CN117195263A - Database encryption method and device - Google Patents


Info

Publication number
CN117195263A
Authority
CN
China
Prior art keywords
data
database
encryption
field name
data table
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311169646.8A
Other languages
Chinese (zh)
Inventor
陈文静
王绪文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jingdong Technology Information Technology Co Ltd
Original Assignee
Jingdong Technology Information Technology Co Ltd


Abstract

The embodiment of the disclosure discloses a method and a device for encrypting a database. The specific implementation of the method comprises the following steps: acquiring a configuration file of an encryption gateway, wherein the configuration file comprises an address and a port of a database, and the data table and field name to be encrypted and decrypted; in response to receiving data from the business system, parsing an SQL statement from the data; parsing keywords and plaintext data from the SQL statement; if the keywords contain a data table and a field name to be inserted, detecting whether the data table and field name to be inserted are the same as the data table and field name to be encrypted and decrypted; if they are the same, calling a hardware encryptor to encrypt the plaintext data to obtain ciphertext data, and replacing the plaintext data in the SQL statement with the ciphertext data; and sending the SQL statement to the database according to the address and port of the database. This embodiment can improve the security of the database.

Description

Database encryption method and device
Technical Field
Embodiments of the present disclosure relate to the field of computer technology, and in particular, to a method and apparatus for encrypting a database.
Background
With the rapid development of information technology, data has become more and more important and plays a key role in many fields. However, alongside the convenience it brings in the information age, data also causes problems such as data abuse, disclosure of personal privacy and disclosure of enterprise business secrets. Therefore, in recent years the relevant national departments have continuously issued policies and regulations to protect private data, and enterprises have continuously improved data security through technical means.
The prior art can provide static encryption for physical tablespace data files of a database, wherein the encryption mode is an encryption means at the data page level, and the encryption is carried out when the data page is written into a file system, and the decryption is carried out when the file is read into a memory.
However, the conventional database encryption method has the following problems:
1. Key security problem: the current encryption mode adopts a two-level key chain, in which the data is encrypted by a tablespace key and the tablespace key is encrypted by a master key, but the master key itself is not encrypted or otherwise protected, so there is a risk of key leakage;
2. Data security problem: because decryption takes place when the disk data is read into memory, all data in memory is in plaintext; if the database access rights are maliciously used, all plaintext data can be seen once the database is logged in, so the data is at risk of leakage;
3. Algorithm compliance problem: in the domestic context, core systems such as a gateway base, government affairs and the like need to use domestic cryptographic algorithms for data protection, and international algorithms do not meet the legal compliance requirements.
Disclosure of Invention
The embodiment of the disclosure provides a method and a device for encrypting a database.
In a first aspect, embodiments of the present disclosure provide a method for encrypting a database, including: acquiring a configuration file of an encryption gateway, wherein the configuration file comprises an address and a port of a database, and the data table and field name to be encrypted and decrypted; in response to receiving data from a business system, parsing an SQL statement from the data; parsing keywords and plaintext data from the SQL statement; if the keywords comprise a data table and a field name to be inserted, detecting whether the data table and field name to be inserted are the same as the data table and field name to be encrypted and decrypted; if they are the same, calling a hardware encryptor to encrypt the plaintext data to obtain ciphertext data, and replacing the plaintext data in the SQL statement with the ciphertext data; and sending the SQL statement to the database according to the address and port of the database.
In some embodiments, the method further comprises: if the keywords contain a data table and a field name to be read, detecting whether the data table and field name to be read are the same as the data table and field name to be encrypted and decrypted; if they are the same, obtaining the ciphertext data corresponding to the data table and field name to be read from the database; invoking the hardware encryptor to decrypt the ciphertext data to obtain plaintext data; and returning the plaintext data to the service system.
In some embodiments, the method further comprises: if they are different, transmitting the SQL statement directly to the database.
In some embodiments, parsing the SQL statement from the data includes: determining the type of the database; and selecting a corresponding database protocol according to the type, and parsing the SQL statement from the data.
In some embodiments, the method further comprises: if the data table and field name to be read are different from those to be encrypted and decrypted, acquiring the data content corresponding to the data table and field name to be read from the database; and returning the data content directly to the service system.
In some embodiments, the method further comprises: establishing a long connection between the encryption gateway and the database.
In some embodiments, the hardware encryptor holds national cryptographic certification and employs a symmetric encryption algorithm.
In a second aspect, embodiments of the present disclosure provide an apparatus for database encryption, including: an acquisition unit configured to acquire a configuration file of an encryption gateway, wherein the configuration file comprises an address and a port of a database, and the data table and field name to be encrypted and decrypted; a first parsing unit configured to parse an SQL statement from data received from a business system in response to receiving the data; a second parsing unit configured to parse keywords and plaintext data from the SQL statement; a detection unit configured to detect, if the keywords contain a data table and a field name to be inserted, whether the data table and field name to be inserted are the same as the data table and field name to be encrypted and decrypted; an encryption unit configured to call a hardware encryptor to encrypt the plaintext data to obtain ciphertext data if they are the same, and to replace the plaintext data in the SQL statement with the ciphertext data; and a sending unit configured to send the SQL statement to the database according to the address and port of the database.
In some embodiments, the detection unit is further configured to: if the keywords contain a data table and a field name to be read, detect whether the data table and field name to be read are the same as the data table and field name to be encrypted and decrypted; the apparatus further comprises a decryption unit configured to: if they are the same, acquire the ciphertext data corresponding to the data table and field name to be read from the database, and call the hardware encryptor to decrypt the ciphertext data to obtain plaintext data; the sending unit is further configured to return the plaintext data to the business system.
In some embodiments, the sending unit is further configured to: if they are different, transmit the SQL statement directly to the database.
In some embodiments, the first parsing unit is further configured to: determine the type of the database; and select a corresponding database protocol according to the type, and parse the SQL statement from the data.
In some embodiments, the sending unit is further configured to: if the data table and field name to be read are different from those to be encrypted and decrypted, acquire the data content corresponding to the data table and field name to be read from the database; and return the data content directly to the service system.
In some embodiments, the apparatus further comprises a connection unit configured to: establish a long connection between the encryption gateway and the database.
In some embodiments, the hardware encryptor holds national cryptographic certification and employs a symmetric encryption algorithm.
The method and apparatus for encrypting a database provided by the embodiments of the disclosure protect sensitive data by using a hardware encryptor with level-2 national cryptographic certification: the data key is encrypted with a local master key, and the local master key is stored in the security chip of the hardware encryptor, which solves the key security problem. The certified hardware encryptor supports the national cryptographic algorithms and solves the algorithm compliance problem. Plaintext data is converted to ciphertext before being stored in the database, only ciphertext is visible after logging in to the database system, and the ciphertext can be decrypted only when the service system queries the data through the encryption gateway, so the problem of a database account being maliciously used is solved.
it should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following specification.
Drawings
Other features, objects and advantages of the present disclosure will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the following drawings:
FIG. 1 is an exemplary system architecture diagram in which an embodiment of the present disclosure may be applied;
FIG. 2 is a flow chart of one embodiment of a method of database encryption according to the present disclosure;
FIG. 3 is a schematic diagram of one application scenario of a method of database encryption according to the present disclosure;
FIG. 4 is a flow chart of yet another embodiment of a method of database encryption according to the present disclosure;
FIG. 5 is a schematic diagram of an embodiment of an apparatus for database encryption according to the present disclosure;
FIG. 6 is a schematic diagram of a computer system suitable for use in implementing embodiments of the present disclosure.
Detailed Description
The present disclosure is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting of the application. It should be noted that, for convenience of description, only the portions related to the present application are shown in the drawings.
It should be noted that, without conflict, the embodiments of the present disclosure and features of the embodiments may be combined with each other. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Fig. 1 illustrates an exemplary system architecture of an embodiment of an apparatus or method of database encryption to which the present disclosure may be applied.
As shown in fig. 1, the system architecture may include a business system, an encryption gateway, a database and a hardware encryptor (HSM, Hardware Security Module).
The encryption gateway can comprise an analysis module, an encryption and decryption module, a management module and a configuration module.
The management module may be responsible for connection pool management. In order to improve the response time of the system and reduce the resource occupation of establishing network connection, the encryption gateway realizes the connection pool management function. A long connection, such as a TCP connection, is established between the encryption gateway and the database through the management module.
The configuration module may receive a configuration file sent by the service system. The service system configures the database address into the address and port of the transparent encryption gateway in the configuration file, and simultaneously designates the database, the data table and the field name which need to be encrypted. The encryption gateway supports the user to configure which fields of which tables of which database are encrypted, and the module analyzes the configuration file when the program is started to acquire the database, the data table and the field name which need to be encrypted and decrypted.
The analysis module can analyze the database protocol and SQL grammar.
After the service system connects to the encryption gateway using a client such as JDBC (Java Database Connectivity, the Java database connection API), all data messages exchanged between the service system and the database pass through the encryption gateway; the encryption gateway must parse the database protocol to complete the database login operation, and must also parse the SQL statements.
The database message protocol format is shown in Table 1:
Data length (3 bytes) | Serial number (1 byte) | Data part
TABLE 1
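The framing in Table 1 is what the gateway's analysis module has to split off the TCP stream before it can see any SQL. The following is an added example, not code from the patent; it assumes the MySQL conventions that the length is little-endian and that a query payload starts with the command byte 0x03 followed by the SQL text, and it handles a read that ends in the middle of a message.

```python
import struct
from typing import List, Optional, Tuple

# Layout from Table 1: 3-byte payload length, 1-byte sequence number, payload.
HEADER_LEN = 4
COM_QUERY = 0x03  # assumed: MySQL command byte that precedes SQL text in a request


def build_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload as one protocol message (little-endian length, as in MySQL)."""
    if not 0 <= len(payload) < (1 << 24):
        raise ValueError("payload too large for a single 3-byte length field")
    if not 0 <= seq <= 0xFF:
        raise ValueError("sequence number must fit in one byte")
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def parse_packet(buf: bytes) -> Optional[Tuple[int, bytes, bytes]]:
    """Parse one message from the front of buf.

    Returns (sequence number, payload, remaining bytes), or None if buf does
    not yet hold a complete message (the gateway must then read more data
    instead of forwarding a half-parsed statement).
    """
    if len(buf) < HEADER_LEN:
        return None
    length = struct.unpack("<I", buf[:3] + b"\x00")[0]
    if len(buf) < HEADER_LEN + length:
        return None
    seq = buf[3]
    payload = buf[HEADER_LEN:HEADER_LEN + length]
    return seq, payload, buf[HEADER_LEN + length:]


def split_stream(buf: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Split one TCP read into complete messages plus any trailing partial message."""
    messages: List[Tuple[int, bytes]] = []
    while True:
        parsed = parse_packet(buf)
        if parsed is None:
            return messages, buf
        seq, payload, buf = parsed
        messages.append((seq, payload))


def extract_sql(payload: bytes) -> Optional[str]:
    """Return the SQL text if the payload is a query command, else None.

    Anything that is not a query (login handshake, ping, ...) is passed to the
    database untouched, which is what makes the gateway transparent.
    """
    if not payload or payload[0] != COM_QUERY:
        return None
    return payload[1:].decode("utf-8")


# Constructed sample stream: two complete client messages followed by the
# first 7 bytes of a third, as a single recv() might return them.
SAMPLE_STREAM = (
    build_packet(0, bytes([COM_QUERY]) + b"SELECT phone FROM employees")
    + build_packet(0, bytes([0x0E]))  # a non-query command (COM_PING in MySQL)
    + build_packet(0, bytes([COM_QUERY]) + b"INSERT INTO employees (username) VALUES ('bob')")[:7]
)
```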
The purpose of SQL grammar parsing is to parse the SQL statement, judge whether the current statement inserts or queries data, and encrypt or decrypt the data accordingly.
Inserting data: the configuration module parses the fields to be encrypted, and the analysis module parses the fields to be inserted from the SQL statement; if a field to be inserted belongs to the fields to be encrypted, the encryption and decryption module is called to encrypt the data using the hardware encryptor, the ciphertext replaces the plaintext data in the SQL statement, and finally the SQL statement is sent to the database;
Reading data: the configuration module parses the fields to be decrypted, and the analysis module parses the fields to be read from the SQL statement; if a field to be read belongs to the fields to be decrypted, the encryption and decryption module is called to decrypt the data using the hardware encryptor, the decrypted plaintext data replaces the ciphertext data in the SQL statement, and finally the SQL statement is returned to the application system.
The encryption and decryption module is responsible for communicating with the hardware encryption machine, and the module sends plaintext data to be encrypted to the encryption machine for encryption and receives ciphertext results during data encryption; and the module sends the ciphertext data to be decrypted to the encryptor for decryption and receives a plaintext result when the data is decrypted. The hardware encryptor supports the mainstream symmetric encryption and decryption algorithm, including AES, SM4, SM1, and the data key is stored in the security chip of the encryptor, and the security of the data operation process is high.
It should be noted that, the method for encrypting the database provided by the embodiments of the present disclosure is generally performed by the encryption gateway, and accordingly, the device for encrypting the database is generally disposed in the encryption gateway.
It should be understood that the number of business systems, encryption gateways, databases, hardware encryption machines in fig. 1 are merely illustrative. There may be any number of business systems, encryption gateways, databases, hardware encryptors, as desired for implementation.
With continued reference to fig. 2, a flow 200 of one embodiment of a method of database encryption according to the present disclosure is shown. The database encryption method comprises the following steps:
step 201, a configuration file of an encryption gateway is obtained.
In this embodiment, the execution body of the database encryption method (e.g., the encryption gateway shown in fig. 1) may receive the configuration file from the service system through a wired connection or a wireless connection. The configuration file comprises an address and a port of a database, an encrypted and decrypted data table and a field name. The service system configures the database address into the address and port of the transparent encryption gateway in the configuration file, and simultaneously designates the database, the data table and the field name which need to be encrypted.
Step 202, in response to receiving data from the business system, parsing the SQL statement from the data.
In this embodiment, the service system sends the SQL statement and plaintext data to the encryption gateway when it operates on data. The encryption gateway needs to parse the database protocol to complete the database login operation. As structured in Table 1, the SQL statement is in the data part.
In some optional implementations of this embodiment, parsing the SQL statement from the data includes: determining the type of the database; and selecting a corresponding database protocol according to the type, and parsing the SQL statement from the data. The database may be mysql, redis or another type, and different databases use different protocols, so the matching protocol is selected to parse the SQL statement from the data. The gateway can thus be adapted to different database scenarios. The encryption gateway can be connected to several service systems and several databases of different types, and forwards the encrypted data according to the database address set by each service system. The service system can also set the database type in the configuration file, so that the encryption gateway selects the corresponding database protocol by type when parsing SQL statements from the data.
Step 203, parsing the keywords and plaintext data from the SQL statement.
In this embodiment, the SQL statement includes keywords of the SQL command and plaintext data to be operated on by the command. Keywords and plaintext data may be parsed from the SQL statement according to the SQL grammar. The SQL INSERT statement would include the keyword "INSERT INTO". The SQL read statement would include the keyword "SELECT FROM".
In step 204, if the keyword includes the data table and the field name to be inserted, it is detected whether the data table and the field name to be inserted are the same as the encrypted and decrypted data table and the field name.
In this embodiment, if the keyword "INSERT INTO" is parsed, it indicates that the SQL statement inserts a new row into a table. There are two basic forms: "INSERT INTO table_name (field_name_1, field_name_2, ..., field_name_N) VALUES (value_1, value_2, ..., value_N);" and "INSERT INTO table_name VALUES (value_1, value_2, ..., value_N);". If the field names are omitted, the order of the inserted values must match the order of the fields in the table.
The encryption gateway only encrypts the encrypted and decrypted data table and the data corresponding to the field names which are set in the configuration file. It is determined whether the data table and field names of the contents to be inserted by the SQL statement are identical to those in the configuration file of the encryption gateway.
Step 205, if they are the same, calling the hardware encryptor to encrypt the plaintext data to obtain ciphertext data, and replacing the plaintext data in the SQL statement with the ciphertext data.
In this embodiment, if the field to be inserted belongs to the fields to be encrypted, the encryption and decryption module is called to send the plaintext data to the hardware encryptor, the hardware encryptor encrypts the data and returns the ciphertext data to the encryption gateway. The encryption gateway then replaces the plaintext data in the SQL statement with the ciphertext data.
In some optional implementations of this embodiment, the method further includes: if they are different, the SQL statement is transmitted directly to the database.
The encryption gateway is positioned between the service system and the database, and forwards the data to be encrypted and decrypted to the hardware encryption machine for processing, and if the data does not need to be encrypted and decrypted, the data is directly transmitted. Thus, the encryption gateway may also be referred to as a transparent encryption gateway. The method of the application can selectively encrypt, improve the encryption speed and avoid adverse effect on the timeliness of service processing.
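Steps 203 to 205 and the transparent pass-through above, as an added example that is not the patent's own code. It matches an INSERT against a constructed configuration (table and field names from fig. 3, host and port assumed), rewrites only the protected literals, and forwards everything else unchanged. The call to the hardware encryptor is injected; `hsm_encrypt_stub` is a placeholder for that call, not a cipher.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed configuration in the shape the text describes. The host/port are
# assumed; "employees.username" is the encrypted field of fig. 3.
GATEWAY_CONFIG: Dict = {
    "db_host": "10.0.0.5",
    "db_port": 3306,
    "encrypted_fields": {"employees": {"username"}},
    # Column order per table, needed only for INSERTs that omit the column list
    # (assumed to be supplied alongside the configuration).
    "table_columns": {"employees": ["id", "username", "phone"]},
}

# Both INSERT forms named in the text: with and without an explicit column list.
INSERT_RE = re.compile(
    r"^\s*INSERT\s+INTO\s+`?(?P<table>\w+)`?\s*"
    r"(?:\((?P<cols>[^)]*)\)\s*)?"
    r"VALUES\s*\((?P<vals>.*)\)\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)


def hsm_encrypt_stub(plaintext: str) -> str:
    """Stand-in for the round trip to the hardware encryptor; it only tags the value."""
    return "ENC[" + plaintext + "]"


def _split_values(s: str) -> List[str]:
    """Split a VALUES list on top-level commas, respecting single-quoted strings."""
    parts, cur, in_str, i = [], [], False, 0
    while i < len(s):
        ch = s[i]
        if ch == "'":
            if in_str and i + 1 < len(s) and s[i + 1] == "'":
                cur.append("''")  # doubled quote inside a string is an escape
                i += 2
                continue
            in_str = not in_str
        if ch == "," and not in_str:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def _unquote(v: str) -> Optional[str]:
    """Return the content of a single-quoted SQL literal, or None if v is not one."""
    if len(v) >= 2 and v[0] == v[-1] == "'":
        return v[1:-1].replace("''", "'")
    return None


def _quote(v: str) -> str:
    return "'" + v.replace("'", "''") + "'"


def rewrite_insert(sql: str, config: Dict, encrypt: Callable[[str], str]) -> str:
    """Return sql with protected plaintext literals replaced by ciphertext.

    Statements that are not INSERTs, target an unconfigured table, or touch no
    protected field are returned unchanged (the transparent forwarding path).
    """
    m = INSERT_RE.match(sql)
    if not m:
        return sql
    table = m.group("table")
    protected = config["encrypted_fields"].get(table)
    if not protected:
        return sql
    if m.group("cols") is not None:
        cols = [c.strip().strip("`") for c in m.group("cols").split(",")]
    else:
        # Positional form: the gateway must know the table's column order.
        cols = config["table_columns"].get(table)
        if cols is None:
            raise ValueError(f"cannot map positional VALUES for {table}: column order unknown")
    vals = _split_values(m.group("vals"))
    if len(vals) != len(cols):
        raise ValueError("column/value count mismatch")
    changed = False
    for i, col in enumerate(cols):
        if col in protected:
            plain = _unquote(vals[i])
            if plain is None:
                raise ValueError(f"field {col} must be a quoted literal to be encrypted")
            vals[i] = _quote(encrypt(plain))
            changed = True
    if not changed:
        return sql
    col_clause = "(" + ", ".join(cols) + ") " if m.group("cols") is not None else ""
    return f"INSERT INTO {table} {col_clause}VALUES ({', '.join(vals)});"
```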
Step 206, the SQL statement is sent to the database according to the address and port of the database.
In this embodiment, the SQL statement here already contains ciphertext data, and the ciphertext data is sent to the target database according to the address and port of the database specified in the configuration file. The database stores the encrypted data.
In some optional implementations of this embodiment, the method further includes: establishing a long connection between the encryption gateway and the database. Before the encryption gateway processes data, a long connection to the database is established, so that a connection does not have to be set up every time data is received and latency is reduced.
In some optional implementations of this embodiment, the hardware encryptor holds national cryptographic certification and uses a symmetric encryption algorithm. The hardware encryptor supports the mainstream symmetric encryption and decryption algorithms, including AES, SM4 and SM1; the data key is stored in the security chip of the encryptor, so the data operations are performed with high security. The certified hardware encryptor ensures algorithm compliance.
With continued reference to fig. 3, fig. 3 is a schematic diagram of an application scenario of the database encryption method according to the present embodiment. In the application scenario of fig. 3, it is assumed that there is a database test, that the username field of the table employees needs to be encrypted, and that the corresponding ciphertext fields (username-enc, username-idx) are added to the database. The configuration file of the encryption gateway specifies the real address and port of the backend database and the library, table and column that need encryption. The key data in the encrypted database is shown in fig. 3: phone is stored in plaintext, while username-enc and username-idx hold ciphertext.
With further reference to fig. 4, a flow 400 of yet another embodiment of a method of database encryption is shown. The flow 400 of the database encryption method includes the steps of:
step 401, obtaining a configuration file of an encryption gateway.
Step 402, in response to receiving data from the business system, parsing an SQL statement from the data.
Step 403, parsing out the keywords and plaintext data from the SQL statement.
Steps 401-403 are substantially identical to steps 201-203 and are therefore not described in detail.
In step 404, if the keyword includes the data table and the field name to be read, it is detected whether the data table and the field name to be read are the same as the encrypted and decrypted data table and the field name.
In this embodiment, if the keyword "SELECT FROM" is parsed, it indicates that the SQL statement reads data.
The encryption gateway only decrypts the encrypted and decrypted data table and the data corresponding to the field name which are set in the configuration file. It is determined whether the data table and field names of the contents to be read by the SQL statement are consistent with the data table and field names in the configuration file of the encryption gateway.
Step 405, if they are the same, obtaining the ciphertext data corresponding to the data table and field name to be read from the database, and calling the hardware encryptor to decrypt the ciphertext data to obtain plaintext data.
In this embodiment, if the field to be read belongs to the field to be decrypted, the encryption and decryption module is required to be called to send the ciphertext data to the hardware encryptor, the hardware encryptor is used for decrypting the data, and the hardware encryptor returns the plaintext data to the encryption gateway.
Step 406, returning the plaintext data to the service system.
In this embodiment, the encryption gateway converts the ciphertext into plaintext through the hardware encryptor and returns the plaintext to the service system.
In some optional implementations of this embodiment, the method further includes: if the data table and field name to be read are different from those to be encrypted and decrypted, acquiring the data content corresponding to the data table and field name to be read from the database; and returning the data content directly to the service system. Content that does not need to be decrypted is passed to the service system as is.
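The read path of steps 404 to 406, as an added example that is not the patent's own code. Step 404 is decided from the SELECT text; the per-column decryption of step 405 uses the column names the gateway receives with the result set, which is what makes `SELECT *` and qualified column names work. The configuration is constructed from fig. 3, and `hsm_decrypt_stub` is a placeholder for the round trip to the hardware encryptor, not a cipher.

```python
import re
from typing import Callable, Dict, List, Optional, Set

# Constructed configuration: table -> fields to decrypt (fig. 3).
ENCRYPTED_FIELDS: Dict[str, Set[str]] = {"employees": {"username"}}

SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+`?(?P<table>\w+)`?(?:\s|;|$)",
    re.IGNORECASE | re.DOTALL,
)


def hsm_decrypt_stub(ciphertext: str) -> str:
    """Stand-in for the hardware encryptor's decrypt call (inverse of an 'ENC[...]' tag)."""
    if not (ciphertext.startswith("ENC[") and ciphertext.endswith("]")):
        raise ValueError("value is not ciphertext from the stand-in encryptor")
    return ciphertext[4:-1]


def select_needs_decryption(sql: str, config: Dict[str, Set[str]]) -> Optional[str]:
    """Step 404: return the table name if the SELECT reads a protected field, else None.

    A 'SELECT *' may include protected fields, so it is treated as needing
    decryption; the exact columns are then resolved from the result set.
    """
    m = SELECT_RE.match(sql)
    if not m:
        return None
    table = m.group("table")
    protected = config.get(table)
    if not protected:
        return None
    cols = [c.strip().strip("`").split(".")[-1] for c in m.group("cols").split(",")]
    if "*" in cols or any(c in protected for c in cols):
        return table
    return None


def decrypt_rows(table: str, rows: List[Dict[str, object]],
                 config: Dict[str, Set[str]], decrypt: Callable[[str], str]) -> List[Dict[str, object]]:
    """Steps 405-406: decrypt the protected columns of each result row.

    Unprotected columns and SQL NULLs (None) are returned unchanged; rows are
    copied so the ciphertext received from the database is not mutated.
    """
    protected = config.get(table, set())
    out = []
    for row in rows:
        new = dict(row)
        for col in protected:
            value = new.get(col)
            if isinstance(value, str):
                new[col] = decrypt(value)
        out.append(new)
    return out


# Constructed result set as the gateway would receive it from the database.
SAMPLE_ROWS: List[Dict[str, object]] = [
    {"id": 1, "username": "ENC[alice]", "phone": "13800000000"},
    {"id": 2, "username": None, "phone": "13900000000"},
]
```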
The method provided by the above embodiments of the present disclosure has the following advantages:
1. Product form: deployment as a gateway.
The method is deployed as a gateway and supports user-defined database, table and field names to be encrypted, so the service system can flexibly encrypt sensitive business data without modification, and the method is highly compatible with existing systems;
2. Database protocol and SQL syntax parsing:
The gateway parses the data and SQL statements sent by the service system, extracts the data matching the configured encryption and decryption fields, encrypts or decrypts it and forwards it to the database system, so the data stored in the database system, and the data read into its memory, is ciphertext, which prevents data leakage caused by malicious use of database privileges;
3. Security compliance of data keys and algorithms:
A two-layer key chain is designed: the data key is encrypted by the local master key of the hardware encryptor, and the local master key is stored in the security chip of the encryptor, which ensures key security; the hardware encryptor holds national cryptographic certification, which ensures algorithm compliance.
With further reference to fig. 5, as an implementation of the method shown in the foregoing figures, the present disclosure provides an embodiment of an apparatus for encrypting a database, where the embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 2, and the apparatus is particularly applicable to various electronic devices.
As shown in fig. 5, the database encryption apparatus 500 of the present embodiment includes: an acquisition unit 501, a first parsing unit 502, a second parsing unit 503, a detection unit 504, an encryption unit 505, and a transmission unit 506. The acquiring unit 501 is configured to acquire a configuration file of the encryption gateway, wherein the configuration file comprises an address and a port of a database, an encrypted and decrypted data table and a field name; a first parsing unit 502 configured to parse an SQL statement from data from a business system in response to receiving the data; a second parsing unit 503 configured to parse out keywords and plaintext data from the SQL statement; a detecting unit 504 configured to detect whether the data table and the field name to be inserted are the same as the encrypted and decrypted data table and the field name if the keyword includes the data table and the field name to be inserted; the encryption unit 505 is configured to, if the two types of data are the same, invoke a hardware encryptor to encrypt the plaintext data to obtain ciphertext data, and replace the plaintext data in the SQL sentence with the ciphertext data; a sending unit 506 configured to send the SQL statement to the database according to the address and port of the database.
In this embodiment, specific processing of the obtaining unit 501, the first parsing unit 502, the second parsing unit 503, the detecting unit 504, the encrypting unit 505, and the transmitting unit 506 of the database encrypting apparatus 500 may refer to steps 201 to 206 in the corresponding embodiment of fig. 2.
In some optional implementations of the present embodiment, the detection unit 504 is further configured to: if the keyword contains a data table and a field name to be read, detecting whether the data table and the field name to be read are the same as the encrypted and decrypted data table and the field name; the apparatus further comprises a decryption unit (not shown in the drawings) configured to: if the data table to be read and the ciphertext data corresponding to the field name are the same, acquiring the data table to be read and the ciphertext data corresponding to the field name from the database, and calling a hardware encryptor to decrypt the ciphertext data to obtain plaintext data; the sending unit 506 is further configured to return the plaintext data to the service system.
In some embodiments, the transmitting unit 506 is further configured to: if the SQL statement is different, the SQL statement is directly transmitted to the database.
In some embodiments, the first parsing unit 502 is further configured to: determining the type of the database; and selecting a corresponding database protocol according to the type, and analyzing SQL sentences from the data.
In some embodiments, the sending unit 506 is further configured to: when the data table and field name to be read do not match any configured entry, fetch the data content stored under that data table and field name from the database and return it to the business system directly, without decryption.
In some embodiments, the apparatus further comprises a connection unit (not shown in the drawings) configured to establish a long-lived (persistent) connection between the encryption gateway and the database, so that a connection does not have to be set up for every statement.
In some embodiments, the hardware encryptor is compliant with the Chinese national cryptographic (guomi) standards and uses a symmetric encryption algorithm.
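The units 501 to 506 together with the decryption and pass-through paths described above (restated as claims 1 to 7 below), as an added worked example that is not part of the patent: a minimal in-process gateway that rewrites the literals of an INSERT for configured table/field pairs, decrypts the matching columns of a SELECT result, and forwards everything else unchanged. The configuration values, the regex-based statement grammar, the in-memory `FakeDatabase` and the `HardwareEncryptorStandIn` class are all assumptions; the stand-in replaces the hardware encryptor only so the example runs offline and is not a vetted cipher.

```python
import hashlib
import hmac
import os
import re

# Assumed contents of the gateway's configuration file: database address/port
# plus the table/field pairs that are encrypted on write and decrypted on read.
CONFIG = {
    "db_address": "10.0.0.5", "db_port": 3306,             # assumed values
    "encrypted_fields": {"users": {"phone", "id_card"}},   # assumed table/fields
}


class HardwareEncryptorStandIn:
    """Stand-in for the hardware encryptor: an HMAC-SHA256 keystream in counter
    mode plus an HMAC tag, present only so the example runs offline.  It is NOT
    a vetted cipher; a real gateway calls the HSM through its vendor API and the
    key never enters the gateway process."""

    def __init__(self, key: bytes):
        self._key = key

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def encrypt(self, pt: bytes) -> bytes:
        nonce = os.urandom(12)  # fresh nonce: equal plaintexts give different ciphertexts
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(nonce, len(pt))))
        return nonce + ct + hmac.new(self._key, nonce + ct, hashlib.sha256).digest()[:16]

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
        if not hmac.compare_digest(tag, hmac.new(self._key, nonce + ct, hashlib.sha256).digest()[:16]):
            raise ValueError("ciphertext failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


# Illustrative grammar: single-row INSERT and simple SELECT only.
INSERT_RE = re.compile(r"^\s*INSERT\s+INTO\s+(\w+)\s*\(([^)]*)\)\s*VALUES\s*\((.*)\)\s*;?\s*$", re.I | re.S)
SELECT_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)\s*;?\s*$", re.I | re.S)
LITERAL_RE = re.compile(r"'((?:[^']|'')*)'|([^,\s]+)")  # quoted string or bare token


def _literals(values: str):
    """Yield (text, was_quoted) for each literal in a VALUES list."""
    for t in LITERAL_RE.finditer(values):
        if t.group(1) is not None:
            yield t.group(1).replace("''", "'"), True
        else:
            yield t.group(2), False


def _columns(spec: str):
    return [c.strip() for c in spec.split(",")]


def _quote(text: str) -> str:
    return "'" + text.replace("'", "''") + "'"


class FakeDatabase:
    """Constructed in-memory stand-in for the database behind the gateway."""

    def __init__(self):
        self.tables = {}

    def execute(self, sql: str):
        if m := INSERT_RE.match(sql):
            row = dict(zip(_columns(m.group(2)), (v for v, _ in _literals(m.group(3)))))
            self.tables.setdefault(m.group(1), []).append(row)
            return []
        if m := SELECT_RE.match(sql):
            cols = _columns(m.group(1))
            return [[r[c] for c in cols] for r in self.tables.get(m.group(2), [])]
        return []


class EncryptionGateway:
    def __init__(self, config, hsm, db):
        self.fields, self.hsm, self.db = config["encrypted_fields"], hsm, db

    def _protect(self, text: str) -> str:
        # Hex output contains only [0-9a-f], so the rewritten literal can never
        # break out of its quotes: the gateway must not become an injection point.
        return "enc:" + self.hsm.encrypt(text.encode()).hex()

    def _reveal(self, stored: str) -> str:
        return self.hsm.decrypt(bytes.fromhex(stored[len("enc:"):])).decode()

    def handle(self, sql: str):
        """Parse (502/503), match against config (504), encrypt or decrypt
        (505 / decryption unit), then forward to the database (506)."""
        if m := INSERT_RE.match(sql):
            table, cols = m.group(1), _columns(m.group(2))
            secret = self.fields.get(table, set())
            if secret & set(cols):
                lits = list(_literals(m.group(3)))
                if len(lits) != len(cols):
                    raise ValueError("column/value count mismatch")
                out = [_quote(self._protect(text)) if col in secret else (_quote(text) if quoted else text)
                       for col, (text, quoted) in zip(cols, lits)]
                sql = f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({', '.join(out)})"
            return self.db.execute(sql)   # unmatched INSERT is forwarded as-is
        if m := SELECT_RE.match(sql):
            cols, table = _columns(m.group(1)), m.group(2)
            rows, secret = self.db.execute(sql), self.fields.get(table, set())
            if not secret & set(cols):    # no protected field read: return the content as-is
                return rows
            return [[self._reveal(v) if c in secret else v for c, v in zip(cols, r)] for r in rows]
        return self.db.execute(sql)       # anything else passes through unchanged
```

Three points a practitioner would check before relying on a gateway of this shape. The regex grammar is only illustrative; a production gateway has to parse the full dialect of the target database (multi-row INSERT, INSERT ... SELECT, UPDATE, subqueries, comments), because any statement the parser does not recognise is forwarded with its plaintext intact. Because the stand-in, like any sound symmetric mode, randomises each ciphertext, the database can no longer evaluate `WHERE phone = '...'` or index the column; supporting equality lookups needs a deterministic mode or a separate blind index, which the claims do not address. Finally, the hex encoding of the ciphertext is what keeps the rewrite from turning the gateway into a second injection surface, and the channel between gateway and database still needs TLS, since the rewritten statement carries the ciphertext but all other columns in the clear.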
It should be noted that, in the technical solution of the present disclosure, the collection, updating, analysis, processing, use, transmission and storage of users' personal information all comply with the relevant laws and regulations, serve lawful purposes and do not violate public order and good customs. Necessary measures are taken to protect users' personal information, prevent unlawful access to it, and safeguard users' personal information security, network security and national security.
According to an embodiment of the disclosure, the disclosure further provides an electronic device and a readable storage medium.
An electronic device, comprising: one or more processors; storage means having stored thereon one or more computer programs which, when executed by the one or more processors, cause the one or more processors to implement the method described in flow 200 or 400.
A computer readable medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the method described in flow 200 or 400.
Fig. 6 illustrates a schematic block diagram of an example electronic device 600 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, wearable devices and other similar computing devices. The components shown here, their connections and relationships, and their functions are meant to be exemplary only and are not meant to limit the implementations of the disclosure described and/or claimed herein.
As shown in fig. 6, the apparatus 600 includes a computing unit 601 that can perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 602 or a computer program loaded from a storage unit 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for the operation of the device 600 may also be stored. The computing unit 601, ROM 602, and RAM 603 are connected to each other by a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
Various components in the device 600 are connected to the I/O interface 605, including: an input unit 606 such as a keyboard, mouse, etc.; an output unit 607 such as various types of displays, speakers, and the like; a storage unit 608, such as a magnetic disk, optical disk, or the like; and a communication unit 609 such as a network card, modem, wireless communication transceiver, etc. The communication unit 609 allows the device 600 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The computing unit 601 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 601 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 601 performs the various methods and processes described above, such as database encryption. For example, in some embodiments, the method of database encryption may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 608. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 600 via the ROM 602 and/or the communication unit 609. When the computer program is loaded into RAM 603 and executed by the computing unit 601, one or more steps of the method of database encryption described above may be performed. Alternatively, in other embodiments, the computing unit 601 may be configured to perform the method of database encryption in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), application specific standard products (ASSPs), systems on chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a server of a distributed system or a server that incorporates a blockchain. The server can also be a cloud server, or an intelligent cloud computing server or an intelligent cloud host with artificial intelligence technology.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel or sequentially or in a different order, provided that the desired results of the technical solutions of the present disclosure are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (10)

1. A method of database encryption, comprising:
acquiring a configuration file of an encryption gateway, wherein the configuration file comprises an address and a port of a database and the data tables and field names to be encrypted and decrypted;
in response to receiving data from a business system, parsing an SQL statement from the data;
parsing keywords and plaintext data from the SQL statement;
if the keywords comprise a data table and a field name to be inserted, detecting whether the data table and field name to be inserted are the same as the encrypted and decrypted data table and field name;
if they are the same, calling a hardware encryptor to encrypt the plaintext data to obtain ciphertext data, and replacing the plaintext data in the SQL statement with the ciphertext data;
and sending the SQL statement to the database according to the address and the port of the database.
2. The method of claim 1, wherein the method further comprises:
if the keywords comprise a data table and a field name to be read, detecting whether the data table and field name to be read are the same as the encrypted and decrypted data table and field name;
if they are the same, acquiring from the database the ciphertext data stored under the data table and field name to be read, and calling the hardware encryptor to decrypt the ciphertext data to obtain plaintext data;
and returning the plaintext data to the business system.
3. The method of claim 1, wherein the method further comprises:
if they are different, forwarding the SQL statement to the database unchanged.
4. The method of claim 1, wherein the parsing out of the data an SQL statement comprises:
determining the type of the database;
and selecting a corresponding database protocol according to the type, and parsing the SQL statement from the data using that protocol.
5. The method of claim 2, wherein the method further comprises:
if they are different, acquiring from the database the data content stored under the data table and field name to be read;
and returning the data content to the business system directly.
6. The method of claim 1, wherein the method further comprises:
and establishing a long-lived connection between the encryption gateway and the database.
7. The method of any of claims 1-6, wherein the hardware encryptor is compliant with the Chinese national cryptographic standards and employs a symmetric encryption algorithm.
8. An apparatus for database encryption, comprising:
an acquisition unit configured to acquire a configuration file of an encryption gateway, wherein the configuration file comprises an address and a port of a database and the data tables and field names to be encrypted and decrypted;
a first parsing unit configured to parse an SQL statement from data received from a business system in response to receiving the data;
a second parsing unit configured to parse keywords and plaintext data from the SQL statement;
a detection unit configured to detect, if the keywords comprise a data table and a field name to be inserted, whether the data table and field name to be inserted are the same as the encrypted and decrypted data table and field name;
an encryption unit configured to, if they are the same, call a hardware encryptor to encrypt the plaintext data to obtain ciphertext data and replace the plaintext data in the SQL statement with the ciphertext data;
and a sending unit configured to send the SQL statement to the database according to the address and the port of the database.
9. An electronic device for database encryption, comprising:
one or more processors;
a storage device having one or more computer programs stored thereon,
which, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-7.
10. A computer readable medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the method of any of claims 1-7.
CN202311169646.8A 2023-09-11 2023-09-11 Database encryption method and device Pending CN117195263A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311169646.8A CN117195263A (en) 2023-09-11 2023-09-11 Database encryption method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311169646.8A CN117195263A (en) 2023-09-11 2023-09-11 Database encryption method and device

Publications (1)

Publication Number Publication Date
CN117195263A true CN117195263A (en) 2023-12-08

Family

ID=88991986

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311169646.8A Pending CN117195263A (en) 2023-09-11 2023-09-11 Database encryption method and device

Country Status (1)

Country Link
CN (1) CN117195263A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117633319A (en) * 2024-01-26 2024-03-01 杭州美创科技股份有限公司 Database automation response method, device, computer equipment and storage medium
CN117633319B (en) * 2024-01-26 2024-04-30 杭州美创科技股份有限公司 Database automation response method, device, computer equipment and storage medium


Similar Documents

Publication Publication Date Title
AU2018241117B2 (en) Hybrid bot framework for enterprises
US11138095B2 (en) Identity propagation through application layers using contextual mapping and planted values
US9361085B2 (en) Systems and methods for intercepting, processing, and protecting user data through web application pattern detection
US20180285596A1 (en) System and method for managing sensitive data
CN110795315A (en) Method and device for monitoring service
CN110858202A (en) Method and device for generating where clause in database query statement
EP3451627A1 (en) Gateway computer system with intermediate data processing according to rules that are specified by templates
CN110795741A (en) Method and device for carrying out security processing on data
CN111783140A (en) Request response method and device, electronic equipment and computer readable storage medium
CN116244682A (en) Database access method, device, equipment and storage medium
CN112825096A (en) Data desensitization method and device
CN107707528B (en) Method and device for isolating user information
CN117195263A (en) Database encryption method and device
CN113609156B (en) Data query and write method and device, electronic equipment and readable storage medium
CN113794706A (en) Data processing method and device, electronic equipment and readable storage medium
CN113761566A (en) Data processing method and device
CN116781425B (en) Service data acquisition method, device, equipment and storage medium
CN116600031B (en) Message processing method, device, equipment and storage medium
CN116208423A (en) Message encryption method, message decryption method, message encryption device and message decryption device and program product
US11882173B1 (en) Capture network communication via client extension
CN115238310A (en) Data encryption and decryption method, device, equipment and storage medium
CN116980205A (en) Micro-service configuration method and device and micro-service ciphertext transmission method and device
CN114297701A (en) User data processing method and device
CN115499402A (en) Instant messaging information processing method, terminal and system
CN114385635A (en) Multi-source data storage method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination