KR101095862B1 - Data encryption apparatus and method, data decoding apparatus, data searching method - Google Patents

Abstract

The present invention encrypts data by using a mapping function that divides [n, m] domain sections by a segmentation scheme to have a range section for each unit character used in the data. After generating using the value in the domain section, the generated encryption value and the character length of the input data are stored in the database, and as the search word is input, the range section corresponding to the first unit character of the search term is searched in the domain section. By dividing the range section by the section division method to have the section for each unit letter, search for the range section for the last character of the search term by searching the range section for the next character of the search term in the searched range section, and encrypt values stored in the database. In the range section for the last character of the search term Search for the value Yes.

In this way, the present invention is applied to a database system when storing and retrieving customer information in the database, as well as the safety of the stored data, as well as provide efficient search results when searching data (matching search, range search, COUNT, etc.) It can work.

Encryption, exact match, bucket, conversion

Description

Data encryption apparatus and method, data decryption apparatus, data retrieval method {DATA ENCRYPTION APPARATUS AND METHOD, DATA DECODING APPARATUS, DATA SEARCHING METHOD}

The present invention relates to an apparatus and method for securely encrypting and storing important data such as customer information and personal information stored in a database, and searching efficiently.

The present invention is derived from a study conducted as part of the IT growth engine technology development project of the Ministry of Knowledge Economy and the Ministry of Information and Telecommunication Research and Development. [Task management number: 2008-S-006-01, Task name: Open IPTV in wired and wireless environment] 2.0) Technology Development].

In general, symmetric key standard encryption algorithms such as DES and AES or public key cryptography algorithms are applied when storing in the database to protect customer information such as social security number and account number. In this case, the symmetric key cryptographic algorithm is faster than the public key cryptographic algorithm. Therefore, the symmetric key cryptographic algorithm is generally used in the database where search performance is important.

However, such a conventional method has a problem of deterioration in performance when searching for encrypted data. The reason is that because the order of cipher texts stored in one column of a specific table of the database is different from the order of plain text before encryption, the search speed optimization by indexing provided by the DBMS cannot be utilized. . In other words, because the order of the plain text and cipher text of the data constituting the column is different, the data constituting the index is different. Especially in the range search, the search is sequentially performed after decrypting all the encrypted data for the search statement requested by the user. Should be done.

Therefore, the speed of retrieving the stored data using the standard encryption algorithm in this way causes a significant speed reduction compared to the speed of storing and retrieving the plain text as it is.

One conventional technique proposed to solve the above problem is a bucket-based index method.

In the conventional bucket-based index method, as shown in FIG. 7, the encryption table may be obtained by applying the bucket-based index method to the original plain text table.

In the encryption table of FIG. 7, the Etuple column is a structure in which original five columns are concatenated and encrypted using a public encryption algorithm (AES, DES, etc.), and each column is encrypted and stored in a bucket-based index method. In the case of Salary columns, λ is assigned between 10 and 20, and ρ is assigned between 20 and 30.

If Salary is greater than 15 and less than 25, first of all, since 15 and 25 correspond to λ and ρ, we get all the values of λ and ρ, and then decode the value of Etuple. So you can see all the plain text Salary corresponds to λ and ρ.

This method encrypts the entire row constituting the original table with the existing encryption algorithm and buckets the data of the column to be used as an index. At this time, all data in the bucket range are assigned the same bucket number, and this value is used as index information. Therefore, in this case, in order to know the exact match value in exact match, additional filtering is required to take the bucket containing the search value, decrypt it, and compare it. You need a filtering process that takes all of them and decrypts all the encrypted values in the bucket.

In other words, in the case of conventional bucketing, when plain text is given, only bucket information (bucket ID) is used by assigning to a specific bucket. That is, bucket information of different plain texts assigned the same bucket is the same.

Conventional bucket-based indexing method does not support exact match and range search because it knows after decrypting all encrypted values with same bucket ID in order to get accurate value. Since the information must also be decoded, it can also cause safety issues that can expose additional information.

In the conventional bucket-based indexing method, since only the bucket ID is used, there is a problem that the security speed problem is caused by exposing unnecessary plain text information as well as the search speed due to additional filtering.

The present invention encrypts by applying a mapping process and a conversion process for not only numbers but also characters, so that data columns can be safely encrypted and stored, and match and range search can be efficiently performed.

The data encryption apparatus according to the present invention is a data encryption method using a mapping function for dividing a domain section set to have a gamut section for each unit character used in the data in a section division method. Retrieving a gamut section corresponding to the first character of the encryption request data in a section; dividing the searched gamut section by the section division method; and then searching for a second character of the encryption request data in the divided range section. Generating an encryption value of the encryption request data by searching for a region of the last character of the encryption request data in a manner of searching for a region of the encryption section, and encrypting the generated encryption value and the character length of the encryption request data. To store in the database Include.

In accordance with another aspect of the present invention, a data decoding apparatus includes: a mapping unit configured to divide a domain section set to have a range section for each unit character used for data by a section partitioning method, and to map the range section to each of the unit characters, and an encryption value and a character length. In response to receiving a search, the domain section to which the encryption value belongs in the domain section, and extracts the character mapped to the searched section, re-dividing the searched section in the segmentation scheme, in the redivided section And a decryption unit which extracts the final data corresponding to the character length and the encryption value by extracting a character mapped to the region including the encryption value.

The data encryption method according to the present invention is a data encryption method using a mapping function for dividing a domain section set to have a gamut section for each unit character used for the data in a section division method. Retrieving a gamut section corresponding to the first character of the encryption request data in a section; dividing the searched gamut section by the section division method; and then searching for a second character of the encryption request data in the divided range section. Generating an encryption value of the encryption request data by searching for a region of the last character of the encryption request data in a manner of searching for a region of the encryption section, and encrypting the generated encryption value and the character length of the encryption request data. To store in the database Include.

The data retrieval method according to the present invention is a data retrieval method using a mapping function for dividing a domain section set to have a gamut section for each unit letter used in the data by an interval division method, wherein an encryption value for input data is converted into the domain. Generating the encrypted value and the character length of the input data in a database after receiving the generated value using a value within a section; receiving a search term for searching the database; Searching for a range of sections corresponding to a first letter, dividing the searched range of sections by the section division method, and then searching the range of sections for the second letter of the search word in the found range of sections; Searching for a range of characters for a character, From the database comprises the steps of searching for values corresponding to the station interval for the last character of the search step for searching the encryption values contained in the section station for the last character of the search term.

The present invention is applied to a database system when storing and retrieving customer information in the database, as well as the safety of the stored data, as well as can efficiently provide search results when searching data (matching search, range search, COUNT, etc.) It works.

Also. The present invention satisfies the safety and the efficiency of the search compared to the existing database encryption and retrieval methods, thereby protecting important personal information not only in the content service provider but also in national institutions, ISPs, portals, financial institutions, etc. that use the database system. Can be utilized.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. In addition, in describing the present invention, when it is determined that the detailed description of the related known configuration or function may obscure the gist of the present invention, the detailed description thereof will be omitted.

1 is a block diagram illustrating an encryption apparatus according to an exemplary embodiment of the present invention, which includes a mapping unit 100, a conversion unit 120, and an encryption unit 140.

The mapping unit 100 divides the [n, m] domain section to have a range section for each unit letter used for the input data in a predetermined section division method. That is, the mapping unit 100 maps input data, for example, characters, numbers, alphabets, Korean characters, and special characters constituting the plain text to have a range section within a domain section. In other words, as shown in FIG. 2A, the domain sections of [0, 1] are divided into a plurality of range sections, and then unit letters are assigned to each range section and mapped. For example, the unit letter 'S' has a range of [0, 0.05], 'Y' has a range of [0.5, 0.52], and 'K' has a range of [0.9, 1]. Have

In the present invention, the unit character used as input data includes numbers, alphabets, Korean characters, special characters, and the like.

The conversion unit 120 searches for a range section corresponding to the first letter of the input data in the domain section [0, 1] having different range sections for each unit letter, and has a range section for each unit letter. After re-dividing by the segmentation scheme, searching for the range of the last character of the input data by searching for the range of the second character of the input data in the range of re-divided range and then encrypting the retrieved range to the encryption unit 140 to provide.

The encryption unit 140 encrypts the input data using the gamut section for the last character and the character length of the input data, that is, randomly selects a number in the gamut section for the last character to generate an encryption value for the input data. In addition, the character length is encrypted using a preset method such as AES and DES.

For example, the encryption process described above will be described below.

That is, when the unit number or character constituting the input data, for example, the plain text x is x1, x2, ....., xn, the final encrypted value y is generated through the mapping process and the conversion process. The explanation is as follows. Here, x may be created using alphabets and numbers.

When the input data is called SKY, the encrypted value y becomes Ek (x), where x = (x1, x2, x3) = (SKY).

When the mapping section 100 says that the domain section is [0, 1] and the number of unit character values that can be used for the input data is 26, as shown in FIG. 2A, the mapping section 100 determines the domain section [0, 1]. Divide to have more than 26 range sections, and each unit letter corresponds to each range section.

The conversion unit 120 searches for a region for the first letter 'S' of the input data in a domain section having a plurality of regions, that is, searches for a region [0, 0.05] for the first 'S'. . Then, the transforming unit 120 repartitions the retrieved range section [0, 0.05] in a section division method to have different range sections for each unit letter as shown in FIG. 2B, and then inputs data in the divided section section. Search for [0.045, 0.05], which is the range of the second letter of 'K', divide the retrieved range of the second letter of 'K' by the segmentation method, and then add [0.0475, the range of the third letter of 'Y'. , 0.0476]. The retrieved range section, that is, the range section for the last character of the input data is provided to the encryption unit 140 together with the input data.

The encryption unit 140 randomly selects a random number from [0.0475, 0.0476], which is a range for the last character, and encrypts the character by using a character length of the input data using a predetermined encryption method such as AES or DES. This outputs an encrypted value and an encrypted character length value for the input data. That is, the encryption unit 140 encrypts and outputs the number "0.04759" included in the [0.0475, 0.0476] range of the last character and "3" which is the character length of the input data.

Although the encryption unit 140 has been described as an example of encrypting the character length in the present invention, only the encryption value and the character length included in the [0.0475, 0.0476] range of the last character may be output.

When the above encryption process is represented by an algorithm, it is as shown in FIG.

4 is a block diagram illustrating a decoding apparatus according to the present invention, and includes a mapping unit 400 and a decoding unit 410.

The mapping unit 400 performs the same function as the mapping unit 100 in the encryption apparatus of FIG. 1, that is, the [n, m] domain to have a gamut section for each unit letter used for the input data in a predetermined section division method. Divide the interval.

The decryption unit 410 receives the encrypted value and the length of the character, searches for the first range section to which the encrypted value belongs in the domain section, and extracts the unit character corresponding to the retrieved range section, and the first range searched by the section division method. After dividing the interval, the data corresponding to the encryption value is restored by extracting the second region including the encryption value from the divided first region and the unit character corresponding thereto.

An example of the decoding process is as follows. That is, the case where the encryption value 0.04759 and the character length 3 are input to the decryption apparatus in the encryption process will be described below.

The decoder 410 searches for the first range in which the encryption value 0.04759 belongs in the domain section having the range section for each unit letter, and then searches for “S” which is the unit letter set in the first range section. You can find it.

Then, the decoder 410 divides the first range interval into a plurality of range intervals by dividing the domain interval into domain domains, that is, the interval partitioning scheme used by the mapping unit 400, and then encrypts the first range interval. The second character can be found by searching for the second range containing the value, and by searching for the unit letter "K" set in the second range, and in this way the third character "Y". Can be.

Accordingly, the decryption unit 410 may recover the data corresponding to the encryption value by searching for the string “SKY” corresponding to the encryption value 0.04759, and this decryption algorithm is represented as shown in FIG. 5.

A process of encrypting and retrieving data, such as subscriber information, stored in a database of a content service provider using an encryption apparatus and a decryption apparatus as described above will be described with reference to FIGS. 6A to 6C. In this case, it is assumed that the subscriber information includes customer name, social security number, and content information used.

FIG. 6A is a diagram illustrating a subscriber information table before encryption. FIG. 6B is an encryption table showing a result of encrypting a subscriber information table through an encryption process. FIG. 6C is data corresponding to an encrypted value in a subscriber information table. A character length encryption table showing a result of encrypting a character length of a character using a standard encryption algorithm.

When the encryption apparatus of the present invention receives the subscriber information table as shown in FIG. 6A, the data of each field in the table is encrypted as shown in FIG. 6B through the encryption process described above. Create an encryption table as shown.

In addition, the encryption apparatus of the present invention encrypts the number of characters of data belonging to each field by a standard algorithm to generate a character length encryption table as shown in Fig. 6C. The generated encryption table and character length encryption table are stored in a database operated by a content service provider.

On the other hand, when a search word for searching for the use content used by the subscriber, for example, "SKY" is input, the encryption apparatus of the present invention performs the encryption period of the input search word including the final character, that is, [0.0475, 0.0476]. Search.

Then, an encryption value included in [0.0475, 0.0476], which is the range of the last character, is retrieved from the encryption table in which the encryption values of the used content are stored, and each character length encryption value corresponding to the encryption value retrieved from the character length encryption table is retrieved. After searching, the found encryption value and the character length encryption value are output to the decryption apparatus.

