CN117113423A - Transparent encryption method, device, equipment and storage medium for database - Google Patents


Info

Publication number
CN117113423A
Authority
CN
China
Prior art keywords
database
encryption
interface
data
custom
Prior art date
Legal status
Granted
Application number
CN202311381486.3A
Other languages
Chinese (zh)
Other versions
CN117113423B (en)
Inventor
宣兆新
黄志昊
陈伟
邹雷
Current Assignee
China Electronics Technology Network Security Technology Co ltd
Original Assignee
China Electronics Technology Network Security Technology Co ltd
Application filed by China Electronics Technology Network Security Technology Co ltd
Priority to CN202311381486.3A
Publication of CN117113423A
Application granted
Publication of CN117113423B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/602 Providing cryptographic facilities or services
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/25 Integrating or interfacing systems involving database management systems


Abstract

The application discloses a transparent encryption method, device, equipment and storage medium for a database. The method comprises the following steps: acquiring a first function address of a native encryption interface of the database; replacing the native encryption interface with a custom encryption interface by means of a HOOK technique and based on the first function address; and, when first data is written from the database memory into the database file, calling the custom encryption interface through the database engine and, through the custom encryption interface, calling a preset cryptographic module to encrypt the first data and obtain ciphertext data. In this way, while the storage security of the database is ensured, the differences between database versions are masked, version maintenance work is reduced, database upgrade and adaptation problems are avoided, and custom development of the database is unnecessary.

Description

Transparent encryption method, device, equipment and storage medium for database
Technical Field
The present application relates to the field of database encryption technology, and in particular to a method, an apparatus, a device and a storage medium for transparent encryption of a database.
Background
Database encryption is the last line of defense for database security. At present, the built-in transparent encryption capability of a database is usually implemented with a software-only algorithm, and certain security risks exist in algorithm implementation, key management and similar aspects. A data security vendor is therefore generally needed to harden the database and achieve storage security. The mainstream approach to hardening an open source database is currently either to modify the source code of the open source database or to rely on the database vendor to release a customized version of the database.
In engineering practice, hardening the database by modifying the open source database's source code or by relying on the database vendor to release a customized version does meet project requirements, but has the following drawbacks: modifying the source code of numerous database versions entails a great deal of development and version maintenance work; upgrading and releasing a customized version entails a great deal of adaptation, verification, operation and maintenance work; and where the database does not support custom development, the cost and difficulty of working with the database vendor are high.
Disclosure of Invention
In view of the above, the present application aims to provide a transparent encryption method, device, equipment and storage medium for a database, which can mask the differences between database versions while ensuring the storage security of the database, reduce version maintenance work, avoid database upgrade adaptation problems, and avoid custom development of the database. The specific scheme is as follows.
In a first aspect, the present application discloses a transparent encryption method for a database, including:
acquiring a first function address of a native encryption interface of the database;
replacing the native encryption interface with a custom encryption interface by means of a HOOK technique and based on the first function address;
when first data is written from the database memory into the database file, calling the custom encryption interface through the database engine, and calling a preset cryptographic module through the custom encryption interface to encrypt the first data and obtain ciphertext data.
Optionally, the method further comprises:
acquiring a second function address of a native key management interface of the database;
replacing the native key management interface with a custom key management interface by means of a HOOK technique and based on the second function address;
and calling the custom key management interface to generate a key and return the key to the database engine.
Optionally, calling the custom key management interface to generate a key and return the key to the database engine includes:
calling the custom key management interface to acquire a key from a preset database encryption management device and return the key to the database engine.
Optionally, calling a preset cryptographic module through the custom encryption interface to encrypt the first data includes:
calling a preset cryptographic module through the custom encryption interface and encrypting the first data based on the key.
Optionally, acquiring a first function address of a native encryption interface of the database and replacing the native encryption interface with a custom encryption interface by means of a HOOK technique and based on the first function address includes:
acquiring, based on a preset database plug-in, a first function address of a native encryption interface of the database, and replacing the native encryption interface with a custom encryption interface by means of a HOOK technique and based on the first function address;
correspondingly, calling the custom encryption interface through the database engine and calling a preset cryptographic module through the custom encryption interface to encrypt the first data and obtain ciphertext data includes:
calling the preset database plug-in through the database engine, and calling a preset cryptographic module through the custom encryption interface to encrypt the first data and obtain ciphertext data.
Optionally, before the step of calling a preset cryptographic module through the custom encryption interface to encrypt the first data and obtain ciphertext data, the method further includes:
determining, based on a configured encryption policy, whether the first data needs to be encrypted, and if so, triggering the custom encryption interface to call the preset cryptographic module to encrypt the first data and obtain ciphertext data.
Optionally, the method further comprises:
acquiring a third function address of a native decryption interface of the database;
replacing the native decryption interface with a custom decryption interface by means of a HOOK technique and based on the third function address;
and, when second data is read from the database file into the database memory, calling the custom decryption interface through the database engine, and calling the preset cryptographic module through the custom decryption interface to decrypt the second data and obtain plaintext data.
In a second aspect, the present application discloses a transparent encryption device for a database, comprising:
a function address acquisition module, configured to acquire a first function address of a native encryption interface of the database;
a native interface replacement module, configured to replace the native encryption interface with a custom encryption interface by means of a HOOK technique and based on the first function address;
and a data encryption module, configured to call the custom encryption interface through the database engine when first data is written from the database memory into the database file, and to call the preset cryptographic module through the custom encryption interface to encrypt the first data and obtain ciphertext data.
In a third aspect, the application discloses an electronic device comprising a memory and a processor, wherein:
the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the foregoing database transparent encryption method.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program, wherein the computer program when executed by a processor implements the aforementioned database transparent encryption method.
Thus, the method first acquires the first function address of the native encryption interface of the database, then replaces the native encryption interface with the custom encryption interface by means of the HOOK technique and based on the first function address; when first data is written from the database memory into the database file, the custom encryption interface is called through the database engine, and a preset cryptographic module is called through the custom encryption interface to encrypt the first data and obtain ciphertext data. In other words, the present application uses the HOOK technique to replace the native encryption interface with a custom encryption interface at the function address of the database's native encryption interface, so that when data is written from the database memory into the database file, the database engine calls the custom encryption interface, which in turn calls the preset cryptographic module to encrypt the first data and obtain ciphertext data.
The beneficial effects of the application are as follows: the native encryption interface of the database is replaced by means of the HOOK technique, and the custom encryption interface is used when data is encrypted, so that the differences between database versions can be masked while the storage security of the database is ensured, version maintenance work is reduced, database upgrade and adaptation problems are avoided, and custom development of the database is unnecessary.
Drawings
In order to describe the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings required for the embodiments or the prior art description are briefly introduced below. It will be apparent that the drawings described below are only embodiments of the present application, and that a person skilled in the art could obtain other drawings from them without inventive effort.
FIG. 1 is a flowchart of a transparent encryption method for a database according to an embodiment of the present application;
FIG. 2 is a schematic diagram of transparent encryption of a database according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a transparent encryption device for a database according to an embodiment of the present application;
FIG. 4 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings. The embodiments described are evidently only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person skilled in the art based on the embodiments of the application without inventive effort fall within the scope of the application.
The mainstream approach to hardening an open source database is currently either to modify its source code or to rely on the database vendor to release a customized version. In engineering practice this meets project requirements, but has the following drawbacks: modifying the source code of numerous database versions entails a great deal of development and version maintenance work; upgrading and releasing a customized version entails a great deal of adaptation, verification, operation and maintenance work; and where the database does not support custom development, the cost and difficulty of working with the database vendor are high. The present application therefore provides a database encryption scheme that masks the differences between database versions while ensuring the storage security of the database, reduces version maintenance work, avoids database upgrade and adaptation problems, and avoids custom development of the database.
Referring to FIG. 1, an embodiment of the present application discloses a transparent encryption method for a database, comprising the following steps:
Step S11: a first function address of a native encryption interface of the database is acquired.
Step S12: the native encryption interface is replaced with a custom encryption interface by means of a HOOK technique (function hooking) and based on the first function address.
In a specific embodiment, the first function address of the native encryption interface of the database may be acquired based on a preset database plug-in, and the native encryption interface is replaced with the custom encryption interface by means of the HOOK technique and based on the first function address.
A second function address of a native key management interface of the database may also be acquired, and the native key management interface replaced with a custom key management interface by means of the HOOK technique and based on the second function address; likewise, a third function address of a native decryption interface of the database may be acquired, and the native decryption interface replaced with a custom decryption interface by means of the HOOK technique and based on the third function address.
In a specific embodiment, a preset database plug-in may be used to acquire the function addresses of the native encryption interface, native key management interface and native decryption interface of the database and, by means of the HOOK technique and based on those function addresses, replace the native encryption interface with a custom encryption interface, the native key management interface with a custom key management interface, and the native decryption interface with a custom decryption interface.
Further, in a specific embodiment, a database plug-in management tool may be used to install the preset database plug-in into the database main program. When the database starts, it automatically loads the preset database plug-in; the plug-in obtains the access addresses of the native interfaces of the database and dynamically replaces them by means of the HOOK technique, the interfaces including the encryption interface, the decryption interface, the key management interface and so on.
Further, the embodiment of the application may call the custom key management interface to generate a key and return it to the database engine. In a specific embodiment, the custom key management interface may be called to acquire a key from a preset database encryption management device and return it to the database engine. In the embodiment of the application, a tablespace encryption policy may be configured through the database encryption management device, which triggers the database engine to call the preset database plug-in to generate a key; the preset database plug-in acquires the key from the database encryption management device and returns it to the database engine.
Step S13: when first data is written from the database memory into the database file, the custom encryption interface is called through the database engine, and a preset cryptographic module is called through the custom encryption interface to encrypt the first data and obtain ciphertext data.
The embodiment of the application may call the preset cryptographic module through the custom encryption interface and encrypt the first data based on the key. In a specific embodiment, the preset database plug-in is called through the database engine, the preset cryptographic module is called through the custom encryption interface, the first data is encrypted to obtain ciphertext data, and the ciphertext data is returned to the database engine. The preset cryptographic module is responsible for providing secure and compliant cryptographic operations.
The embodiment of the application may also determine, based on the configured encryption policy, whether the first data needs to be encrypted, and only if so trigger the step of calling the preset cryptographic module through the custom encryption interface to encrypt the first data and obtain ciphertext data. It will be appreciated that the encryption policy determines which tables are to be encrypted, so whether the first data needs to be encrypted may be decided by checking whether the first data belongs to a table to be encrypted.
In addition, when second data is read from the database file into the database memory, the embodiment of the application may call the custom decryption interface through the database engine, call the preset cryptographic module through the custom decryption interface to decrypt the second data and obtain plaintext data, and return the plaintext data to the database engine.
That is, before data is written from the database memory into the database file, the database engine calls the preset database plug-in to encrypt the data; the plug-in calls the preset cryptographic module to perform the encryption and returns the ciphertext data to the database engine. Before data is read from the database file into the database memory, the database engine calls the preset database plug-in to decrypt the data; the plug-in calls the preset cryptographic module to perform the decryption and returns the plaintext data to the database engine.
Thus, replacing the database's native algorithm by means of the HOOK technique solves the problem of algorithm security compliance; replacing the database's key system by means of the HOOK technique solves the problem of secure key management; masking database version differences by means of the HOOK technique reduces the version maintenance workload; developing the database encryption plug-in by means of the HOOK technique avoids database upgrade and adaptation work; and replacing the encryption and decryption interfaces directly by means of the HOOK technique means the database vendor need not perform custom development. In short, the application provides a HOOK-based transparent encryption method for a database.
For example, referring to FIG. 2, FIG. 2 is a schematic diagram of transparent encryption of a database according to an embodiment of the present application. The system mainly comprises a database encryption management device, a database transparent encryption plug-in (the preset database plug-in), a database plug-in management tool and a cryptographic module. The database encryption management device is mainly responsible for key management and policy management, and performs policy synchronization and key exchange with the database transparent encryption plug-in. The database transparent encryption plug-in is deployed on the database server and replaces the database's native encryption and decryption interfaces (comprising the encryption interface, decryption interface and key management interface) to achieve algorithm replacement and key replacement, calling the cryptographic module to encrypt and decrypt data. The cryptographic module is deployed on the database server and is responsible for providing secure and compliant cryptographic operations. The database plug-in management tool provides plug-in install and uninstall functionality. The working procedure is as follows:
1. The database transparent encryption plug-in is installed (static injection) into the database main program using the database plug-in management tool.
2. When the database starts, it automatically loads the database transparent encryption plug-in; the plug-in obtains the function addresses of the database's native encryption and decryption interfaces and dynamically replaces the native interfaces by means of the HOOK technique, the interfaces including the encryption interface, the decryption interface, the key management interface and so on.
3. A tablespace encryption policy is configured through the database encryption management device, which triggers the database engine to call the database transparent encryption plug-in to generate a working key; the plug-in acquires the working key from the database encryption management device and returns it to the database engine.
4. Before data is written from memory into the database file, the database engine calls the database transparent encryption plug-in to encrypt the data; the plug-in calls the cryptographic module to perform the encryption and returns the ciphertext data to the database engine.
5. Before data is read from the database file into memory, the database engine calls the database transparent encryption plug-in to decrypt the data; the plug-in calls the cryptographic module to perform the decryption and returns the plaintext data to the database engine.
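The plug-in procedure above (steps 1 to 5, and steps S11 to S13 of the method) as an added worked model in C; this is not code from the patent or from any database product. A constructed engine dispatch table stands in for the native encryption, decryption and key-management interfaces reached through their function addresses, the plug-in saves those addresses and swaps in custom ones, a constructed tablespace policy and key store stand in for the database encryption management device, and simple byte transforms stand in for the native AES and the custom SM4 module; every name and the interface shape are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16
#define PAGE_LEN 32
/* Constructed model of the engine's encrypt/decrypt/key-management interfaces:
 * a table of function pointers stands in for "the function address of the
 * native interface" (hypothetical shape, not MySQL's real plug-in API). */
typedef int (*crypt_fn)(uint32_t ts, const uint8_t *key, uint8_t *buf, size_t len);
typedef int (*key_fn)(uint32_t ts, uint8_t *key_out);
typedef struct { crypt_fn encrypt; crypt_fn decrypt; key_fn get_key; } db_crypto_iface;
/* Engine side: the native implementations (stand-ins, not real AES). */
static int native_xcrypt(uint32_t ts, const uint8_t *key, uint8_t *buf, size_t len) {
    (void)ts;
    for (size_t i = 0; i < len; i++) buf[i] ^= key[i % KEY_LEN];  /* XOR is its own inverse */
    return 0;
}
/* Engine-local key derived from nothing but the tablespace id: no external key device. */
static int native_get_key(uint32_t ts, uint8_t *k) { memset(k, (int)(ts & 0xff), KEY_LEN); return 0; }
static db_crypto_iface g_iface = { native_xcrypt, native_xcrypt, native_get_key };
static uint8_t g_page[PAGE_LEN];  /* one in-memory page buffer */
/* Engine write path (step 4): fetch the tablespace key, then encrypt the page
 * before it reaches the data file. The read path (step 5) is the mirror image. */
static int engine_write_page(uint32_t ts, uint8_t *page, size_t len) {
    uint8_t key[KEY_LEN];
    return g_iface.get_key(ts, key) != 0 ? -1 : g_iface.encrypt(ts, key, page, len);
}
static int engine_read_page(uint32_t ts, uint8_t *page, size_t len) {
    uint8_t key[KEY_LEN];
    return g_iface.get_key(ts, key) != 0 ? -1 : g_iface.decrypt(ts, key, page, len);
}
/* Plug-in side. Constructed "database encryption management device": the
 * tablespace encryption policy (step 3) plus the working key returned to the engine. */
static struct { uint32_t ts; int encrypt; uint8_t key[KEY_LEN]; } g_kms[] = {
    { 1, 1, "sample-key-ts-1" },  /* policy: encrypt tablespace 1 (constructed key) */
    { 2, 0, "sample-key-ts-2" },  /* policy: tablespace 2 is written in plaintext */
};
static int kms_lookup(uint32_t ts) {
    for (size_t i = 0; i < sizeof g_kms / sizeof g_kms[0]; i++) if (g_kms[i].ts == ts) return (int)i;
    return -1;  /* not provisioned on the key device */
}
/* Policy gate for both hooks: -1 unknown tablespace, 0 leave plaintext, 1 encrypt. */
static int policy_for(uint32_t ts) { int i = kms_lookup(ts); return i < 0 ? -1 : g_kms[i].encrypt; }
/* Custom cryptographic module: a position-dependent byte add/subtract stands
 * in for the SM4 module so the example runs without a crypto library. */
static int custom_encrypt(const uint8_t *key, uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)(buf[i] + key[i % KEY_LEN] + i);
    return 0;
}
static int custom_decrypt(const uint8_t *key, uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)(buf[i] - key[i % KEY_LEN] - i);
    return 0;
}
/* Replacement interfaces. An unknown tablespace fails closed: the plug-in never
 * falls back to the native key or algorithm it was installed to replace. */
static int hooked_get_key(uint32_t ts, uint8_t *key_out) {
    int i = kms_lookup(ts);
    if (i < 0) return -1;
    memcpy(key_out, g_kms[i].key, KEY_LEN); return 0;
}
static int hooked_encrypt(uint32_t ts, const uint8_t *key, uint8_t *buf, size_t len) {
    int p = policy_for(ts);
    return p < 0 ? -1 : p == 0 ? 0 : custom_encrypt(key, buf, len);
}
static int hooked_decrypt(uint32_t ts, const uint8_t *key, uint8_t *buf, size_t len) {
    int p = policy_for(ts);
    return p < 0 ? -1 : p == 0 ? 0 : custom_decrypt(key, buf, len);
}
/* Plug-in load (step 2): record the native addresses, then swap in the custom
 * interfaces. Unload restores them so the engine is left as it was found. */
static crypt_fn g_orig_encrypt, g_orig_decrypt; static key_fn g_orig_get_key; static int g_hooked;
int plugin_install_hooks(void) {
    if (g_hooked) return 0;
    g_orig_encrypt = g_iface.encrypt; g_orig_decrypt = g_iface.decrypt; g_orig_get_key = g_iface.get_key;
    g_iface.encrypt = hooked_encrypt; g_iface.decrypt = hooked_decrypt; g_iface.get_key = hooked_get_key;
    g_hooked = 1;
    return 0;
}
int plugin_remove_hooks(void) {
    if (!g_hooked) return 0;
    g_iface.encrypt = g_orig_encrypt; g_iface.decrypt = g_orig_decrypt; g_iface.get_key = g_orig_get_key;
    g_hooked = 0;
    return 0;
}
int hook_installed(void) { return g_hooked; }
/* Driver helpers: push text through the engine write path, inspect the page as
 * it would sit in the data file, and read it back through the read path. */
int write_text_page(uint32_t ts, const char *text) {
    memset(g_page, 0, PAGE_LEN);
    memcpy(g_page, text, strlen(text));
    return engine_write_page(ts, g_page, PAGE_LEN);
}
int stored_byte(size_t i) { return g_page[i]; }
int read_page_matches(uint32_t ts, const char *text) {
    return engine_read_page(ts, g_page, PAGE_LEN) == 0 && memcmp(g_page, text, strlen(text)) == 0;
}
```

Before the hook is installed the engine's own key and transform are used for any tablespace; after it, the stored bytes come from the custom module with the key-device key, a tablespace excluded by policy is written unchanged, and an unprovisioned tablespace is refused rather than silently handled by the native path.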
The database encryption scheme provided by the embodiment of the application can be widely applied to databases that have TDE (Transparent Data Encryption) capability but do not expose a TDE interface externally, and in particular to open source databases with transparent encryption. It can solve the security compliance and unified key management problems of the database's native TDE encryption and decryption algorithm. Releasing a database transparent encryption plug-in that replaces the database's native data encryption and decryption interfaces avoids the complex problems of database upgrading, database adaptation and database vendor interfacing that custom database development may cause. Compared with modifying the source code of an open source database or releasing a customized version, the method and device mask the differences between database versions by means of the HOOK technique, reduce the version maintenance workload, and avoid database upgrade adaptation problems. Taking the MySQL relational database management system as an example, a database transparent encryption plug-in developed with the HOOK technique can mask the differences between more than forty versions of v5.7x and v8.0x, can replace the general-purpose AES (Advanced Encryption Standard) algorithm with the SM4 algorithm (the commercial block cipher algorithm standard), and can achieve unified key management. In addition, because the application replaces the database's native data encryption and decryption interfaces by means of the HOOK technique, the cost of coordination between the data security vendor and the database vendor is reduced and custom development of the database is avoided.
Referring to FIG. 3, an embodiment of the present application discloses a transparent encryption device for a database, including:
a function address acquisition module 11, configured to acquire a first function address of a native encryption interface of the database;
a native interface replacement module 12, configured to replace the native encryption interface with a custom encryption interface by means of a HOOK technique and based on the first function address;
and a data encryption module 13, configured to call the custom encryption interface through the database engine when first data is written from the database memory into the database file, and to call a preset cryptographic module through the custom encryption interface to encrypt the first data and obtain ciphertext data.
It can be seen that in the embodiment of the present application, a first function address of a native encryption interface of the database is acquired first, then the HOOK technique is used to replace the native encryption interface with a custom encryption interface based on the first function address; when first data is written from the database memory into the database file, the custom encryption interface is called through the database engine, and a preset cryptographic module is called through the custom encryption interface to encrypt the first data and obtain ciphertext data. In other words, the embodiment of the application uses the HOOK technique to replace the native encryption interface with a custom encryption interface at the function address of the database's native encryption interface, so that when data is written from the database memory into the database file the database engine calls the custom encryption interface, which calls the preset cryptographic module to encrypt the first data and obtain ciphertext data. Because the native encryption interface is replaced by means of the HOOK technique and the custom encryption interface is used to encrypt the data, the differences between database versions are masked while the storage security of the database is ensured, version maintenance work is reduced, database upgrade and adaptation problems are avoided, and custom development of the database is unnecessary.
The function address acquisition module 11 is further configured to acquire a second function address of a native key management interface of the database; the native interface replacement module 12 is further configured to replace the native key management interface with a custom key management interface by means of a HOOK technique and based on the second function address.
The device is further configured to call the custom key management interface to generate a key and return it to the database engine. Specifically, the custom key management interface is called to acquire a key from a preset database encryption management device and return it to the database engine.
The data encryption module 13 is specifically configured to call a preset cryptographic module through the custom encryption interface and encrypt the first data based on the key.
In a specific embodiment, the function address acquisition module 11 and the native interface replacement module 12 are specifically configured to acquire, based on a preset database plug-in, a first function address of a native encryption interface of the database, and to replace the native encryption interface with a custom encryption interface by means of a HOOK technique and based on the first function address.
Correspondingly, the data encryption module 13 is specifically configured to call the preset database plug-in through the database engine, and to call a preset cryptographic module through the custom encryption interface to encrypt the first data and obtain ciphertext data.
The data encryption module 13 is further configured to determine, based on the configured encryption policy, whether the first data needs to be encrypted, and if so to trigger calling the preset cryptographic module through the custom encryption interface to encrypt the first data and obtain ciphertext data.
The function address acquisition module 11 is further configured to acquire a third function address of a native decryption interface of the database; the native interface replacement module 12 is further configured to replace the native decryption interface with a custom decryption interface by means of a HOOK technique and based on the third function address.
The device further comprises a data decryption module which, when second data is read from the database file into the database memory, calls the custom decryption interface through the database engine and calls the preset cryptographic module through the custom decryption interface to decrypt the second data and obtain plaintext data.
Referring to fig. 4, an embodiment of the present application discloses an electronic device 20 comprising a processor 21 and a memory 22; wherein the memory 22 is used for storing a computer program; the processor 21 is configured to execute the computer program and implement the database transparent encryption method disclosed in the foregoing embodiment.
For the specific process of the database transparent encryption method, reference may be made to the corresponding content disclosed in the foregoing embodiment, and no further description is given here.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk or an optical disk, and the storage mode may be transient storage or permanent storage.
In addition, the electronic device 20 further includes a power supply 23, a communication interface 24, an input/output interface 25, and a communication bus 26. The power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and the communication protocol it follows may be any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 25 is used for acquiring external input data or outputting data to the outside, and its specific interface type may be selected according to the specific application requirement, which is not limited herein.
Further, the embodiment of the application also discloses a computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the database transparent encryption method disclosed in the foregoing embodiment.
In this specification, each embodiment is described in a progressive manner, and each embodiment focuses on the points in which it differs from the other embodiments, so that the same or similar parts between the embodiments may be referred to one another. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, its description is relatively brief, and the relevant points refer to the description of the method section.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may reside in Random Access Memory (RAM), Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The transparent encryption method, device, equipment and storage medium for a database provided by the application have been described in detail above. Specific examples were used to illustrate the principle and implementation of the application, and the description of the above examples is only intended to help understand the method and core idea of the application; at the same time, since those skilled in the art will vary the specific embodiments and application scope in accordance with the ideas of the present application, the above description should not be construed as limiting the present application.

Claims (10)

1. A method for transparent encryption of a database, comprising:
acquiring a first function address of a native encryption interface of the database;
replacing the native encryption interface with a custom encryption interface using a HOOK technique and based on the first function address; and
when first data is written from the database memory into the database file, calling the custom encryption interface through the database engine, and calling a preset cryptographic module by using the custom encryption interface to encrypt the first data so as to obtain ciphertext data.
2. The database transparent encryption method according to claim 1, further comprising:
acquiring a second function address of a native key management interface of the database;
replacing the native key management interface with a custom key management interface using a HOOK technique and based on the second function address; and
calling the custom key management interface, generating a key, and returning the key to the database engine.
3. The database transparent encryption method according to claim 2, wherein said calling the custom key management interface, generating a key, and returning the key to the database engine comprises:
calling the custom key management interface, obtaining a key from preset database encryption management equipment, and returning the key to the database engine.
4. The database transparent encryption method according to claim 2, wherein said calling a preset cryptographic module by using the custom encryption interface to encrypt the first data comprises:
calling the preset cryptographic module by using the custom encryption interface, and encrypting the first data based on the key.
5. The database transparent encryption method according to claim 1, wherein said acquiring a first function address of a native encryption interface of the database, and said replacing the native encryption interface with a custom encryption interface using a HOOK technique and based on the first function address, comprise:
acquiring, based on a preset database plug-in, the first function address of the native encryption interface of the database, and replacing the native encryption interface with the custom encryption interface using a HOOK technique and based on the first function address;
and correspondingly, said calling the custom encryption interface through the database engine, and calling a preset cryptographic module by using the custom encryption interface to encrypt the first data so as to obtain ciphertext data, comprises:
calling the preset database plug-in through the database engine, and calling the preset cryptographic module by using the custom encryption interface to encrypt the first data so as to obtain ciphertext data.
6. The database transparent encryption method according to claim 5, wherein before said calling a preset cryptographic module by using the custom encryption interface to encrypt the first data so as to obtain ciphertext data, the method further comprises:
judging, based on a configured encryption policy, whether the first data needs to be encrypted, and if so, triggering the custom encryption interface to call the preset cryptographic module to encrypt the first data so as to obtain ciphertext data.
7. The database transparent encryption method according to any one of claims 1 to 6, further comprising:
acquiring a third function address of a native decryption interface of the database;
replacing the native decryption interface with a custom decryption interface using a HOOK technique and based on the third function address; and
when second data is read from the database file into the database memory, calling the custom decryption interface through the database engine, and calling the preset cryptographic module by using the custom decryption interface to decrypt the second data so as to obtain plaintext data.
8. A database transparent encryption device, comprising:
a function address acquisition module, configured to acquire a first function address of a native encryption interface of a database;
a native interface replacing module, configured to replace the native encryption interface with a custom encryption interface using a HOOK technique and based on the first function address; and
a data encryption module, configured to, when first data is written from the database memory into the database file, call the custom encryption interface through the database engine, and call a preset cryptographic module by using the custom encryption interface to encrypt the first data so as to obtain ciphertext data.
9. An electronic device comprising a memory and a processor, wherein:
the memory is configured to store a computer program; and
the processor is configured to execute the computer program to implement the database transparent encryption method according to any one of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the database transparent encryption method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311381486.3A CN117113423B (en) 2023-10-24 2023-10-24 Transparent encryption method, device, equipment and storage medium for database

Publications (2)

Publication Number Publication Date
CN117113423A true CN117113423A (en) 2023-11-24
CN117113423B CN117113423B (en) 2024-04-12

Family

ID=88795187

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311381486.3A Active CN117113423B (en) 2023-10-24 2023-10-24 Transparent encryption method, device, equipment and storage medium for database

Country Status (1)

Country Link
CN (1) CN117113423B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118093555A (en) * 2024-04-28 2024-05-28 深圳昂楷科技有限公司 Database management method, system and storage medium

Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080034199A1 (en) * 2006-02-08 2008-02-07 Ingrian Networks, Inc. High performance data encryption server and method for transparently encrypting/decrypting data
CN101901313A (en) * 2010-06-10 2010-12-01 中科方德软件有限公司 Linux file protection system and method
CN102654864A (en) * 2011-03-02 2012-09-05 华北计算机系统工程研究所 Independent transparent security audit protection method facing real-time database
CN103605930A (en) * 2013-11-27 2014-02-26 湖北民族学院 Double file anti-divulging method and system based on HOOK and filtering driving
US8887152B1 (en) * 2011-11-04 2014-11-11 Trend Micro, Inc. Android application virtual environment
CN106126981A (en) * 2016-08-30 2016-11-16 电子科技大学 The software security means of defence replaced based on virtual function table
US20170243001A1 (en) * 2012-08-24 2017-08-24 Vmware, Inc. Method and system for facilitating replacement of system calls
CN107609410A (en) * 2017-09-11 2018-01-19 厦门市美亚柏科信息股份有限公司 Android system data guard method, terminal device and storage medium based on HOOK
CN108845841A (en) * 2018-06-15 2018-11-20 广州多益网络股份有限公司 Change the method, apparatus and terminal of terminal applies behavior
CN109426702A (en) * 2017-08-31 2019-03-05 武汉斗鱼网络科技有限公司 IOS platform file reads guard method, storage medium, electronic equipment and system
CN109840058A (en) * 2019-01-07 2019-06-04 烽火通信科技股份有限公司 Cloud game collecting method and system
CN109871704A (en) * 2019-03-19 2019-06-11 北京智游网安科技有限公司 Android resource file means of defence, equipment and storage medium based on Hook
CN112560068A (en) * 2020-12-28 2021-03-26 山东云缦智能科技有限公司 Android program storage encryption method
CN113239380A (en) * 2021-05-21 2021-08-10 杭州弗兰科信息安全科技有限公司 Method and device for protecting file read-write, electronic equipment and storage medium
CN113360913A (en) * 2021-08-10 2021-09-07 杭州安恒信息技术股份有限公司 Malicious program detection method and device, electronic equipment and storage medium
CN113392120A (en) * 2020-03-12 2021-09-14 腾讯科技(深圳)有限公司 Method and device for acquiring execution information of SQLite
CN115525916A (en) * 2022-10-21 2022-12-27 湖北天融信网络安全技术有限公司 Database encryption method and device, electronic equipment and storage medium
CN116150242A (en) * 2022-12-29 2023-05-23 成都卫士通信息产业股份有限公司 Transparent encryption and access control method, device and equipment for database
CN116248253A (en) * 2022-12-26 2023-06-09 航天信息股份有限公司 Method and system for deriving database table keys based on domestic crypto-engine
CN116680715A (en) * 2023-06-08 2023-09-01 济南浪潮数据技术有限公司 Database encryption configuration method and device, electronic equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张茂兴 (Zhang Maoxing): "Research on Oracle Database Transparent Encryption Technology", China Master's Theses Full-text Database, Information Science and Technology series, no. 3, 15 March 2018 (2018-03-15), pages 138 - 101 *

Also Published As

Publication number Publication date
CN117113423B (en) 2024-04-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant