CN116415214A - Data access control method and system based on digital signature - Google Patents

Publication number
CN116415214A
Authority
CN
China
Prior art keywords
data access
access request
digital signature
data
database system
Legal status
Pending
Application number
CN202310060656.1A
Other languages
Chinese (zh)
Inventor
吴成杰
沈梦婷
张宏兵
郑凡奇
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC

Classifications

    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention relates to the field of data access and provides a data access control method and system based on digital signature. The method comprises the following steps: the data access control device receives a data access request sent by a client, verifies the access authority of the user, signs the data access request after the authority verification passes to obtain a digital signature, and sends the digital signature to the client, wherein the data access request comprises user information, database system identification and an access command; the client sends the data access request and the digital signature to a target database system; and the target database system receives the data access request and the digital signature, performs a signature verification operation on the digital signature to judge whether the digital signature matches the received data access request, and responds to the data access request if it does. The method and device ensure secure access to the data in the database system while reducing the load on the data access control device, improving throughput and meeting data access control requirements in high-concurrency scenarios.

Description

Data access control method and system based on digital signature
Technical Field
The present disclosure relates to the field of data access, and in particular, to a method and system for controlling data access based on digital signature.
Background
With the rapid development of society, the importance of data has become increasingly prominent. Large amounts of data are stored centrally in database systems, and data-use and data-query functions are provided to data analysts and enterprise managers through channels such as business intelligence platforms, to serve data application scenarios such as customer marketing, management analysis and enterprise administration. These diverse ways of using data bring new challenges to data security, so it is important to ensure that data can be used conveniently and quickly on the premise that data security is preserved.
In the prior art, one data access control method relies on the database users of the database system: a number of database users are created to perform create, delete, query and modify operations, each database user having different permissions. This method has the following problems: firstly, the number of database users is often limited by the functions provided by the database system, so the needs of a large number of enterprise users cannot be met; secondly, the user and permission management mechanisms of different database systems are inconsistent, so users and permissions must be configured separately in each database system, which makes maintenance costly and management difficult.
Another prior-art data access control method receives a user's database access request through a data access control device, determines whether the user has access rights to the relevant data, and if so forwards the access command (an SQL statement) to the database system. This method decouples the database system from data access control through centralized control, which meets the needs of a large number of enterprise users and reduces maintenance cost. However, in this method the database system cannot perceive or verify whether the requested SQL statement is legitimate: if an unauthorized user bypasses the data access control device and sends an SQL statement directly to the database system, unauthorized access occurs. On the other hand, all SQL statements must be relayed to the database system through the data access control device, so under high concurrency the data access control device becomes heavily loaded and data access responses are delayed.
Disclosure of Invention
The method herein addresses the problem that, in the prior art, data access control provides poor security as the volume of data access grows.
In order to solve the above technical problem, an aspect of the present disclosure provides a data access control method based on digital signature, which is applied to a data access control device, including:
Receiving a data access request sent by a client, verifying the access authority of a user, and signing the data access request after the authority verification is passed to obtain a digital signature, wherein the data access request comprises: user information, database system identification, access command;
and sending the digital signature to the client so that the client can send a data access request and the digital signature to a target database system.
As a further embodiment herein, verifying the access rights of the user includes:
acquiring a permission set of a user in a database system according to user information and a database system identifier in the data access request, wherein the permission set of the user in the database system consists of a plurality of tuples, and each tuple comprises a data table identifier and an operation type;
performing syntax analysis on the access command in the data access request to obtain the access object and the operation type;
judging whether the authority set of the user in the database system is consistent with the access object and the operation type, and if so, passing the access authority verification.
In a further embodiment herein, signing the data access request to obtain a digital signature includes:
serializing the data access request, or the data access request together with the time information;
calculating a digest (abstract information) of the serialized data;
determining the timeliness of the data according to the database system identification in the data access request;
determining the priority of the data access request according to the timeliness of the data and the user information;
looking up, in a pre-configured first encryption algorithm configuration table, the first target asymmetric encryption algorithm corresponding to the priority of the data access request;
and signing the digest of the serialized data with the first target asymmetric encryption algorithm to obtain the digital signature.
In a further embodiment herein, signing the data access request to obtain a digital signature includes:
serializing the data access request, or the data access request together with the time information;
calculating a digest (abstract information) of the serialized data;
counting the number of unprocessed data access requests at fixed time intervals;
looking up, in a pre-configured second encryption algorithm configuration table, the second target asymmetric encryption algorithm corresponding to that number of data access requests;
and signing the digest of the serialized data with the second target asymmetric encryption algorithm to obtain the digital signature.
In a further embodiment, after receiving the data access request sent by the client, the method further includes:
performing correctness checking on the data access request;
after the check passes, the access right of the user is verified.
As a further embodiment herein, performing a correctness check on the data access request includes:
verifying whether the data access request is consistent with the data format of the standard data access request;
and verifying whether the parameters in the data access request meet preset rules.
The second aspect of the present invention also provides a data access control method based on digital signature, applied to a target database system, comprising:
receiving a data access request and a digital signature sent by a client;
and carrying out signature verification operation on the digital signature to judge whether the digital signature is matched with the received data access request, and if so, responding to the data access request.
As a further embodiment herein, the data access request further includes: requesting time information;
after determining that the digital signature matches the received data access request, further comprising:
adding a preset value to the request time information in the data access request to obtain a deadline;
judging whether the current time is earlier than the deadline: if not, the data access request is not responded to, and if so, the data access request is responded to.
As a further embodiment herein, before responding to the data access request, the method further includes:
judging whether the digital signature exists in the cache, if so, not responding to the data access request, if not, storing the digital signature in the cache, setting the effective time of the digital signature, and deleting the digital signature in the cache after the effective time is up.
In a further embodiment, the digital signature is obtained by encrypting the digest of the data access request with a private key associated with the target database system;
performing the signature verification operation on the digital signature to judge whether the digital signature matches the received data access request then includes:
serializing the data access request;
calculating the digest of the serialized data;
decrypting the digital signature with the public key of the target database system;
judging whether the decryption result is consistent with the digest of the serialized data: if so, the match succeeds, otherwise it fails.
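The signing step of the data access control device and the three checks of the target database system described above (signature match, deadline, replay cache), as an added example that is not part of the patent; it assumes JSON serialization, SHA-512 digests, Ed25519 keys and a 30-second deadline window, and the Ed25519 Verify call performs the match that the text describes as decrypting the signature with the public key and comparing it with the digest:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
	"time"
)

// DataAccessRequest carries the fields the page lists plus the request time.
type DataAccessRequest struct {
	UserID      string `json:"user_id"`
	DBSystemID  string `json:"db_system_id"`
	Command     string `json:"command"`
	RequestTime int64  `json:"request_time"` // Unix seconds, set by the client
}

// digest serializes the request to JSON (fields are emitted in declaration
// order, so both sides produce identical bytes) and hashes it with SHA-512.
func digest(req DataAccessRequest) ([]byte, error) {
	data, err := json.Marshal(req)
	if err != nil {
		return nil, err
	}
	sum := sha512.Sum512(data)
	return sum[:], nil
}

// Sign is the data access control device's step after the permission check:
// sign the digest with the private key associated with the target database.
func Sign(priv ed25519.PrivateKey, req DataAccessRequest) ([]byte, error) {
	d, err := digest(req)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, d), nil
}

var (
	ErrBadSignature = errors.New("digital signature does not match the request")
	ErrExpired      = errors.New("request deadline has passed")
	ErrReplay       = errors.New("digital signature already used")
)

// Verifier is the target database system's side: its public key, the preset
// value added to the request time to obtain the deadline, and the cache of
// accepted signatures (keyed by signature, valued by the entry's expiry).
type Verifier struct {
	pub    ed25519.PublicKey
	window time.Duration
	mu     sync.Mutex
	seen   map[string]time.Time
}

func NewVerifier(pub ed25519.PublicKey, window time.Duration) *Verifier {
	return &Verifier{pub: pub, window: window, seen: make(map[string]time.Time)}
}

// Accept applies the page's checks in order: signature match, deadline, replay
// cache. It returns nil only if the request may be executed; the current time
// is passed in so the behaviour is deterministic in tests.
func (v *Verifier) Accept(req DataAccessRequest, sig []byte, now time.Time) error {
	d, err := digest(req)
	if err != nil {
		return err
	}
	if !ed25519.Verify(v.pub, d, sig) {
		return ErrBadSignature
	}
	deadline := time.Unix(req.RequestTime, 0).Add(v.window)
	if !now.Before(deadline) {
		return ErrExpired
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	for k, exp := range v.seen { // drop entries whose effective time is up
		if !now.Before(exp) {
			delete(v.seen, k)
		}
	}
	if _, dup := v.seen[string(sig)]; dup {
		return ErrReplay
	}
	// Keep the signature until the request's own deadline; after that the deadline check rejects a replay by itself.
	v.seen[string(sig)] = deadline
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier(pub, 30*time.Second)
	req := DataAccessRequest{UserID: "u1", DBSystemID: "db-a", Command: "SELECT id FROM uuu.table_xxx_yyy", RequestTime: time.Now().Unix()}
	sig, _ := Sign(priv, req)
	fmt.Println(v.Accept(req, sig, time.Now()), v.Accept(req, sig, time.Now())) // <nil> then the replay error
}
```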
A third aspect herein provides a data access control apparatus comprising:
the receiving module is used for receiving a data access request sent by the client;
the permission verification module is used for verifying the access permission of the user;
the signature module is used for carrying out signature processing on the data access request after the permission verification is passed to obtain a digital signature, wherein the data access request comprises: user information, database system identification, access command;
and the sending unit is used for sending the digital signature to the client so that the client can send the data access request and the digital signature to a target database system.
A fourth aspect herein provides a database system comprising:
the receiving module is used for receiving the data access request and the digital signature sent by the client;
and the signature verification module is used for carrying out signature verification operation on the digital signature so as to judge whether the digital signature is matched with the received data access request, and if so, the execution module responds to the data access request.
A fifth aspect herein provides a digital signature based data access control system comprising: a client, a data access control device and a plurality of database systems;
The client is used for sending a data access request to the data access control device; transmitting a data access request and a digital signature to a target database system; wherein the data access request includes: user information, database system identification, access command;
the data access control device is used for receiving the data access request, verifying the access authority of a user, signing the data access request after the authority verification is passed to obtain a digital signature, and sending the digital signature to the client;
the database system is used for receiving the data access request and the digital signature, carrying out signature verification operation on the digital signature so as to judge whether the digital signature is matched with the received data access request, and responding to the data access request if the digital signature is matched with the received data access request.
In a further embodiment herein, the data access control apparatus comprises a plurality of access control devices arranged in cascade, each access control device receiving the data access requests sent by the clients in its own service area;
when an access control device fails, the clients in its service area send their data access requests to the access control device one level above it.
A sixth aspect herein provides a computer apparatus comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any of the preceding embodiments when the computer program is executed.
A seventh aspect herein provides a computer storage medium having stored thereon a computer program which, when executed by a processor of a computer device, implements a method as described in any of the previous embodiments.
An eighth aspect herein provides a computer program product comprising a computer program which, when executed by a processor of a computer device, implements a method as described in any of the preceding embodiments.
In the data access control method, device and system based on digital signature, the data access control device and the database system provided herein, the data access control device receives the data access request sent by the client, verifies the user's access authority and, after the verification passes, signs the data access request to obtain a digital signature and sends it to the client, the data access request comprising user information, database system identification and an access command; the client sends the data access request and the digital signature to the target database system; and the target database system receives the data access request and the digital signature, performs a signature verification operation on the digital signature to judge whether it matches the received data access request, and responds to the request if it does. The database system can therefore verify the legitimacy of each data access request from its digital signature, so secure access to the data is ensured. At the same time, the data access control device only performs authority verification and digital signing and is not responsible for relaying data access requests, which reduces its load, improves throughput, and meets the data access control requirements of high-concurrency scenarios.
The foregoing and other objects, features and advantages will be apparent from the following more particular description of preferred embodiments, as illustrated in the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments herein, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates a flow chart of a digital signature based data access control method of embodiments herein;
FIG. 2 illustrates a flow diagram of a data access request checking process of an embodiment herein;
FIG. 3 illustrates a flow chart of a process for verifying user access rights in embodiments herein;
FIG. 4 illustrates a first flow chart of a digital signature process for a data access request according to embodiments herein;
FIG. 5 illustrates a second flowchart of a digital signature process for a data access request according to embodiments herein;
FIG. 6 illustrates a first flowchart of a database system validation data access request process of embodiments herein;
FIG. 7 illustrates a second flowchart of a database system validation data access request process of embodiments herein;
FIG. 8 illustrates a third flowchart of a database system validation data access request process of embodiments herein;
FIG. 9 illustrates a block diagram of a digital signature based data access control system of embodiments herein;
FIG. 10 illustrates a block diagram of a data access control apparatus of an embodiment herein;
FIG. 11 illustrates a block diagram of a database system of embodiments herein;
FIG. 12 illustrates a flow chart of a process performed by the signature verification module of embodiments herein;
FIG. 13 illustrates a block diagram of a computer device of embodiments herein.
Description of the drawings:
901. a client;
902. a data access control device;
903. a database system;
1001. a receiving module;
1002. a permission checking module;
1003. a signature module;
1004. a transmitting module;
1005. a user authority pool;
1102. a storage device;
11011. a receiving module;
11012. a signature verification module;
11013. an execution module;
1302. a computer device;
1304. a processor;
1306. a memory;
1308. a driving mechanism;
1310. an input/output module;
1312. an input device;
1314. an output device;
1316. A presentation device;
1318. a graphical user interface;
1320. a network interface;
1322. a communication link;
1324. a communication bus.
Detailed Description
The following description of the embodiments of the present disclosure will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the disclosure. All other embodiments, based on the embodiments herein, which a person of ordinary skill in the art would obtain without undue burden, are within the scope of protection herein.
It should be noted that the terms "first," "second," and the like in the description and claims herein and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, apparatus, article, or device that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or device.
The present specification provides method operational steps as described in the examples or flowcharts, but may include more or fewer operational steps based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one way of performing the order of steps and does not represent a unique order of execution. When a system or apparatus product in practice is executed, it may be executed sequentially or in parallel according to the method shown in the embodiments or the drawings.
It should be noted that the method and the device for controlling data access based on digital signature herein can be used for controlling data access in financial field, and also can be used in any field except financial field, and the application field of the method and the device for controlling data access based on digital signature herein is not limited.
It should be noted that, user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
In an embodiment of the present invention, a data access control method based on digital signature is provided, which solves the problem that prior-art data access control provides poor security as the volume of data access grows. Specifically, as shown in fig. 1, the method includes:
Step 101, the data access control device receives a data access request sent by the client, verifies the access authority of the user, performs signature processing on the data access request after the authority verification is passed to obtain a digital signature, and sends the digital signature to the client.
Wherein the data access request includes: user information, database system identification, access commands. The user information includes: user identification and credentials, the user identification being used to uniquely represent a user, e.g. an identification card number, a mobile phone number, a user name, etc. Credentials include, but are not limited to, user passwords, user password digests, digital signatures, and the like. The database system identification is used to uniquely represent/locate the database system. The access command may be implemented by an SQL statement including, but not limited to, SELECT, UPDATE, DELETE, ALTER, etc.
Signing the data access request to obtain the digital signature comprises the following steps: first the data access request is serialized, then a digest (abstract information) of the serialized data is calculated, and the digest is signed. Signing the digest rather than the request itself improves signing efficiency and avoids the slowdown that an oversized data access request would otherwise cause. When this step is implemented, the size of the serialized data may be checked first: when it exceeds a preset value, the digest of the serialized data is calculated and signed; when it is less than or equal to the preset value, the serialized data may be signed directly. The digest may be calculated with an existing algorithm such as SHA512; the specific calculation method is not limited herein.
The data access control device may be a server, a computer device or the like. In particular, when the application system comprises organizations at several levels, for example a banking system with head office, branches and so on, the data access control device may, to improve data access efficiency, comprise a plurality of access control devices arranged in cascade, each receiving the data access requests sent by the clients in its own service area. This layout prevents many data access requests generated at the same time from interfering with one another and improves the response efficiency of data access requests.
Further, when an access control device fails, a data access request sent by a client in a service area of the access control device is sent to an access control device of a higher level of the access control device. By the method, effective processing of the data access request can be guaranteed.
The client may be a desktop computer, tablet computer, notebook computer, smart phone, digital assistant, smart wearable device, etc. Smart wearable devices include smart bracelets, smart watches, smart glasses, smart helmets and the like. Of course, the client is not limited to a physical electronic device; it may also be software running in an electronic device.
Because the user's access rights are verified and the digital signature is generated by the data access control device, user permission management is decoupled from the forwarding of data access requests, which improves the efficiency of sending data access requests, lets the database system perceive the legitimacy of each data access, and ensures data access security.
Step 102, the client sends a data access request and a digital signature to the target database system.
After receiving the digital signature sent by the data access control device, the client directly sends the data access request and the digital signature to the target database system.
And step 103, the target database system receives the data access request and the digital signature, performs signature verification operation on the digital signature to judge whether the digital signature is matched with the received data access request, and responds to the data access request if the digital signature is matched with the received data access request.
According to the embodiment, the data access control device carries out signature processing on the data access request, the client side sends the data access request and the digital signature to the database system, so that the database system can verify the legitimacy of the data access request according to the digital signature while realizing authority centralized management and control, the data access control device only carries out authority verification and digital signature, is not responsible for transferring the data access request, reduces the load, improves the throughput, and can meet the data access control requirement under a high concurrency scene.
In an embodiment herein, after receiving the data access request sent by the client, the data access control device further includes: and checking the correctness of the data access request, and verifying the access right of the user after the data access request passes the check. Specifically, as shown in fig. 2, the correctness checking includes:
step 201, verifying whether the data access request is consistent with the data format of the standard data access request. The data format of the standard data access request is stored in the data access control device in advance, and the verified content mainly comprises whether the position of the parameter in the access request is correct or not.
Step 202, verifying whether parameters in the data access request meet preset rules. The preset rule is used for defining a value range of parameters in the data access request.
In the embodiment, the correctness checking is firstly performed on the data access request, and when the data access request is incorrect, the verification of the user access right is directly skipped.
In one embodiment herein, as shown in fig. 3, the step 101 of verifying the access right of the user includes:
Step 301, obtaining a permission set of a user in a database system according to user information in a data access request and a database system identifier, wherein the permission set of the user in the database system is composed of a plurality of tuples, and each tuple comprises a data table identifier and an operation type.
The data table identifier may be represented by a table name such as uuu.table_xxx_yyy, and the operation type is the type of operation allowed for the access command, including but not limited to SELECT, UPDATE, DELETE, ALTER, etc. A tuple is an immutable data structure that groups several values into an ordered whole which is not changed afterwards; it is written with parentheses, for example (uuu.table_xxx_yy, SELECT), (uuu.table_xxx_yy, UPDATE) and so on. When tuples are compared, the values of the two tuples must be completely identical for them to be considered equal.
When the step is implemented, the authority set of the user in the database system is obtained from the user authority pool.
Step 302, performing syntax analysis on the access command in the data access request to obtain the access object and the operation type.
In detail, each access object and its corresponding operation type may constitute a tuple, and a plurality of tuples constitute a check set. For example, if an access command has multiple operation types for the same table (access object), multiple tuples are obtained.
Step 303, judging whether the authority set of the user in the database system is consistent with the access object and the operation type, and if so, passing the access authority verification.
When the step is implemented, a difference set of the check set in the authority set is calculated, if the difference set is an empty set, the authority check is passed, and if the difference set is not the empty set, the authority check is not passed. The difference set of the check set in the authority set is a set of all elements belonging to the check set but not to the authority set.
The embodiment stores the user rights in a tuple mode, and can ensure the orderly verification of the user access rights.
In an embodiment herein, in order to ensure the processing speed and efficiency of signing, the signature algorithm may be the EDWARDS25519 algorithm, a fast signature algorithm based on the Edwards25519 elliptic curve. The algorithm uses a public key and a private key: the public key is published, the private key is used for signing and the public key for signature verification, and both keys are 32 bytes long. On a 2.4 GHz Intel Westmere CPU, the Edwards25519 elliptic curve signature algorithm can reach about 100,000 signatures per second and 70,000 signature verifications per second while maintaining its security strength.
In one embodiment herein, as shown in fig. 4, the digital signature of the data access request by the data access control device includes:
Step 401, serializing the data access request or the data access request and the time information, and calculating summary information of the serialized data.
This step converts the data access request into a character string, which is convenient for signing. In some embodiments the data access request is encapsulated in JSON format, and the serialization of this step then consists of converting the JSON object into a string.
Step 402, determining timeliness of the data according to the database system identification in the data access request.
When this step is implemented, the data timeliness corresponding to the database system identifier in the data access request is determined from a preconfigured association between database systems and timeliness. The timeliness indicates how frequently the data stored in the database system is updated: the faster the update frequency, the shorter the data timeliness; the slower the update frequency, the longer the data timeliness.
Step 403, determining the priority of the data access request according to the timeliness of the data and the user information.
When this step is implemented, the association between timeliness, user level and access priority is preconfigured: the shorter the timeliness and the higher the user level, the higher the corresponding priority.
Step 404, querying a first target asymmetric encryption algorithm corresponding to the priority of the data access request from a first encryption algorithm configuration table which is pre-configured.
The first encryption algorithm configuration table is configured with an association relation between the priority and the asymmetric encryption algorithm, and the higher the priority is, the faster the processing speed of the asymmetric encryption algorithm is, so that the timeliness of data access can be ensured.
Step 405, digitally signing summary information of the serialized data using a first target asymmetric encryption algorithm.
This embodiment takes into account that signature algorithms with a high signing speed also have a high CPU occupancy and cost. By choosing the encryption algorithm according to the timeliness that the data access request demands of the data, the encryption cost and resource occupancy can be reduced while effective signing of the data access request is still ensured.
In one embodiment herein, as shown in fig. 5, the digital signature of the data access request by the data access control device includes:
step 501, the data access request or the data access request and the time information are serialized, and summary information of the serialized data is calculated.
Step 502, counting the number of unprocessed data access requests at regular time intervals.
In practice, the fixed time interval may be set as required and is not limited herein.
Step 503, inquiring a second target asymmetric encryption algorithm corresponding to the number of data access requests from a second encryption algorithm configuration table which is pre-configured.
In detail, the second encryption algorithm configuration table records the correspondence between the number of data access requests and the asymmetric encryption algorithm. The correspondence is established as follows: first, the number X of data access requests that an asymmetric encryption algorithm can process within a preset time period is determined; then a correspondence is established between that asymmetric encryption algorithm and a range around X (X increased or decreased by a preset value).
Step 504, digital signature is performed on the summary information of the serialized data by using a second target asymmetric encryption algorithm.
According to the embodiment, the encryption algorithm can be adjusted according to the number of unprocessed data access requests, so that the encryption efficiency of the data access requests is guaranteed, and the balance between the encryption efficiency and the encryption overhead is realized.
In one embodiment herein, in addition to user information, a database system identifier and an access command, the data access request further includes request time information.
As shown in fig. 6, after the database system determines that the decryption result is consistent with the received data access request, the method further includes:
Step 601, postponing the request time information in the data access request by a predetermined value to obtain the deadline.
The predetermined value may be set according to the transit time of the data access request; in some embodiments it is, for example, 10 minutes.
Step 602, judging whether the current time is earlier than the deadline, if not, not responding to the data access request, and if so, responding to the data access request.
The embodiment can avoid responding to the repeated or abnormally transmitted data access request and ensure the safety of data access.
In one embodiment herein, as shown in fig. 7, before the database system responds to the data access request, the method further includes:
Step 701, determining whether the digital signature already exists in the cache; if so, executing step 702, and if not, executing step 703.
Step 702, no response is made to the data access request.
Step 703, setting the valid time of the digital signature, and deleting the digital signature in the cache after the valid time is up.
The effective time can be set according to actual requirements, and in some embodiments, the effective time is 10 minutes.
The embodiment can ensure that each data access request is responded only once, and avoid the repeated response problem under the condition that the data access request is sent repeatedly due to network failure or misoperation of a user or interception of an illegal user.
In one embodiment, the digital signature is obtained by encrypting summary information of the data access request by using a private key associated with the target database.
As shown in fig. 8, the target database system performs a signature verification operation on the digital signature to determine whether the digital signature matches the received data access request includes:
step 801, serializing the data access request, and calculating summary information of the serialized data.
Step 802, decrypting the digital signature using the public key of the present system.
Step 803, judging whether the decryption result is consistent with the summary information of the serialized data, if so, responding to the data access request, otherwise, refusing to respond to the data access request.
In a further embodiment, the number of times a response to the data access request is refused is also recorded, and once that number reaches a certain amount, an alert is sent to the corresponding client.
In one embodiment herein, there is also provided a data access control system based on digital signature, as shown in fig. 9, the data access control system includes: a client 901, a data access control device 902, and a plurality of database systems 903.
The client 901 is configured to send a data access request to the data access control device; and sending the data access request and the digital signature to a target database system. Wherein the data access request includes: user information, database system identification, access commands.
The data access control device 902 is configured to receive the data access request, verify an access right of a user, perform signature processing on the data access request after the access right passes the verification, obtain a digital signature, and send the digital signature to the client.
The database system 903 is configured to receive a data access request and a digital signature, and perform a signature verification operation on the digital signature to determine whether the digital signature matches the received data access request, and if so, respond to the data access request.
According to the embodiment, the database system can verify the validity of the data access request according to the digital signature, the safe access of the data is guaranteed, meanwhile, the data access control device only performs authority verification and digital signature, is not responsible for transferring the data access request, reduces the load, improves the throughput, and can meet the data access control requirement under a high concurrency scene.
In one embodiment herein, as shown in fig. 10, a data access control apparatus includes: a receiving module 1001, a right checking module 1002, a signing module 1003 and a transmitting module 1004.
The receiving module 1001 is configured to receive a data access request initiated by a client and perform the corresponding format check. The format check includes: checking whether the data access request contains user information, a database system identifier, an SQL statement and a request time; and checking whether the field formats in the data access request are correct. The format check ensures that the information can be identified and that the related information is not obviously unreasonable; for example, the request time should not exceed a predetermined time.
Specifically, it is checked whether the user information is correct and whether the database system identifier is correct. Checking the user information checks the legitimacy of the user; the user information comprises the user's identifier and credentials, and the credentials may take various forms such as a user password, a digest of the user password, or a digital signature. Checking the database system identifier only requires confirming that the identifier exists.
The permission checking module 1002 is configured to check whether the user has permission for the data related to the current data access request.
Specifically, the method comprises the following steps:
Step 1, obtaining the user's permissions in the database system using the user information and database system identifier of the data access request, and forming a permission set A whose elements are (table name, operation type) tuples. The user's permission set for each database system is stored in the user permission pool 1005.
Step 2, performing syntax analysis on the SQL statement of the data access request to obtain the tables it involves and the operation type on each, and forming a check set from these (table, operation type) tuples. If the SQL statement performs several operation types on the same table, the check set contains a corresponding tuple for each.
Step 3, computing the difference set of the check set relative to the permission set: if the difference set is empty, the permission check passes; if it is not empty, the permission check fails. The difference set of the check set relative to the permission set is the set of all elements that belong to the check set but not to the permission set.
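The tuple-based permission check of steps 301 to 303 earlier in the description, and again of steps 1 to 3 of the permission checking module 1002 above, can be carried through as follows. This is an added example and not code from the patent or its applicant; the permission pool contents, the user and database system names, and the regular-expression stand-in for the syntax analysis are assumptions for the example (a production system would use a full SQL parser). It also generalizes slightly beyond the text by treating every FROM/JOIN source, including subqueries, as a SELECT tuple, so an UPDATE with a subquery needs both permissions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Tuple is one (data table identifier, operation type) element of a
// permission set or check set. Two tuples are equal only when both fields match.
type Tuple struct {
	Table string
	Op    string
}

// Constructed sample user permission pool keyed by "user@database system id";
// the names are assumptions for this example, not from the page.
var permissionPool = map[string]map[Tuple]bool{
	"alice@db_orders": {
		{"uuu.table_xxx_yyy", "SELECT"}: true,
		{"uuu.table_xxx_yyy", "UPDATE"}: true,
		{"uuu.table_zzz", "SELECT"}:     true,
	},
}

// PermissionSet looks the user's permission set up in the pool (step 301).
// An unknown user or database system yields an empty set, so every check tuple
// ends up in the difference set and the request is refused.
func PermissionSet(user, dbID string) map[Tuple]bool {
	return permissionPool[user+"@"+dbID]
}

var (
	ident    = `([A-Za-z_][\w.]*)`
	reUpdate = regexp.MustCompile(`(?i)^\s*UPDATE\s+` + ident)
	reDelete = regexp.MustCompile(`(?i)^\s*DELETE\s+FROM\s+` + ident)
	reInsert = regexp.MustCompile(`(?i)^\s*INSERT\s+INTO\s+` + ident)
	reAlter  = regexp.MustCompile(`(?i)^\s*ALTER\s+TABLE\s+` + ident)
	reSource = regexp.MustCompile(`(?i)\b(?:FROM|JOIN)\s+` + ident)
)

// CheckSet is a deliberately small stand-in for the syntax analysis of step 302:
// it recognises the statement head (UPDATE/DELETE/INSERT/ALTER) and every
// FROM/JOIN source, producing one tuple per (table, operation) pair.
func CheckSet(sql string) map[Tuple]bool {
	out := map[Tuple]bool{}
	rest := sql
	heads := []struct {
		re *regexp.Regexp
		op string
	}{{reUpdate, "UPDATE"}, {reDelete, "DELETE"}, {reInsert, "INSERT"}, {reAlter, "ALTER"}}
	for _, h := range heads {
		if m := h.re.FindStringSubmatch(rest); m != nil {
			out[Tuple{m[1], h.op}] = true
			rest = rest[len(m[0]):] // consume the head so its table is not re-read as a FROM source
			break
		}
	}
	// Every table read through FROM or JOIN (including subqueries) needs SELECT.
	for _, m := range reSource.FindAllStringSubmatch(rest, -1) {
		out[Tuple{m[1], "SELECT"}] = true
	}
	return out
}

// Difference returns the elements of check that are not in perm, sorted for
// deterministic output: the difference set of the check set relative to the
// permission set used in step 303.
func Difference(check, perm map[Tuple]bool) []Tuple {
	var diff []Tuple
	for t := range check {
		if !perm[t] {
			diff = append(diff, t)
		}
	}
	sort.Slice(diff, func(i, j int) bool {
		if diff[i].Table != diff[j].Table {
			return diff[i].Table < diff[j].Table
		}
		return diff[i].Op < diff[j].Op
	})
	return diff
}

// Authorize runs steps 301 to 303 and returns the verdict together with the
// missing tuples, which is what an audit log should record on refusal.
func Authorize(user, dbID, sql string) (bool, []Tuple) {
	diff := Difference(CheckSet(sql), PermissionSet(user, dbID))
	return len(diff) == 0, diff
}

func main() {
	for _, sql := range []string{
		"SELECT a FROM uuu.table_xxx_yyy JOIN uuu.table_zzz ON 1=1",
		"DELETE FROM uuu.table_xxx_yyy WHERE id = 1",
	} {
		ok, diff := Authorize("alice", "db_orders", sql)
		fmt.Printf("%-60s pass=%v missing=%v\n", sql, ok, diff)
	}
}
```

Returning the difference set rather than only a boolean is the useful part for operations: the refused tuples name exactly which table and operation the user lacked, which is what a permission administrator needs to see when reviewing denied requests.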
The signature module 1003 is used for digitally signing a data access request that has passed the permission verification. The data access control device holds a preconfigured EDWARDS25519 key pair and publishes the public key; the private key is used for signing and the public key for verifying the signature. Specifically, the signing process performed by the signing module 1003 includes:
Step 1, serializing the data access request. Serialization converts the data access request object into a character string so that it can be signed conveniently; in this example JSON is used as the encapsulation format of the data access request, so serialization is completed simply by converting the JSON object into a string.
Step 2, generating a signature for the serialized data access request using the EDWARDS25519 algorithm.
When the EDWARDS25519 algorithm is applied, the summary information (digest) of the serialized data access request is calculated first, and the digital signature is then generated from that digest.
The sending module 1004 is configured to send the digital signature to the client.
In a specific embodiment, the system further includes a user permission pool 1005 for storing all permission information of all users in each database system; the permission verification module 1002 accesses the user permission pool to obtain the user's permissions when verifying the user access rights. The permission information can be changed by publishing, or can be maintained by a permission administrator through a provided user interface.
In one embodiment herein, as shown in fig. 11, the database system includes at least: a receiving module 11011, a signature verification module 11012, and an execution module 11013. The receiving module 11011 is configured to receive a data access request and a digital signature and to perform operations such as a format correctness check. The signature verification module 11012 is configured to perform a signature verification operation on the digital signature to determine whether the digital signature matches the received data access request. The execution module 11013 is configured to respond to the data access request after the signature verification module 11012 reports a match. In particular, the database system further includes a storage device 1102 configured to store data such as digital signatures and matching results. Fig. 12 shows a schematic flow diagram of the signature verification module 11012, with the following specific steps:
Step 1201, serializing the data access request.
Step 1202, verifying the validity of the signature against the serialized data access request. The public key used to verify the signature is the public key published by the data access control device; a valid signature indicates that the data access request has been permitted by the data access control device.
Step 1203, adding 10 minutes to the request time in the data access request to obtain the deadline.
Step 1204, judging whether the current time is earlier than the deadline; if not, the verification fails; if it is earlier than the deadline, step 1205 continues.
Step 1205, determining whether the signature is already present in the cache; if so, the verification fails, and if not, step 1206 continues.
Step 1206, storing the signature in the cache with an expiry time of 10 minutes.
In practice, the 10 minutes of steps 1203 and 1206 may be determined from the cache size and the transit time of the data access request. If the time is set too short, the data access request may already have expired by the time it reaches the signature verification module after being relayed hop by hop; if it is set too long, a large number of signatures must be held in the cache and the cache capacity used becomes large.
Steps 1204, 1205 and 1206 ensure that each data access request is used only once, preventing an illegitimate user from reusing a valid data access request and its signature.
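The signing performed by the signature module 1003 (steps 1 and 2 above, with EDWARDS25519 as in the earlier embodiment) and the database-side checks of steps 1201 to 1206 (signature, deadline, cache) are shown end to end below; the same flow also covers steps 601 to 602 and 701 to 703 and the verification steps 801 to 803 from the method embodiments. This is an added example, not code from the patent or its applicant. It assumes Go's standard crypto/ed25519 package, a JSON request with the field names used here, SHA-256 as the digest algorithm, and signing the digest (as the text describes) rather than the raw serialized bytes; the clock is injected so that the deadline and cache expiry can be exercised without waiting.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// DataAccessRequest carries the fields the text lists: user information,
// database system identifier, access command and request time information.
// Field names are assumptions for this example.
type DataAccessRequest struct {
	User        string `json:"user"`
	DBID        string `json:"db_id"`
	Command     string `json:"command"`
	RequestTime int64  `json:"request_time"` // Unix seconds
}

// Digest serializes the request (encoding/json emits struct fields in
// declaration order, so the control device and the database system produce
// byte-identical strings) and returns its SHA-256 summary information.
func Digest(r DataAccessRequest) [32]byte {
	b, _ := json.Marshal(r) // a struct of strings and ints cannot fail to marshal
	return sha256.Sum256(b)
}

// Sign is the data access control device side: digest, then an Ed25519
// signature over the digest with the device's private key (32-byte seed).
func Sign(priv ed25519.PrivateKey, r DataAccessRequest) []byte {
	d := Digest(r)
	return ed25519.Sign(priv, d[:])
}

// Verifier is the database system's signature verification module.
type Verifier struct {
	Pub      ed25519.PublicKey    // public key published by the control device
	Validity time.Duration        // the "10 minutes" of steps 1203 and 1206
	Now      func() time.Time     // injectable clock
	cache    map[string]time.Time // hex(signature) -> cache entry expiry
}

func NewVerifier(pub ed25519.PublicKey, validity time.Duration, now func() time.Time) *Verifier {
	return &Verifier{Pub: pub, Validity: validity, Now: now, cache: map[string]time.Time{}}
}

// Check runs steps 1201 to 1206 and returns whether the request may be
// executed and, when not, a short reason suitable for a log line.
func (v *Verifier) Check(r DataAccessRequest, sig []byte) (bool, string) {
	now := v.Now()
	for k, exp := range v.cache { // drop entries whose valid time is up (step 1206)
		if !now.Before(exp) {
			delete(v.cache, k)
		}
	}
	d := Digest(r) // steps 1201-1202: recompute the digest of what was received
	if !ed25519.Verify(v.Pub, d[:], sig) {
		return false, "signature does not match request"
	}
	deadline := time.Unix(r.RequestTime, 0).Add(v.Validity) // step 1203
	if !now.Before(deadline) {                              // step 1204
		return false, "request expired"
	}
	key := hex.EncodeToString(sig)
	if _, seen := v.cache[key]; seen { // step 1205: replayed signature
		return false, "signature already used"
	}
	v.cache[key] = now.Add(v.Validity) // step 1206
	return true, ""
}

// Cached reports how many signatures are currently held in the cache.
func (v *Verifier) Cached() int { return len(v.cache) }

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v := NewVerifier(pub, 10*time.Minute, time.Now)
	req := DataAccessRequest{User: "alice", DBID: "db_orders",
		Command: "SELECT a FROM uuu.table_xxx_yyy", RequestTime: time.Now().Unix()}
	sig := Sign(priv, req)         // done by the data access control device
	fmt.Println(v.Check(req, sig)) // true
	fmt.Println(v.Check(req, sig)) // false, signature already used
}
```

The "decryption with the public key" of steps 802 and 803 is realized here as ed25519.Verify over the recomputed digest, which is how an Ed25519 implementation actually checks a signature. The signature is used as the cache key because it is bound to the exact serialized request, so a modified request fails step 1202 before it ever reaches the cache. Note that the deadline is derived from the request time the client supplied: a request time set far in the future would extend the window, which is why the receiving module's format check that the request time does not exceed a predetermined time matters alongside these steps.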
The digital signature-based data access control method and device can be applied to accessing data in a data table. When applied in a more complex data control method, the original data access request may be modified; in that case the data access control device of the invention digitally signs the modified data access request and returns the modified data access request together with the digital signature to the client, and the client sends the modified data access request and the digital signature to the database system for execution.
Compared with the prior art, the digital signature-based data access control method and device provided herein have the following advantages:
1) The database system and the data access control are decoupled: signing of data access requests is centralized while the clients themselves send the data access requests and digital signatures, so a large number of legitimate user data access requests can be supported;
2) Based on digital signature technology, the database system can verify the legitimacy of a data access request, which enhances data access security and reduces the risk of data leakage;
3) The data access control device only performs permission verification and digital signing and is not responsible for relaying the data access request, which reduces its load, improves throughput, and meets the data access control requirements of high-concurrency scenarios.
In one embodiment herein, the data access control apparatus and client may be a computer device, as shown in fig. 13, where the computer device 1302 may include one or more processors 1304, such as one or more Central Processing Units (CPUs), each of which may implement one or more hardware threads. The computer device 1302 may also include any memory 1306 for storing any kind of information, such as code, settings, data, etc. For example, and without limitation, memory 1306 may include any one or more of the following combinations: any type of RAM, any type of ROM, flash memory devices, hard disks, optical disks, etc. More generally, any memory may store information using any technique. Further, any memory may provide volatile or non-volatile retention of information. Further, any memory may represent fixed or removable components of computer device 1302. In one case, when the processor 1304 executes associated instructions stored in any memory or combination of memories, the computer device 1302 can perform any of the operations of the associated instructions. The computer device 1302 also includes one or more drive mechanisms 1308 for interacting with any memory, such as a hard disk drive mechanism, optical disk drive mechanism, and the like.
The computer device 1302 may also include an input/output module 1310 (I/O) for receiving various inputs (via an input device 1312) and for providing various outputs (via an output device 1314). One particular output mechanism may include a presentation device 1316 and an associated Graphical User Interface (GUI) 1318. In other embodiments, input/output module 1310 (I/O), input device 1312, and output device 1314 may not be included, but merely as a computer device in a network. Computer device 1302 can also include one or more network interfaces 1320 for exchanging data with other devices via one or more communication links 1322. One or more communication buses 1324 couple the above-described components together.
The communication link 1322 may be implemented in any manner, for example, through a local area network, a wide area network (e.g., the internet), a point-to-point connection, etc., or any combination thereof. Communication link 1322 may include any combination of hardwired links, wireless links, routers, gateway functions, name servers, etc., governed by any protocol or combination of protocols.
It should be understood that, in the various embodiments herein, the sequence number of each process described above does not mean the sequence of execution, and the execution sequence of each process should be determined by its functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments herein.
It should also be understood that in embodiments herein, the term "and/or" is merely one relationship that describes an associated object, meaning that three relationships may exist. For example, a and/or B may represent: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided herein, it should be understood that the disclosed systems, devices, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices, or elements, or may be an electrical, mechanical, or other form of connection.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the elements may be selected according to actual needs to achieve the objectives of the embodiments herein.
In addition, each functional unit in the embodiments herein may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions herein are essentially or portions contributing to the prior art, or all or portions of the technical solutions may be embodied in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments herein. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Specific examples are set forth herein to illustrate the principles and embodiments herein and are merely illustrative of the methods herein and their core ideas; also, as will be apparent to those of ordinary skill in the art in light of the teachings herein, many variations are possible in the specific embodiments and in the scope of use, and nothing in this specification should be construed as a limitation on the invention.

Claims (17)

1. A data access control method based on digital signature, characterized by being applied to a data access control device, comprising:
receiving a data access request sent by a client;
verifying the access authority of a user, and signing a data access request after the authority verification is passed to obtain a digital signature, wherein the data access request comprises: user information, database system identification, access command;
and sending the digital signature to the client so that the client can send a data access request and the digital signature to a target database system.
2. The method of claim 1, wherein verifying the access rights of the user comprises:
acquiring a permission set of a user in a database system according to user information and a database system identifier in the data access request, wherein the permission set of the user in the database system consists of a plurality of tuples, and each tuple comprises a data table identifier and an operation type;
performing syntax analysis on the access command in the data access request to obtain an access object and an operation type;
judging whether the authority set of the user in the database system is consistent with the access object and the operation type, and if so, passing the access authority verification.
3. The method of claim 1, wherein signing the data access request to obtain the digital signature comprises:
carrying out serialization processing on the data access request or the data access request and the time information;
calculating abstract information of the serialized data;
determining timeliness of the data according to the database system identification in the data access request;
determining the priority of a data access request according to the timeliness of the data and the user information;
inquiring a first target asymmetric encryption algorithm corresponding to the priority of a data access request from a first encryption algorithm configuration table which is pre-configured;
and carrying out signature processing on the abstract information of the serialized data by using the first target asymmetric encryption algorithm to obtain a digital signature.
4. The method of claim 1, wherein signing the data access request to obtain the digital signature comprises:
carrying out serialization processing on the data access request or the data access request and the time information;
calculating abstract information of the serialized data;
counting the number of unprocessed data access requests at fixed time intervals;
inquiring a second target asymmetric encryption algorithm corresponding to the data access request number from a second encryption algorithm configuration table which is pre-configured;
and carrying out signature processing on the abstract information of the serialized data by using the second target asymmetric encryption algorithm to obtain a digital signature.
5. The method of claim 1, further comprising, upon receiving a data access request sent by a client:
performing correctness checking on the data access request;
after the check passes, the access right of the user is verified.
6. The method of claim 5, wherein checking the data access request for correctness comprises:
verifying whether the data access request is consistent with the data format of the standard data access request;
and verifying whether the parameters in the data access request meet preset rules.
7. A data access control method based on digital signatures, applied to a target database system, comprising:
receiving a data access request and a digital signature sent by a client;
and carrying out signature verification operation on the digital signature to judge whether the digital signature is matched with the received data access request, and if so, responding to the data access request.
8. The method of claim 7, wherein the data access request further comprises: requesting time information;
after determining that the digital signature matches the received data access request, further comprising:
carrying out preset value postponement processing on the request time information in the data access request to obtain a deadline;
judging whether the current time is earlier than the deadline, if not, not responding to the data access request, and if so, responding to the data access request.
9. The method of claim 7, further comprising, prior to responding to the data access request:
judging whether the digital signature exists in the cache, if so, not responding to the data access request, if not, storing the digital signature in the cache, setting the effective time of the digital signature, and deleting the digital signature in the cache after the effective time is up.
10. The method of claim 7, wherein the digital signature is obtained by encrypting digest information of the data access request using a private key associated with a target database system;
performing a signature verification operation on the digital signature to determine whether the digital signature matches the received data access request includes:
carrying out serialization processing on the data access request;
calculating abstract information of the serialized data;
decrypting the digital signature by using the public key of the system;
and judging whether the decryption result is consistent with the abstract information of the serialized data.
11. A data access control apparatus, comprising:
the receiving module is used for receiving a data access request sent by the client;
the permission verification module is used for verifying the access permission of the user;
the signature module is used for carrying out signature processing on the data access request after the permission verification is passed to obtain a digital signature, wherein the data access request comprises: user information, database system identification, access command;
and the sending unit is used for sending the digital signature to the client so that the client can send the data access request and the digital signature to a target database system.
12. A database system, comprising:
the receiving module is used for receiving the data access request and the digital signature sent by the client;
and the signature verification module is used for carrying out signature verification operation on the digital signature so as to judge whether the digital signature is matched with the received data access request, and if so, the execution module responds to the data access request.
13. A digital signature based data access control system, comprising: a client, a data access control device and a plurality of database systems;
the client is used for sending a data access request to the data access control device, and for sending the data access request together with a digital signature to a target database system; wherein the data access request comprises: user information, a database system identifier, and an access command;
the data access control device is used for receiving the data access request, verifying the access permission of the user, signing the data access request after the permission verification has passed to obtain the digital signature, and sending the digital signature to the client;
the database system is used for receiving the data access request and the digital signature, performing a signature verification operation on the digital signature to judge whether the digital signature matches the received data access request, and responding to the data access request if it does.
14. The system of claim 13, wherein the data access control device comprises a plurality of access control devices arranged in a cascade, each access control device receiving the data access requests sent by the clients in its own service area;
and when an access control device fails, the clients in its service area send their data access requests to the access control device one level above it.
15. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any one of claims 1 to 10 when executing the computer program.
16. A computer storage medium having stored thereon a computer program, which when executed by a processor of a computer device implements the method of any of claims 1 to 10.
17. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor of a computer device, implements the method of any one of claims 1 to 10.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310060656.1A CN116415214A (en) 2023-01-16 2023-01-16 Data access control method and system based on digital signature

Publications (1)

Publication Number Publication Date
CN116415214A true CN116415214A (en) 2023-07-11

Family

ID=87057206

Country Status (1)

Country Link
CN (1) CN116415214A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination