CN116415214A - Data access control method and system based on digital signature - Google Patents
Abstract
The invention relates to the field of data access and provides a data access control method and system based on digital signatures. The method comprises the following steps: a data access control device receives a data access request sent by a client, verifies the user's access authority, signs the data access request after the authority verification passes to obtain a digital signature, and sends the digital signature to the client, wherein the data access request comprises user information, a database system identification and an access command; the client sends the data access request and the digital signature to a target database system; and the target database system receives the data access request and the digital signature, performs a signature verification operation on the digital signature to judge whether it matches the received data access request, and responds to the data access request if it does. The method and device ensure secure access to the data in the database system while reducing the load on the data access control device and improving throughput, so that the data access control requirements of high-concurrency scenarios can be met.
Description
Technical Field
The present disclosure relates to the field of data access, and in particular, to a method and system for controlling data access based on digital signature.
Background
With the rapid development of society, the importance of data has become increasingly prominent. Large amounts of data are stored centrally in database systems, and data-use and data-query functions are provided to data analysts or enterprise managers through channels such as business intelligence platforms, in order to serve data application scenarios such as customer marketing, management analysis and enterprise administration. In this process, the various ways of using data pose new challenges to data information security, and ensuring that data can be used conveniently and quickly while keeping it secure is of great significance.
In the prior art, one data access control method relies on the database users of the database system: a plurality of database users are allocated to perform add, delete and query operations, with each database user holding different authority. This method has the following problems: first, the number of database users is often limited by the functions provided by the database system and cannot satisfy a large number of enterprise users; second, the user and rights management implementations of different database systems are inconsistent, so users and rights must be configured for each database system separately, which makes maintenance costly and management difficult.
Another prior art data access control method receives the user's database access request through a data access control device, determines whether the user has access rights to the related data, and if so sends the access command (an SQL statement) to the database system. This method decouples the database system from data access control through centralized control, so it serves a large number of enterprise users and the centralized control reduces maintenance cost. However, the database system cannot perceive or verify whether the requested SQL statement is legitimate: if an illegal user bypasses the data access control device and sends SQL statements directly to the database system, unauthorized access can occur. Moreover, all SQL statements must be relayed to the database system through the data access control device, so under high concurrency the data access control device becomes heavily loaded and data access responses are delayed.
Disclosure of Invention
The method is used to solve the problem that data access control in the prior art can provide poor security as the data access volume increases.
In order to solve the above technical problem, an aspect of the present disclosure provides a data access control method based on digital signature, which is applied to a data access control device, including:
Receiving a data access request sent by a client, verifying the access authority of a user, and signing the data access request after the authority verification is passed to obtain a digital signature, wherein the data access request comprises: user information, database system identification, access command;
and sending the digital signature to the client so that the client can send a data access request and the digital signature to a target database system.
As a further embodiment herein, verifying the access rights of the user includes:
acquiring the user's permission set in the database system according to the user information and the database system identifier in the data access request, wherein the permission set consists of a plurality of tuples, each comprising a data table identifier and an operation type;
performing syntax analysis on the access command in the data access request to obtain an access object and an operation type;
judging whether the user's permission set in the database system is consistent with the access object and the operation type, and if so, the access authority verification passes.
In a further embodiment herein, signing the data access request to obtain a digital signature includes:
serializing the data access request, or the data access request together with the time information;
calculating a digest of the serialized data;
determining the timeliness of the data according to the database system identification in the data access request;
determining the priority of the data access request according to the timeliness of the data and the user information;
querying a pre-configured first encryption algorithm configuration table for the first target asymmetric encryption algorithm corresponding to the priority of the data access request;
and signing the digest of the serialized data with the first target asymmetric encryption algorithm to obtain the digital signature.
In a further embodiment herein, signing the data access request to obtain a digital signature includes:
serializing the data access request, or the data access request together with the time information;
calculating a digest of the serialized data;
counting the number of unprocessed data access requests at fixed time intervals;
querying a pre-configured second encryption algorithm configuration table for the second target asymmetric encryption algorithm corresponding to that number of data access requests;
and signing the digest of the serialized data with the second target asymmetric encryption algorithm to obtain the digital signature.
In a further embodiment, after receiving the data access request sent by the client, the method further includes:
performing a correctness check on the data access request;
and verifying the user's access right after the check passes.
As a further embodiment herein, performing a correctness check on the data access request includes:
verifying whether the data access request is consistent with the data format of the standard data access request;
and verifying whether the parameters in the data access request meet preset rules.
The second aspect of the present invention also provides a data access control method based on digital signature, applied to a target database system, comprising:
receiving a data access request and a digital signature sent by a client;
and performing a signature verification operation on the digital signature to judge whether it matches the received data access request, and if so, responding to the data access request.
As a further embodiment herein, the data access request further includes: request time information;
after determining that the digital signature matches the received data access request, the method further comprises:
adding a preset value to the request time information in the data access request to obtain a deadline;
judging whether the current time is earlier than the deadline; if not, the data access request is not responded to, and if so, it is responded to.
As a further embodiment herein, before responding to the data access request, the method further includes:
judging whether the digital signature already exists in the cache; if so, not responding to the data access request; if not, storing the digital signature in the cache and setting an effective time for it, and deleting the digital signature from the cache once the effective time has elapsed.
In a further embodiment, the digital signature is obtained by encrypting the digest of the data access request with a private key associated with the target database system;
performing a signature verification operation on the digital signature to determine whether it matches the received data access request includes:
serializing the data access request;
calculating a digest of the serialized data;
decrypting the digital signature with the public key of the system;
judging whether the decryption result is consistent with the digest of the serialized data; if so, the match succeeds, otherwise it fails.
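The signing steps above (serialize, digest, sign with an asymmetric key), the deadline derived from the request time, the replay cache and the digest-comparison verification, written out as an added Go example that is not part of the patent. It assumes Ed25519 (the curve the detailed description names later) over a SHA-512 digest of a JSON serialization, constructed field names and sample values, and a single fixed preset validity of 30 seconds in place of the configurable value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
	"time"
)

// AccessRequest is the signed unit: user information, database system
// identification, access command and request time (field names are constructed).
type AccessRequest struct {
	UserID      string `json:"user_id"`
	DBSystemID  string `json:"db_system_id"`
	Command     string `json:"command"`
	RequestTime int64  `json:"request_time"` // Unix seconds
}

// digest serializes the request to JSON (field order is fixed by the struct,
// so device and database produce identical bytes) and hashes it with SHA-512.
func digest(r AccessRequest) ([]byte, error) {
	b, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	sum := sha512.Sum512(b)
	return sum[:], nil
}
// ControlDevice holds the Ed25519 private key for one target database system.
type ControlDevice struct{ priv ed25519.PrivateKey }
// Sign produces the digital signature handed to the client after the permission check.
func (c *ControlDevice) Sign(r AccessRequest) ([]byte, error) {
	d, err := digest(r)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(c.priv, d), nil
}
var (
	ErrBadSignature = errors.New("digital signature does not match request")
	ErrExpired      = errors.New("request deadline has passed")
	ErrReplay       = errors.New("digital signature already used")
)
// DatabaseSystem verifies with the device's public key, enforces the
// request-time deadline and caches signatures it has already accepted.
type DatabaseSystem struct {
	pub      ed25519.PublicKey
	validFor time.Duration        // the "preset value" added to the request time
	mu       sync.Mutex
	seen     map[string]time.Time // signature -> time at which it is evicted
}

func NewDatabaseSystem(pub ed25519.PublicKey, validFor time.Duration) *DatabaseSystem {
	return &DatabaseSystem{pub: pub, validFor: validFor, seen: map[string]time.Time{}}
}
// Authorize applies the checks in the order the description gives them: signature
// match, then deadline, then replay cache (an accepted signature is cached until its deadline).
func (db *DatabaseSystem) Authorize(r AccessRequest, sig []byte) error {
	d, err := digest(r)
	if err != nil {
		return err
	}
	if !ed25519.Verify(db.pub, d, sig) {
		return ErrBadSignature
	}
	now := time.Now()
	deadline := time.Unix(r.RequestTime, 0).Add(db.validFor)
	if !now.Before(deadline) {
		return ErrExpired
	}
	db.mu.Lock()
	defer db.mu.Unlock()
	for k, evictAt := range db.seen { // drop entries whose effective time is up
		if !now.Before(evictAt) {
			delete(db.seen, k)
		}
	}
	if _, dup := db.seen[string(sig)]; dup {
		return ErrReplay
	}
	db.seen[string(sig)] = deadline
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &ControlDevice{priv: priv}
	db := NewDatabaseSystem(pub, 30*time.Second)
	req := AccessRequest{UserID: "u1001", DBSystemID: "db-risk-01", Command: "SELECT id FROM uuu.table_xxx_yyy", RequestTime: time.Now().Unix()}
	sig, _ := dev.Sign(req)
	fmt.Println("first use:", db.Authorize(req, sig)) // <nil>
	fmt.Println("replay:", db.Authorize(req, sig))    // digital signature already used
	req.Command = "DELETE FROM uuu.table_xxx_yyy"     // altered after signing
	fmt.Println("tampered:", db.Authorize(req, sig))  // digital signature does not match request
}
```

Because the client relays both the request and the signature, any change to the command after signing changes the digest and fails verification, which is what lets the database system reject requests that bypassed the control device.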
A third aspect herein provides a data access control apparatus comprising:
the receiving module is used for receiving a data access request sent by the client;
the permission verification module is used for verifying the access permission of the user;
the signature module is used for carrying out signature processing on the data access request after the permission verification is passed to obtain a digital signature, wherein the data access request comprises: user information, database system identification, access command;
and the sending module is used for sending the digital signature to the client so that the client can send the data access request and the digital signature to a target database system.
A fourth aspect herein provides a database system comprising:
the receiving module is used for receiving the data access request and the digital signature sent by the client;
and the signature verification module is used for carrying out signature verification operation on the digital signature so as to judge whether the digital signature is matched with the received data access request, and if so, the execution module responds to the data access request.
A fifth aspect herein provides a digital signature based data access control system comprising: a client, a data access control device and a plurality of database systems;
the client is used for sending a data access request to the data access control device, and for sending the data access request and the digital signature to a target database system; wherein the data access request includes: user information, database system identification, access command;
the data access control device is used for receiving the data access request, verifying the access authority of a user, signing the data access request after the authority verification is passed to obtain a digital signature, and sending the digital signature to the client;
the database system is used for receiving the data access request and the digital signature, carrying out signature verification operation on the digital signature so as to judge whether the digital signature is matched with the received data access request, and responding to the data access request if the digital signature is matched with the received data access request.
In a further embodiment herein, the data access control apparatus includes a plurality of access control devices arranged in a cascade, each access control device receiving the data access requests sent by the clients in its service area;
when an access control device fails, the clients in its service area send their data access requests to the access control device one level above it.
A sixth aspect herein provides a computer apparatus comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any of the preceding embodiments when the computer program is executed.
A seventh aspect herein provides a computer storage medium having stored thereon a computer program which, when executed by a processor of a computer device, implements a method as described in any of the previous embodiments.
An eighth aspect herein provides a computer program product comprising a computer program which, when executed by a processor of a computer device, implements a method as described in any of the preceding embodiments.
With the digital signature based data access control method, apparatus and system, data access control device and database system provided herein, the data access control device receives the data access request sent by the client, verifies the user's access authority and, after verification, signs the data access request to obtain a digital signature and sends it to the client, wherein the data access request comprises user information, database system identification and access command; the client sends the data access request and the digital signature to the target database system; the target database system receives both, performs a signature verification operation to judge whether the digital signature matches the received data access request, and responds to the request if it does. The database system can therefore verify the legitimacy of each data access request from its digital signature, ensuring secure access to the data, while the data access control device performs only authority verification and digital signing and is not responsible for relaying the data access requests, which reduces its load, improves throughput and meets the data access control requirements of high-concurrency scenarios.
The foregoing and other objects, features and advantages will be apparent from the following more particular description of preferred embodiments, as illustrated in the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments herein, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates a flow chart of a digital signature based data access control method of embodiments herein;
FIG. 2 illustrates a flow diagram of a data access request checking process of an embodiment herein;
FIG. 3 illustrates a flow chart of a process for verifying user access rights in embodiments herein;
FIG. 4 illustrates a first flow chart of a digital signature process for a data access request according to embodiments herein;
FIG. 5 illustrates a second flowchart of a digital signature process for a data access request according to embodiments herein;
FIG. 6 illustrates a first flowchart of a database system validation data access request process of embodiments herein;
FIG. 7 illustrates a second flowchart of a database system validation data access request process of embodiments herein;
FIG. 8 illustrates a third flowchart of a database system validation data access request process of embodiments herein;
FIG. 9 illustrates a block diagram of a digital signature based data access control system of embodiments herein;
FIG. 10 illustrates a block diagram of a data access control apparatus of an embodiment herein;
FIG. 11 illustrates a block diagram of a database system of embodiments herein;
FIG. 12 illustrates a flow chart of a process performed by the signature verification module of embodiments herein;
FIG. 13 illustrates a block diagram of a computer device of embodiments herein.
Description of the drawings:
901. a client;
902. a data access control device;
903. a database system;
1001. a receiving module;
1002. a permission checking module;
1003. a signature module;
1004. a transmitting module;
1005. a user authority pool;
1102. a storage device;
11011. a receiving module;
11012. a signature verification module;
11013. an execution module;
1302. a computer device;
1304. a processor;
1306. a memory;
1308. a driving mechanism;
1310. an input/output module;
1312. an input device;
1314. an output device;
1316. a presentation device;
1318. a graphical user interface;
1320. a network interface;
1322. a communication link;
1324. a communication bus.
Detailed Description
The following description of the embodiments of the present disclosure will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the disclosure. All other embodiments, based on the embodiments herein, which a person of ordinary skill in the art would obtain without undue burden, are within the scope of protection herein.
It should be noted that the terms "first," "second," and the like in the description and claims herein and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, apparatus, article, or device that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or device.
The present specification provides method operational steps as described in the examples or flowcharts, but may include more or fewer operational steps based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one way of performing the order of steps and does not represent a unique order of execution. When a system or apparatus product in practice is executed, it may be executed sequentially or in parallel according to the method shown in the embodiments or the drawings.
It should be noted that the digital signature based data access control method and device herein can be used for data access control in the financial field and equally in any other field; their field of application is not limited.
It should be noted that, user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
In an embodiment of the present invention, a data access control method based on digital signature is provided, which is used to solve the problem that data access control in the prior art can provide poor security as the data access volume increases. Specifically, as shown in fig. 1, the method includes:
Step 101, the data access control device receives a data access request sent by the client, verifies the access authority of the user, performs signature processing on the data access request after the authority verification is passed to obtain a digital signature, and sends the digital signature to the client.
Wherein the data access request includes: user information, database system identification and access command. The user information includes a user identification and credentials; the user identification uniquely represents a user, e.g. an identity card number, a mobile phone number, a user name, etc. Credentials include, but are not limited to, user passwords, user password digests, digital signatures, and the like. The database system identification uniquely represents/locates the database system. The access command may be implemented by an SQL statement including, but not limited to, SELECT, UPDATE, DELETE, ALTER, etc.
The process of signing the data access request to obtain the digital signature comprises the following steps: first serializing the data access request, then calculating a digest of the serialized data, and signing the digest. Signing the digest of the data access request rather than the request itself improves signing efficiency and avoids the slowdown an oversized data access request would otherwise cause. When this step is implemented, the size of the serialized data may be judged first: when it is larger than a preset value, the digest of the serialized data is calculated and signed; when it is smaller than or equal to the preset value, the serialized data may be signed directly. The digest may be calculated with an existing algorithm such as SHA512; the specific calculation method is not limited herein.
The data access control device may be a server, a computer device or the like. In particular, when the application system includes institutions at a plurality of different levels, for example a banking system with headquarters and branches, in order to improve data access efficiency the data access control device includes a plurality of access control devices arranged in a cascade, each of which receives the data access requests sent by the clients in its service area. This layout prevents a large number of data access requests generated at the same time from interfering with one another and improves the response efficiency of data access requests.
Further, when an access control device fails, the data access requests sent by the clients in its service area are sent to the access control device one level above it. In this way, effective processing of data access requests can be guaranteed.
The client may be a desktop computer, tablet computer, notebook computer, smart phone, digital assistant, smart wearable device, etc. Smart wearable devices may include smart bands, smart watches, smart glasses, smart helmets, etc. Of course, the client is not limited to a physical electronic device and may also be software running on an electronic device.
Verifying the user's access authority and generating the digital signature in the data access control device decouples user authority management from data access request forwarding, improves the efficiency of sending data access requests, lets the database system perceive the legitimacy of each data access, and thereby ensures data access security.
Step 102, the client sends a data access request and a digital signature to the target database system.
After receiving the digital signature sent by the data access control device, the client directly sends the data access request and the digital signature to the target database system.
Step 103, the target database system receives the data access request and the digital signature, performs a signature verification operation on the digital signature to judge whether it matches the received data access request, and responds to the data access request if it does.
According to this embodiment, the data access control device signs the data access request and the client sends the data access request and the digital signature to the database system, so that, while authority is managed and controlled centrally, the database system can verify the legitimacy of the data access request from its digital signature; the data access control device performs only authority verification and digital signing and is not responsible for relaying the data access request, which reduces its load, improves throughput and meets the data access control requirements of high-concurrency scenarios.
In an embodiment herein, after receiving the data access request sent by the client, the data access control device further performs a correctness check on the data access request and verifies the user's access right only after the request passes the check. Specifically, as shown in fig. 2, the correctness check includes:
Step 202, verifying whether the parameters in the data access request meet preset rules. The preset rules define the value ranges of the parameters in the data access request.
In this embodiment, the correctness check is performed on the data access request first, and when the data access request is incorrect, verification of the user's access right is skipped entirely.
In one embodiment herein, as shown in fig. 3, the step 101 of verifying the access right of the user includes:
Wherein the data table identification may be represented by a table name, such as uuu.table_xxx_yyy, the operation type refers to the operation type allowed by the access command, including, but not limited to SELECT, UPDATE, DELETE, ALTER, etc. The tuple is an unalterable data structure, integrates several data into an ordered whole, and is not changed any more, and is represented by brackets, such as (uuu.table_xxx_yy, SELECT), (uuu.table_xxx_yy, UPDATE) and the like, and when the tuple comparison is performed, the data of the two tuples must be completely consistent to be considered as equal.
When the step is implemented, the authority set of the user in the database system is obtained from the user authority pool.
And 302, carrying out grammar analysis on the access command in the data access request to obtain an access object and an operation type.
In detail, each access object and its corresponding operation type may constitute a tuple, and a plurality of tuples constitute a check set. For example, if an access command has multiple operation types for the same table (access object), multiple tuples are obtained.
When this step is implemented, the difference set of the check set with respect to the authority set is calculated: if it is empty the authority check passes, otherwise the authority check fails. This difference set is the set of all elements that belong to the check set but not to the authority set.
The embodiment stores the user rights in a tuple mode, and can ensure the orderly verification of the user access rights.
In an embodiment herein, to ensure signing speed and efficiency, the signature algorithm may be the EDWARDS25519 algorithm (the Ed25519 scheme), a fast signature algorithm over the edwards25519 elliptic curve. The algorithm uses a public key and a private key: the public key is published and used for signature verification, the private key is used for signing, and both keys are 32 bytes long. While maintaining its security strength, the Edwards25519 elliptic curve signature algorithm can reach about 100,000 signatures per second and 70,000 signature verifications per second on a 2.4 GHz Intel Westmere CPU.
In one embodiment herein, as shown in fig. 4, the digital signature of the data access request by the data access control device includes:
This step converts the data access request into a character string, which is convenient for signing. In some embodiments the data access request is encapsulated in JSON format, and the serialization in this step converts the JSON object into a string.
When this step is implemented, the data timeliness corresponding to the database system identification in the data access request is looked up from the association between database systems and timeliness. Timeliness indicates how frequently the stored data in the database system is updated: the faster the update frequency, the shorter the data timeliness, and the slower the update frequency, the longer the data timeliness.
When this step is implemented, the association between timeliness, user grade and access priority is preconfigured: the shorter the timeliness and the higher the user grade, the higher the corresponding priority.
The first encryption algorithm configuration table records the association between priority and asymmetric encryption algorithm: the higher the priority, the faster the processing speed of the assigned asymmetric encryption algorithm, so that the timeliness of data access is ensured.
Since signature algorithms with high encryption speed also have high CPU occupancy and cost, this embodiment selects the encryption algorithm according to how time-sensitive the data access request is. This reduces encryption cost and resource occupancy while still ensuring effective encryption of the data access request.
In one embodiment herein, as shown in fig. 5, the digital signature of the data access request by the data access control device includes:
In practice the fixed time interval may be set as required and is not limited herein.
In detail, the second encryption algorithm configuration table records the correspondence between the number of data access requests and the asymmetric encryption algorithms. The correspondence is established as follows: first the number X of data access requests that an asymmetric encryption algorithm can process within a preset time period is determined, and then the algorithm is associated with a range around X (X increased or decreased by a preset value).
In this embodiment the encryption algorithm can be adjusted according to the number of unprocessed data access requests, so that the encryption efficiency of the data access requests is guaranteed and a balance between encryption efficiency and encryption overhead is achieved.
In one embodiment herein, the data access request includes, in addition to the user information, database system identification and access command, request time information.
As shown in fig. 6, after the database system determines that the decryption result is consistent with the received data access request, the method further includes:
The predetermined value may be chosen according to the transfer time of the data access request; in some embodiments the predetermined value is, for example, 10 minutes.
This embodiment avoids responding to repeated or abnormally transmitted data access requests and ensures the safety of data access.
In one embodiment herein, as shown in fig. 7, before the database system responds to the data access request, the method further includes:
The effective time can be set according to actual requirements, and in some embodiments, the effective time is 10 minutes.
This embodiment ensures that each data access request is responded to only once, avoiding repeated responses when a data access request is sent repeatedly because of a network failure, user misoperation, or interception by an illegal user.
In one embodiment, the digital signature is obtained by encrypting summary information of the data access request by using a private key associated with the target database.
As shown in fig. 8, the target database system performs a signature verification operation on the digital signature to determine whether the digital signature matches the received data access request includes:
In a further embodiment, the number of times a response to a data access request is refused is also recorded, and once the count reaches a certain amount a reminder is sent to the client.
In one embodiment herein, there is also provided a data access control system based on digital signature, as shown in fig. 9, the data access control system includes: a client 901, a data access control device 902, and a plurality of database systems 903.
The client 901 is configured to send a data access request to the data access control device; and sending the data access request and the digital signature to a target database system. Wherein the data access request includes: user information, database system identification, access commands.
The data access control device 902 is configured to receive the data access request, verify an access right of a user, perform signature processing on the data access request after the access right passes the verification, obtain a digital signature, and send the digital signature to the client.
The database system 903 is configured to receive a data access request and a digital signature, and perform a signature verification operation on the digital signature to determine whether the digital signature matches the received data access request, and if so, respond to the data access request.
According to this embodiment, the database system can verify the validity of the data access request from the digital signature, so safe data access is guaranteed. At the same time the data access control device only performs authority verification and digital signing and does not relay the data access request, which reduces its load, improves throughput, and meets the data access control requirement in high-concurrency scenarios.
In one embodiment herein, as shown in fig. 10, a data access control apparatus includes: a receiving module 1001, a right checking module 1002, a signing module 1003 and a transmitting module 1004.
The receiving module 1001 is configured to receive the data access request initiated by the client and perform a format check. The format check includes: checking whether the data access request contains the user information, database system identifier, SQL statement and request time, and whether the fields in the data access request have the correct format. The purpose of the format check is that the information can be identified and is not obviously unreasonable; for example, the request time should not exceed a predetermined time.
Specifically, it is checked whether the user information is correct and whether the database system identification is correct. The user information check verifies the legality of the user; the user information comprises the user's identification and credentials, and the credentials can take various forms such as a user password, a digest of the user password, or a digital signature. Checking the database system identification only requires confirming that the identification exists.
The permission checking module 1002 is configured to check whether the user has permission for the data related to the current data access request.
Specifically, the method comprises the following steps:
Step 1, obtaining the user's authority in the database system from the user information and database system identifier in the data access request, and forming an authority set A whose elements are (table name, operation type) tuples. The user's authority set for the database system is stored in the user authority pool 1005.
Step 2, performing grammar analysis on the SQL statement of the data access request to obtain the tables involved and their operation types, and forming a check set from them. If the SQL statement has multiple operation types for the same table, the check set contains a corresponding tuple for each.
Step 3, calculating the difference set of the check set with respect to the authority set: if it is empty the authority check passes, otherwise the authority check fails. This difference set is the set of all elements that belong to the check set but not to the authority set.
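The three steps of the permission-checking module above (and the tuple comparison described for step 302 earlier), as an added example in Go that is not the patent's own code. It assumes an in-memory map standing in for the user authority pool 1005, a constructed user `alice` with a constructed authority set on a constructed database `db_orders`, and a simplified regular-expression grammar analysis that recovers the tables named by SELECT, UPDATE, DELETE and ALTER statements (a production implementation would use a real SQL parser). A statement type the analysis does not understand is rejected rather than producing an empty check set, because an empty check set would otherwise pass the difference-set test.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Perm is one (data table identification, operation type) tuple; as a map key it
// gives the "completely consistent" equality the text requires.
type Perm struct {
	Table string
	Op    string
}

// Constructed stand-in for the user authority pool: user -> database system
// identifier -> authority set A. The user, database and tables are made up.
var authorityPool = map[string]map[string]map[Perm]bool{
	"alice": {
		"db_orders": {
			{"uuu.table_xxx_yyy", "SELECT"}: true,
			{"uuu.table_xxx_yyy", "UPDATE"}: true,
			{"uuu.table_aaa_bbb", "SELECT"}: true,
		},
	},
}

// Simplified grammar analysis (assumption: a real SQL parser is used in practice).
var leading = map[string]*regexp.Regexp{ // statement keyword -> target table
	"UPDATE": regexp.MustCompile(`(?i)^\s*UPDATE\s+([A-Za-z_][\w.]*)`),
	"DELETE": regexp.MustCompile(`(?i)^\s*DELETE\s+FROM\s+([A-Za-z_][\w.]*)`),
	"ALTER":  regexp.MustCompile(`(?i)^\s*ALTER\s+TABLE\s+([A-Za-z_][\w.]*)`),
}
var reRead = regexp.MustCompile(`(?i)\b(?:FROM|JOIN)\s+([A-Za-z_][\w.]*)`)

// CheckSet builds the check set for one SQL statement (step 2). A statement that
// both modifies and reads a table yields two tuples for it, as the text describes.
func CheckSet(sql string) (map[Perm]bool, error) {
	set := map[Perm]bool{}
	fields := strings.Fields(sql)
	if len(fields) == 0 {
		return nil, fmt.Errorf("empty access command")
	}
	head := strings.ToUpper(fields[0])
	skip := 0 // for DELETE the first FROM names the target, not a read
	if re, ok := leading[head]; ok {
		m := re.FindStringSubmatch(sql)
		if m == nil {
			return nil, fmt.Errorf("unsupported %s form", head)
		}
		set[Perm{m[1], head}] = true
		if head == "DELETE" {
			skip = 1
		}
	} else if head != "SELECT" {
		return nil, fmt.Errorf("unsupported statement type %q", fields[0])
	}
	// Every FROM/JOIN clause, including those inside subqueries, is a read.
	for i, m := range reRead.FindAllStringSubmatch(sql, -1) {
		if i >= skip {
			set[Perm{m[1], "SELECT"}] = true
		}
	}
	if len(set) == 0 {
		return nil, fmt.Errorf("no table found in access command")
	}
	return set, nil
}

// Difference returns the elements of check that are not in authority (step 3).
func Difference(check, authority map[Perm]bool) map[Perm]bool {
	missing := map[Perm]bool{}
	for p := range check {
		if !authority[p] {
			missing[p] = true
		}
	}
	return missing
}

// Authorize is the permission-check module: fetch A from the pool (step 1),
// parse the command (step 2), compute the difference set and pass only if empty.
func Authorize(user, dbID, sql string) (bool, map[Perm]bool, error) {
	authority, ok := authorityPool[user][dbID]
	if !ok {
		return false, nil, fmt.Errorf("no rights recorded for user %q on %q", user, dbID)
	}
	check, err := CheckSet(sql)
	if err != nil {
		return false, nil, err
	}
	missing := Difference(check, authority)
	return len(missing) == 0, missing, nil
}

func main() {
	for _, sql := range []string{"SELECT * FROM uuu.table_xxx_yyy", "DELETE FROM uuu.table_xxx_yyy WHERE id = 1"} {
		ok, missing, err := Authorize("alice", "db_orders", sql)
		fmt.Printf("%-45s pass=%v missing=%v err=%v\n", sql, ok, missing, err)
	}
}
```

The difference set is returned as a map rather than a list so the caller can report exactly which (table, operation) tuples the user lacks; the order of elements does not matter for the pass/fail decision.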
The signature module 1003 is used to digitally sign a data access request that has passed authority verification. The data access control device holds a preconfigured EDWARDS25519 key pair; the public key is published and used to verify signatures, and the private key is used for signing. Specifically, the signing process performed by the signing module 1003 includes:
Step 1, serializing the data access request. Serialization converts the data access request object into a character string so that it can be signed conveniently. In this example JSON is used as the encapsulation format of the data access request, so serialization only requires converting the JSON object into a string.
Step 2, generating a signature for the serialized data access request with the EDWARDS25519 algorithm.
When the EDWARDS25519 algorithm is applied, the summary information (digest) of the serialized data access request is calculated first, and the digital signature is then generated from the summary information.
The sending module 1004 is configured to send the digital signature to the client.
In a specific embodiment the system further includes a user authority pool 1005 that stores all authority information of all users in each database system; the authority verification module 1002 accesses the pool to obtain the user's authority when verifying the user's access authority. The rights information can be changed by publishing, or maintained by a rights manager through a user interface.
In one embodiment herein, as shown in fig. 11, the database system includes at least a receiving module 11011, a signature verification module 11012 and an execution module 11013. The receiving module 11011 is configured to receive the data access request and digital signature and to perform operations such as a format correctness check. The signature verification module 11012 is configured to perform the signature verification operation on the digital signature to determine whether it matches the received data access request. The execution module 11013 is configured to respond to the data access request after the signature verification module 11012 reports a match. In particular, the database system further includes a storage device 1102 configured to store data such as digital signatures and matching results. Fig. 12 shows a schematic flow diagram of the signature verification module 11012, with the following specific steps:
In step 1206, the signature is stored in the cache and the expiration time is set to 10 minutes.
In practice, the 10 minutes in steps 1203 and 1206 may be determined from the cache size and the transfer time of the data access request. If the set time is too short, the data access request may already have expired by the time it reaches the signature verification device after being relayed hop by hop; if the set time is too long, a large number of signatures must be kept in the cache and the cache capacity used becomes large.
Steps 1204, 1205 and 1206 ensure that each data access request is used only once, so that an illegal user cannot reuse a valid data access request and its signature.
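The signing module (steps 1 and 2 above), the signature verification of fig. 8 and claim 10, the request-time deadline of claim 8, and the signature cache with its 10-minute effective time (steps 1203 to 1206), as an added example in Go that is not the patent's own code. It assumes JSON serialization of the four request fields named on the page, SHA-256 as the summary function (the page does not name a hash), Ed25519 from Go's standard library as the EDWARDS25519 algorithm, the control device holding the key pair and the database system holding only the public key, and an in-memory map as a stand-in for the signature cache in storage device 1102. Ed25519 verification has no "decrypt the signature with the public key" step; `ed25519.Verify` performs the equivalent match between signature and digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Validity is the page's 10-minute window, used both for the request deadline
// (request time + predetermined value) and for the signature cache entry.
const Validity = 10 * time.Minute

// Request: user information, database system identification, access command,
// request time (Unix seconds), as listed on the page.
type Request struct {
	User        string `json:"user"`
	DatabaseID  string `json:"database_id"`
	Command     string `json:"command"`
	RequestTime int64  `json:"request_time"`
}

// Serialize produces the JSON string that is signed; encoding/json writes fields
// in declaration order with no whitespace, so both sides get identical bytes.
func Serialize(r Request) []byte { b, err := json.Marshal(r); if err != nil { panic(err) }; return b }

// Digest is the summary information. Assumption: the page names no hash; SHA-256 here.
func Digest(serialized []byte) []byte { s := sha256.Sum256(serialized); return s[:] }

// NewKeyPair generates the control device's Ed25519 key pair (32-byte public key).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the signing module: serialize, digest, sign; hex is what the client gets.
func Sign(priv ed25519.PrivateKey, r Request) string {
	return hex.EncodeToString(ed25519.Sign(priv, Digest(Serialize(r))))
}

var (
	ErrBadSignature = errors.New("signature does not match request")
	ErrExpired      = errors.New("request deadline passed")
	ErrReplay       = errors.New("signature already used")
)

// Verifier is the database system's verification module plus its signature cache
// (hex signature -> expiry time), an in-memory stand-in for storage device 1102.
type Verifier struct {
	pub   ed25519.PublicKey
	cache map[string]time.Time
}

func NewVerifier(pub ed25519.PublicKey) *Verifier { return &Verifier{pub, map[string]time.Time{}} }

// Verify applies the checks in the page's order: the signature must match the
// re-serialized request, now must be before request time + Validity, and the
// signature must not already be cached; a fresh signature is cached for Validity.
func (v *Verifier) Verify(r Request, sigHex string, now time.Time) error {
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(v.pub, Digest(Serialize(r)), sig) {
		return ErrBadSignature
	}
	if !now.Before(time.Unix(r.RequestTime, 0).Add(Validity)) {
		return ErrExpired
	}
	for k, exp := range v.cache { // delete entries whose effective time is up
		if !now.Before(exp) {
			delete(v.cache, k)
		}
	}
	if _, seen := v.cache[sigHex]; seen {
		return ErrReplay
	}
	v.cache[sigHex] = now.Add(Validity)
	return nil
}

func main() {
	pub, priv := NewKeyPair()
	now := time.Now()
	req := Request{"alice", "db_orders", "SELECT * FROM uuu.table_xxx_yyy", now.Unix()}
	sig := Sign(priv, req)
	v := NewVerifier(pub)
	fmt.Println("first delivery:", v.Verify(req, sig, now))
	fmt.Println("replayed copy:", v.Verify(req, sig, now.Add(time.Second)))
	fmt.Println("late delivery:", NewVerifier(pub).Verify(req, sig, now.Add(11*time.Minute)))
}
```

The cache is keyed by the signature itself, as in step 1206. Because Ed25519 signatures are deterministic, a re-sent copy of the same request carries the same signature and is caught whichever path it arrives by, and the deadline check still rejects an old request even after its cache entry has been deleted.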
The digital-signature-based data access control method and device can be applied to access to data in a data table. When they are applied to a more complex data control method in which the original data access request may be modified, the data access control device of the invention digitally signs the modified data access request and returns the modified request together with the digital signature to the client, and the client sends the modified data access request and the digital signature to the database system for execution.
Compared with the prior art, the digital signature-based data access control method and device provided herein have the following advantages:
1) The database system and data access control are decoupled: with centralized signing of data access requests, and with clients sending the data access request and digital signature themselves, a large number of legitimate user data access requests can be supported;
2) Based on digital signature technology, the database system can verify the validity of the data access request, which strengthens data access security and reduces the risk of data leakage;
3) The data access control device only performs authority verification and digital signing and is not responsible for relaying the data access request, which reduces its load, improves throughput, and meets the data access control requirement in high-concurrency scenarios.
In one embodiment herein, the data access control apparatus and client may be a computer device, as shown in fig. 13, where the computer device 1302 may include one or more processors 1304, such as one or more Central Processing Units (CPUs), each of which may implement one or more hardware threads. The computer device 1302 may also include any memory 1306 for storing any kind of information, such as code, settings, data, etc. For example, and without limitation, memory 1306 may include any one or more of the following combinations: any type of RAM, any type of ROM, flash memory devices, hard disks, optical disks, etc. More generally, any memory may store information using any technique. Further, any memory may provide volatile or non-volatile retention of information. Further, any memory may represent fixed or removable components of computer device 1302. In one case, when the processor 1304 executes associated instructions stored in any memory or combination of memories, the computer device 1302 can perform any of the operations of the associated instructions. The computer device 1302 also includes one or more drive mechanisms 1308 for interacting with any memory, such as a hard disk drive mechanism, optical disk drive mechanism, and the like.
The computer device 1302 may also include an input/output module 1310 (I/O) for receiving various inputs (via an input device 1312) and for providing various outputs (via an output device 1314). One particular output mechanism may include a presentation device 1316 and an associated Graphical User Interface (GUI) 1318. In other embodiments the input/output module 1310 (I/O), input device 1312 and output device 1314 may be omitted, the computer device acting merely as a node in a network. Computer device 1302 can also include one or more network interfaces 1320 for exchanging data with other devices via one or more communication links 1322. One or more communication buses 1324 couple the above-described components together.
The communication link 1322 may be implemented in any manner, for example, through a local area network, a wide area network (e.g., the internet), a point-to-point connection, etc., or any combination thereof. Communication link 1322 may include any combination of hardwired links, wireless links, routers, gateway functions, name servers, etc., governed by any protocol or combination of protocols.
It should be understood that, in the various embodiments herein, the sequence number of each process described above does not mean the sequence of execution, and the execution sequence of each process should be determined by its functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments herein.
It should also be understood that in embodiments herein the term "and/or" merely describes an association between objects and indicates that three relationships may exist. For example, "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided herein, it should be understood that the disclosed systems, devices, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices, or elements, or may be an electrical, mechanical, or other form of connection.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the elements may be selected according to actual needs to achieve the objectives of the embodiments herein.
In addition, each functional unit in the embodiments herein may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions herein, or the portions that contribute to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product stored in a storage medium, including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments herein. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
Specific examples are set forth herein to illustrate the principles and embodiments herein and are merely illustrative of the methods herein and their core ideas; also, as will be apparent to those of ordinary skill in the art in light of the teachings herein, many variations are possible in the specific embodiments and in the scope of use, and nothing in this specification should be construed as a limitation on the invention.
Claims (17)
1. A data access control method based on digital signature, characterized by being applied to a data access control device, comprising:
receiving a data access request sent by a client;
verifying the access authority of a user, and signing a data access request after the authority verification is passed to obtain a digital signature, wherein the data access request comprises: user information, database system identification, access command;
and sending the digital signature to the client so that the client can send a data access request and the digital signature to a target database system.
2. The method of claim 1, wherein verifying the access rights of the user comprises:
acquiring a permission set of a user in a database system according to user information and a database system identifier in the data access request, wherein the permission set of the user in the database system consists of a plurality of tuples, and each tuple comprises a data table identifier and an operation type;
carrying out grammar analysis on the access command in the data access request to obtain an access object and an operation type;
judging whether the authority set of the user in the database system is consistent with the access object and the operation type, and if so, passing the access authority verification.
3. The method of claim 1, wherein signing the data access request to obtain the digital signature comprises:
carrying out serialization processing on the data access request or the data access request and the time information;
calculating abstract information of the serialized data;
determining timeliness of the data according to the database system identification in the data access request;
determining the priority of a data access request according to the timeliness of the data and the user information;
inquiring a first target asymmetric encryption algorithm corresponding to the priority of a data access request from a first encryption algorithm configuration table which is pre-configured;
and carrying out signature processing on the abstract information of the serialized data by using the first target asymmetric encryption algorithm to obtain a digital signature.
4. The method of claim 1, wherein signing the data access request to obtain the digital signature comprises:
carrying out serialization processing on the data access request or the data access request and the time information;
calculating abstract information of the serialized data;
counting the number of unprocessed data access requests at fixed time intervals;
inquiring a second target asymmetric encryption algorithm corresponding to the data access request number from a second encryption algorithm configuration table which is pre-configured;
and carrying out signature processing on the abstract information of the serialized data by using the second target asymmetric encryption algorithm to obtain a digital signature.
5. The method of claim 1, further comprising, upon receiving a data access request sent by a client:
performing correctness checking on the data access request;
after the check passes, the access right of the user is verified.
6. The method of claim 5, wherein checking the data access request for correctness comprises:
verifying whether the data access request is consistent with the data format of the standard data access request;
and verifying whether the parameters in the data access request meet preset rules.
7. A data access control method based on digital signatures, applied to a target database system, comprising:
receiving a data access request and a digital signature sent by a client;
and carrying out signature verification operation on the digital signature to judge whether the digital signature is matched with the received data access request, and if so, responding to the data access request.
8. The method of claim 7, wherein the data access request further comprises: requesting time information;
After determining that the digital signature matches the received data access request, further comprising:
carrying out preset value postpone processing on the request time information in the data access request to obtain deadline;
judging whether the current time is earlier than the deadline, if not, not responding to the data access request, and if so, responding to the data access request.
9. The method of claim 7, further comprising, prior to responding to the data access request:
judging whether the digital signature exists in the cache, if so, not responding to the data access request, if not, storing the digital signature in the cache, setting the effective time of the digital signature, and deleting the digital signature in the cache after the effective time is up.
10. The method of claim 7, wherein the digital signature is obtained by encrypting digest information of the data access request using a private key associated with a target database system;
performing a signature verification operation on the digital signature to determine whether the digital signature matches the received data access request includes:
carrying out serialization processing on the data access request;
calculating abstract information of the serialized data;
decrypting the digital signature by using the public key of the system;
and judging whether the decryption result is consistent with the abstract information of the serialized data.
11. A data access control apparatus, comprising:
the receiving module is used for receiving a data access request sent by the client;
the permission verification module is used for verifying the access permission of the user;
the signature module is used for carrying out signature processing on the data access request after the permission verification is passed to obtain a digital signature, wherein the data access request comprises: user information, database system identification, access command;
and the sending unit is used for sending the digital signature to the client so that the client can send the data access request and the digital signature to a target database system.
12. A database system, comprising:
the receiving module is used for receiving the data access request and the digital signature sent by the client;
and the signature verification module is used for carrying out signature verification operation on the digital signature so as to judge whether the digital signature is matched with the received data access request, and if so, the execution module responds to the data access request.
13. A digital signature based data access control system, comprising: a client, a data access control device and a plurality of database systems;
the client is used for sending a data access request to the data access control device; transmitting a data access request and a digital signature to a target database system; wherein the data access request includes: user information, database system identification, access command;
the data access control device is used for receiving the data access request, verifying the access authority of a user, signing the data access request after the authority verification is passed to obtain a digital signature, and sending the digital signature to the client;
the database system is used for receiving the data access request and the digital signature, carrying out signature verification operation on the digital signature so as to judge whether the digital signature is matched with the received data access request, and responding to the data access request if the digital signature is matched with the received data access request.
14. The system of claim 13, wherein the data access control means comprises: the access control equipment is arranged in a cascading way, and each access control equipment receives a data access request sent by a client in a service area of the access control equipment;
When an access control device fails, a client in the service area of the access control device sends a data access request to the access control device of the upper level of the access control device.
15. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any one of claims 1 to 10 when executing the computer program.
16. A computer storage medium having stored thereon a computer program, which when executed by a processor of a computer device implements the method of any of claims 1 to 10.
17. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor of a computer device, implements the method of any one of claims 1 to 10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310060656.1A CN116415214A (en) | 2023-01-16 | 2023-01-16 | Data access control method and system based on digital signature |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116415214A true CN116415214A (en) | 2023-07-11 |
Similar Documents
Publication | Title |
---|---|
US11784791B2 (en) | Verifying an identity based on multiple distributed data sources using a blockchain to safeguard the identity |
CN111783075B (en) | Authority management method, device and medium based on secret key and electronic equipment |
CA3053316C (en) | Method for providing simplified account registration service and user authentication service, and authentication server using same |
US11347876B2 (en) | Access control |
CN109274652B (en) | Identity information verification system, method and device and computer storage medium |
US20170316497A1 (en) | Method for creating, registering, revoking authentication information and server using the same |
WO2021018088A1 (en) | Trusted authentication method, network device, system and storage medium |
CN111416822B (en) | Method for access control, electronic device and storage medium |
US9401911B2 (en) | One-time password certificate renewal |
CN110069908A (en) | A kind of authority control method and device of block chain |
KR102285805B1 (en) | Methods and devices for detecting denial of service attacks in secure interactions |
US11356458B2 (en) | Systems, methods, and computer program products for dual layer federated identity based access control |
CN108965342B (en) | Authentication method and system for data requester to access data source |
WO2019175427A1 (en) | Method, device and medium for protecting work based on blockchain |
CN111585946B (en) | Cryptographic master profile control and transaction arbitration |
CN112235301A (en) | Method and device for verifying access authority and electronic equipment |
CN112511316A (en) | Single sign-on access method and device, computer equipment and readable storage medium |
CN111988262B (en) | Authentication method, authentication device, server and storage medium |
US20220318356A1 (en) | User registration method, user login method and corresponding device |
CN116415214A (en) | Data access control method and system based on digital signature |
CN115967508A (en) | Data access control method and device, equipment, storage medium and program product |
CN116484326B (en) | Multi-account access authority management method and related device based on NFT |
CN117061251B (en) | PKI certificate suspension revocation method and system for authentication platform |
CN112202734B (en) | Service processing method, electronic device and readable storage medium |
WO2024011863A9 (en) | Communication method and apparatus, SIM card, electronic device, and terminal device |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |