second digital envelope to the user side.
Preferably, step S12 further comprises, after acquiring the plaintext data in units of groups, permuting the order in which the data within the group is arranged.
Preferably, in S14, the plaintext data is encrypted in CBC mode, with K from the HMAC table as the IV of the CBC mode; after the fields of all plaintext data in the current group are encrypted, a new record is created in the ciphertext table, the symmetrically encrypted data are written into it in order, and the IV is used as the primary key of the record. Because of the way the IV K is generated, the K values of all records are different, so the same plaintext information yields different ciphertext after encryption: the same plaintext under the same key takes different ciphertext forms, and the arrangement relationship among the original plaintexts is changed.
Preferably, in S22, the original text is packaged using the user's local signature private key, signature public key certificate and the preset encryption public key certificate to obtain a first digital envelope of the SignedAndEnveloped type.
Preferably, in S35, the step of packaging the plaintext information as the original text again to obtain the second digital envelope uses the same method as the packaging of the first digital envelope, and the second digital envelope is a digital envelope of the SignedAndEnveloped type.
Preferably, the method further comprises: S4, the user side opens the second digital envelope: the user side uses a PKI certificate authentication mechanism to verify and open the second digital envelope returned by the retrieval security module, and obtains the original text information inside.
Preferably, the method further comprises the following step:
at the nodes of the step of responding to the retrieval request, the retrieval security module records the retrieval request information and the processing result, including but not limited to the identity information of the user side, the retrieval request time and the processing result, and protects the records with an integrity protection mechanism.
Compared with the prior art, the above technical scheme has the following beneficial effects:
The invention enables exact retrieval and query of data across the whole service process in full-ciphertext form, balancing security and service efficiency.
Full symmetric encryption of the original data source ensures that the original text is invisible during retrieval;
The retrieval fields used for exact retrieval are identified in advance and, together with the primary key obtained by the MAC hash calculation, are written into a separately created HMAC table, so that the retrieval content is hidden during queries;
The retrieval security module automatically converts SignedAndEnveloped data into HMAC values and symmetric ciphertext into SignedAndEnveloped data internally, and protects the query records with an integrity protection mechanism, which keeps the plaintext invisible while providing audit traceability.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only embodiments of the present invention, and those skilled in the art can obtain other drawings from the provided drawings without creative effort.
Fig. 1 is a retrieval block diagram of a database security retrieval method according to an embodiment of the present invention;
Fig. 2 is a flowchart of the data conversion of the ciphertext table in a database security retrieval method according to an embodiment of the present invention;
Fig. 3 is a flowchart of anonymous retrieval in a database security retrieval method according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention discloses a database security retrieval method. As shown in Fig. 1, the retrieval security module is the core of the whole system and provides a reliable environment for cryptographic operations. Through customization and upgrading of its cryptographic algorithms, the retrieval security module can internally convert a signed digital envelope into an HMAC and convert symmetrically encrypted data into a signed digital envelope. The data user can use a cryptographic security device, such as a smart cryptographic key containing a digital certificate and keys, as the terminal identity. The retrieval security module has built-in signature/encryption keys and the corresponding digital certificates, and its encryption public key certificate is preset at the data user.
In use, the plaintext data of the original database is converted into ciphertext by the retrieval security module and stored separately. Subsequent retrieval is completed using the retrieval security module and the ciphertext data. All queries go through the retrieval security module and its internal cryptographic module; the secure conversion of data is completed inside the retrieval security module, so that the whole retrieval process is carried out in ciphertext and no plaintext information appears inside or outside the retrieval security module (excluding cryptographic modules such as the internal cryptographic card). The retrieval security module records the information of each retrieval and applies integrity protection to the records for log audit and tracing.
The specific steps are as follows:
(1) Step of creating the ciphertext library:
The ciphertext library is obtained by symmetrically encrypting the table information of the plaintext using cryptographic techniques, so that the table information is stored entirely as ciphertext and a data manager cannot view the actual plaintext information that the current data represents, even with a database management tool. The ciphertext library specifically comprises a ciphertext table, an HMAC table and a dictionary table. The steps for converting the original data into the ciphertext database are as follows:
S11, initializing a ciphertext table, an HMAC table and a dictionary table, wherein the table name of the HMAC table corresponds to the table name of the ciphertext table;
S12, acquiring plaintext data and all retrieval fields in units of groups;
S13, extracting the corresponding plaintext data according to the retrieval fields, performing an HMAC calculation on the extracted plaintext data one by one to obtain HMAC values, and storing them in the corresponding retrieval fields of the HMAC table; creating a UUID and performing a MAC hash calculation on it to obtain K, which is stored in the HMAC table as the primary key;
S14, encrypting the plaintext data one by one with a symmetric key, storing the encrypted data in the ciphertext table, and storing K in the ciphertext table as the primary key;
S15, storing in the dictionary table the unique codes of the retrieval fields corresponding to all query data, the table name of the HMAC table, and the retrieval fields in the HMAC table. For example, if "name" is a retrieval field (that is, a retrieval column name) and its unique code in the dictionary table is 01, then the unique code 01 is what is disclosed to the user side, which protects the retrieval field (the column name).
In one embodiment, the plaintext table P has N columns of fields. Before conversion, the number C of retrieval fields used for exact retrieval must be confirmed, where C is less than or equal to N. Before conversion, a ciphertext table M must be created with table name MN; its number of fields is N+1, a primary key column being added. An HMAC table HM corresponding to the ciphertext table M is created with C+1 fields, and the table name of HM is MN_HMAC. A global dictionary table D is created, and a new record is created in the dictionary table D for each of the C field names, which are encoded.
In this embodiment, the dictionary table has at least the following fields: the simplified name (unique code) of the exact-query data, the table name of the corresponding HMAC table, and the field name in the corresponding HMAC table. The retrieval fields of the information to be retrieved in the HM table are created one by one in the dictionary table D in advance.
In one embodiment, when converting the plaintext table P into the ciphertext table M, the retrieval security module reads BM groups of plaintext data each time (BM is a positive integer greater than or equal to 1; for security, BM is set to a larger number as far as performance allows) and randomly exchanges the order of the BM groups of plaintext data in memory.
In one embodiment, for each group of data, the original text of each column that requires exact query is taken out one by one according to service requirements; the retrieval security module is called and performs an HMAC operation with its internal HMAC key to obtain a check value of the original text; a new record is created in the HM table and the HMAC results are inserted into the corresponding columns; at the same time, a UUID is randomly created and a MAC hash calculation is performed on it to obtain K, which is used as the primary key information. The data of each field in the group is then encrypted in turn with the symmetric key of the retrieval security module, using an encryption mode with an IV, such as CBC, with K from the HM table above as the IV. After all fields in the group are encrypted, a new record is created in the ciphertext table M, the symmetrically encrypted data are written into it in order, and the IV is used as its primary key.
(2) Step of sending a retrieval request:
Retrieval is the core service of the whole system. The data user issues a query according to the simplified names (unique codes) in the dictionary table D created in step (1) and the meanings they represent; when a field needs to be queried, the simplified name (unique code) corresponding to the query data is indicated. The specific steps are as follows:
S21, the terminal cryptographic device and the retrieval security module each have dual keys (signature/encryption private keys) and dual certificates (signature/encryption digital certificates), and the encryption public key certificate of the retrieval security module is preset at the user side; in this step, the terminal cryptographic device provides the encryption public key certificate of the user side at the stage where the user side sends the retrieval request, and completes the packaging of the SignedAndEnveloped digital envelope.
S22, obtaining, according to the dictionary table, the unique code of the data to be queried and the query data as the original text (for example, the query data is Liqu and its corresponding unique code is 01), and packaging the original text using the local encryption digital certificate of the user side and the preset encryption public key certificate to obtain a first digital envelope;
S23, transmitting the first digital envelope together with the local encryption digital certificate to the retrieval security module to make the retrieval request.
In one embodiment, the original text is packaged using the user's local signature private key, signature public key certificate and the preset encryption public key certificate to obtain a first digital envelope of the SignedAndEnveloped type, and this envelope and the local encryption digital certificate are transmitted to the internal cryptographic module of the retrieval security module, such as an internal cryptographic card or chip, to make the query request.
(3) Step of responding to the retrieval request:
S31, authenticating the user using the transmitted local encryption digital certificate and, after authentication passes, verifying and opening the digital envelope to obtain the original text;
S32, using the unique code of the data to be queried in the original text to obtain the table name of the HMAC table corresponding to the current query data and the corresponding retrieval field in the HMAC table;
S33, obtaining the corresponding ciphertext table through the correspondence between the table name of the HMAC table and the table name of the ciphertext table;
S34, calculating over the query data with the HMAC key to obtain an HMAC value, and retrieving the primary key information K corresponding to the current query data; retrieving from the obtained ciphertext table by K to obtain the corresponding ciphertext data;
S35, according to the local encryption digital certificate obtained when the retrieval request was sent, and in combination with the primary key information K corresponding to the query data, decrypting with the symmetric key to obtain the plaintext information, using the plaintext information as the original text, packaging it again to obtain a second digital envelope, and sending the second digital envelope to the user side.
In one embodiment, after receiving the request, the retrieval security module uses a PKI certificate authentication mechanism to verify the transmitted encryption digital certificate of the data user (the local encryption digital certificate), and verifies and opens the SignedAndEnveloped data, so that the internal cryptographic module obtains the corresponding query simplified name and retrieval content. The HMAC key is then called to operate on the retrieval content, giving the HMAC value used for the subsequent retrieval.
In one embodiment, the retrieval security module connects to the ciphertext database and queries the dictionary table D by the query simplified name, obtaining the name of the HM table corresponding to the current query content and the corresponding field in the HM table; the table name of the current ciphertext table is derived from the naming relationship between the HM table and the ciphertext table M; and the primary key information K corresponding to the current query is looked up using the HMAC value obtained, the HM table name given by the D table, and the HM field. If a record K exists for the query, the ciphertext table M is searched by K to obtain the corresponding ciphertext data.
After obtaining the relevant record from the ciphertext table, the retrieval security module uses the data user's encryption public key certificate from the request and, with the primary key of the current record as the IV, decrypts with the symmetric key inside the retrieval security module to obtain the plaintext information; the plaintext information is then used as the original text and packaged into a digital envelope for transmission.
In this embodiment, the step of packaging the plaintext information as the original text to obtain the second digital envelope uses the same method as the packaging of the first digital envelope, and the second digital envelope is a SignedAndEnveloped digital envelope.
In this embodiment, the data user relies on a PKI certificate authentication mechanism to verify and open the SignedAndEnveloped second digital envelope returned by the retrieval security module, and uses its own encryption private key, provided by the terminal cryptographic device, to recover the original text of the second digital envelope sent by the server-side retrieval security module, thereby completing the anonymous retrieval query.
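The ciphertext-library layout of step (1) and the lookup of S32 to S35, as an added Go example that is not code from the patent. The digital envelopes and certificate checks are left out; AES-256-CBC, HMAC-SHA256, the truncation of K to one AES block, the `Module` type with its `Load`, `open` and `Search` methods, and the sample rows are all assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

type Module struct { // stands in for the retrieval security module; only it holds the two keys
	hmacKey []byte
	block   cipher.Block                   // AES-256 under the module's symmetric key
	Dict    map[string][2]string           // D: unique code -> {HM table name, HM field}
	HM      map[string][]map[string][]byte // HM tables: records of field -> HMAC, plus "K"
	M       map[string]map[string][][]byte // ciphertext tables: K -> encrypted fields
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without entropy there is nothing safe to do
	}
	return b
}

func NewModule() *Module {
	block, _ := aes.NewCipher(random(32)) // a 32-byte key is always accepted
	return &Module{random(32), block, map[string][2]string{}, map[string][]map[string][]byte{}, map[string]map[string][][]byte{}}
}

func (m *Module) mac(msg []byte) []byte {
	h := hmac.New(sha256.New, m.hmacKey)
	h.Write(msg)
	return h.Sum(nil)
}

// Load performs S13-S15 for plaintext table name; codes maps retrieval field -> unique code.
func (m *Module) Load(name string, cols []string, codes map[string]string, rows [][]string) {
	for field, code := range codes {
		m.Dict[code] = [2]string{name + "_HMAC", field}
	}
	m.M[name] = map[string][][]byte{}
	for _, row := range rows {
		// K = MAC(random UUID), cut to 16 bytes so it can serve as the IV (assumption).
		rec := map[string][]byte{"K": m.mac(random(16))[:aes.BlockSize]}
		for i, v := range row {
			if _, ok := codes[cols[i]]; ok {
				rec[cols[i]] = m.mac([]byte(v)) // deterministic, so equal values match
			}
			pad := aes.BlockSize - len(v)%aes.BlockSize // PKCS#7 padding
			buf := append([]byte(v), bytes.Repeat([]byte{byte(pad)}, pad)...)
			cipher.NewCBCEncrypter(m.block, rec["K"]).CryptBlocks(buf, buf)
			m.M[name][string(rec["K"])] = append(m.M[name][string(rec["K"])], buf)
		}
		m.HM[name+"_HMAC"] = append(m.HM[name+"_HMAC"], rec)
	}
}

// open decrypts one ciphertext-table record, using its primary key K as the CBC IV.
func (m *Module) open(k []byte, fields [][]byte) (plain []string, err error) {
	for _, c := range fields {
		if len(c) == 0 || len(c)%aes.BlockSize != 0 {
			return nil, fmt.Errorf("bad ciphertext length %d", len(c))
		}
		buf := make([]byte, len(c))
		cipher.NewCBCDecrypter(m.block, k).CryptBlocks(buf, c)
		pad := int(buf[len(c)-1])
		if pad < 1 || pad > aes.BlockSize {
			return nil, fmt.Errorf("bad padding")
		}
		plain = append(plain, string(buf[:len(c)-pad]))
	}
	return plain, nil
}

// Search performs S32-S35 without the envelopes: unique code -> HM record -> K -> plaintext.
// The ciphertext table is found from the HM table name (S33); an unknown code gives no hits.
func (m *Module) Search(code, value string) (hits [][]string, err error) {
	entry := m.Dict[code]
	for _, rec := range m.HM[entry[0]] {
		if hmac.Equal(rec[entry[1]], m.mac([]byte(value))) {
			row, err := m.open(rec["K"], m.M[strings.TrimSuffix(entry[0], "_HMAC")][string(rec["K"])])
			if err != nil {
				return nil, err
			}
			hits = append(hits, row)
		}
	}
	return hits, nil
}

func main() {
	m := NewModule()
	m.Load("MN", []string{"name", "city"}, map[string]string{"name": "01"}, [][]string{{"Liqu", "Jinan"}, {"Wang", "Jinan"}}) // constructed rows
	fmt.Println(m.Search("01", "Liqu"))
}
```

The HMAC columns are deterministic, which is what makes exact matching possible, so equal values in a retrieval field show up as equal tags in the HMAC table. The ciphertext table does not show this across records, because every record is encrypted under its own K.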
In one embodiment, the method further comprises the following:
The data manager is assigned retrieval audit authority. The data user performs the whole process, from retrieval to obtaining the result, as full-ciphertext queries, and the data manager cannot learn the specific content that the data user retrieved and obtained.
During a query, at nodes such as responding to the query request and returning the processing result, the retrieval security module records the request information and the processing result, including but not limited to the identity information of the initiator (public key, public key certificate or identifier, etc.), the initiation time and the processing result (success or failure), and protects the records with an integrity protection mechanism such as HMAC, which makes it convenient for data managers to audit and trace services.
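One way to protect the retrieval records described above with HMAC, as an added Go example rather than the patent's own design. Each record's tag also covers the previous record's tag, a chaining step that goes beyond what the text states, so that altered, removed or reordered records are detected; the `AuditLog` type, its field names, the key and the sample entries are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Entry is one retrieval record; Tag covers its fields and the previous entry's tag.
type Entry struct {
	Requester, Time, Result string
	Tag                     []byte
}

// AuditLog is written by the retrieval security module, which alone holds key.
type AuditLog struct {
	key     []byte
	Entries []Entry
}

// tag is HMAC-SHA256 over prev plus each field with a length prefix, so that
// ("ab","c") and ("a","bc") cannot produce the same MAC input.
func (l *AuditLog) tag(prev []byte, e Entry) []byte {
	h := hmac.New(sha256.New, l.key)
	h.Write(prev)
	for _, f := range []string{e.Requester, e.Time, e.Result} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		h.Write(n[:])
		h.Write([]byte(f))
	}
	return h.Sum(nil)
}

// Append adds a record and returns the new head tag, to be kept outside the log.
func (l *AuditLog) Append(requester, time, result string) []byte {
	var prev []byte
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Tag
	}
	e := Entry{Requester: requester, Time: time, Result: result}
	e.Tag = l.tag(prev, e)
	l.Entries = append(l.Entries, e)
	return e.Tag
}

// Verify returns -1 if every tag checks and the chain ends at head; otherwise the
// index of the first bad entry, or len(Entries) if records were cut off the end.
func (l *AuditLog) Verify(head []byte) int {
	var prev []byte
	for i, e := range l.Entries {
		if !hmac.Equal(e.Tag, l.tag(prev, e)) {
			return i
		}
		prev = e.Tag
	}
	if !hmac.Equal(prev, head) {
		return len(l.Entries)
	}
	return -1
}

// sample builds a log of three constructed retrieval records and returns it with its head tag.
func sample() (*AuditLog, []byte) {
	l := &AuditLog{key: []byte("constructed audit key, not a real secret")}
	l.Append("CN=user-a", "2022-08-11T09:00:00Z", "success")
	l.Append("CN=user-b", "2022-08-11T09:00:05Z", "failure")
	return l, l.Append("CN=user-a", "2022-08-11T09:01:00Z", "success")
}

func main() {
	l, head := sample()
	fmt.Println("intact:", l.Verify(head))
	l.Entries[1].Result = "success" // a stored record is altered after the fact
	fmt.Println("first bad entry:", l.Verify(head))
}
```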
The above detailed description is provided for the database security retrieval method provided by the present invention, and the present embodiment applies a specific example to illustrate the principle and implementation manner of the present invention, and the description of the above embodiment is only used to help understanding the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined in this embodiment may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (7)
1. A database security retrieval method, characterized by comprising the following steps:
a step of creating a ciphertext database:
S11, initializing a ciphertext table, an HMAC table and a dictionary table, wherein the HMAC table and the ciphertext table each comprise naming characters;
S12, acquiring plaintext data and all retrieval fields in units of groups;
S13, extracting the corresponding plaintext data according to the retrieval fields, performing HMAC calculation on the extracted plaintext data one by one to obtain HMAC values, and storing them under the corresponding retrieval fields in the HMAC table; creating a UUID and performing a MAC hash calculation on it to obtain K, wherein K is stored in the HMAC table as the primary key;
S14, encrypting the plaintext data one by one using a symmetric key method, storing the encrypted data in the ciphertext table, and storing K in the ciphertext table as the primary key;
S15, storing, in the dictionary table, the unique codes of the retrieval fields corresponding to all query data, the naming characters of the HMAC table and the retrieval fields in the HMAC table;
a step of sending a retrieval request:
S21, presetting the encryption public key certificate of the retrieval security module at the user side;
S22, acquiring, according to the dictionary table, the unique code of the data to be queried and the query data as an original text, and packaging the original text using a local encryption digital certificate of the user side and the preset encryption public key certificate to obtain a digital envelope I;
S23, transmitting the digital envelope I together with the local encryption digital certificate to the retrieval security module to make a retrieval request;
a step of responding to the retrieval request:
S31, authenticating the user side using the transmitted local encryption digital certificate, and after the authentication passes, authenticating and disassembling the digital envelope to obtain the original text;
S32, using the unique code of the data to be queried in the original text to obtain the naming character of the HMAC table corresponding to the current query data and the corresponding retrieval field in the HMAC table;
S33, obtaining the corresponding ciphertext table through the correspondence between the naming character of the HMAC table and the naming character of the ciphertext table;
S34, calling the HMAC key to compute an HMAC value over the query data, and retrieving the primary key information K corresponding to the current query data; performing information retrieval on the obtained ciphertext table through K to obtain the corresponding ciphertext data;
S35, according to the local encryption digital certificate obtained when the retrieval request was sent, and in combination with the primary key information K corresponding to the query data, decrypting with the symmetric key to obtain plaintext information, using the plaintext information as an original text, packaging it again to obtain a second digital envelope, and sending the second digital envelope to the user side.
2. The database security retrieval method according to claim 1, wherein step S12 further comprises, after obtaining the plaintext data in units of groups, permuting the data in units of groups.
3. The database security retrieval method according to claim 1, wherein in S14 the plaintext data is encrypted in CBC encryption mode; K in the HMAC table is used as the IV vector content of the CBC encryption mode; after the fields of all plaintext data in the current group have been encrypted, a new record is created in the ciphertext table, the symmetrically encrypted data are written into it in sequence, and the IV vector is used as the primary key content of the record.
4. The database security retrieval method according to claim 1, wherein in S22 the original text is packaged using the user's local signature private key, signature public key certificate and the preset encryption public key certificate to obtain a digital envelope I of the SignedAndEnveloped type.
5. The database security retrieval method according to claim 1, wherein in S35 the step of packaging the plaintext information again as an original text to obtain the second digital envelope is the same as the step of packaging the first digital envelope, and the second digital envelope is a digital envelope of the SignedAndEnveloped type.
6. The database security retrieval method according to claim 1, further comprising: S4, the user side disassembles the digital envelope II: the user side authenticates and disassembles the digital envelope II fed back by the retrieval security module using a PKI certificate authentication mechanism, and acquires the original text information inside.
7. The database security retrieval method according to claim 1, further comprising a retrieval auditing step:
the retrieval security module records the retrieval request information and the processing result at the nodes of the step of responding to the retrieval request, including but not limited to: identity information of the user side, the retrieval request time and the processing result, and an integrity protection mechanism is adopted to protect the records.
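The table layout and lookup of claims 1 and 3, as an added example that is not code from the patent. Class and function names, keys, the unique code and the records are constructed; an HMAC-SHA256 keystream stands in for the CBC-mode symmetric cipher (the Python standard library has no block cipher), a single HMAC/ciphertext table pair is assumed so the dictionary maps a code straight to a field, and the digital-envelope steps are omitted.

```python
import hashlib
import hmac
import uuid

def prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def stream_xor(key, iv, data):
    # Stand-in cipher (HMAC-SHA256 keystream); the claims use a symmetric cipher in CBC mode.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = prf(key, iv + off.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class SecureStore:
    def __init__(self, hmac_key, enc_key):
        self.hmac_key, self.enc_key = hmac_key, enc_key
        self.hmac_table = {}    # K -> {retrieval field: HMAC(value)}
        self.cipher_table = {}  # K -> {field: ciphertext}
        self.dictionary = {}    # unique code -> retrieval field

    def insert(self, group, fields):                     # S12-S14
        k = prf(self.hmac_key, uuid.uuid4().bytes)[:16]  # K = MAC(UUID), primary key
        self.hmac_table[k] = {f: prf(self.hmac_key, group[f].encode()) for f in fields}
        # K doubles as the IV (claim 3); the field name keeps keystreams distinct.
        self.cipher_table[k] = {f: stream_xor(self.enc_key, k + f.encode(), v.encode())
                                for f, v in group.items()}

    def query(self, code, value):                        # S32-S35
        field = self.dictionary[code]
        tag = prf(self.hmac_key, value.encode())
        keys = [k for k, row in self.hmac_table.items()
                if hmac.compare_digest(row.get(field, b""), tag)]
        return [{f: stream_xor(self.enc_key, k + f.encode(), c).decode()
                 for f, c in self.cipher_table[k].items()} for k in keys]

def demo():
    store = SecureStore(b"constructed-hmac-key", b"constructed-enc-key")
    store.dictionary["F001"] = "id_no"   # constructed unique code
    store.insert({"name": "Han Mei", "id_no": "A-1001"}, ["id_no"])
    store.insert({"name": "Li Lei", "id_no": "A-1002"}, ["id_no"])
    hit = store.query("F001", "A-1002")
    miss = store.query("F001", "A-9999")
    stored = b"".join(c for row in store.cipher_table.values() for c in row.values())
    return hit, miss, b"Li Lei" in stored
```

Because the HMAC of a value is deterministic, rows holding the same value in a retrieval field carry the same tag, so anyone who can read the HMAC table learns which rows are equal on that field even without the key.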
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210958903.5A CN115033925B (en) | 2022-08-11 | 2022-08-11 | Database security retrieval method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115033925A (en) | 2022-09-09 |
CN115033925B (en) | 2022-10-28 |
Family
ID=83131096
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210958903.5A, Active, CN115033925B (en) | Database security retrieval method | 2022-08-11 | 2022-08-11 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115033925B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080133935A1 (en) * | 2004-06-01 | 2008-06-05 | Yuval Elovici | Structure Preserving Database Encryption Method and System |
CN112560065A (en) * | 2020-12-24 | 2021-03-26 | 航天科工网络信息发展有限公司 | Method for directly indexing database ciphertext |
CN112632598A (en) * | 2020-12-09 | 2021-04-09 | 西安电子科技大学 | Encrypted data retrieval and sharing method, system, medium, equipment and application |
CN112702379A (en) * | 2020-08-20 | 2021-04-23 | 纬领(青岛)网络安全研究院有限公司 | Full-secret search research for big data security |
CN112800088A (en) * | 2021-01-19 | 2021-05-14 | 东北大学 | Database ciphertext retrieval system and method based on bidirectional security index |
CN114564735A (en) * | 2022-03-02 | 2022-05-31 | 信弈数(北京)科技有限责任公司 | Database encryption and complete matching retrieval system |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117440372A (en) * | 2023-12-20 | 2024-01-23 | 商飞智能技术有限公司 | Zero trust authentication method and device for wireless network |
CN117440372B (en) * | 2023-12-20 | 2024-05-31 | 商飞智能技术有限公司 | Zero trust authentication method and device for wireless network |
Also Published As
Publication number | Publication date |
---|---|
CN115033925B (en) | 2022-10-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||