CN116089976A - Relational database management method and device - Google Patents


Info

Publication number: CN116089976A
Authority: CN (China)
Prior art keywords: data, ciphertext, key, target, data table
Legal status: Pending
Application number: CN202211740503.3A
Other languages: Chinese (zh)
Inventors: 李正煜, 杨卓
Current Assignee: Ant Blockchain Technology Shanghai Co Ltd
Original Assignee: Ant Blockchain Technology Shanghai Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/284 Relational databases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries

Abstract

One or more embodiments of the present disclosure provide a method and an apparatus for managing a relational database, applied to a server corresponding to the relational database. The method comprises the following steps: acquiring a connection (join) instruction that is submitted by a client and corresponds to a first data table and a second data table; in response to the connection instruction, determining, for a first data record in the first data table and a second data record in the second data table, whether a first ciphertext, which corresponds to the target data field in the first data record and is obtained based on a target encryption algorithm and a first key, and a second ciphertext, which corresponds to the target data field in the second data record and is obtained based on the target encryption algorithm and a second key, are ciphertexts obtained by encrypting the same data; and if the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data, performing connection processing on the first data record and the second data record.

Description

Relational database management method and device
Technical Field
One or more embodiments of the present disclosure relate to the field of distributed technologies, and in particular, to a method and an apparatus for managing a relational database.
Background
Relational databases, which are databases that employ relational models to organize data, typically store data in rows and columns. In a relational database, a series of rows and columns of data are called a data table, and a set of data tables forms the database. Typically, a row of data in a data table is a data record (record), and a column of data is data corresponding to a data field (field).
In a relational database, it is generally necessary to perform specific processing on the stored data according to actual data usage requirements. For example, data records whose value for a certain data field is greater than a certain threshold are queried, the value corresponding to a certain field in each data record is increased by a specific value, and so on. Most relational databases currently store data in plaintext so that the stored data can be processed in plaintext. In this case, the plaintext of the data can easily be obtained both by the service provider corresponding to the relational database and by the data consumer corresponding to the data. The data owners corresponding to these data, however, may not want the plaintext to be available to others, and instead want the privacy and security of the data to be ensured. Therefore, how to avoid storing the plaintext of the data directly in the relational database, and how to ensure the privacy and security of the data stored there, has become a concern.
Disclosure of Invention
One or more embodiments of the present disclosure provide the following technical solutions:
The specification provides a management method of a relational database, which is applied to a server corresponding to the relational database; the relational database comprises a first data table and a second data table; the first data table and the second data table are used for storing encrypted data records; the first data table and the second data table include a target data field; the ciphertext corresponding to the target data field in the first data table is ciphertext obtained based on a target encryption algorithm and a first key; the ciphertext corresponding to the target data field in the second data table is ciphertext obtained based on the target encryption algorithm and a second key; the method comprises the following steps:
acquiring a connection instruction which is submitted by a client and corresponds to the first data table and the second data table;
in response to the connection instruction, determining, for a first data record in the first data table and a second data record in the second data table, whether a first ciphertext corresponding to the target data field in the first data record and a second ciphertext corresponding to the target data field in the second data record are ciphertexts obtained by encrypting the same data;
and if the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data, performing connection processing on the first data record and the second data record.
The specification also provides a management device of the relational database, which is applied to a server corresponding to the relational database; the relational database comprises a first data table and a second data table; the first data table and the second data table are used for storing encrypted data records; the first data table and the second data table include a target data field; the ciphertext corresponding to the target data field in the first data table is ciphertext obtained based on a target encryption algorithm and a first key; the ciphertext corresponding to the target data field in the second data table is ciphertext obtained based on the target encryption algorithm and a second key; the device comprises:
an acquisition module, which acquires a connection instruction which is submitted by a client and corresponds to the first data table and the second data table;
a determining module, which, in response to the connection instruction, determines, for a first data record in the first data table and a second data record in the second data table, whether a first ciphertext corresponding to the target data field in the first data record and a second ciphertext corresponding to the target data field in the second data record are ciphertexts obtained by encrypting the same data;
and a connection module, which performs connection processing on the first data record and the second data record if the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data.
The present specification also provides an electronic apparatus including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements the steps of the method as described in any of the preceding claims by executing the executable instructions.
The present specification also provides a computer readable storage medium having stored thereon computer instructions which when executed by a processor perform the steps of the method as claimed in any one of the preceding claims.
In the above technical solution, when a connection instruction corresponding to a first data table and a second data table in a relational database is acquired, it may be determined, for a first data record in the first data table and a second data record in the second data table, whether a first ciphertext, which corresponds to the target data field in the first data record and is obtained based on a target encryption algorithm and a first key, and a second ciphertext, which corresponds to the target data field in the second data record and is obtained based on the target encryption algorithm and a second key, are ciphertexts obtained by encrypting the same data; if so, the first data record and the second data record may be connected.
In this way, the ciphertext of the data is stored in the relational database, so that the privacy and security of the data stored in the relational database can be ensured; and, because connection processing of the data tables is supported directly on the ciphertext in the relational database, specific operations on the data stored in the relational database can still be executed normally.
Drawings
Fig. 1 is a schematic diagram of a relational database management system according to an exemplary embodiment of the present disclosure.
Fig. 2 is a flowchart illustrating a method for managing a relational database according to an exemplary embodiment of the present disclosure.
Fig. 3 is a flowchart illustrating another method of managing a relational database according to an exemplary embodiment of the present disclosure.
Fig. 4 is a flowchart illustrating another method of managing a relational database according to an exemplary embodiment of the present disclosure.
Fig. 5 is a schematic diagram showing a hardware structure of an apparatus according to an exemplary embodiment of the present specification.
Fig. 6 is a block diagram of a management apparatus for a relational database according to an exemplary embodiment of the present specification.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with aspects of one or more embodiments of the present description as detailed in the accompanying claims.
It should be noted that: in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. Furthermore, individual steps described in this specification, in other embodiments, may be described as being split into multiple steps; while various steps described in this specification may be combined into a single step in other embodiments.
Before explaining one or more embodiments of the present specification in detail, a brief description of an application scenario related to one or more embodiments of the present specification is provided.
A database system may generally include a database (DB), hardware, software, etc. The database is a large collection of data that is stored in a computer for a long time and is organized, sharable and uniformly managed; the data in the database is organized, described and stored according to a specific mathematical model. The hardware comprises the physical devices forming the computer system, including the external devices required for storage, and its configuration must meet the requirements of the whole database system. The software may include an operating system, a database management system (DBMS) and applications. The database management system is the core software of the database system; it works with the support of the operating system, solves the problems of how to organize and store data scientifically and how to acquire and maintain data efficiently, and has the following main functions: data definition, data manipulation, database operation management, and database establishment and maintenance.
In database systems, database management systems typically use a storage engine to perform certain operations on a database, such as DDL (Data Definition Language) operations and DML (Data Manipulation Language) operations on relational databases, to enable reading from and writing to the databases. The storage engine is the implementation of techniques such as how to store data, how to index the data, and how to query and update the data. One database system typically supports multiple storage engines to meet the database application needs of different scenarios.
Data modification operations in database systems are typically performed in units of transactions, and a transaction may include multiple data modification operations (including insert, update, delete, etc.). In implementing a transaction, for a data modification operation, modified data is stored in memory and a redo log is generated for the data modification operation. The redo log comprises the storage address of the data before modification corresponding to the data modification operation in the hard disk, modification content and other information. And writing the redo log into a redo log file through a certain strategy. The redo log file is stored in the hard disk, so that if the database system crashes, data recovery can be performed according to the redo log file, and the consistency of the data is ensured.
The relational database system is a database system including a relational database. Index (Index) is a data structure that helps a relational database system to efficiently retrieve data. In a relational database system, an index may provide pointers to data corresponding to particular data fields stored in a data table, so that the data may be found using the index, and then the data record containing the data may be found according to the corresponding pointers.
In the related art, in order to secure privacy and security of data stored in a relational database, data written in the relational database may be encrypted to store ciphertext of the data by the relational database. However, if the data owners corresponding to the data, or other data users authorized by the data owners, need to perform operations such as adding (corresponding to inserting operations), updating, deleting, querying, sorting, or group by (grouping according to a certain rule) on the data stored in the relational database, these operations may not be implemented because the ciphertext can only be directly subjected to text comparison, but cannot be subjected to calculation such as addition, subtraction, multiplication, division, size comparison, and the like.
Take the following table 1 as an example of the data table in the relational database:
name        salary
employee1   100
employee2   200
Table 1
Assume that the table name of the data table shown in Table 1 above is temp. The data table temp includes two fields, name and salary, and two data records: in the first data record, the field name holds employee1 and the field salary holds 100; in the second data record, the field name holds employee2 and the field salary holds 200.
After the values 100 and 200 are encrypted with the same encryption algorithm, the ciphertext abcdeffg corresponding to the value 100 and the ciphertext defghy corresponding to the value 200 are obtained. At this point it can be determined that the two ciphertexts are different, but the size relationship between them cannot be determined. Thus, for the data table temp shown in Table 1 above, a query operation corresponding to the SQL statement select * from temp (which queries all data records in the data table temp, i.e., the first data record and the second data record) can be implemented, but a query operation corresponding to the SQL statement select * from temp where salary > 100 (which queries the data records in the data table temp whose value for the field salary is greater than 100, i.e., the second data record) cannot be implemented.
In addition, different data tables in a relational database may correspond to different data owners, which typically hold different keys. Therefore, in these data tables, the ciphertext obtained by encryption is different due to the difference in the key even if the encryption algorithm used is the same for the same original data. In this case, text comparison cannot be directly performed on ciphertext in the data tables, so that operations such as connection processing for the data tables cannot be realized.
The present specification proposes a technical solution for management of a relational database so that specific operations on data stored in the relational database can be performed normally while the privacy and security of that data are ensured. In the technical solution, when a connection instruction corresponding to a first data table and a second data table in a relational database is acquired, it may be determined, for a first data record in the first data table and a second data record in the second data table, whether a first ciphertext, which corresponds to the target data field in the first data record and is obtained based on a target encryption algorithm and a first key, and a second ciphertext, which corresponds to the target data field in the second data record and is obtained based on the target encryption algorithm and a second key, are ciphertexts obtained by encrypting the same data; if so, connection processing may be performed on the first data record and the second data record.
In a specific implementation, the relational database may include two data tables, referred to as a first data table and a second data table, respectively. As previously described, both the first data table and the second data table may be used to store encrypted data records.
Wherein the first data table and the second data table may comprise one and the same data field (referred to as a target data field). For any data record in the first data table, the ciphertext corresponding to the target data field in the data record may be a ciphertext obtained by encrypting the corresponding original data based on a preset encryption algorithm (referred to as a target encryption algorithm) and a key (referred to as a first key). For any data record in the second data table, the ciphertext corresponding to the target data field in the data record may be ciphertext obtained by encrypting the corresponding original data based on the target encryption algorithm and a key (referred to as a second key).
In practical applications, the first key and the second key may be different. In this case, the ciphertext obtained by encrypting the same original data based on the target encryption algorithm and the first key is different from the ciphertext obtained by encrypting the same original data based on the target encryption algorithm and the second key.
The client may submit a connection instruction corresponding to the first data table and the second data table.
When the connection instruction is acquired, it may be determined in response to the connection instruction, for any data record in the first data table (referred to as a first data record) and any data record in the second data table (referred to as a second data record), whether the ciphertext corresponding to the target data field in the first data record (referred to as a first ciphertext) and the ciphertext corresponding to the target data field in the second data record (referred to as a second ciphertext) are ciphertexts obtained by encrypting the same data.
If the first ciphertext and the second ciphertext are determined to be ciphertexts obtained by encrypting the same data, connection processing is performed on the first data record and the second data record. Thus, the first data table and the second data table, which store encrypted data records, can be connected based on the ciphertext without acquiring the plaintext.
In this way, the ciphertext of the data is stored in the relational database, so that the privacy and security of the data stored in the relational database can be ensured; and, because connection processing of the data tables is supported directly on the ciphertext in the relational database, specific operations on the data stored in the relational database can still be executed normally.
Referring to fig. 1, fig. 1 is a schematic diagram of a relational database management system according to an exemplary embodiment of the present disclosure.
In a management system of a relational database as shown in fig. 1, a client and a relational database system may be included. The relational database system may further include a relational database and a server corresponding to the database management system.
The client corresponding to the data owner can maintain the data stored in the relational database through the database management system, and perform data query and the like on the relational database. Similarly, a client corresponding to a data user authorized by the data owner may also maintain data stored in the relational database through the database management system, query the relational database for data, and the like.
Referring to fig. 2 in conjunction with fig. 1, fig. 2 is a flowchart illustrating a method for managing a relational database according to an exemplary embodiment of the present disclosure.
The management method of the relational database can be applied to the server corresponding to the relational database. The server may specifically refer to a database management system in the relational database system.
The above-mentioned management method of relational database may include the following steps:
Step 102: acquiring at least one encryption algorithm designated by a data owner for at least part of the data fields in the relational database; the at least one encryption algorithm supports the ciphertext processing mode authorized by the data owner for performing ciphertext processing on data corresponding to the at least part of the data fields.
In order to ensure the security of the data stored in the relational database, operations such as insertion, update and deletion, which change the stored data itself, are generally allowed only for the data owner corresponding to the data, whereas data queries on the relational database are allowed for both the data owner and the data users authorized by the data owner.
In this embodiment, for a data owner corresponding to data stored in the relational database, the data owner may specify at least one encryption algorithm for at least a portion of the data fields in the relational database by a client corresponding to the data owner to encrypt data written into the relational database, and store ciphertext of the data by the relational database.
The data owner may, according to actual data usage requirements, authorize the types of operation that may be performed on the data corresponding to the at least part of the data fields, that is, the processing modes allowed when that data is processed. Since it is the ciphertext of the data that is stored in the relational database, the at least one encryption algorithm must support the ciphertext processing mode that the data owner has authorized for the data corresponding to the at least part of the data fields.
In particular, the data owner may specify at least one encryption algorithm for each of the at least part of the data fields. It should be noted that the encryption algorithms designated by the data owner for different data fields may be the same or different in type and number, and the present specification is not limited in this respect. Accordingly, the at least one encryption algorithm designated by the data owner for a certain field supports the ciphertext processing mode authorized by the data owner for the data corresponding to that field.
In practical applications, the data owner may specify at least one encryption algorithm for the at least part of the data fields when creating, by means of SQL statements, a data table in the relational database that comprises those data fields.
Taking the data table shown in Table 1 as an example, the data owner can create the data table in the relational database by an SQL statement, authorizing ciphertext processing mode 1 for the data corresponding to the field name and ciphertext processing modes 1 and 2 for the data corresponding to the field salary. Assuming that encryption algorithm 1 supports ciphertext processing mode 1 and encryption algorithm 2 supports ciphertext processing mode 2, the data owner may specify encryption algorithm 1 for the field name, and encryption algorithm 1 and encryption algorithm 2 for the field salary.
In one embodiment shown, the ciphertext processing method may include ciphertext query and ciphertext calculation.
In one embodiment shown, the at least one encryption algorithm described above includes a combination of one or more of the following: SM4 encryption algorithm, semi-homomorphic encryption algorithm, and order-preserving encryption algorithm.
The semi-homomorphic encryption algorithm can support addition and subtraction of ciphertext; the homomorphic encryption algorithm can support the addition, subtraction, multiplication and division operation of ciphertext; the order-preserving encryption algorithm can support the size comparison of ciphertext; the SM4 encryption algorithm may support content matching of ciphertext.
Step 204: acquiring a data record submitted by the data owner and to be written into the relational database; wherein the data record comprises the at least partial data field.
In this embodiment, the data owner may submit the data record to be written into the relational database. Specifically, the data owner can directly submit the data record to be written through the client corresponding to the data owner; alternatively, the data owner may designate other devices for generating and transmitting data records to be written, and the other devices may transmit the data records to the server for writing after generating the data records.
It should be noted that, at this time, the data record may include at least part of the data fields.
Step 206: encrypting data corresponding to the at least partial data field in the data record based on the at least one encryption algorithm; wherein the encrypted data record includes at least one ciphertext corresponding to each of the at least partial data fields.
In this embodiment, when the data records are obtained, the data corresponding to the at least partial data fields in the data records may be encrypted based on the at least one encryption algorithm, so as to obtain at least one ciphertext corresponding to each of the at least partial data fields. That is, the encrypted data record includes at least one ciphertext corresponding to each of the at least partial data fields.
Specifically, for a data field of the data record for which an encryption algorithm is specified, the data corresponding to that data field in the data record may be encrypted based on the at least one encryption algorithm specified for the data field, so that the encrypted data record includes at least one ciphertext corresponding to the data field.
Continuing with the data table in the relational database shown in table 1 as an example, for a certain data record to be written into the data table, encrypting the data corresponding to the field name in the data record based on the encryption algorithm 1 to obtain the ciphertext n1, and encrypting the data corresponding to the field salary in the data record based on the encryption algorithm 1 and the encryption algorithm 2 to obtain the ciphertext s1 and the ciphertext s2. Therefore, the encrypted data record corresponds to the field name with ciphertext n1, and corresponds to the field salary with ciphertext s1 and ciphertext s2. That is, at this time, the data table is not a data table for storing plaintext as shown in table 1 above, but a data table for storing ciphertext as shown in table 2 below:
name            salary
Ciphertext n1   Ciphertext s1, ciphertext s2
Table 2
Step 208: and writing the encrypted data record into the relational database.
In this embodiment, once the encrypted data records have been obtained, they may be written into the relational database. Thus, the ciphertext of the data is stored in the relational database, and, because ciphertext processing is supported directly, specific operations on the data stored in the relational database can still be executed normally.
Referring to fig. 3 in conjunction with fig. 1 and 2, fig. 3 is a flowchart illustrating another method for managing a relational database according to an exemplary embodiment of the present disclosure.
The above-mentioned management method of relational database may include the following steps:
Step 302: acquiring a ciphertext processing instruction submitted by a client for a target data field in a target data record stored in the relational database; the ciphertext processing instruction comprises a target ciphertext processing mode when ciphertext processing is performed on data corresponding to the target data field.
In this embodiment, the client may submit a ciphertext processing instruction for a data field (referred to as a target data field) in a data record (referred to as a target data record) stored in the relational database. The ciphertext processing instruction may include a ciphertext processing method (referred to as a target ciphertext processing method) when performing ciphertext processing on data corresponding to the target data field.
In practical applications, the ciphertext processing instruction may be an SQL statement.
Taking the SQL statement select * from temp where salary > 100 as an example, the statement queries the data table temp for data records whose value for the field salary is greater than 100. It can therefore serve as a ciphertext processing instruction for the field salary in all data records stored in the relational database that includes the data table temp; that is, the target data records are all data records in the relational database, the target data field is the field salary, and the target ciphertext processing mode is size comparison in ciphertext calculation.
Taking the SQL statement select * from temp where name = 'element 1' as an example, the statement queries the data table temp for the data record whose field name holds the character string element 1. It can therefore serve as a ciphertext processing instruction for the field name in that data record; that is, the target data record is the data record in the relational database whose field name corresponds to the character string element 1, the target data field is the field name, and the target ciphertext processing mode is ciphertext query.
In one embodiment shown, the client may include a client corresponding to the data owner and/or a client corresponding to a data consumer authorized by the data owner, which is not limited in this specification.
In practical applications, the at least one encryption algorithm specified by the data owner may provide an asymmetric encryption mode, using the private key of the data owner for encryption, and using the public key of the data owner for decryption. In this case, the data owner may authorize its public key to the data consumer and issue the authorization record to the blockchain for storage for subsequent tracing.
In one embodiment shown, the client may submit ciphertext processing instructions for the target data record stored in the relational database. In this case, the server may analyze the ciphertext processing instruction, and split the ciphertext processing instruction into ciphertext processing instructions corresponding to each target data field in the target data record according to the instruction analysis result.
Taking the SQL statement select salary+100 from temp where salary>100 as an example, the statement queries the data table temp for data records whose value for the field salary is greater than 100 and increases the value of the field salary in those data records by 100. By performing instruction analysis, the ciphertext processing instruction can be split into two parts: first, for all data records stored in the relational database that includes the data table temp, a size comparison in ciphertext calculation is performed on the field salary to determine the data records whose value for the field salary is greater than 100; then, for the field salary in those data records, the corresponding value is increased by 100.
Step 304: in response to the ciphertext processing instruction, determining a target encryption algorithm supporting the target ciphertext processing mode, and reading a target ciphertext encrypted by the target encryption algorithm from at least one ciphertext corresponding to the target data field in the target data record.
In this embodiment, when the ciphertext processing instruction is acquired, an encryption algorithm (referred to as a target encryption algorithm) supporting the target ciphertext processing method may be determined in response to the ciphertext processing instruction, and a ciphertext encrypted by the target encryption algorithm (referred to as a target ciphertext) may be read from at least one ciphertext corresponding to the target data field in the target data record.
Continuing with the example of the data table in the relational database shown in table 2, assuming that the target data record is the first data record in the data table, the target data field is the field salary, and the target encryption algorithm is the encryption algorithm 2, the ciphertext s2 encrypted by the encryption algorithm 2 may be read from the data record, that is, the target ciphertext is the ciphertext s2 at this time.
In one embodiment shown, ciphertext encrypted using different encryption algorithms may have different data types. For example, the data type of the ciphertext encrypted using the semi-homomorphic encryption algorithm and the homomorphic encryption algorithm may be a character string, the data type of the ciphertext encrypted using the order-preserving encryption algorithm may be a big, and so on. In this case, the ciphertext corresponding to the target encryption algorithm may be read as the target ciphertext from at least one ciphertext corresponding to the target data field in the target data record based on a correspondence between the encryption algorithm and a data type of the ciphertext.
Step 306: executing the ciphertext processing instruction, and performing ciphertext processing on the target ciphertext according to the target ciphertext processing mode.
In this embodiment, when the target ciphertext is read, the ciphertext processing instruction may be further executed to perform ciphertext processing on the target ciphertext according to the target ciphertext processing method.
In the illustrated embodiment, in the case where the target ciphertext processing method is a ciphertext query, the target encryption algorithm may be an SM4 encryption algorithm.
In the above-described relational database, for a data field to which the SM4 encryption algorithm is specified, data corresponding to the data field in the data record to be written may be encrypted based on the SM4 encryption algorithm. Subsequently, the encryption characteristic corresponding to the data can be determined, and the encryption characteristic and the encrypted data are spliced, so that the spliced data can be used as a ciphertext corresponding to the data field in the data record to be written.
In practical application, the same data is encrypted by adopting the same encryption algorithm and different keys, and the obtained encrypted data is different, but the encryption characteristics corresponding to the data are the same. Thus, for certain data, the encryption characteristics corresponding to this data may be determined in two ways: 1, taking the part of content which is irrelevant to the privacy of the user in the plaintext of the data as an encryption feature corresponding to the data, for example: special symbols in the plain text of this data, or the first N characters in the plain text of this data; 2, the commonality of the encrypted data obtained by encrypting the data by adopting the same encryption algorithm and different keys is taken as the encryption characteristic corresponding to the data, for example: the same character is continued in the encrypted data.
In particular, in order to facilitate distinguishing between the encrypted features and the encrypted data, the length and content of the encrypted features may be spliced with the length and content of the encrypted data.
For example, assuming that the data corresponding to the data field in a certain data record to be written is X, the X may be encrypted based on the SM4 encryption algorithm to obtain the ciphertext X0. Subsequently, a part of the content in X or a part of the content in X0 may be used as an encryption feature M corresponding to the data, and the length and content of M and the length and content of X0 may be spliced, so that the spliced data may be used as a piece of ciphertext corresponding to the data field in the data record, as shown in table 3 below:
| M (length) | M (content) | X0 (length) | X0 (content) |
| --- | --- | --- | --- |

TABLE 3
Accordingly, when ciphertext query is performed on the target ciphertext encrypted by using the SM4 encryption algorithm, the data to be queried in the ciphertext processing instruction can be encrypted based on the SM4 algorithm, and the encryption characteristics corresponding to the data to be queried can be determined. Subsequently, whether the encrypted characteristics corresponding to the data to be queried exist in the encrypted characteristics included in the target ciphertext can be determined based on the bloom filter, and if so, whether the encrypted data to be queried and the encrypted data included in the target ciphertext are matched is further determined. Therefore, the bloom filter can be utilized to perform preliminary screening, and then the accurate matching of the ciphertext is performed, so that the ciphertext matching data quantity is reduced, and the ciphertext matching efficiency is improved.
Further, in order to reduce the probability of ciphertext being decrypted, when the encrypted feature is spliced with the encrypted data, a random variable may be specifically generated according to a preset rule, and the encrypted feature, the encrypted data and the random variable may be spliced.
The rule may be to generate a random variable of a preset length, and to splice the random variable into the odd positions or the even positions of the encrypted data, depending on the parity of the position in the English alphabet of the second character of the random variable.
Correspondingly, when determining whether the encrypted data to be queried matches the encrypted data included in the target ciphertext, the random variable can be removed from the encrypted data to be queried according to the rule, and whether the encrypted data to be queried matches the encrypted data included in the target ciphertext is determined.
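The Table 3 layout and the two-stage query described above (bloom filter over the encryption features, then exact ciphertext match), as an added Python example that is not code from the patent. SM4 is replaced by a deterministic HMAC-based stand-in so the code runs on the standard library alone; the 2-byte length prefixes, the first-two-bytes feature, the class and function names and the sample values are assumptions, and the random variable of the preceding paragraphs is omitted.

```python
import hashlib
import hmac
import struct

FEATURE_LEN = 2  # assumption: feature M = first N plaintext bytes (option 1 in the text)


def det_encrypt(key, plaintext):
    """Deterministic stand-in for SM4 (NOT SM4): synthetic IV plus HMAC keystream."""
    iv = hmac.new(key, b"iv" + plaintext, hashlib.sha256).digest()[:16]
    stream, counter = b"", 0
    while len(stream) < len(plaintext):
        stream += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return iv + bytes(p ^ s for p, s in zip(plaintext, stream))


def pack(feature, enc):
    """Table 3 layout: M (length) | M (content) | X0 (length) | X0 (content)."""
    return struct.pack(">H", len(feature)) + feature + struct.pack(">H", len(enc)) + enc


def unpack(blob):
    """Parse the Table 3 layout; reject truncated input and trailing bytes."""
    pos, parts = 0, []
    for _ in range(2):
        if len(blob) - pos < 2:
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        if len(blob) - pos < n:
            raise ValueError("truncated content")
        parts.append(blob[pos:pos + n])
        pos += n
    if pos != len(blob):
        raise ValueError("trailing bytes")
    return parts[0], parts[1]


class Bloom:
    """Small bloom filter: no false negatives, rare false positives."""

    def __init__(self, bits=1024, hashes=4):
        self.bits, self.hashes, self.field = bits, hashes, 0

    def _positions(self, item):
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.bits for i in range(self.hashes)]

    def add(self, item):
        for p in self._positions(item):
            self.field |= 1 << p

    def __contains__(self, item):
        return all((self.field >> p) & 1 for p in self._positions(item))


class EncryptedColumn:
    """One encrypted field of a data table, as the server would hold it."""

    def __init__(self, key):
        self.key, self.rows, self.bloom = key, [], Bloom()

    def insert(self, value):
        pt = value.encode()
        feature = pt[:FEATURE_LEN]
        self.rows.append(pack(feature, det_encrypt(self.key, pt)))
        self.bloom.add(feature)

    def query(self, value):
        """Return (matching row indexes, number of full ciphertext comparisons)."""
        pt = value.encode()
        feature, enc = pt[:FEATURE_LEN], det_encrypt(self.key, pt)
        if feature not in self.bloom:      # preliminary screening
            return [], 0
        hits, compared = [], 0
        for i, blob in enumerate(self.rows):
            row_feature, row_enc = unpack(blob)
            if row_feature != feature:     # bloom filters can give false positives
                continue
            compared += 1
            if hmac.compare_digest(row_enc, enc):   # exact ciphertext match
                hits.append(i)
        return hits, compared


def demo():
    col = EncryptedColumn(b"k" * 16)       # constructed key and sample values
    for name in ["alice", "alan", "bob", "carol", "alice"]:
        col.insert(name)
    return col.query("alice"), col.query("dave")


if __name__ == "__main__":
    print(demo())
```

The feature is stored unencrypted beside the ciphertext, so anyone who can read the table learns it for every row; with a plaintext-prefix feature that is the first N bytes of each value.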
In the above technical solution, for the data records submitted by the data owner and to be written into the relational database, the data corresponding to at least some of the data fields in the data records may be encrypted based on at least one encryption algorithm specified by the data owner for the at least some of the fields in the relational database, so that the encrypted data records include at least one ciphertext corresponding to each of the at least some of the data fields, and the encrypted data records are written into the relational database.
By adopting the mode, the ciphertext of the data is stored in the relational database, so that the privacy and the safety of the data stored in the relational database can be ensured; and, because the ciphertext processing is supported to be directly carried out on the ciphertext in the relational database, the specific operation on the data stored in the relational database can be normally executed.
Referring to fig. 4, fig. 4 is a flowchart illustrating another method for managing a relational database according to an exemplary embodiment of the present disclosure.
The management method of the relational database can be applied to the server corresponding to the relational database. The server may specifically refer to a database management system in the relational database system.
In this embodiment, the relational database may include two data tables, which are referred to as a first data table and a second data table, respectively. As previously described, both the first data table and the second data table may be used to store encrypted data records.
Wherein the first data table and the second data table may comprise one and the same data field (referred to as a target data field). For any data record in the first data table, the ciphertext corresponding to the target data field in the data record may be a ciphertext obtained by encrypting the corresponding original data based on a preset encryption algorithm (referred to as a target encryption algorithm) and a key (referred to as a first key). For any data record in the second data table, the ciphertext corresponding to the target data field in the data record may be ciphertext obtained by encrypting the corresponding original data based on the target encryption algorithm and a key (referred to as a second key).
In practical applications, the first key and the second key may be different. In this case, the ciphertext obtained by encrypting the same original data based on the target encryption algorithm and the first key is different from the ciphertext obtained by encrypting the same original data based on the target encryption algorithm and the second key.
The above-mentioned management method of relational database may include the following steps:
Step 402: acquiring a connection instruction submitted by the client and corresponding to the first data table and the second data table.
In this embodiment, the client may submit the connection instruction corresponding to the first data table and the second data table.
In practical applications, the join instruction may be a join statement in an SQL statement.
Based on the connection instruction, the first data table and the second data table may be combined according to a certain condition to form a new data table. Specifically, based on the target data field, data records in the first data table and the second data table whose original data corresponding to the target data field are the same may be combined to form a new data table.
For example, it is assumed that the first data table is shown in table 4 below and the second data table is shown in table 5 below:
| id | valueA |
| --- | --- |
| Ciphertext of id1 | Ciphertext of valueA1 |
| Ciphertext of id2 | Ciphertext of valueA2 |

TABLE 4

| id | valueB |
| --- | --- |
| Ciphertext of id0 | Ciphertext of valueB0 |
| Ciphertext of id1 | Ciphertext of valueB1 |
| Ciphertext of id2 | Ciphertext of valueB2 |

TABLE 5
The first data table comprises the two data fields id and valueA, and the second data table comprises the two data fields id and valueB. That is, the first data table and the second data table include the same data field id; at this time, the data field id is the target data field.
In the first data record in the first data table and the second data record in the second data table, the original data corresponding to the data field id is id1, so that the two data records can be connected. In the second data record in the first data table and the third data record in the second data table, the original data corresponding to the data field id is id2, so that the two data records can be connected. That is, the data table shown in the following table 6 can be obtained by performing the connection processing on the first data table and the second data table based on the data field id column:
| id | valueA | valueB |
| --- | --- | --- |
| Ciphertext of id1 | Ciphertext of valueA1 | Ciphertext of valueB1 |
| Ciphertext of id2 | Ciphertext of valueA2 | Ciphertext of valueB2 |

TABLE 6
Step 404: in response to the connection instruction, determining, for a first data record in the first data table and a second data record in the second data table, whether a first ciphertext corresponding to the target data field in the first data record and a second ciphertext corresponding to the target data field in the second data record are ciphertexts obtained by encrypting the same data.
In this embodiment, when the connection instruction is acquired, in response to the connection instruction, for any data record in the first data table (referred to as a first data record) and any data record in the second data table (referred to as a second data record), it may be determined whether the ciphertext corresponding to the target data field in the first data record (referred to as a first ciphertext) and the ciphertext corresponding to the target data field in the second data record (referred to as a second ciphertext) are ciphertexts obtained by encrypting the same data.
In one embodiment shown, the target encryption algorithm described above may be an SM4 encryption algorithm, similar to the embodiment shown in fig. 3. In this case, the ciphertext corresponding to the target data field in the first data table may include data encrypted based on an SM4 algorithm and the first key, and an encryption feature corresponding to the data; the ciphertext corresponding to the target data field in the second data table may include data encrypted based on an SM4 algorithm and the second key, and an encryption feature corresponding to the data.
And when determining whether the first ciphertext corresponding to the target data field in the first data record and the second ciphertext corresponding to the target data field in the second data record are ciphertexts obtained by encrypting the same data, the encryption characteristics in the first ciphertext corresponding to the target data field in the first data record can be specifically obtained, whether the encryption characteristics exist in the second ciphertext corresponding to the target data field in the second data record is determined based on a bloom filter, and if yes, whether the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data is further determined.
In one embodiment, similar to the embodiment shown in fig. 3, the ciphertext corresponding to the target data field in the first data table may include data encrypted based on an SM4 algorithm and the first key, the encryption feature corresponding to the data, and a random variable generated according to a preset rule; the ciphertext corresponding to the target data field in the second data table may include data encrypted based on an SM4 algorithm and the second key, the encryption feature corresponding to the data, and a random variable generated according to a preset rule.
When determining whether the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data, specifically, the random variables are removed from the first ciphertext and the second ciphertext according to the rule, and then whether the first ciphertext and the second ciphertext from which the random variables are removed are ciphertexts obtained by encrypting the same data is determined.
Step 406: if the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data, performing connection processing on the first data record and the second data record.
In this embodiment, if it is determined that the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data, the connection processing is performed on the first data record and the second data record. Thus, the first data table and the second data table for storing the encrypted data record can be connected based on the ciphertext without acquiring the plaintext.
In the illustrated embodiment, the client may specifically be a client corresponding to a data owner of the first data table. In this case, the data owner of the second data table may authorize the second key to the data owner of the first data table such that the connection instruction may include the first key, and the second key.
When determining whether the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data, the determination may be made based on the first key and the second key.
In practical applications, the concept of puncturable encryption (Puncturable Encryption) may be employed to determine whether the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data. A puncturable encryption scheme allows the user to update his private key to achieve forward security. In a puncturable encryption scheme, a receiver can use a tag embedded in the ciphertext to update the private key so as to revoke the private key's ability to decrypt a specific message, receiver or time period, while the updated private key's ability to decrypt other ciphertexts is not affected. Thus, even if the private key currently in use is leaked, the security of previously sent messages is not affected, and forward security is realized.
In the illustrated embodiment, when determining whether the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data based on the first key and the second key, specifically, a puncturing key corresponding to the second key may be calculated based on the second key and a puncturing point corresponding to a predetermined puncturable pseudorandom function, then a first function value may be calculated based on the first key and the puncturable pseudorandom function, a second function value may be calculated based on the puncturing key and the puncturable pseudorandom function, and finally whether the first function value and the second function value match may be determined. If the first function value is matched with the second function value, the first ciphertext and the second ciphertext can be determined to be ciphertexts obtained by conducting encryption processing on the same data.
Specifically, assume that there is a pseudo-random generator $G: \{0,1\}^n \to \{0,1\}^{2n}$ (where $\{0,1\}^n$ represents a string consisting of n characters, each 0 or 1). For any $s \in \{0,1\}^n$, let $G_0(s)$ denote the first n bits of $G(s)$ and $G_1(s)$ the last n bits of $G(s)$, and define a pseudo-random function
Figure BDA0004032407970000151
Then, from s, the function value $y = F_s(x)$ corresponding to an arbitrary point $x \in \{0,1\}^n$ can be calculated (where x is a character string $(x_1, x_2, \ldots, x_n)$ with $x_i = 0$ or $1$).
In this case, the above pseudo-random function may correspond to the following four algorithms: Gen outputs a random seed s of the pseudo-random generator G as the key K; Eval(K, x) calculates the function value corresponding to the point x by the key K; Puncture(K, $x^*$) calculates the puncture key $K\{x^*\}$ based on the key K and the puncture point $x^*$; F.PEval($K\{x^*\}$, x) calculates the function value corresponding to the point x by the puncture key $K\{x^*\}$. Here $x^* \in \{0,1\}^n$
Figure BDA0004032407970000152
Specifically, when calculating the function value corresponding to the point x by the puncture key $K\{x^*\}$, if $x^* = x$, error information is output; otherwise, the smallest i satisfying
Figure BDA0004032407970000153
is found, and starting from the found i, iteration is performed according to
Figure BDA0004032407970000154
to calculate the function value.
In practical application, assume that the first key is $K_A$, the second key is $K_B$, the first ciphertext is $I_m = (I_1, I_2)$, and the second ciphertext is $J_{m'} = (J_1, J_2)$, where $I_1$ may be the first n bits of $I_m$ and $I_2$ the last n bits of $I_m$; $J_1$ may be the first n bits of $J_{m'}$ and $J_2$ the last n bits of $J_{m'}$.
A puncture point $x^* \in \{0,1\}^n$ can be randomly selected, and the puncture key $T_B = \mathrm{F.Puncture}(K_B, x^*)$ corresponding to the second key $K_B$ is calculated based on the second key $K_B$ and the puncture point $x^*$. Then, a first function value is calculated based on the first key $K_A$ and the puncturable pseudorandom function
Figure BDA0004032407970000161
and a second function value is calculated based on the puncture key and the puncturable pseudorandom function
Figure BDA0004032407970000162
(where
Figure BDA0004032407970000163
represents exclusive or). Finally, y and y' can be compared; if $y = y'$, it can be determined that the first ciphertext $I_m$ and the second ciphertext $J_{m'}$ are ciphertexts obtained by encrypting the same data.
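The four algorithms described above (Gen, Eval, Puncture, F.PEval), as an added Python example that is not code from the patent. Because the formula images are not reproduced on this page, the example assumes the standard GGM tree construction, in which $F_s(x)$ is obtained by applying $G_{x_1}, G_{x_2}, \ldots, G_{x_n}$ in turn starting from s; SHA-256 stands in for the generator G, n is set to 12, and the function names are hypothetical. It covers the puncturable pseudorandom function only, not the comparison of y and y'.

```python
import hashlib
import secrets

N = 12           # input length n in bits; small so every point can be enumerated
SEED_BYTES = 16  # assumption: seed size used by the stand-in generator


def G(seed):
    """Length-doubling generator G(s) = (G_0(s), G_1(s)); SHA-256 stand-in."""
    out = hashlib.sha256(b"ggm-prg" + seed).digest()
    return out[:SEED_BYTES], out[SEED_BYTES:2 * SEED_BYTES]


def bits(x):
    """x as the bit string (x_1, ..., x_n), most significant bit first."""
    return [(x >> (N - 1 - i)) & 1 for i in range(N)]


def gen():
    """Gen: output a random seed of G as the key K."""
    return secrets.token_bytes(SEED_BYTES)


def eval_prf(key, x):
    """Eval(K, x): walk the GGM tree from the root along the bits of x."""
    node = key
    for b in bits(x):
        node = G(node)[b]
    return node


def puncture(key, x_star):
    """Puncture(K, x*): keep x* and the sibling seed at every level of its path.

    The seeds on the path itself are discarded, so the result cannot be used
    to compute the function value at x*.
    """
    siblings, node = [], key
    for b in bits(x_star):
        pair = G(node)
        siblings.append(pair[1 - b])
        node = pair[b]
    return x_star, siblings


def peval(punctured, x):
    """PEval(K{x*}, x): error at x*, otherwise the same value as Eval(K, x)."""
    x_star, siblings = punctured
    if x == x_star:
        raise ValueError("cannot evaluate at the puncture point")
    xb, sb = bits(x), bits(x_star)
    # smallest i at which x leaves the path of x*
    i = next(j for j in range(N) if xb[j] != sb[j])
    node = siblings[i]
    for b in xb[i + 1:]:        # iterate over the remaining bits of x
        node = G(node)[b]
    return node


def demo(x_star=0x5A3):
    """Count the points where the punctured key agrees with the full key."""
    key = gen()
    pk = puncture(key, x_star)
    agree = sum(1 for x in range(2 ** N)
                if x != x_star and peval(pk, x) == eval_prf(key, x))
    return agree, 2 ** N - 1


if __name__ == "__main__":
    print(demo())
```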
In the above technical solution, when a connection instruction corresponding to a first data table and a second data table in a relational database is acquired, it may be determined, for a first data record in the first data table and a second data record in the second data table, whether a first ciphertext corresponding to a target data field in the first data record and obtained based on a target encryption algorithm and a first key, and a second ciphertext corresponding to the target data field in the second data record and obtained based on the target encryption algorithm and a second key, are ciphertexts obtained by encrypting the same data; if so, the first data record and the second data record may be connected.
In this way, the ciphertext of the data is stored in the relational database, so that the privacy and security of the data stored in the relational database can be ensured; and, because connection processing of the data tables in the relational database can be performed directly on the ciphertext in the relational database, specific operations on the data stored in the relational database can still be executed normally.
Referring to fig. 5, fig. 5 is a schematic diagram showing a hardware structure of an apparatus according to an exemplary embodiment of the present disclosure.
At the hardware level, as shown in fig. 5, the device includes a processor 502, an internal bus 504, a network interface 506, a memory 508, and a nonvolatile storage 510, although other hardware may be included as needed for other services. One or more embodiments of the present description may be implemented in a software-based manner, such as by the processor 502 reading a corresponding computer program from the non-volatile storage 510 into the memory 508 and then running. Of course, in addition to software implementation, one or more embodiments of the present disclosure do not exclude other implementation manners, such as a logic device or a combination of software and hardware, etc., that is, the execution subject of the following processing flow is not limited to each logic module, but may also be hardware or a logic device.
Referring to fig. 6, fig. 6 is a block diagram of a relational database management apparatus according to an exemplary embodiment of the present disclosure.
The above-mentioned management device of the relational database can be applied to the apparatus shown in fig. 5 to implement the technical solution of the present specification. The device is used as a server corresponding to the relational database; the relational database comprises a first data table and a second data table; the first data table and the second data table are used for storing the encrypted data records; the first data table and the second data table include a target data field; the ciphertext corresponding to the target data field in the first data table is ciphertext obtained based on a target encryption algorithm and a first key; the ciphertext corresponding to the target data field in the second data table is ciphertext obtained based on the target encryption algorithm and a second key;
the device comprises:
the obtaining module 602 obtains a connection instruction submitted by the client and corresponding to the first data table and the second data table;
a determining module 604, responsive to the connection instruction, configured to determine, for a first data record in the first data table and a second data record in the second data table, whether a first ciphertext corresponding to the target data field in the first data record and a second ciphertext corresponding to the target data field in the second data record are ciphertexts obtained by performing encryption processing on the same data;
And the connection module 606 is configured to perform connection processing on the first data record and the second data record if the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data.
Optionally, the target encryption algorithm is an SM4 encryption algorithm; the ciphertext comprises data encrypted based on an SM4 algorithm and a secret key and encryption characteristics corresponding to the data;
the determining module 604:
acquiring an encryption characteristic in a first ciphertext corresponding to the target data field in the first data record;
determining whether the encryption feature exists in a second ciphertext corresponding to the target data field in the second data record based on a bloom filter;
if so, further determining whether the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data.
Optionally, the ciphertext further comprises a random variable generated according to a preset rule;
the determining module 604:
and respectively removing the random variable from the first ciphertext and the second ciphertext according to the rule, and determining whether the removed first ciphertext and the removed second ciphertext are ciphertexts obtained by conducting encryption processing on the same data.
Optionally, the client includes a client corresponding to a data owner of the first data table; the connection instruction includes the first key and the second key authorized by the data owner of the second data table to the data owner of the first data table;
the determining module 604:
and determining whether a first ciphertext corresponding to the target data field in the first data record and a second ciphertext corresponding to the target data field in the second data record are ciphertexts obtained by conducting encryption processing on the same data or not based on the first key and the second key.
Optionally, the determining module 604:
calculating a puncturing key corresponding to the second key based on the second key and a puncturing point corresponding to a preset puncturable pseudorandom function;
calculating a first function value based on the first key and the puncturable pseudorandom function, and calculating a second function value based on the puncture key and the puncturable pseudorandom function;
determining whether the first function value matches the second function value.
For the device embodiments, they essentially correspond to the method embodiments, so that reference is made to the description of the method embodiments for relevant points.
The apparatus embodiments described above are merely illustrative, wherein the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the technical scheme of the specification.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in computer-readable media, in the form of random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The terminology used in one or more embodiments of this specification is for the purpose of describing particular embodiments only and is not intended to limit the one or more embodiments of this specification. As used in one or more embodiments of this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of this specification to describe various information, the information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments of this specification. The word "if" as used herein may be interpreted as "when …" or "upon …" or "in response to a determination", depending on the context.
The foregoing description of the preferred embodiments is intended only to illustrate the embodiments of the present invention and is not intended to limit them to the particular embodiments described.

Claims (12)

1. A method for managing a relational database, applied to a server corresponding to the relational database; the relational database comprises a first data table and a second data table; the first data table and the second data table are used for storing encrypted data records; the first data table and the second data table include a target data field; the ciphertext corresponding to the target data field in the first data table is ciphertext obtained based on a target encryption algorithm and a first key; the ciphertext corresponding to the target data field in the second data table is ciphertext obtained based on the target encryption algorithm and a second key; the method comprises the following steps:
acquiring a connection instruction, submitted by a client, that corresponds to the first data table and the second data table;
in response to the connection instruction, determining, for a first data record in the first data table and a second data record in the second data table, whether a first ciphertext corresponding to the target data field in the first data record and a second ciphertext corresponding to the target data field in the second data record are ciphertexts obtained by encrypting the same data;
if the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data, performing connection processing on the first data record and the second data record.
2. The method of claim 1, the target encryption algorithm being an SM4 encryption algorithm; the ciphertext comprises data encrypted based on the SM4 algorithm and a key, and an encryption feature corresponding to the data;
the determining whether the first ciphertext corresponding to the target data field in the first data record and the second ciphertext corresponding to the target data field in the second data record are ciphertexts obtained by encrypting the same data includes:
acquiring the encryption feature in the first ciphertext corresponding to the target data field in the first data record;
determining, based on a bloom filter, whether the encryption feature exists in the second ciphertext corresponding to the target data field in the second data record;
if so, further determining whether the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data.
3. The method of claim 2, the ciphertext further comprising a random variable generated according to a preset rule;
the determining whether the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data includes:
removing the random variable from the first ciphertext and from the second ciphertext according to the rule, and determining whether the first ciphertext and the second ciphertext, with the random variable removed, are ciphertexts obtained by encrypting the same data.
4. The method of claim 1, the client comprising a client corresponding to a data owner of the first data table; the connection instruction includes the first key and the second key authorized by the data owner of the second data table to the data owner of the first data table;
the determining whether the first ciphertext corresponding to the target data field in the first data record and the second ciphertext corresponding to the target data field in the second data record are ciphertexts obtained by encrypting the same data includes:
determining, based on the first key and the second key, whether the first ciphertext corresponding to the target data field in the first data record and the second ciphertext corresponding to the target data field in the second data record are ciphertexts obtained by encrypting the same data.
5. The method according to claim 4, wherein determining, based on the first key and the second key, whether the first ciphertext corresponding to the target data field in the first data record and the second ciphertext corresponding to the target data field in the second data record are ciphertexts obtained by encrypting the same data includes:
calculating a puncture key corresponding to the second key based on the second key and a puncture point corresponding to a preset puncturable pseudorandom function;
calculating a first function value based on the first key and the puncturable pseudorandom function, and calculating a second function value based on the puncture key and the puncturable pseudorandom function;
determining whether the first function value matches the second function value.
6. A device for managing a relational database, applied to a server corresponding to the relational database; the relational database comprises a first data table and a second data table; the first data table and the second data table are used for storing encrypted data records; the first data table and the second data table include a target data field; the ciphertext corresponding to the target data field in the first data table is ciphertext obtained based on a target encryption algorithm and a first key; the ciphertext corresponding to the target data field in the second data table is ciphertext obtained based on the target encryption algorithm and a second key; the device comprises:
an acquisition module, which acquires a connection instruction, submitted by a client, that corresponds to the first data table and the second data table;
a determining module, which, in response to the connection instruction, determines, for a first data record in the first data table and a second data record in the second data table, whether a first ciphertext corresponding to the target data field in the first data record and a second ciphertext corresponding to the target data field in the second data record are ciphertexts obtained by encrypting the same data;
a connection module, which performs connection processing on the first data record and the second data record if the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data.
7. The apparatus of claim 6, the target encryption algorithm being an SM4 encryption algorithm; the ciphertext comprises data encrypted based on the SM4 algorithm and a key, and an encryption feature corresponding to the data;
the determination module:
acquiring the encryption feature in the first ciphertext corresponding to the target data field in the first data record;
determining, based on a bloom filter, whether the encryption feature exists in the second ciphertext corresponding to the target data field in the second data record;
if so, further determining whether the first ciphertext and the second ciphertext are ciphertexts obtained by encrypting the same data.
8. The apparatus of claim 7, the ciphertext further comprising a random variable generated according to a preset rule;
the determination module:
removing the random variable from the first ciphertext and from the second ciphertext according to the rule, and determining whether the first ciphertext and the second ciphertext, with the random variable removed, are ciphertexts obtained by encrypting the same data.
9. The apparatus of claim 6, the client comprising a client corresponding to a data owner of the first data table; the connection instruction includes the first key and the second key authorized by the data owner of the second data table to the data owner of the first data table;
the determination module:
determining, based on the first key and the second key, whether a first ciphertext corresponding to the target data field in the first data record and a second ciphertext corresponding to the target data field in the second data record are ciphertexts obtained by encrypting the same data.
10. The apparatus of claim 9, the determination module:
calculating a puncture key corresponding to the second key based on the second key and a puncture point corresponding to a preset puncturable pseudorandom function;
calculating a first function value based on the first key and the puncturable pseudorandom function, and calculating a second function value based on the puncture key and the puncturable pseudorandom function;
determining whether the first function value matches the second function value.
11. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any of claims 1-5 by executing the executable instructions.
12. A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the method of any of claims 1-5.
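Claims 5 and 10 name a puncturable pseudorandom function, a puncture key and a puncture point without defining them. The following added example (not code from the patent or its applicant) shows the primitive itself using the standard GGM tree construction; the HMAC-SHA256 seed expansion, the 16-bit input width, and all function and variable names are assumptions, and the cross-key matching step of the claims is not reproduced because the page does not specify it.

```python
import hashlib
import hmac

DEPTH = 16  # assumed input width in bits; the claims give no domain size


def _child(seed, bit):
    """Half of a length-doubling PRG: derive the left (0) or right (1) child seed."""
    return hmac.new(seed, bytes([bit]), hashlib.sha256).digest()


def _bits(x):
    """Bits of x, most significant first, padded to DEPTH."""
    return [(x >> (DEPTH - 1 - i)) & 1 for i in range(DEPTH)]


def evaluate(key, x):
    """F(key, x): walk the GGM tree from the root key along the bits of x."""
    node = key
    for b in _bits(x):
        node = _child(node, b)
    return node


def puncture(key, point):
    """Puncture key for `point`: the off-path sibling seed at every tree level."""
    siblings, node = [], key
    for b in _bits(point):
        siblings.append(_child(node, 1 - b))  # subtree that avoids `point`
        node = _child(node, b)                # stay on the path; never exported
    return {"point": point, "siblings": siblings}


def evaluate_punctured(pkey, x):
    """Evaluate with the puncture key; None at the puncture point.

    The seeds on the path to `point` are not part of pkey, so the value
    there cannot be derived from it, independent of the check below.
    """
    if x == pkey["point"]:
        return None
    xb, pb = _bits(x), _bits(pkey["point"])
    level = next(i for i in range(DEPTH) if xb[i] != pb[i])  # where x leaves the path
    node = pkey["siblings"][level]
    for b in xb[level + 1:]:
        node = _child(node, b)
    return node


if __name__ == "__main__":
    key = bytes(range(32))            # constructed demo key, not a real secret
    pkey = puncture(key, 0x1234)      # constructed puncture point
    print(evaluate(key, 0x1235) == evaluate_punctured(pkey, 0x1235))  # agree off-point
    print(evaluate_punctured(pkey, 0x1234))                           # no value at the point
```

Handing out the puncture key instead of the full key delegates evaluation everywhere except one input, which is the property a key-authorization scheme such as the one in claims 4 and 5 would rely on.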
CN202211740503.3A 2022-12-30 2022-12-30 Relational database management method and device Pending CN116089976A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211740503.3A CN116089976A (en) 2022-12-30 2022-12-30 Relational database management method and device

Publications (1)

Publication Number Publication Date
CN116089976A true CN116089976A (en) 2023-05-09

Family

ID=86211545


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination