CN115987513B - Distributed database fragment encryption and decryption methods, devices, equipment and media - Google Patents
Classifications
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The application discloses a distributed database fragment encryption and decryption method, device, equipment and medium, relating to the field of FPGA application, comprising the following steps: the first queue management module is used for reading the first queue descriptor when the data encryption transmission process is called; the queue descriptor comprises a first data storage address, a data slicing mode, a data encryption algorithm and a public key; the first data caching module is used for acquiring data to be transmitted based on a first data storage address; the data slicing module is used for slicing data based on a data slicing mode to obtain a plurality of groups of data to be transmitted; the data encryption module is used for encrypting data according to a data encryption algorithm and the public key to obtain a plurality of groups of encrypted data; and the data transmitting module is used for executing corresponding data encapsulation operation and transmitting the encapsulated encrypted data to corresponding receiving node databases respectively. According to the method and the device, the FPGA is used for encrypting and transmitting the data of the distributed database, so that the overall performance of the database is improved.
Description
Technical Field
The invention relates to the field of FPGA application, in particular to a distributed database fragment encryption and decryption method, device, equipment and medium.
Background
Currently, in order to implement distributed data management, a distributed database distributes data among multiple server nodes in multiple data centers and frequently schedules data across sites between these nodes during transaction processing. In this process, attacks launched locally or over the network are a major hidden hazard to data security, so data are typically encrypted at the time of transmission. However, data encryption occupies the CPU (central processing unit) and memory resources of the system; these resources become excessively occupied and compete with the database core process, which severely reduces the overall performance of the database.
Disclosure of Invention
In view of the above, the present invention aims to provide a distributed database fragment encryption and decryption method, device, equipment and medium, which can effectively reduce occupation of CPU and memory resources and improve overall performance of a database. The specific scheme is as follows:
In a first aspect, the present application provides a distributed database sliced encryption device, where the device is based on CPU and FPGA heterogeneity and is applied to an FPGA on a first sliced encryption board card corresponding to a sending node, and includes:
the first queue management module is used for reading a first queue descriptor of data to be transmitted corresponding to a data encryption transmission process in the self node database when a CPU of the self node database invokes the data encryption transmission process; the queue descriptor comprises a corresponding first data storage address, a data slicing mode, a data encryption algorithm and a public key;
the first data caching module is used for searching and acquiring the data to be transmitted from the self node database based on the first data storage address in the first queue descriptor;
the data slicing module is used for slicing the data to be transmitted based on the data slicing mode in the first queue descriptor so as to obtain a plurality of groups of data to be transmitted;
the data encryption module is used for encrypting a plurality of groups of data to be transmitted according to the data encryption algorithm and the public key in the first queue descriptor to obtain a plurality of groups of encrypted data;
And the data transmitting module is used for packaging the plurality of groups of received encrypted data and respectively transmitting the packaged encrypted data to the database of the corresponding receiving node through the network port so as to finish the data encryption transmission process.
Optionally, the distributed database sharding encryption device further includes:
the first FPGA configuration unit is used for burning a preset bitstream file into the FPGA through a preset FPGA development platform after the first sliced encryption board card is powered on, so that the data encryption transmission process is completed by the FPGA after the CPU invokes it;
or the second FPGA configuration unit is configured to store the preset bitstream file in an external Flash after the first sliced encryption board card is powered on.
Optionally, the first queue management module includes:
the first queue descriptor obtaining unit is used for reading the first queue descriptor of the data to be transmitted corresponding to the data encryption transmission process from the own node database through the own PCIE module.
Optionally, the distributed database sharding encryption device further includes:
and the first process ending unit is used for returning a corresponding transmission completion signal to the CPU of the self node database after the data is successfully transmitted, so that the CPU of the self node database ends the data encryption transmission process after receiving the transmission completion signal.
Optionally, the data sending module includes:
and the checksum inserting unit is used for inserting the checksum calculated based on a preset formula into the packaged encrypted data after the data packaging is completed, so that the data transmission operation is performed based on the packaged encrypted data in which the checksum is inserted.
In a second aspect, the present application provides a distributed database fragmentation decrypting apparatus, where the apparatus is a CPU and FPGA heterogeneous-based apparatus, and is applied to an FPGA on a second fragmentation encryption board card corresponding to a receiving node, and the apparatus includes:
the second queue management module is used for reading a second queue descriptor of the packaged encrypted data corresponding to the data decryption storage process in the self node database when the CPU of the self node database invokes the data decryption storage process; the queue descriptor comprises a corresponding second data storage address, a data slicing mode, a data decryption algorithm and a private key corresponding to the self node;
the data receiving module is used for carrying out unpacking operation on the packed encrypted data which is received through the network port and sent by the sending node so as to obtain unpacked data;
the data decryption module is used for performing data decryption on the unpacked data based on the data decryption algorithm and the private key so as to obtain corresponding decrypted data;
And the second data caching module is used for storing the decrypted data into the self node database based on the second data storage address in the second queue descriptor so as to finish the data decryption storage process.
Optionally, the data receiving module includes:
and the data verification module is used for performing corresponding verification operation and inspection operation on the unpacked data obtained by unpacking the packed encrypted data.
In a third aspect, the present application provides a distributed database slice encryption method, where the method is based on CPU and FPGA heterogeneity and is applied to an FPGA on a first slice encryption board card corresponding to a sending node, and the method includes:
when a CPU of a self node database invokes a data encryption transmission process, reading a first queue descriptor of data to be transmitted corresponding to the data encryption transmission process in the self node database; the queue descriptor comprises a corresponding first data storage address, a data slicing mode, a data encryption algorithm and a public key;
searching and acquiring the data to be transmitted from the self node database based on the first data storage address in the first queue descriptor;
Splitting the data to be transmitted based on the data splitting mode in the first queue descriptor to obtain a plurality of groups of data to be transmitted;
encrypting a plurality of groups of data to be transmitted according to the data encryption algorithm and the public key in the first queue descriptor to obtain a plurality of groups of encrypted data;
and packaging the received plurality of groups of encrypted data, and respectively sending the packaged encrypted data to a database of a corresponding receiving node through a network port to complete the data encryption transmission process.
In a fourth aspect, the present application provides a distributed database fragment decryption method, where the method is based on CPU and FPGA heterogeneity and is applied to an FPGA on a second fragment encryption board card corresponding to a receiving node, and the method includes:
when a CPU of a self node database invokes a data decryption storage process, reading a second queue descriptor of the packaged encrypted data corresponding to the data decryption storage process in the self node database; the queue descriptor comprises a corresponding second data storage address, a data slicing mode, a data decryption algorithm and a private key corresponding to the self node;
performing a decapsulation operation on the encapsulated encrypted data received through the network port and sent by the sending node so as to obtain decapsulated data;
performing data decryption on the unpacked data based on the data decryption algorithm and the private key to obtain corresponding decrypted data;
and storing the decrypted data into the self node database based on the second data storage address in the second queue descriptor to complete the data decryption storage process.
In a fifth aspect, the present application provides an electronic device, including:
a memory for storing a computer program;
a processor for executing the computer program to carry out the steps of the aforementioned method.
In a sixth aspect, the present application provides a computer readable storage medium storing a computer program which, when executed by a processor, performs the steps of the aforementioned method.
In this application, the first queue management module is configured to read, when a CPU of a self-node database invokes a data encryption transmission process, a first queue descriptor of data to be transmitted in the self-node database, where the first queue descriptor corresponds to the data encryption transmission process; the queue descriptor comprises a corresponding first data storage address, a data slicing mode, a data encryption algorithm and a public key; the first data caching module is used for searching and acquiring the data to be transmitted from the self node database based on the first data storage address in the first queue descriptor; the data slicing module is used for slicing the data to be transmitted based on the data slicing mode in the first queue descriptor so as to obtain a plurality of groups of data to be transmitted; the data encryption module is used for encrypting a plurality of groups of data to be transmitted according to the data encryption algorithm and the public key in the first queue descriptor to obtain a plurality of groups of encrypted data; and the data transmitting module is used for packaging the plurality of groups of received encrypted data and respectively transmitting the packaged encrypted data to the database of the corresponding receiving node through the network port so as to finish the data encryption transmission process. According to the method and the device, the CPU+FPGA heterogeneous mode is adopted, when the CPU of the node database of the device invokes the data encryption transmission process, the FPGA is used for carrying out segmentation, encryption and transmission on the data of the distributed database, occupation of CPU and memory resources is reduced, and overall performance of the database is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of a distributed database slicing encryption device provided in the present application;
FIG. 2 is a block diagram of an FPGA module provided in the present application;
fig. 3 is a schematic structural diagram of a heterogeneous distributed database fragment encryption method and a fragment encryption transmission board card provided in the present application;
fig. 4 is a schematic structural diagram of a distributed database slicing decryption device based on CPU and FPGA heterogeneity provided in the present application;
FIG. 5 is a flowchart of a distributed database slicing encryption method based on CPU and FPGA heterogeneity provided by the application;
FIG. 6 is a flowchart of a distributed database slicing decryption method based on CPU and FPGA heterogeneity provided by the application;
fig. 7 is a block diagram of an electronic device provided in the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Currently, distributed databases frequently schedule data among nodes in the course of transactions. In this process, attacks launched locally or over the network are a major hidden hazard to data security, so data are typically encrypted at the time of transmission. However, data encryption occupies CPU and memory resources of the system; these resources become excessively occupied and compete with the database core process, which seriously reduces the overall performance of the database. To address this, the distributed database fragment encryption and decryption scheme of the present application moves that work onto an FPGA, which can effectively reduce occupation of CPU and memory resources and improve the overall performance of the database.
Referring to fig. 1, an embodiment of the invention discloses a distributed database fragmentation encryption device, where the device is based on CPU and FPGA heterogeneity and is applied to the FPGA on a first fragmentation encryption board card corresponding to a sending node, and includes:
the first queue management module 11 is configured to read a first queue descriptor of data to be transmitted corresponding to a data encryption transmission process in a self node database when a CPU of the self node database invokes the data encryption transmission process; the queue descriptor comprises a corresponding first data storage address, a data fragmentation mode, a data encryption algorithm and a public key.
In this embodiment, before the CPU of the own node database invokes the data encryption transmission process, the configuration of the FPGA (Field Programmable Gate Array) needs to be completed. In some embodiments, the first queue management module may include a first FPGA configuration unit, configured to burn a preset bitstream file into the FPGA through a preset FPGA development platform when the first sliced encryption board card is powered on, so that after the CPU invokes the data encryption transmission process, the configured FPGA completes it. In some specific embodiments, the first queue management module may include a second FPGA configuration unit, configured to store the preset bitstream file in an external Flash after the first sliced encryption board card is powered on; here Flash refers to the non-volatile flash memory on the board card that holds the FPGA logic program. Specifically, the first sliced encryption board card can be powered on by inserting it into a corresponding PCIE (Peripheral Component Interconnect Express, a high-speed serial computer expansion bus standard) slot. After the FPGA configuration is completed, the FPGA can wait for the CPU to invoke a corresponding data encryption transmission process.
It should be further understood that, in conjunction with fig. 2, in some specific embodiments the first queue management module (the queue management module in fig. 2) may include a first queue descriptor obtaining unit, which is specifically configured to read, through its own PCIE module, the first queue descriptor of the data to be transmitted corresponding to the data encryption transmission process from its own node database. The first queue descriptor is a queue descriptor generated by the CPU when it invokes the data encryption transmission process; the CPU generates the first queue descriptor and stores it in the self node database. It can be understood that the first data storage address is the storage address, in the self node database, of the data to be transmitted corresponding to the data encryption transmission process. The data encryption algorithm and the data slicing mode may be configured in advance by a user, and the data encryption algorithm includes, but is not limited to, the RSA algorithm, the Diffie-Hellman algorithm and the ElGamal algorithm (an asymmetric encryption algorithm based on Diffie-Hellman key exchange). The RSA algorithm is an asymmetric encryption algorithm proposed by Ron Rivest, Adi Shamir and Leonard Adleman, and the Diffie-Hellman algorithm is a key exchange protocol proposed by Whitfield Diffie and Martin Hellman.
The first data buffer module 12 is configured to search and obtain the data to be transmitted from the own node database based on the first data storage address in the first queue descriptor.
In this embodiment, after the first queue descriptor corresponding to the data encryption transmission process is acquired, the data to be transmitted corresponding to the data encryption transmission process needs to be determined from the self node database by using the first data storage address in the first queue descriptor, so as to perform corresponding data slicing operation based on the data to be transmitted. Wherein the data to be transmitted is unencrypted data.
And the data slicing module 13 is configured to slice the data to be transmitted based on the data slicing manner in the first queue descriptor, so as to obtain a plurality of groups of data to be transmitted.
It can be understood that in this embodiment, since there may be a plurality of database nodes serving as receiving nodes, after the data to be transmitted is acquired, data slicing needs to be performed based on the data slicing manner in the first queue descriptor, and the data to be transmitted is split into a plurality of groups of data, so as to obtain a plurality of groups of data to be transmitted. Wherein each group of data to be transmitted has a corresponding receiving node.
The data encryption module 14 is configured to encrypt the several groups of data to be transmitted according to the data encryption algorithm and the public key in the first queue descriptor, so as to obtain several groups of encrypted data.
It can be understood that, in this embodiment, since the data to be transmitted is unencrypted, before transmitting the data, the data to be transmitted of the plurality of groups obtained after slicing is further encrypted. Specifically, the data to be transmitted of several groups needs to be encrypted based on the data encryption algorithm and the public key in the first queue descriptor, so as to obtain several groups of encrypted data.
The data sending module 15 is configured to encapsulate the received plurality of sets of encrypted data, and send the encapsulated encrypted data to a database of a corresponding receiving node through a network port, so as to complete the data encryption transmission process.
Specifically, in this embodiment, after receiving the several sets of encrypted data sent by the data encryption module, the data sending module encapsulates them into a structure that meets the requirements of a preset network protocol, such as ATM (Asynchronous Transfer Mode) frames or data packets. The encapsulated encrypted data are then sent, through the network port on the first sliced encryption board card, to the database of the corresponding receiving node. Referring to fig. 3, the encapsulated encrypted data are specifically sent over the network to the sliced encryption board cards of the other database nodes. A sliced encryption board card comprises an FPGA, a storage device, input/output interfaces, peripheral electronic devices and a PCB (Printed Circuit Board). The FPGA mainly implements two functions: on a database node serving as a sending node, it slices, encrypts and transmits the data; on a database node serving as a receiving node, it decrypts and stores the data. The storage device includes, but is not limited to, Flash and DDR4 (Double Data Rate 4, a new generation memory specification); the Flash stores the logic program of the FPGA so that the FPGA is configured at power-up, and the DDR4 stores data. The input/output interfaces include, but are not limited to, a network interface, a PCIE interface and a JTAG (Joint Test Action Group) interface, where the network interface is responsible for transmission of ciphertext data between distributed database nodes, the PCIE interface is responsible for high-speed communication between the FPGA and the database, and the JTAG interface is responsible for burning and debugging the FPGA logic program. The peripheral electronic devices include, but are not limited to, power chips, clock chips and the necessary resistors and capacitors. The PCB is responsible for providing a carrier for the FPGA, the storage device, the input/output interfaces and the peripheral electronic devices.
It should be understood that, in some specific embodiments, the data sending module includes a checksum inserting unit, configured to insert, after the data encapsulation is completed, a checksum calculated based on a preset formula into the encrypted data after encapsulation, so as to perform a data sending operation based on the encrypted data after encapsulation into which the checksum is inserted. Therefore, the finally transmitted data is the encrypted data with the data encapsulation and checksum insertion completed successively.
Further, the distributed database slicing encryption device further comprises a first process ending unit, which is used for returning a corresponding transmission completion signal to the CPU of the self node database after the data is successfully sent, so that the CPU of the self node database ends the data encryption transmission process after receiving the transmission completion signal. In this way, the FPGA is used as a coprocessor of the CPU, and slicing, encryption and transmission of database node data are realized on the FPGA, so that encrypted storage and fine-grained sharing of distributed database data are realized, occupation of CPU and memory resources is effectively reduced, data transmission efficiency is improved by the high parallelism and pipelined processing of the FPGA, and the overall performance of the database is further improved.
It can be seen that, in this embodiment of the present application, when a CPU of a self-node database invokes a data encryption transmission process, the first queue management module is configured to read a first queue descriptor of data to be transmitted in the self-node database, where the first queue descriptor corresponds to the data encryption transmission process; the queue descriptor comprises a corresponding first data storage address, a data slicing mode, a data encryption algorithm and a public key; the first data caching module is used for searching and acquiring the data to be transmitted from the self node database based on the first data storage address in the first queue descriptor; the data slicing module is used for slicing the data to be transmitted based on the data slicing mode in the first queue descriptor so as to obtain a plurality of groups of data to be transmitted; the data encryption module is used for encrypting a plurality of groups of data to be transmitted according to the data encryption algorithm and the public key in the first queue descriptor to obtain a plurality of groups of encrypted data; and the data transmitting module is used for packaging the plurality of groups of received encrypted data and respectively transmitting the packaged encrypted data to the database of the corresponding receiving node through the network port so as to finish the data encryption transmission process. According to the method and the device, the CPU+FPGA heterogeneous mode is adopted, when the CPU of the node database of the device invokes the data encryption transmission process, the FPGA is used for carrying out segmentation, encryption and transmission on the data of the distributed database, occupation of CPU and memory resources is reduced, and overall performance of the database is further improved.
Referring to fig. 4, an embodiment of the present invention discloses a distributed database fragmentation decryption device, where the device is based on CPU and FPGA heterogeneity and is applied to an FPGA on a second fragmentation encryption board card corresponding to a receiving node, and the device includes:
a second queue management module 21, configured to read, when a CPU of a self node database invokes a data decryption storage process, a second queue descriptor of encapsulated encrypted data corresponding to the data decryption storage process in the self node database; the queue descriptor comprises a corresponding second data storage address, a data slicing mode, a data decryption algorithm and a private key corresponding to the self node.
It should be understood that, in this embodiment, the second queue descriptor is a queue descriptor generated by the CPU of the own node database when the CPU invokes the data decryption and storage process. The second data storage address is an address for storing data obtained by performing unpacking operation and data decryption operation on the packed encrypted data. The data decryption algorithm is a decryption algorithm corresponding to a data encryption algorithm corresponding to the packaged encrypted data.
The data receiving module 22 is configured to perform a decapsulation operation on the encapsulated encrypted data received through the network port and sent by the sending node, so as to obtain decapsulated data.
Specifically, in some specific embodiments, the data receiving module includes a data verification module, configured to perform corresponding verification and inspection operations on the decapsulated data obtained by decapsulating the encapsulated encrypted data. Referring to fig. 2, the data receiving module receives the encapsulated encrypted data transmitted over the network, performs a series of data operations on it, and sends the resulting decapsulated data to the data decryption module.
The data decryption module 23 is configured to decrypt the decapsulated data based on the data decryption algorithm and the private key, so as to obtain corresponding decrypted data.
And a second data caching module 24, configured to store the decrypted data into the self node database based on the second data storage address in the second queue descriptor, so as to complete the data decryption storage process.
It may be appreciated that in this embodiment, after the decrypted data is stored in the self-node database based on the second data storage address, a corresponding storage completion signal may be returned to the CPU of the self-node database, so that the CPU of the self-node database ends the data decryption storage process after receiving the storage completion signal. In this way, the FPGA is used as a coprocessor of the CPU, and the decryption and storage of the node data of the database are realized based on the FPGA, so that the data decryption storage and fine granularity sharing of the distributed database are realized, the occupation of CPU and memory resources is reduced, and the overall performance of the database is improved.
The specific process of the data decryption module 23 may refer to the corresponding content disclosed in the foregoing embodiment, and will not be described herein.
It can be seen that, in this embodiment of the present application, the second queue management module is configured to read, when the CPU of the self node database invokes a data decryption storage process, the second queue descriptor of the encapsulated encrypted data corresponding to that process in the self node database; the queue descriptor comprises the corresponding second data storage address, data slicing mode, data decryption algorithm and the private key corresponding to the self node; the data receiving module decapsulates the encapsulated encrypted data received through the network port from the sending node to obtain decapsulated data; the data decryption module decrypts the decapsulated data based on the data decryption algorithm and the private key to obtain the corresponding decrypted data; and the second data caching module stores the decrypted data into the self node database based on the second data storage address in the second queue descriptor, completing the data decryption storage process. By adopting the CPU+FPGA heterogeneous mode, when the CPU of the node's database invokes the data decryption storage process, the FPGA decapsulates, decrypts and stores the received encapsulated encrypted data, so that occupation of CPU and memory resources is reduced and the overall performance of the database is further improved.
Referring to fig. 5, an embodiment of the present invention discloses a distributed database shard encryption method. The method is based on CPU and FPGA heterogeneous computing and is applied to the FPGA on the first shard encryption board card corresponding to a sending node. The method includes:
step S11, when a CPU of a self node database invokes a data encryption transmission process, reading a first queue descriptor of data to be transmitted corresponding to the data encryption transmission process in the self node database; the queue descriptor comprises a corresponding first data storage address, a data fragmentation mode, a data encryption algorithm and a public key.
And step S12, searching and acquiring the data to be transmitted from the self node database based on the first data storage address in the first queue descriptor.
And step S13, cutting the data to be transmitted based on the data slicing mode in the first queue descriptor so as to obtain a plurality of groups of data to be transmitted.
And step S14, encrypting a plurality of groups of data to be transmitted according to the data encryption algorithm in the first queue descriptor and the public key to obtain a plurality of groups of encrypted data.
And step S15, encapsulating the resulting plurality of groups of encrypted data, and sending the encapsulated encrypted data to the database of the corresponding receiving node through a network port, so as to complete the data encryption transmission process.
For the specific process from step S11 to step S15, reference may be made to the corresponding content disclosed in the foregoing embodiment, and no further description is given here.
It can be seen that, in this embodiment of the present application, when the CPU of the self node database invokes a data encryption transmission process, the first queue management module reads the first queue descriptor of the data to be transmitted that corresponds to that process in the self node database; the queue descriptor comprises the corresponding first data storage address, data slicing mode, data encryption algorithm and public key; the first data caching module looks up and fetches the data to be transmitted from the self node database based on the first data storage address in the first queue descriptor; the data slicing module slices the data to be transmitted based on the data slicing mode in the first queue descriptor to obtain a plurality of groups of data to be transmitted; the data encryption module encrypts the groups of data to be transmitted according to the data encryption algorithm and the public key in the first queue descriptor to obtain a plurality of groups of encrypted data; and the data transmitting module encapsulates the groups of encrypted data and sends the encapsulated encrypted data to the database of the corresponding receiving node through the network port, completing the data encryption transmission process. By adopting the CPU+FPGA heterogeneous mode, when the CPU of the node's database invokes the data encryption transmission process, the FPGA slices, encrypts and transmits the distributed database data, so that occupation of CPU and memory resources is reduced and the overall performance of the database is further improved.
Referring to fig. 6, an embodiment of the present invention discloses a distributed database shard decryption method. The method is based on CPU and FPGA heterogeneous computing and is applied to the FPGA on the second shard encryption board card corresponding to a receiving node. The method includes:
step S21, when a CPU of a self node database invokes a data decryption storage process, reading a second queue descriptor of the packaged encrypted data corresponding to the data decryption storage process in the self node database; the queue descriptor comprises a corresponding second data storage address, a data slicing mode, a data decryption algorithm and a private key corresponding to the self node.
And step S22, performing a decapsulation operation on the encapsulated encrypted data received through the network port from the sending node, so as to obtain the decapsulated data.
And step S23, carrying out data decryption on the unpacked data based on the data decryption algorithm and the private key so as to obtain corresponding decrypted data.
And step S24, storing the decrypted data into the self node database based on the second data storage address in the second queue descriptor so as to finish the data decryption storage process.
For the specific process from step S21 to step S24, reference may be made to the corresponding content disclosed in the foregoing embodiment, and no further description is given here.
It can be seen that, in this embodiment of the present application, the second queue management module is configured to read, when the CPU of the self node database invokes a data decryption storage process, the second queue descriptor of the encapsulated encrypted data corresponding to that process in the self node database; the queue descriptor comprises the corresponding second data storage address, data slicing mode, data decryption algorithm and the private key corresponding to the self node; the data receiving module decapsulates the encapsulated encrypted data received through the network port from the sending node to obtain decapsulated data; the data decryption module decrypts the decapsulated data based on the data decryption algorithm and the private key to obtain the corresponding decrypted data; and the second data caching module stores the decrypted data into the self node database based on the second data storage address in the second queue descriptor, completing the data decryption storage process. By adopting the CPU+FPGA heterogeneous mode, when the CPU of the node's database invokes the data decryption storage process, the FPGA decapsulates, decrypts and stores the received encapsulated encrypted data, so that occupation of CPU and memory resources is reduced and the overall performance of the database is further improved.
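The sender steps S11 to S15 and the receiver steps S21 to S24 above describe one descriptor-driven pipeline. The following Python simulation, added here and not code from the patent or its assignee, models both board cards on a host so the whole path (descriptor, slicing, encryption, encapsulation with the checksum of claim 4, verification per claim 6, decryption, storage at the descriptor's address, completion signal) can be exercised end to end. The descriptor fields follow the page; the frame layout, the use of CRC32 as the "preset formula" checksum, the HMAC-based stand-in cipher, the per-transfer nonce and every identifier are assumptions.

```python
"""Host-side simulation of the shard pipeline in steps S11-S15 (sender) and
S21-S24 (receiver). Added example, not code from the patent. The descriptor
fields come from the page; the frame layout, the CRC32 checksum, the stand-in
cipher and all names are assumptions."""
import hashlib
import hmac
import struct
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SendDescriptor:            # first queue descriptor (S11)
    storage_address: int         # where the plaintext sits in the node database
    length: int
    shard_mode: tuple            # ("size", n): n-byte shards; ("count", n): n shards
    algorithm: str               # selects an entry in CIPHERS
    key: bytes                   # the page's "public key"; the stand-in is symmetric
    transfer_nonce: bytes        # 8 bytes, unique per transfer (assumption)


@dataclass(frozen=True)
class RecvDescriptor:            # second queue descriptor (S21)
    storage_address: int         # where the decrypted data is written
    algorithm: str
    key: bytes                   # the page's "private key"


def _hmac_ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256 keystream in counter mode.
    Assumption so the example runs offline; a real board would plug in
    AES/SM4 or a hybrid public-key scheme here. Not a vetted cipher design."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + struct.pack(">I", off // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


CIPHERS = {"demo-ctr": (_hmac_ctr, _hmac_ctr)}   # algorithm -> (encrypt, decrypt)

HDR = struct.Struct(">8sHHI")   # transfer nonce, seq, total, ciphertext length


def shard(data: bytes, mode: tuple) -> list:
    """S13: cut the data according to the descriptor's sharding mode."""
    kind, n = mode
    if kind == "size":
        size = n
    elif kind == "count":
        size = -(-len(data) // n)            # ceil(len / n)
    else:
        raise ValueError(f"unknown shard mode {kind!r}")
    return [data[i:i + size] for i in range(0, len(data), size)]


def encapsulate(nonce: bytes, seq: int, total: int, ct: bytes) -> bytes:
    """S15 and claim 4: header + ciphertext, then the checksum is inserted."""
    body = HDR.pack(nonce, seq, total, len(ct)) + ct
    return body + struct.pack(">I", zlib.crc32(body))


def send(memory: dict, desc: SendDescriptor) -> list:
    """Sender FPGA: S12 fetch, S13 shard, S14 encrypt, S15 encapsulate."""
    plaintext = memory[desc.storage_address][:desc.length]
    encrypt, _ = CIPHERS[desc.algorithm]
    pieces = shard(plaintext, desc.shard_mode)
    frames = []
    for seq, piece in enumerate(pieces):
        per_shard_nonce = desc.transfer_nonce + struct.pack(">H", seq)
        frames.append(encapsulate(desc.transfer_nonce, seq, len(pieces),
                                  encrypt(desc.key, per_shard_nonce, piece)))
    return frames


def decapsulate(frame: bytes) -> tuple:
    """S22 and claim 6: verify the checksum before trusting any field."""
    body, tag = frame[:-4], frame[-4:]
    if len(body) < HDR.size or struct.pack(">I", zlib.crc32(body)) != tag:
        raise ValueError("checksum mismatch: frame corrupted")
    nonce, seq, total, length = HDR.unpack_from(body)
    ct = body[HDR.size:HDR.size + length]
    if len(ct) != length:
        raise ValueError("truncated frame")
    return nonce, seq, total, ct


def receive(memory: dict, desc: RecvDescriptor, frames: list) -> str:
    """Receiver FPGA: S22 decapsulate, S23 decrypt, S24 store, then signal."""
    _, decrypt = CIPHERS[desc.algorithm]
    pieces, total = {}, None
    for frame in frames:
        nonce, seq, t, ct = decapsulate(frame)
        total = t if total is None else total
        if t != total:
            raise ValueError("frames from different transfers mixed")
        pieces[seq] = decrypt(desc.key, nonce + struct.pack(">H", seq), ct)
    if total is None or sorted(pieces) != list(range(total)):
        raise ValueError("incomplete transfer: missing shards")
    memory[desc.storage_address] = b"".join(pieces[i] for i in range(total))
    return "STORE_COMPLETE"          # completion signal returned to the CPU
```

One caveat a deployment must keep in mind: the unkeyed checksum of claim 4 detects accidental corruption only. It gives the receiving node no assurance that a frame was produced by the sending node or was not altered in transit, so the algorithm named in the descriptor should be an authenticated mode (or the frame should carry a keyed MAC), with the checksum treated purely as a transport-level corruption check, as the simulation does when it rejects a flipped byte before decrypting.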
Further, the embodiment of the present application further discloses an electronic device, and fig. 7 is a block diagram of an electronic device 30 according to an exemplary embodiment, where the content of the figure is not to be considered as any limitation on the scope of use of the present application.
Fig. 7 is a schematic structural diagram of an electronic device 30 according to an embodiment of the present application. The electronic device 30 may specifically include: at least one processor 31, at least one memory 32, a power supply 33, a communication interface 34, an input-output interface 35, and a communication bus 36. The memory 32 is adapted to store a computer program, which is loaded and executed by the processor 31 to implement the relevant steps of the method disclosed in any of the previous embodiments. In addition, the electronic device 30 in the present embodiment may specifically be an electronic computer.
In this embodiment, the power supply 33 is configured to provide an operating voltage for each hardware device on the electronic device 30; the communication interface 34 can create a data transmission channel between the electronic device 30 and an external device, and the communication protocol in which the communication interface is in compliance is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 35 is used for acquiring external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application requirement, which is not limited herein.
The memory 32 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 321, a computer program 322, and the like, and the storage may be temporary storage or permanent storage.
The operating system 321 is used for managing and controlling the various hardware devices on the electronic device 30 and the computer program 322, and may be Windows Server, NetWare, Unix, Linux, etc. The computer program 322 may further comprise, in addition to the program that performs the method executed by the electronic device 30 as disclosed in any of the embodiments described above, programs capable of performing other specific tasks.
Further, the application also discloses a computer readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the method of the foregoing disclosure. For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may reside in Random Access Memory (RAM), memory, Read-Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing has outlined the detailed description of the preferred embodiment of the present application, and the detailed description of the principles and embodiments of the present application has been provided herein by way of example only to facilitate the understanding of the method and core concepts of the present application; meanwhile, as those skilled in the art will have modifications in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.
Claims (10)
1. A distributed database sharding encryption device, which is a device based on CPU and FPGA heterogeneous computing, is applied to the FPGA on a first sharding encryption board card corresponding to a transmitting node, and comprises:
the first queue management module is used for reading a first queue descriptor of data to be transmitted corresponding to a data encryption transmission process in the self node database when a CPU of the self node database invokes the data encryption transmission process; the queue descriptor comprises a corresponding first data storage address, a data slicing mode, a data encryption algorithm and a public key;
the first data caching module is used for searching and acquiring the data to be transmitted from the self node database based on the first data storage address in the first queue descriptor;
The data slicing module is used for slicing the data to be transmitted based on the data slicing mode in the first queue descriptor so as to obtain a plurality of groups of data to be transmitted;
the data encryption module is used for encrypting a plurality of groups of data to be transmitted according to the data encryption algorithm and the public key in the first queue descriptor to obtain a plurality of groups of encrypted data;
the data transmitting module is used for packaging the plurality of groups of received encrypted data and respectively transmitting the packaged encrypted data to a database of a corresponding receiving node through a network port so as to complete the data encryption transmission process;
wherein, still include:
and the first process ending unit is used for returning a corresponding transmission completion signal to the CPU of the self node database after the data is successfully transmitted, so that the CPU of the self node database ends the data encryption transmission process after receiving the transmission completion signal.
2. The distributed database sharded encryption device of claim 1 further comprising:
the first FPGA configuration unit is used for burning a preset bit stream file into an FPGA through a preset FPGA development platform after the first sliced encryption board card is electrified so that the data encryption transmission process is completed by the FPGA after the CPU invokes the data encryption transmission process;
or a second FPGA configuration unit, configured to store the preset bitstream file through an external Flash after the first sharded encryption board card is powered on.
3. The distributed database sharding encryption device of claim 1 wherein said first queue management module comprises:
the first queue descriptor obtaining unit is used for reading the first queue descriptor of the data to be transmitted corresponding to the data encryption transmission process from the own node database through the own PCIE module.
4. A distributed database sharding encryption device according to any one of claims 1 to 3, wherein said data transmission module comprises:
and the checksum inserting unit is used for inserting the checksum calculated based on a preset formula into the packaged encrypted data after the data packaging is completed, so that the data transmission operation is performed based on the packaged encrypted data in which the checksum is inserted.
5. A distributed database sharding decryption device, which is a device based on CPU and FPGA heterogeneous computing, is applied to the FPGA on a second sharding encryption board card corresponding to a receiving node, and comprises:
the second queue management module is used for reading a second queue descriptor of the packaged encrypted data corresponding to the data decryption storage process in the self node database when the CPU of the self node database invokes the data decryption storage process; the queue descriptor comprises a corresponding second data storage address, a data slicing mode, a data decryption algorithm and a private key corresponding to the self node;
The data receiving module is used for carrying out unpacking operation on the packed encrypted data which is received through the network port and sent by the sending node so as to obtain unpacked data;
the data decryption module is used for performing data decryption on the unpacked data based on the data decryption algorithm and the private key so as to obtain corresponding decrypted data;
and the second data caching module is used for storing the decrypted data into the self node database based on the second data storage address in the second queue descriptor so as to finish the data decryption storage process.
6. The distributed database shard decryption apparatus of claim 5, wherein said data receiving module comprises:
and the data verification module is used for performing corresponding verification operation and inspection operation on the unpacked data obtained by unpacking the packed encrypted data.
7. A distributed database sharding encryption method, characterized in that it is a method based on CPU and FPGA heterogeneous computing, is applied to the FPGA on a first sharding encryption board card corresponding to a transmitting node, and comprises the following steps:
when a CPU of a self node database invokes a data encryption transmission process, reading a first queue descriptor of data to be transmitted corresponding to the data encryption transmission process in the self node database; the queue descriptor comprises a corresponding first data storage address, a data slicing mode, a data encryption algorithm and a public key;
Searching and acquiring the data to be transmitted from the self node database based on the first data storage address in the first queue descriptor;
splitting the data to be transmitted based on the data splitting mode in the first queue descriptor to obtain a plurality of groups of data to be transmitted;
encrypting a plurality of groups of data to be transmitted according to the data encryption algorithm and the public key in the first queue descriptor to obtain a plurality of groups of encrypted data;
the received encrypted data of the plurality of groups are packaged, and the packaged encrypted data are respectively sent to the databases of the corresponding receiving nodes through the network ports, so that the data encryption transmission process is completed;
wherein, still include:
and after the data is successfully sent, returning a corresponding transmission completion signal to the CPU of the self node database, so that the CPU of the self node database finishes the data encryption transmission process after receiving the transmission completion signal.
8. A distributed database sharding decryption method, characterized in that it is a method based on CPU and FPGA heterogeneous computing, is applied to the FPGA on a second sharding encryption board card corresponding to a receiving node, and comprises the following steps:
When a CPU of a self node database invokes a data decryption storage process, reading a second queue descriptor of the packaged encrypted data corresponding to the data decryption storage process in the self node database; the queue descriptor comprises a corresponding second data storage address, a data slicing mode, a data decryption algorithm and a private key corresponding to the self node;
performing a decapsulation operation on the encapsulated encrypted data received through the network port from the sending node, so as to obtain decapsulated data;
performing data decryption on the unpacked data based on the data decryption algorithm and the private key to obtain corresponding decrypted data;
and storing the decrypted data into the self node database based on the second data storage address in the second queue descriptor to complete the data decryption storage process.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the method of claim 7 or 8.
10. A computer readable storage medium for storing a computer program which, when executed by a processor, implements the method of claim 7 or 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310257387.8A CN115987513B (en) | 2023-03-17 | 2023-03-17 | Distributed database fragment encryption and decryption methods, devices, equipment and media |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115987513A CN115987513A (en) | 2023-04-18 |
CN115987513B true CN115987513B (en) | 2023-06-20 |
Family
ID=85968439
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310257387.8A Active CN115987513B (en) | 2023-03-17 | 2023-03-17 | Distributed database fragment encryption and decryption methods, devices, equipment and media |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115987513B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113132484A (en) * | 2021-04-20 | 2021-07-16 | 北京奇艺世纪科技有限公司 | Data transmission method and device |
CN113568568A (en) * | 2021-06-15 | 2021-10-29 | 苏州海加网络科技股份有限公司 | Hardware encryption method, system and device based on distributed storage |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112927077B (en) * | 2019-09-25 | 2022-05-24 | 支付宝(杭州)信息技术有限公司 | Method and device for realizing contract calling based on FPGA |
CN112016110B (en) * | 2020-09-01 | 2023-02-28 | 三星电子(中国)研发中心 | Method, device, equipment and storage medium for storing data |
CN114553411B (en) * | 2022-02-25 | 2023-07-14 | 苏州浪潮智能科技有限公司 | Distributed memory encryption device and distributed memory decryption device |
CN115022076A (en) * | 2022-06-29 | 2022-09-06 | 浪潮电子信息产业股份有限公司 | Data encryption/decryption method, device, system and medium |
CN115499249B (en) * | 2022-11-17 | 2023-04-07 | 南京可信区块链与算法经济研究院有限公司 | File storage method and system based on block chain distributed encryption |
Also Published As
Publication number | Publication date |
---|---|
CN115987513A (en) | 2023-04-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103365625B (en) | The method and system that random value is produced | |
CN108345806A (en) | A kind of hardware encryption card and encryption method | |
US20120030421A1 (en) | Maintaining states for the request queue of a hardware accelerator | |
CN110535742B (en) | Message forwarding method and device, electronic equipment and machine-readable storage medium | |
CN111860888B (en) | Real-time monitoring and searching system and method for inspection state of unmanned aerial vehicle of power transmission line | |
CN111163052B (en) | Method, device, medium and electronic equipment for connecting Internet of things platform | |
CN110620762A (en) | RDMA (remote direct memory Access) -based data transmission method, network card, server and medium | |
CN109104275A (en) | A kind of HSM equipment | |
CN112468407A (en) | Data subpackage transmission method and device, computer equipment and storage medium | |
CN104219298A (en) | Cluster system and data backup method thereof | |
CN113347257A (en) | Communication method, communication device, server and storage medium | |
CN111224903A (en) | Data transmission method, data transmission equipment and computer readable storage medium | |
CN114297114B (en) | Encryption card, data interaction method and device thereof and computer readable storage medium | |
CN115987513B (en) | Distributed database fragment encryption and decryption methods, devices, equipment and media | |
CN109714337B (en) | Data encryption transmission method and equipment | |
CN116932421A (en) | Data storage method, device, equipment and storage medium | |
CN114553411B (en) | Distributed memory encryption device and distributed memory decryption device | |
CN116070239A (en) | File encryption and decryption methods, devices, equipment and storage medium | |
CN107104964B (en) | Network security terminal and use method | |
CN113542224B (en) | Training data processing method, device, server and medium | |
CN109714151A (en) | Chip data processing method and system based on AES-GCM | |
CN108279855A (en) | A method of read-write storage device | |
CN117319516B (en) | Multi-protocol conversion protocol processing method and device, electronic equipment and medium | |
CN114978950B (en) | Network algorithm calling method and system based on FPGA and CPU cooperation | |
CN114244506B (en) | Method and system for quickly synchronizing quantum keys |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right |
Effective date of registration: 20230907 | Address after: Office Area, 5th Floor, S02 Building, No. 1036 Langchao Road, High tech Zone, Jinan City, Shandong Province, 250000; Patentee after: Shandong Inspur Database Technology Co.,Ltd. | Address before: 250000 building S02, No. 1036, Gaoxin Inspur Road, Jinan, Shandong; Patentee before: Shandong Inspur Scientific Research Institute Co.,Ltd. |