
CN116415264A - Application method, device, equipment and medium for database encryption - Google Patents


Publication number
CN116415264A
Authority
CN
China
Prior art keywords
column
row
key
database
identifier
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111643604.4A
Other languages
Chinese (zh)
Inventor
邵波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Aisino Corp
Original Assignee
Aisino Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Aisino Corp
Priority to CN202111643604.4A
Publication of CN116415264A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/23 Updating
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25 Integrating or interfacing systems involving database management systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computational Linguistics (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Mathematical Physics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The embodiment of the invention provides a database encryption application method, device, equipment and medium, which are used for improving the security of a database. In the embodiment of the invention, the electronic equipment encrypts the data contained in each target column of the database whose queried frequency exceeds a preset threshold value, and then, for each row in the database, encrypts the data in that row which is not yet encrypted. The database is therefore not encrypted as a single whole, which makes the encryption mode more flexible, and the whole data contained in the database does not have to be decrypted when decryption is performed, so that the security of the database is ensured and the encryption flexibility of the database is improved.

Description

Application method, device, equipment and medium for database encryption
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a database encryption application method, device, equipment, and medium.
Background
With the development of society, it is common for enterprise information systems to hold data for a large number of high-value users, which are stored in databases. The data in the database is the core asset of the enterprise and is also the target of attackers; once leaked, it would cause immeasurable loss to the enterprise. In order to protect the interests of enterprises, attention must be paid to enterprise data security; the database is the key point of security protection, and encrypting the data in the database is the most economical and effective means of security protection. When data is stored in a database, typically the relevant data for a certain user is stored in the same row of the database and the same type of data for different users is stored in the same column of the database. For example, registration data of a user on a shopping site is stored in the same row of the database, and data of the same type, such as "age", contained in the registration data of all users on the shopping site is stored in the same column of the database.
In the prior art, the whole data contained in the database is encrypted; however, encrypting the whole data contained in the database is complicated. Moreover, an important characteristic of a database is that it is highly shared: it is often used by a plurality of users and must accept a large number of random accesses. Generally, a user retrieves a certain piece of data from the database in order to obtain the relevant data of the user corresponding to the retrieved data. If the prior-art method of encrypting the whole data contained in the database is adopted, the whole data contained in the database needs to be decrypted even if only the relevant data of a certain user is needed. Decrypting the whole data contained in the database reduces the performance of the system, and because every piece of data contained in the database is obtained during such decryption, unnecessary data is decrypted as well, which reduces the security of the database. The prior-art method of encrypting a database therefore does not make the database highly secure.
Disclosure of Invention
The embodiment of the invention provides a database encryption application method, device, equipment and medium, which are used for improving the security of a database.
In a first aspect, an embodiment of the present invention provides a method for applying database encryption, where the method includes:
acquiring queried frequency of each column in a database, determining each target column of which queried frequency exceeds a preset threshold value, and encrypting data contained in each target column by adopting a preset first encryption key;
for each row in the database, encrypting the unencrypted data in the row by using a second encryption key.
Further, the method further comprises:
and for each row, acquiring a second key corresponding to the second encryption key of the row according to the corresponding relation between the pre-stored encryption key and the key, and recording the corresponding relation between the row identification of the row and the second key.
Further, the method further comprises:
according to the corresponding relation between the pre-stored keywords and the column identifications, acquiring each target keyword corresponding to the column identifications of the column with the queried frequency exceeding the preset threshold value, and adding the corresponding relation between each target keyword and the corresponding column identification into the corresponding relation between the decryption-related column identifications and the keywords.
Further, the method further comprises:
if a query instruction is received, acquiring a query keyword carried in the query instruction, judging whether the corresponding relation between a pre-stored decryption related column identifier and the keyword contains the query keyword, and if so, acquiring a first column identifier corresponding to the query keyword;
decrypting data contained in the encrypted column in the database using a pre-stored first key; acquiring a query condition carried in the query instruction, and determining first target data meeting the query condition according to each data contained in the decrypted first column identification corresponding column and the query condition; acquiring a first row identifier of a row where the first target data is located, acquiring a third key corresponding to the first row identifier according to a pre-stored correspondence between the row identifier and the key, decrypting data contained in the row corresponding to the first row identifier in the database by adopting the third key, and acquiring the data contained in the row where the first target data is located.
Further, the method further comprises:
if the corresponding relation between the stored decrypting related column identification and the keyword does not contain the query keyword, decrypting the data contained in the encrypted column in the database by adopting a pre-stored first key; for each row, determining a fourth key corresponding to the row identifier of the row according to the corresponding relation between the stored row identifier and the key, and decrypting the row by adopting the fourth key;
Acquiring a second column identifier corresponding to the query keyword according to a pre-stored corresponding relation between the column identifier and the keyword, acquiring a query condition carried in the query instruction, determining second target data meeting the query condition according to each data contained in the decrypted second column identifier corresponding column and the query condition, and acquiring data contained in a row where the second target data is located.
Further, the method further comprises:
and updating the queried times of the column identification corresponding column corresponding to the query keyword.
Further, the method further comprises:
if the updating condition is met currently, determining the queried frequency of each column according to the queried times of each column in the database and the total queried times; if the queried frequency exceeds a preset threshold value and the column which is not encrypted exists, or if the queried frequency does not exceed the preset threshold value and the column which is encrypted exists, decrypting data contained in the column which is encrypted in the database by adopting the first key; for each row, determining a fifth key corresponding to the row identifier of the row according to the corresponding relation between the stored row identifier and the key, and decrypting the row by adopting the fifth key;
For each column of which the queried frequency exceeds a preset threshold value, encrypting data contained in each column of which the queried frequency exceeds the preset threshold value by adopting a first encryption key corresponding to a first key stored in advance;
and for each row, acquiring a sixth key corresponding to the row identifier according to the corresponding relation between the row identifier and the key, and encrypting the unencrypted data in the row by adopting a third encryption key corresponding to the sixth key.
Further, the method further comprises:
acquiring a third column identifier of a column which is queried and is not encrypted, acquiring a target keyword corresponding to the third column identifier according to a pre-stored corresponding relation between the column identifier and the keyword, and adding the corresponding relation between the third column identifier and the target keyword into a corresponding relation between the decryption-related column identifier and the keyword; and removing column identifiers of columns with the queried frequency lower than a preset threshold value and corresponding keywords from the corresponding relation between the decrypting related column identifiers and the keywords.
In a second aspect, an embodiment of the present invention further provides an application apparatus for encrypting a database, where the apparatus includes:
The processing module is used for acquiring the queried frequency of each column in the database, determining each target column with the queried frequency exceeding a preset threshold value, and encrypting data contained in each target column by adopting a preset first encryption key;
and the encryption module is used for encrypting the data which is not encrypted in each row in the database by adopting a second encryption key.
Further, the processing module is further configured to obtain, for each row, a second key corresponding to a second encryption key of the row according to a pre-stored correspondence between the encryption key and the key, and record a correspondence between a row identifier of the row and the second key.
Further, the processing module is further configured to obtain, according to a pre-stored correspondence between keywords and column identifiers, each target keyword corresponding to a column identifier of a column whose queried frequency exceeds a preset threshold, and add the correspondence between each target keyword and a corresponding column identifier to a correspondence between a decryption-related column identifier and a keyword.
Further, the processing module is further configured to, if a query instruction is received, obtain a query keyword carried in the query instruction, determine whether a corresponding relationship between a pre-stored decryption-related column identifier and the keyword includes the query keyword, and if yes, obtain a first column identifier corresponding to the query keyword; decrypting data contained in the encrypted column in the database using a pre-stored first key; acquiring a query condition carried in the query instruction, and determining first target data meeting the query condition according to each data contained in the decrypted first column identification corresponding column and the query condition; acquiring a first row identifier of a row where the first target data is located, acquiring a third key corresponding to the first row identifier according to a pre-stored correspondence between the row identifier and the key, decrypting data contained in the row corresponding to the first row identifier in the database by adopting the third key, and acquiring the data contained in the row where the first target data is located.
Further, the processing module is further configured to decrypt, if the stored correspondence between the decryption-related column identifier and the keyword does not include the query keyword, data included in the encrypted column in the database by using a first key stored in advance; for each row, determining a fourth key corresponding to the row identifier of the row according to the corresponding relation between the stored row identifier and the key, and decrypting the row by adopting the fourth key; acquiring a second column identifier corresponding to the query keyword according to a pre-stored corresponding relation between the column identifier and the keyword, acquiring a query condition carried in the query instruction, determining second target data meeting the query condition according to each data contained in the decrypted second column identifier corresponding column and the query condition, and acquiring data contained in a row where the second target data is located.
Further, the processing module is further configured to update the number of times that the column identifier corresponding to the query keyword corresponds to the queried column.
Further, the processing module is further configured to determine, if the update condition is currently satisfied, a frequency of each column being queried according to the number of times each column is queried in the database and the total number of times of querying; if the queried frequency exceeds a preset threshold value and the column which is not encrypted exists, or if the queried frequency does not exceed the preset threshold value and the column which is encrypted exists, decrypting data contained in the column which is encrypted in the database by adopting the first key; for each row, determining a fifth key corresponding to the row identifier of the row according to the corresponding relation between the stored row identifier and the key, and decrypting the row by adopting the fifth key;
For each column of which the queried frequency exceeds a preset threshold value, encrypting data contained in each column of which the queried frequency exceeds the preset threshold value by adopting a first encryption key corresponding to a first key stored in advance;
and for each row, acquiring a sixth key corresponding to the row identifier according to the corresponding relation between the row identifier and the key, and encrypting the unencrypted data in the row by adopting a third encryption key corresponding to the sixth key.
Further, the processing module is further configured to obtain a third column identifier of a column that is queried with a frequency exceeding a preset threshold and is not encrypted, obtain a target keyword corresponding to the third column identifier according to a pre-stored correspondence between column identifiers and keywords, and add the correspondence between the third column identifier and the target keyword to a correspondence between a decryption-related column identifier and keywords; and removing column identifiers of columns with the queried frequency lower than a preset threshold value and corresponding keywords from the corresponding relation between the decrypting related column identifiers and the keywords.
In a third aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes at least a processor and a memory, where the processor is configured to implement, when executing a computer program stored in the memory, the steps of the method for applying database encryption as described in any one of the foregoing.
In a fourth aspect, embodiments of the present invention further provide a computer-readable storage medium storing a computer program, which when executed by a processor, implements the steps of the method for applying database encryption as described in any one of the above.
In the embodiment of the invention, when the electronic equipment encrypts the database, it first obtains the queried frequency of each column in the database, determines each target column whose queried frequency exceeds a preset threshold value, and encrypts the data contained in each target column by adopting a preset first encryption key. For each row in the database, the data in the row that is not encrypted is then encrypted using a second encryption key. Because the electronic equipment encrypts the data contained in each target column whose queried frequency exceeds the preset threshold value, and encrypts the not-yet-encrypted data in each row, the database is not encrypted as a single whole, which makes the encryption mode more flexible, and the whole data contained in the database does not have to be decrypted when decryption is performed, so that the security of the database is ensured and the encryption flexibility of the database is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an application process of database encryption according to an embodiment of the present invention;
FIG. 2 is a method for encrypting a standby database according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an application device for encrypting a database according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail below with reference to the attached drawings, wherein it is apparent that the embodiments described are only some, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In order to improve the security of a database, the embodiment of the invention provides a database encryption application method, a device, equipment and a medium.
Example 1:
fig. 1 is a schematic diagram of an application process of database encryption according to an embodiment of the present invention, where the process includes the following steps:
s101: acquiring queried frequency of each column in a database, determining each target column with queried frequency exceeding a preset threshold value, and encrypting data contained in each target column by adopting a preset first encryption key.
The application method of the database encryption provided by the embodiment of the invention is applied to the electronic equipment, and the electronic equipment can be intelligent equipment such as a PC or a server.
In the embodiment of the invention, when encrypting the database, the queried frequency of each column in the database can be acquired first. Wherein the frequency of each column in the database is determined according to the number of times each column is queried and the total number of times the query is performed. After the queried frequency of each column in the database is obtained, the electronic equipment determines each target column of which the queried frequency exceeds a preset threshold value in each column, and encrypts data contained in each target column by adopting a preset first encryption key. The preset threshold may be any value greater than 0 and less than 1, for example, may be 0.3.
In addition, if the database includes 10 columns, wherein 3 columns are queried more frequently than a preset threshold value, each data included in the 3 columns is encrypted by using the first encryption key.
Wherein, when determining the queried frequency of each column, the queried times of each column can be determined first. The electronic device may determine the number of times each column is queried by parsing the SQL statement in the application interface in a pre-set manner, or may determine the number of times each column is queried in modes such as "view" + "trigger" + "extended index" + "external call" in a post-set manner. After determining the number of times each column is queried, the frequency at which each column is queried is then determined. The view may be any column in the database, where the column to be screened is a column to be queried, and the number of times the column to be screened is queried is updated; the external calling is to call the data contained in a certain column in the database by adopting a preset program, the called column is the queried column, and the queried times of the called column are updated; the expansion index is that a user adjusts certain data, when other data in the database is correspondingly adjusted, the column of the data adjusted by the user is the queried column, and the queried times of the column of the data adjusted by the user are updated.
S102: for each row in the database, encrypting the unencrypted data in the row by using a second encryption key.
Since, in the embodiment of the present invention, the data included in the columns whose queried frequency is lower than the preset threshold is not encrypted by the column encryption, in order to ensure the security of the data in the database, for each row in the database, the data in the row that is not encrypted may be encrypted by using the second encryption key. Thus every piece of data in the database is encrypted, and the way it is encrypted depends on the queried frequency of each column, which better matches what decryption requires.
For example, the database includes 10 columns, wherein the frequency of querying 3 columns exceeds a preset threshold, each data included in the 3 columns is encrypted, and the data of the other 7 columns in the database are encrypted in a row mode respectively.
In the embodiment of the invention, the electronic device encrypts, row by row, the data that was left unencrypted by the column encryption, that is to say, it encrypts the not-yet-encrypted data contained in a given row. The encryption keys used for the rows may be the same or different. To avoid the situation where obtaining the key that decrypts the data contained in one row allows the data contained in other rows to be decrypted with that key, the encryption key used for each row can be different, which safeguards the data. Specifically, a plurality of second encryption keys may be stored in advance, and when encrypting the unencrypted data included in a certain row, one of the second encryption keys may be selected at random to encrypt the unencrypted data included in the row.
In the embodiment of the invention, the electronic equipment encrypts the data contained in each target column of the database whose queried frequency exceeds the preset threshold value, and then, for each row in the database, encrypts the data in that row which is not yet encrypted. The database is therefore not encrypted as a single whole, which makes the encryption mode more flexible, and the whole data contained in the database does not have to be decrypted when decryption is performed, so that the security of the database is ensured and the encryption flexibility of the database is improved.
Example 2:
in order to facilitate querying data in a database, in the embodiment of the present invention, on the basis of the foregoing embodiment, the method further includes:
and for each row, acquiring a second key corresponding to the second encryption key of the row according to the corresponding relation between the pre-stored encryption key and the key, and recording the corresponding relation between the row identification of the row and the second key.
Since the electronic device may need to decrypt a certain row when acquiring the data contained in the database, it is necessary to determine the key with which that row can be decrypted. Thus, in an embodiment of the present invention, the electronic device may record, for each row, a correspondence between the row identifier of the row and the key that can decrypt the row.
Specifically, the electronic device stores in advance a correspondence between an encryption key and a key, where the key is one that can decrypt data encrypted by the encryption key. According to this pre-stored correspondence, the electronic equipment determines the second key corresponding to the second encryption key that was used to encrypt the unencrypted data in each row; the second key is the key capable of decrypting the row, and the electronic equipment records the correspondence between the row identifier of the row and the second key.
In addition, in the embodiment of the present invention, the electronic device may record the correspondence between the row identifier and the key in the configuration file, and in addition, the configuration file may also record a first encryption key for encrypting the data included in the column, and a first key corresponding to the first encryption key, that is, the electronic device may record the key for encrypting and decrypting the database in the configuration file.
In order to facilitate querying data in a database, on the basis of the foregoing embodiments, in an embodiment of the present invention, the method further includes:
according to the corresponding relation between the pre-stored keywords and the column identifications, acquiring each target keyword corresponding to the column identifications of the column with the queried frequency exceeding the preset threshold value, and adding the corresponding relation between each target keyword and the corresponding column identification into the corresponding relation between the decryption-related column identifications and the keywords.
Since when the data in the database is queried, if the queried content is the data in the encrypted column, the electronic device decrypts the encrypted column first and then decrypts the row in which the queried content is located. If the contents of the query are not data in the encrypted column, the electronic device decrypts the encrypted column and each row. In addition, the query instruction carries a query keyword, so in order to facilitate determining how to decrypt, the electronic device may store a correspondence between the column identifier related to decryption and the keyword.
Specifically, the correspondence between the keywords and the column identifiers is pre-stored in the electronic device, the electronic device determines the column identifier of the column with the queried frequency exceeding the preset threshold, determines each target keyword corresponding to the column identifier, and adds the correspondence between each target keyword and the column identifier to the correspondence between the decryption related column identifier and the keywords.
Example 3:
in order to query the data contained in the database, on the basis of the above embodiments, in an embodiment of the present invention, the method further includes:
if a query instruction is received, acquiring a query keyword carried in the query instruction, judging whether the corresponding relation between a pre-stored decryption related column identifier and the keyword contains the query keyword, and if so, acquiring a first column identifier corresponding to the query keyword;
Decrypting data contained in the encrypted column in the database using a pre-stored first key; acquiring a query condition carried in the query instruction, and determining first target data meeting the query condition according to each data contained in the decrypted first column identification corresponding column and the query condition; acquiring a first row identifier of a row where the first target data is located, acquiring a third key corresponding to the first row identifier according to a pre-stored correspondence between the row identifier and the key, decrypting data contained in the row corresponding to the first row identifier in the database by adopting the third key, and acquiring the data contained in the row where the first target data is located.
In the embodiment of the invention, when a data query is performed, the electronic device first receives the query instruction, which carries the query keyword, and then obtains the query keyword carried in the query instruction. Specifically, the query instruction contains the query keyword but may also contain other content. To accurately determine the query keyword carried in the query instruction, a keyword library may be preset in which each keyword that the database may provide is stored; the keywords in the keyword library are matched against the content of the query instruction, and the successfully matched keywords are the query keywords carried in the query instruction. The obtained query keyword may be any keyword, for example, "doctor", "year", "thread", etc.
In the embodiment of the invention, the data contained in part of the columns in the database are encrypted, and in order to facilitate the inquiry of the data, the corresponding relation between the column identifiers related to decryption and the keywords is also stored in the electronic equipment, wherein the corresponding relation is the column identifiers corresponding to the encrypted columns in the database and the keywords corresponding to the encrypted columns. For example, if a column identifier is a column name, and the column name of a certain column is "age", the keyword corresponding to the column identifier may include "age", and the correspondence between "age" and "age" is saved; if the column name of a certain column is "occupation", the keyword corresponding to the column identifier may include "doctor", and then the correspondence between "occupation" and "doctor" is saved.
If the corresponding relation between the decrypting related column identification and the keyword contains the query keyword, determining a first column identification corresponding to the query keyword. In the embodiment of the invention, the encrypted column is a column of which the queried frequency exceeds a preset threshold value. For example, a database of 10 columns total, wherein 3 columns are queried more frequently than a preset threshold, the data contained in the 3 columns is encrypted.
After the electronic device obtains the first column identifier corresponding to the query keyword, the data contained in the column corresponding to the first column identifier is still encrypted. To make it possible to determine the data to be queried, in the embodiment of the present invention the electronic device pre-stores the decryption key corresponding to the encryption key used to encrypt the data contained in the columns of the database. The electronic device obtains this pre-stored decryption key, that is, the first key, and uses it to decrypt the data contained in the encrypted columns of the database.
After decrypting the data contained in the encrypted column in the database, the electronic device can obtain the query condition carried in the query instruction. Specifically, the query condition is included in the query instruction, but the query instruction may also include other contents, and in order to accurately determine the query condition carried in the query instruction, a condition library may be preset, where each condition that may be provided by the database may be stored in the condition library, for example, conditions such as "over 30 years old", "doctor" may be stored. The electronic equipment determines the condition matched with the content contained in the query instruction in the condition library as the query condition carried in the query instruction. For example, the condition library stores "30 years old and above", and the query instruction includes "30 years old and above", and the "30 years old and above" is determined as the query condition carried in the query instruction.
For each piece of data contained in the column corresponding to the first column identifier, the electronic device determines whether the data meets the query condition and, if it does, determines the data to be first target data. Specifically, the query condition may be specific data, such as "doctor", or range-related condition information, such as "30 years old or older". If the query condition is specific data, the data in the column corresponding to the first column identifier that is identical to the query condition is determined to be the first target data; if the query condition is range-related condition information, the data in that column that satisfies the query condition is determined to be the first target data. For example, if the query condition is "doctor", the data "doctor" in the column corresponding to the first column identifier is determined to be the first target data; if the query condition is "over 30 years old", the data in that column that satisfies over 30 years old is determined to be the first target data.
After the first target data in the column corresponding to the first column identifier is obtained, the electronic device obtains a first row identifier of the row where the first target data is located, where the first row identifier may be the number, in the database, of the row where the first target data is located. In the embodiment of the invention, in order to ensure the security of the users' data in the database, the data contained in each row is encrypted by row encryption.
To make it possible to decrypt the encrypted rows in the database, a correspondence between row identifiers and keys is stored in the electronic device, in which the key corresponding to each row identifier is the decryption key corresponding to the encryption key used to encrypt the row data of that row identifier. After the first row identifier of the row where the first target data is located is obtained, the electronic device looks up the third key corresponding to the first row identifier in the pre-stored correspondence between row identifiers and keys, and uses the third key to decrypt the data that can be decrypted in the row corresponding to the first row identifier, thereby obtaining the data contained in the row where the first target data is located.
In the embodiment of the invention, the whole database does not need to be decrypted: each piece of data contained in the row of the first target data that meets the query condition can be obtained by decrypting only the encrypted column and the row in which that first target data is located, which improves the efficiency of data query.
Example 4:
In order to accurately perform data query, on the basis of the above embodiment, in an embodiment of the present invention, the method further includes:
if the corresponding relation between the stored decrypting related column identification and the keyword does not contain the query keyword, decrypting the data contained in the encrypted column in the database by adopting a pre-stored first key; for each row identifier, determining a fourth key corresponding to the row identifier according to the corresponding relation between the stored row identifier and the key, and decrypting data contained in the row corresponding to the row identifier by adopting the fourth key;
acquiring a second column identifier corresponding to the query keyword according to a pre-stored corresponding relation between the column identifier and the keyword, acquiring a query condition carried in the query instruction, determining second target data meeting the query condition according to each data contained in the decrypted second column identifier corresponding column and the query condition, and acquiring data contained in a row where the second target data is located.
In the embodiment of the present invention, if the correspondence between the stored decryption-related column identifier and the keyword does not include the query keyword, it is indicated that the column corresponding to the query keyword is not separately encrypted, and in this case, in order to obtain each data included in the column corresponding to the query keyword, the entire database needs to be decrypted. Specifically, when decrypting the whole database, the data contained in the encrypted column in the database can be decrypted by adopting the first key stored in advance, and for each row identifier, a fourth key corresponding to the row identifier is determined according to the corresponding relation between the stored row identifier and the key, and the data contained in the row corresponding to the row identifier is decrypted by adopting the fourth key, so that the decrypted database is obtained.
The correspondence between column identifiers and keywords is stored in the electronic device in advance. According to this correspondence, the electronic device obtains the second column identifier corresponding to the query keyword and, for each piece of data contained in the column corresponding to the second column identifier, determines whether the data meets the query condition carried in the query instruction. If it does, the data is determined to be second target data, and the data contained in the row where the second target data is located is obtained from the decrypted database.
Example 5:
In order to accurately encrypt the database, in the embodiments of the present invention, the method further includes:
and updating the queried times of the column identification corresponding column corresponding to the query keyword.
In order that the encrypted columns in the database are the columns whose queried frequency is higher than the preset threshold, in the embodiment of the invention, each time a query instruction is received, the number of times each column has been queried and the total number of query instructions received are re-determined, and the queried frequency of each column is determined from the number of times that column has been queried and the total number of query instructions received.
In the embodiment of the invention, if the electronic device receives a query instruction, it determines the column corresponding to the keyword carried in the query instruction and updates the number of times that column has been queried. Specifically, the electronic device increases the number of times the column corresponding to the query keyword's column identifier has been queried by a preset number, where the preset number may be any positive integer, for example 1, and stores the increased number as the updated count for that column. It also updates the total number of query instructions received: the electronic device increases that total by a preset value, where the preset value may be any positive integer, for example 1, and stores the increased value as the updated total.
In order to accurately encrypt the database, in the embodiments of the present invention, the method further includes:
if the updating condition is met currently, determining the queried frequency of each column according to the queried times of each column in the database and the total times of receiving the query instruction; if the queried frequency exceeds a preset threshold value and the column which is not encrypted exists, or if the queried frequency does not exceed the preset threshold value and the column which is encrypted exists, decrypting data contained in the column which is encrypted in the database by adopting the first key; for each row, determining a fifth key corresponding to the row identifier of the row according to the corresponding relation between the row identifier and the key, and decrypting the row by adopting the fifth key;
For each column of which the queried frequency exceeds a preset threshold value, encrypting data contained in each column of which the queried frequency exceeds the preset threshold value by adopting a first encryption key corresponding to a first key stored in advance;
and for each row, acquiring a sixth key corresponding to the row identifier according to the corresponding relation between the row identifier and the key, and encrypting the unencrypted data in the row by adopting a third encryption key corresponding to the sixth key.
In the embodiment of the invention, the electronic device encrypts the data contained in the column with the queried frequency exceeding the preset threshold value, and encrypts the data which is not encrypted in each row in the database.
Specifically, if the time interval between the current time and the time at which the rows and columns in the database were last encrypted reaches a preset time threshold, or the total number of query instructions received since the rows and columns in the database were last encrypted exceeds a preset count threshold, it is determined that the update condition is currently satisfied, and the queried frequency of each column is determined from the number of times that column has been queried and the total number of query instructions the electronic device has received.
After the queried frequency of each column is determined, if a column's queried frequency exceeds the preset threshold and the data contained in that column is already encrypted, or a column's queried frequency is lower than the preset threshold and the data contained in that column is not encrypted, the data contained in that column does not need to be encrypted again. If a column's queried frequency exceeds the preset threshold and the data contained in that column is not encrypted, or a column's queried frequency is lower than the preset threshold and the data contained in that column is encrypted, the encrypted columns in the database need to be determined again; in that case the encrypted database is decrypted and the decrypted database is re-encrypted.
The process of decrypting the encrypted database may be: decrypting data contained in an encrypted column in the database by adopting a pre-stored first key, determining a fifth key corresponding to a row identifier of each row in the database according to the corresponding relation between the pre-stored row identifier and the key, decrypting the row by adopting the fifth key, acquiring each data contained in the row, and acquiring the decrypted database.
The process of re-encrypting the decrypted database may be: acquiring each column of which the queried frequency exceeds a preset threshold value, and encrypting the data contained in each column of which the queried frequency exceeds the preset threshold value by adopting a first encryption key corresponding to a first key stored in advance aiming at the data contained in each column; and for each row in the decrypted database, acquiring a sixth key corresponding to the row identifier according to the corresponding relation between the row identifier and the key, and encrypting the unencrypted data in the row corresponding to the row identifier by adopting a third encryption key corresponding to the sixth key. That is, in the embodiment of the present invention, the data included in the column whose frequency exceeds the preset threshold is encrypted, and other data included in the database is encrypted by means of a row.
In the embodiment of the invention, when the data contained in each column whose queried frequency exceeds the preset threshold is encrypted, another encryption key may be used instead; if another encryption key is used, the decryption key corresponding to that encryption key is stored. Likewise, for each row in the database, the unencrypted data in the row need not be encrypted with the encryption key of the key corresponding to the row identifier of that row; if another encryption key is used, the key corresponding to the row identifier in the correspondence between row identifiers and keys is changed to the decryption key corresponding to the encryption key actually used, so that the data contained in the row can still be decrypted.
In the embodiment of the invention, the data contained in the columns with a higher queried frequency is encrypted by column, and the data contained in the columns with a lower queried frequency is encrypted by row; that is, column encryption is used for the frequently queried columns and row encryption for the rarely queried columns. When the database is queried, in most cases the data contained in the encrypted columns is decrypted first and then the data contained in the row where the first target data meeting the query condition is located is decrypted, which is enough to obtain the result the query instruction expects. This avoids decrypting every piece of data in the database, which both preserves the security of the database and avoids degrading the performance of the electronic device.
In the embodiment of the invention, the database is re-encrypted according to the queried frequency of each column in the database, so that the encrypted column in the database is the column with higher queried frequency, and the hit rate of query can be improved. In addition, the scheme of the embodiment of the invention is applied to the safe database with high requirement on the searching performance.
In addition, so that this encryption mode does not affect the use of the database, the standby database can be the one encrypted when the database is re-encrypted: while the standby database is being encrypted, the electronic device performs data queries through the database, and it then determines that the original standby database is the current database and the original database is the current standby database. In the embodiment of the invention, the query instruction can be a Structured Query Language (SQL) statement, and the electronic device can obtain the query instruction through an application interface or a driver extension interface.
Fig. 2 is a method for encrypting a standby database according to an embodiment of the present invention.
As can be seen from Fig. 2, the electronic device may obtain a query instruction expressed as an SQL statement through an application interface or a driver extension interface, and determine the queried frequency of each column from the query keyword carried in each query instruction it obtains. When the update condition is currently met, the queried frequency of each column is determined from the number of times each column in the database has been queried and the total number of query instructions received. If a column's queried frequency exceeds the preset threshold and the column is not encrypted, or a column's queried frequency does not exceed the preset threshold and the column is encrypted, the electronic device can obtain from the configuration file the first key for decrypting the data contained in the columns, obtain the key corresponding to each row identifier from the stored correspondence between row identifiers and keys, and decrypt the encrypted standby database, so that the electronic device performs data queries through the database while the encryption of the standby database is being adjusted. The decrypted standby database is then encrypted with the first encryption key corresponding to the first key contained in the configuration file and the encryption key corresponding to the row identifier of each row.
Example 6:
In order to effectively perform data query, based on the above embodiments, in the embodiments of the present invention, the method further includes:
acquiring a third column identifier of a column which is queried and is not encrypted, acquiring a target keyword corresponding to the third column identifier according to a pre-stored corresponding relation between the column identifier and the keyword, and adding the corresponding relation between the third column identifier and the target keyword into a corresponding relation between the decryption-related column identifier and the keyword; and removing the fourth column identifier of the column with the queried frequency lower than the preset threshold value and the corresponding keyword from the corresponding relation between the decryption related column identifier and the keyword.
In the embodiment of the invention, the correspondence between the column identifier related to decryption and the keyword may be stored in the electronic device in advance, and only the column identifier of the encrypted column and the corresponding keyword are stored in the correspondence between the column identifier related to decryption and the keyword.
Specifically, the electronic device obtains the third column identifier of a column whose queried frequency exceeds the preset threshold and which is not encrypted. Because the column was not encrypted before, the stored correspondence between the column identifier and the keyword does not contain the third column identifier and its corresponding keyword; because the column's current queried frequency exceeds the preset threshold, the electronic device encrypts the data contained in the column and adds the correspondence between the third column identifier and its keyword to the correspondence between the encryption-related column identifier and the keyword. Specifically, the electronic device determines, according to the pre-stored correspondence between column identifiers and keywords, that the keyword corresponding to the third column identifier is the target keyword, and adds the correspondence between the third column identifier and the target keyword to the correspondence between decryption-related column identifiers and keywords.
In addition, the electronic device obtains the fourth column identifier of an encrypted column. Because the column was encrypted before, the stored correspondence between the column identifier and the keyword contains the fourth column identifier and its corresponding keyword; because the column's current queried frequency is lower than the preset threshold, the electronic device no longer encrypts the data contained in the column and removes the fourth column identifier and its corresponding keyword from the correspondence between decryption-related column identifiers and keywords.
In the embodiment of the invention, the keyword corresponding to a query can be obtained by using the application customization extension capabilities provided by the database, namely the trigger extension capability, the index extension capability, the custom function extension capability, views and other techniques. How to obtain the keywords corresponding to a query is prior art and is not described here. After the corresponding keywords are determined, which column is being queried can be determined from the correspondence between each column identifier and the keywords.
In the embodiment of the invention, a user can perform operations such as adding, deleting, modifying and the like on each data contained in the row which is acquired by the electronic equipment and meets the query condition carried in the query instruction, and the electronic equipment encrypts the database again after the operations are completed.
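The query path of Examples 3 and 4 and the frequency-driven re-encryption of Examples 5 and 6, as an added example that is not code from the patent. It assumes symmetric keys (so each "encryption key" and its corresponding "decryption key" are the same value), a stand-in standard-library cipher because the patent names none, hypothetical names (`HybridStore`, `seal`, `unseal`, `rebalance`), and it leaves the update condition to whoever calls `rebalance`.

```python
import hashlib, hmac, json, os

# Stand-in authenticated cipher (HMAC-SHA256 keystream, encrypt-then-MAC) so the
# example needs only the standard library; the patent does not name a cipher.
def _xor_stream(key, nonce, data):
    stream = b"".join(
        hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, value):
    nonce = os.urandom(12)
    body = _xor_stream(key, nonce, json.dumps(value).encode())
    return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("ciphertext failed authentication")
    return json.loads(_xor_stream(key, nonce, body))

class HybridStore:
    """Hot columns sealed under one first key; the rest of each row under a row key."""
    def __init__(self, rows, keyword_to_column, threshold):
        self.keyword_to_column = keyword_to_column  # keyword -> column, all columns
        self.threshold = threshold                  # preset queried-frequency threshold
        self.first_key = os.urandom(32)             # symmetric: encrypts and decrypts
        self.row_keys = {}                          # row identifier -> key
        self.counts = {c: 0 for c in keyword_to_column.values()}
        self.total = 0                              # query instructions received
        self.row_decryptions = 0                    # instrumentation for the demo
        self.table = {}
        self._encrypt(rows, hot=set())

    def _encrypt(self, rows, hot):
        self.hot = set(hot)
        # Decryption-related correspondence: only keywords of encrypted columns.
        self.decrypt_map = {k: c for k, c in self.keyword_to_column.items() if c in hot}
        for rid, row in rows.items():
            row_key = self.row_keys.setdefault(rid, os.urandom(32))
            rest = {c: v for c, v in row.items() if c not in hot}
            self.table[rid] = {
                "cols": {c: seal(self.first_key, row[c]) for c in hot},
                "rest": seal(row_key, rest),
            }

    def _open_row(self, rid):
        self.row_decryptions += 1
        stored = self.table[rid]
        row = unseal(self.row_keys[rid], stored["rest"])
        row.update({c: unseal(self.first_key, b) for c, b in stored["cols"].items()})
        return row

    def query(self, keyword, condition):
        column = self.keyword_to_column[keyword]
        self.counts[column] += 1
        self.total += 1
        if keyword in self.decrypt_map:
            # Example 3: decrypt the column, then only the rows that match.
            hits = [rid for rid, stored in self.table.items()
                    if condition(unseal(self.first_key, stored["cols"][column]))]
            return [self._open_row(rid) for rid in hits]
        # Example 4: the column is not separately encrypted, so open every row.
        return [row for row in map(self._open_row, list(self.table))
                if condition(row[column])]

    def rebalance(self):
        # Examples 5 and 6: re-encrypt only when the set of hot columns changed.
        hot = {c for c, n in self.counts.items()
               if self.total and n / self.total > self.threshold}
        if hot != self.hot:
            plain = {rid: self._open_row(rid) for rid in self.table}
            self._encrypt(plain, hot)
        return hot

ROWS = {  # constructed sample data
    1: {"name": "Li", "age": 34, "occupation": "doctor"},
    2: {"name": "Wang", "age": 27, "occupation": "teacher"},
    3: {"name": "Zhao", "age": 45, "occupation": "doctor"},
    4: {"name": "Chen", "age": 29, "occupation": "engineer"},
}
KEYWORDS = {"name": "name", "age": "age", "doctor": "occupation"}

def demo():
    store = HybridStore(ROWS, KEYWORDS, threshold=0.4)
    is_doctor = lambda value: value == "doctor"
    cold = store.query("doctor", is_doctor)          # nothing column-encrypted yet
    cold_cost = store.row_decryptions
    store.query("doctor", is_doctor)
    store.query("age", lambda value: value >= 30)
    hot = store.rebalance()                          # occupation: 2/3 > 0.4
    store.row_decryptions = 0
    warm = store.query("doctor", is_doctor)
    return cold, cold_cost, hot, warm, store.row_decryptions

if __name__ == "__main__":
    print(demo())
```

In `demo()` the same "doctor" query costs four row decryptions before rebalancing and two afterwards, while the column itself is still decrypted in full on every hit.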
Example 7:
Fig. 3 is a schematic structural diagram of an application device for encrypting a database according to an embodiment of the present invention, where the device includes:
the processing module 301 is configured to obtain a queried frequency of each column in the database, determine each target column whose queried frequency exceeds a preset threshold, and encrypt data included in each target column by using a preset first encryption key;
and the encryption module 302 is configured to encrypt, for each row in the database, data that is not encrypted in the row with a second encryption key.
In a possible implementation manner, the processing module 301 is further configured to, for each row, obtain, according to a pre-stored correspondence between the encryption key and the key, a second key corresponding to a second encryption key of the row, and record a correspondence between a row identifier of the row and the second key.
In a possible implementation manner, the processing module 301 is further configured to obtain, according to a pre-stored correspondence between keywords and column identifiers, each target keyword corresponding to a column identifier of a column whose queried frequency exceeds a preset threshold, and add the correspondence between each target keyword and a corresponding column identifier to a correspondence between a decryption-related column identifier and a keyword.
In a possible implementation manner, the processing module 301 is further configured to, if a query instruction is received, obtain a query keyword carried in the query instruction, determine whether a correspondence between a column identifier related to pre-stored decryption and the keyword includes the query keyword, and if yes, obtain a first column identifier corresponding to the query keyword; decrypting data contained in the encrypted column in the database using a pre-stored first key; acquiring a query condition carried in the query instruction, and determining first target data meeting the query condition according to each data contained in the decrypted first column identification corresponding column and the query condition; acquiring a first row identifier of a row where the first target data is located, acquiring a third key corresponding to the first row identifier according to a pre-stored correspondence between the row identifier and the key, decrypting data contained in the row corresponding to the first row identifier in the database by adopting the third key, and acquiring the data contained in the row where the first target data is located.
In a possible implementation manner, the processing module 301 is further configured to decrypt, if the stored correspondence between the decryption-related column identifier and the keyword does not include the query keyword, data included in the encrypted column in the database with a first key stored in advance; for each row, determining a fourth key corresponding to the row identifier of the row according to the corresponding relation between the stored row identifier and the key, and decrypting the row by adopting the fourth key; acquiring a second column identifier corresponding to the query keyword according to a pre-stored corresponding relation between the column identifier and the keyword, acquiring a query condition carried in the query instruction, determining second target data meeting the query condition according to each data contained in the decrypted second column identifier corresponding column and the query condition, and acquiring data contained in a row where the second target data is located.
In a possible implementation manner, the processing module 301 is further configured to update the number of times that the column identifier corresponding to the query keyword is queried in the column corresponding to the query keyword.
In a possible implementation manner, the processing module 301 is further configured to determine, if the update condition is currently satisfied, a frequency of each column being queried according to the number of times each column is queried in the database and the total number of times of querying; if the queried frequency exceeds a preset threshold value and the column which is not encrypted exists, or if the queried frequency does not exceed the preset threshold value and the column which is encrypted exists, decrypting data contained in the column which is encrypted in the database by adopting the first key; for each row, determining a fifth key corresponding to the row identifier of the row according to the corresponding relation between the stored row identifier and the key, and decrypting the row by adopting the fifth key;
for each column of which the queried frequency exceeds a preset threshold value, encrypting data contained in each column of which the queried frequency exceeds the preset threshold value by adopting a first encryption key corresponding to a first key stored in advance;
and for each row, acquiring a sixth key corresponding to the row identifier according to the corresponding relation between the row identifier and the key, and encrypting the unencrypted data in the row by adopting a third encryption key corresponding to the sixth key.
In a possible implementation manner, the processing module 301 is further configured to obtain a third column identifier of a column that is queried with a frequency exceeding a preset threshold and is not encrypted, obtain, according to a correspondence between a pre-stored column identifier and a keyword, a target keyword corresponding to the third column identifier, and add the correspondence between the third column identifier and the target keyword to a correspondence between a decryption-related column identifier and a keyword; and removing column identifiers of columns with the queried frequency lower than a preset threshold value and corresponding keywords from the corresponding relation between the decrypting related column identifiers and the keywords.
Example 8:
Fig. 4 is a schematic structural diagram of an electronic device according to the present invention. On the basis of the foregoing embodiments, an embodiment of the present invention further provides an electronic device, as shown in Fig. 4, including: the processor 401, the communication interface 402, the memory 403 and the communication bus 404, wherein the processor 401, the communication interface 402 and the memory 403 complete communication with each other through the communication bus 404;
the memory 403 has stored therein a computer program which, when executed by the processor 401, causes the processor 401 to perform the steps of:
Acquiring queried frequency of each column in a database, determining each target column of which queried frequency exceeds a preset threshold value, and encrypting data contained in each target column by adopting a preset first encryption key;
for each row in the database, encrypting the unencrypted data in the row by using a second encryption key.
In one possible embodiment, the method further comprises:
and for each row, acquiring a second key corresponding to the second encryption key of the row according to the corresponding relation between the pre-stored encryption key and the key, and recording the corresponding relation between the row identification of the row and the second key.
In one possible embodiment, the method further comprises:
according to the corresponding relation between the pre-stored keywords and the column identifications, acquiring each target keyword corresponding to the column identifications of the column with the queried frequency exceeding the preset threshold value, and adding the corresponding relation between each target keyword and the corresponding column identification into the corresponding relation between the decryption-related column identifications and the keywords.
In one possible embodiment, the method further comprises:
if a query instruction is received, acquiring a query keyword carried in the query instruction, judging whether the corresponding relation between a pre-stored decryption related column identifier and the keyword contains the query keyword, and if so, acquiring a first column identifier corresponding to the query keyword;
Decrypting data contained in the encrypted column in the database using a pre-stored first key; acquiring a query condition carried in the query instruction, and determining first target data meeting the query condition according to each data contained in the decrypted first column identification corresponding column and the query condition; acquiring a first row identifier of a row where the first target data is located, acquiring a third key corresponding to the first row identifier according to a pre-stored correspondence between the row identifier and the key, decrypting data contained in the row corresponding to the first row identifier in the database by adopting the third key, and acquiring the data contained in the row where the first target data is located.
In one possible embodiment, the method further comprises:
if the corresponding relation between the stored decrypting related column identification and the keyword does not contain the query keyword, decrypting the data contained in the encrypted column in the database by adopting a pre-stored first key; for each row, determining a fourth key corresponding to the row identifier of the row according to the corresponding relation between the stored row identifier and the key, and decrypting the row by adopting the fourth key;
Acquiring a second column identifier corresponding to the query keyword according to a pre-stored corresponding relation between the column identifier and the keyword, acquiring a query condition carried in the query instruction, determining second target data meeting the query condition according to each data contained in the decrypted second column identifier corresponding column and the query condition, and acquiring data contained in a row where the second target data is located.
In one possible embodiment, the method further comprises:
and updating the queried times of the column identification corresponding column corresponding to the query keyword.
In one possible embodiment, the method further comprises:
if the updating condition is met currently, determining the queried frequency of each column according to the queried times of each column in the database and the total queried times; if the queried frequency exceeds a preset threshold value and the column which is not encrypted exists, or if the queried frequency does not exceed the preset threshold value and the column which is encrypted exists, decrypting data contained in the column which is encrypted in the database by adopting the first key; for each row, determining a fifth key corresponding to the row identifier of the row according to the corresponding relation between the stored row identifier and the key, and decrypting the row by adopting the fifth key;
For each column of which the queried frequency exceeds a preset threshold value, encrypting data contained in each column of which the queried frequency exceeds the preset threshold value by adopting a first encryption key corresponding to a first key stored in advance;
and for each row, acquiring a sixth key corresponding to the row identifier according to the corresponding relation between the row identifier and the key, and encrypting the unencrypted data in the row by adopting a third encryption key corresponding to the sixth key.
In one possible embodiment, the method further comprises:
acquiring a third column identifier of a column which is queried and is not encrypted, acquiring a target keyword corresponding to the third column identifier according to a pre-stored corresponding relation between the column identifier and the keyword, and adding the corresponding relation between the third column identifier and the target keyword into a corresponding relation between the decryption-related column identifier and the keyword; and removing column identifiers of columns with the queried frequency lower than a preset threshold value and corresponding keywords from the corresponding relation between the decrypting related column identifiers and the keywords.
The communication bus mentioned for the server may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, the bus is drawn as a single bold line in the figure, which does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include random access memory (Random Access Memory, RAM) or non-volatile memory (Non-Volatile Memory, NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit, a network processor (Network Processor, NP), etc.; it may also be a digital signal processor (Digital Signal Processing, DSP), an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
Example 9:
On the basis of the above embodiments, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program executable by an electronic device; when the program runs on the electronic device, it causes the electronic device to perform the following steps:
the memory stores a computer program which, when executed by the processor, causes the processor to perform the following steps:
acquiring the queried frequency of each column in a database, determining each target column whose queried frequency exceeds a preset threshold, and encrypting the data contained in each target column with a preset first encryption key;
for each row in the database, encrypting the unencrypted data in the row with a second encryption key.
In one possible embodiment, the method further comprises:
for each row, acquiring a second key corresponding to the second encryption key of the row according to the pre-stored correspondence between encryption keys and keys, and recording the correspondence between the row identifier of the row and the second key.
In one possible embodiment, the method further comprises:
according to the pre-stored correspondence between keywords and column identifiers, acquiring each target keyword corresponding to the column identifier of a column whose queried frequency exceeds the preset threshold, and adding the correspondence between each target keyword and its column identifier to the correspondence between decryption-related column identifiers and keywords.
In one possible embodiment, the method further comprises:
if a query instruction is received, acquiring the query keyword carried in the query instruction, and determining whether the pre-stored correspondence between decryption-related column identifiers and keywords contains the query keyword; if so, acquiring a first column identifier corresponding to the query keyword;
decrypting the data contained in the encrypted columns in the database with a pre-stored first key; acquiring the query condition carried in the query instruction, and determining first target data that satisfies the query condition from the decrypted data of the column corresponding to the first column identifier; acquiring a first row identifier of the row in which the first target data is located, acquiring a third key corresponding to the first row identifier according to the pre-stored correspondence between row identifiers and keys, decrypting the data contained in the row corresponding to the first row identifier in the database with the third key, and acquiring the data contained in the row in which the first target data is located.
In one possible embodiment, the method further comprises:
if the stored correspondence between decryption-related column identifiers and keywords does not contain the query keyword, decrypting the data contained in the encrypted columns in the database with the pre-stored first key; for each row, determining a fourth key corresponding to the row identifier of the row according to the stored correspondence between row identifiers and keys, and decrypting the row with the fourth key;
acquiring a second column identifier corresponding to the query keyword according to the pre-stored correspondence between column identifiers and keywords, acquiring the query condition carried in the query instruction, determining second target data that satisfies the query condition from the decrypted data of the column corresponding to the second column identifier, and acquiring the data contained in the row in which the second target data is located.
In one possible embodiment, the method further comprises:
updating the number of times the column corresponding to the column identifier of the query keyword has been queried.
In one possible embodiment, the method further comprises:
if an update condition is currently met, determining the queried frequency of each column from the number of times each column in the database has been queried and the total number of queries; if there is a column whose queried frequency exceeds the preset threshold and which is not encrypted, or a column whose queried frequency does not exceed the preset threshold and which is encrypted, decrypting the data contained in the encrypted columns in the database with the first key; for each row, determining a fifth key corresponding to the row identifier of the row according to the stored correspondence between row identifiers and keys, and decrypting the row with the fifth key;
for each column whose queried frequency exceeds the preset threshold, encrypting the data contained in the column with the first encryption key corresponding to the pre-stored first key;
for each row, acquiring a sixth key corresponding to the row identifier according to the correspondence between row identifiers and keys, and encrypting the unencrypted data in the row with a third encryption key corresponding to the sixth key.
In one possible embodiment, the method further comprises:
acquiring a third column identifier of a column that is queried and is not encrypted, acquiring a target keyword corresponding to the third column identifier according to the pre-stored correspondence between column identifiers and keywords, and adding the correspondence between the third column identifier and the target keyword to the correspondence between decryption-related column identifiers and keywords; and removing, from the correspondence between decryption-related column identifiers and keywords, the column identifiers of columns whose queried frequency is lower than the preset threshold, together with their corresponding keywords.
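The column-key and row-key flow described in Examples 8 and 9, as an added Python sketch that is not part of the patent text: columns whose queried frequency exceeds the threshold are encrypted under one column key, every other cell under a per-row key, and a query on a frequently queried column opens only the matching rows. Assumptions: the query keyword is taken to be the column name, all class and function names are hypothetical, the sample rows and counts are constructed, and the HMAC-SHA256 keystream is a standard-library stand-in for the cipher, which the text does not specify (an authenticated cipher such as AES-GCM would be used in practice).

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 keystream, unauthenticated.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key: bytes, text: str) -> bytes:
    nonce = os.urandom(12)  # fresh nonce per cell, so equal values encrypt differently
    return nonce + _xor_stream(key, nonce, text.encode())

def unseal(key: bytes, blob: bytes) -> str:
    return _xor_stream(key, blob[:12], blob[12:]).decode()

class HotColumnStore:
    """Hypothetical model of the two-level scheme (names are not from the patent)."""

    def __init__(self, rows, query_counts, threshold):
        total = sum(query_counts.values())
        # Queried frequency = a column's query count / total query count.
        self.hot = {c for c, n in query_counts.items() if n / total > threshold}
        self.counts = dict(query_counts)
        self.column_key = os.urandom(32)   # the "first key", shared by hot columns
        self.row_keys = {}                 # row identifier -> row key
        self.cells = {}                    # row identifier -> {column: ciphertext}
        for row_id, row in enumerate(rows):
            self.row_keys[row_id] = os.urandom(32)
            self.cells[row_id] = {col: seal(self._key_for(row_id, col), val)
                                  for col, val in row.items()}

    def _key_for(self, row_id, col):
        return self.column_key if col in self.hot else self.row_keys[row_id]

    def _open_row(self, row_id):
        return {col: unseal(self._key_for(row_id, col), blob)
                for col, blob in self.cells[row_id].items()}

    def query(self, column, wanted):
        """Return (matching plaintext rows, number of rows opened with a row key)."""
        self.counts[column] += 1           # update the column's queried count
        results, opened = [], 0
        if column in self.hot:
            # Hot path: the column key alone locates the matching rows.
            for row_id, cells in self.cells.items():
                if unseal(self.column_key, cells[column]) == wanted:
                    results.append(self._open_row(row_id))
                    opened += 1
        else:
            # Cold path: every row is opened before the condition can be tested.
            for row_id in self.cells:
                row = self._open_row(row_id)
                opened += 1
                if row[column] == wanted:
                    results.append(row)
        return results, opened

# Constructed sample data.
SAMPLE_ROWS = [
    {"name": "alice", "city": "Lyon", "note": "new"},
    {"name": "bob", "city": "Lyon", "note": "vip"},
    {"name": "carol", "city": "Oslo", "note": "new"},
    {"name": "dave", "city": "Rome", "note": "vip"},
]
SAMPLE_COUNTS = {"name": 8, "city": 1, "note": 1}
```

The `opened` count makes the trade-off visible: the column key protects every frequently queried column at once, so its exposure reveals those columns for all rows, while a per-row key exposes only the remaining cells of one row.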
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (11)

1. A method for applying database encryption, the method comprising:
acquiring the queried frequency of each column in a database, determining each target column whose queried frequency exceeds a preset threshold, and encrypting the data contained in each target column with a preset first encryption key;
for each row in the database, encrypting the unencrypted data in the row with a second encryption key.
2. The method according to claim 1, wherein the method further comprises:
for each row, acquiring a second key corresponding to the second encryption key of the row according to the pre-stored correspondence between encryption keys and keys, and recording the correspondence between the row identifier of the row and the second key.
3. The method according to claim 2, wherein the method further comprises:
according to the pre-stored correspondence between keywords and column identifiers, acquiring each target keyword corresponding to the column identifier of a column whose queried frequency exceeds the preset threshold, and adding the correspondence between each target keyword and its column identifier to the correspondence between decryption-related column identifiers and keywords.
4. A method according to claim 3, characterized in that the method further comprises:
if a query instruction is received, acquiring the query keyword carried in the query instruction, and determining whether the pre-stored correspondence between decryption-related column identifiers and keywords contains the query keyword; if so, acquiring a first column identifier corresponding to the query keyword;
decrypting the data contained in the encrypted columns in the database with a pre-stored first key; acquiring the query condition carried in the query instruction, and determining first target data that satisfies the query condition from the decrypted data of the column corresponding to the first column identifier; acquiring a first row identifier of the row in which the first target data is located, acquiring a third key corresponding to the first row identifier according to the pre-stored correspondence between row identifiers and keys, decrypting the data contained in the row corresponding to the first row identifier in the database with the third key, and acquiring the data contained in the row in which the first target data is located.
5. The method according to claim 4, wherein the method further comprises:
if the stored correspondence between decryption-related column identifiers and keywords does not contain the query keyword, decrypting the data contained in the encrypted columns in the database with the pre-stored first key; for each row, determining a fourth key corresponding to the row identifier of the row according to the correspondence between row identifiers and keys, and decrypting the row with the fourth key;
acquiring a second column identifier corresponding to the query keyword according to the pre-stored correspondence between column identifiers and keywords, acquiring the query condition carried in the query instruction, determining second target data that satisfies the query condition from the decrypted data of the column corresponding to the second column identifier, and acquiring the data contained in the row in which the second target data is located.
6. The method according to claim 4 or 5, characterized in that the method further comprises:
updating the number of times the column corresponding to the column identifier of the query keyword has been queried.
7. The method according to claim 1, wherein the method further comprises:
if an update condition is currently met, determining the queried frequency of each column from the number of times each column in the database has been queried and the total number of queries; if there is a column whose queried frequency exceeds the preset threshold and which is not encrypted, or a column whose queried frequency does not exceed the preset threshold and which is encrypted, decrypting the data contained in the encrypted columns in the database with the first key; for each row, determining a fifth key corresponding to the row identifier of the row according to the correspondence between row identifiers and keys, and decrypting the row with the fifth key;
for each column whose queried frequency exceeds the preset threshold, encrypting the data contained in the column with the first encryption key corresponding to the pre-stored first key;
for each row, acquiring a sixth key corresponding to the row identifier according to the correspondence between row identifiers and keys, and encrypting the unencrypted data in the row with a third encryption key corresponding to the sixth key.
8. The method of claim 7, wherein the method further comprises:
acquiring a third column identifier of a column that is queried and is not encrypted, acquiring a target keyword corresponding to the third column identifier according to the pre-stored correspondence between column identifiers and keywords, and adding the correspondence between the third column identifier and the target keyword to the correspondence between decryption-related column identifiers and keywords; and removing, from the correspondence between decryption-related column identifiers and keywords, the column identifiers of columns whose queried frequency is lower than the preset threshold, together with their corresponding keywords.
9. An application device for database encryption, the device comprising:
a processing module, configured to acquire the queried frequency of each column in a database, determine each target column whose queried frequency exceeds a preset threshold, and encrypt the data contained in each target column with a preset first encryption key;
an encryption module, configured to encrypt, for each row in the database, the unencrypted data in the row with a second encryption key.
10. An electronic device comprising at least a processor and a memory, the processor being adapted to perform the steps of the method for applying the database encryption according to any of the preceding claims 1-8 when executing a computer program stored in the memory.
11. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the steps of the method for applying database encryption as claimed in any one of the preceding claims 1-8.
CN202111643604.4A 2021-12-29 2021-12-29 Application method, device, equipment and medium for database encryption Pending CN116415264A (en)


Publications (1)

Publication Number Publication Date
CN116415264A true CN116415264A (en) 2023-07-11