Accordingly, the decryption apparatus decrypts the character length encryption value using a standard encryption algorithm to calculate the character length, and decrypts the calculated character length and the encryption value through a decryption process as described above to generate data corresponding to the search word. do.

The present invention has been limited to the embodiments of the present invention, but it is obvious that the technology of the present invention can be easily modified by those skilled in the art. Such modified embodiments should be included in the technical spirit described in the claims of the present invention.

1 is a block diagram showing a data encryption apparatus according to the present invention,

2A to 2C are diagrams for describing a mapping process and a transformation process according to the present invention.

3 is a diagram illustrating an encryption algorithm applied to an encryption apparatus according to the present invention.

4 is a block diagram showing a data decoding apparatus according to the present invention;

5 is a diagram illustrating a decoding algorithm applied to a data decoding apparatus according to the present invention.

6A is a diagram illustrating a subscriber information table before being encrypted.

6B is an encryption table showing a result of encrypting a subscriber information table through an encryption process.

6C is a character length encryption table showing a result of encrypting a character length of data corresponding to an encrypted value in a subscriber information table using a standard encryption algorithm.

7 is a diagram illustrating a conventional bucket-based index method.

Claims (11)

A mapping unit for dividing a domain section which is preset to have a range section for each unit letter used for data by a section partitioning method; Search for a range of sections corresponding to the first character of the ciphertext received from the outside in the domain section, and then repartition them using the section partitioning method, and the range of sections corresponding to the second letter of the ciphertext in the repartitioned range of sections A converting unit for searching a range section for the last character of the cipher text by a method of re-dividing by a section division method; An encryption unit for generating an encryption value of the cipher text using the range of the last character retrieved by the conversion unit, and calculates the character length of the cipher text Data encryption device comprising a. The method of claim 1, And the encryption unit generates a random number included in a range of the retrieved last character as an encryption value of the cipher text. The method of claim 1, And the encryption unit encrypts the calculated character length in an AES or DES manner. A mapping unit for dividing a preset domain section to have a section section for each unit letter used for data by section partitioning, and mapping the section section to each unit letter; Receiving an encryption value and a character length, searching for a region to which the encryption value belongs in the domain section, extracting a character mapped to the searched region, repartitioning the found region to the segmentation scheme, and A decoder that extracts the final data corresponding to the character length and the encryption value by extracting a character mapped to the region including the encryption value in the subdivided range Data decoding apparatus comprising a. The method of claim 4, wherein The decoding unit, And a character length encrypted by a predetermined encryption algorithm. The method of claim 5, And the decryption unit is configured to extract the final data corresponding to the encryption value after decrypting the encrypted character length with the predetermined encryption algorithm. A data encryption method using a mapping function that divides a domain section set to have a range section for each unit character used for data in a section division method, Retrieving a gamut section corresponding to the first character of the encryption request data in the domain section as encryption request data is input; After dividing the retrieved range section by the section division method, the range section for the last character of the encryption request data is searched by searching for the range section for the second character of the encryption request data in the divided range section. Generating an encryption value of the encryption request data; Encrypting the generated encryption value and the character length of the encryption request data and storing them in a database Data encryption method comprising a. The method of claim 7, wherein Storing in the database, And selecting a random number in the range region for the last character of the encryption request data to generate the encryption value, and storing the random number in the database together with the character length of the encryption request data. The method of claim 7, wherein Storing in the database, And encrypting the character length using an AES or DES method and storing the character length in the database. A data retrieval method using a mapping function for dividing a domain section set to have a range section for each unit letter used for data by a section partitioning method, Generating an encryption value for input data using a value within the domain section, and storing the generated encryption value and the character length of the input data in a database; Receiving a search term for searching the database; Searching for a range section corresponding to the first letter of the search word in the domain section; Retrieving the range of the last character of the search word by dividing the retrieved range of interval by the section division method and searching the range of the second letter of the search term in the searched range of interval; Retrieving an encryption value included in a gamut section for the last character of the search word from the database; Data retrieval method comprising a. 11. The method of claim 10, The data retrieval method, Receiving the encryption value and the character length retrieved from the database and searching the domain section to which the retrieved encryption value belongs in the domain section in the domain section to extract the first character corresponding to the encryption value; Dividing the searched range by the interval division method, searching for a range within which the retrieved encryption value belongs, and extracting a second character corresponding to the encryption value from the divided range; Repeating the above steps to extract final data corresponding to the character length and the encryption value retrieved from the database Data retrieval method comprising more.

Images